A consultant told a client of mine last month that their server was insecure because — and I'm paraphrasing only very slightly — they used fail2ban instead of "modern access controls." The client paid for the report, looked worried, and rang me to ask whether they should rip everything out.

This is the third time this argument has come up in a year. I'd like to settle it.

What fail2ban is

fail2ban is a daemon that watches log files and bans IP addresses that misbehave. You configure jails. Each jail says "if you see this pattern N times in this window, ban the source IP for M seconds." It writes iptables (or nftables) rules. It expires them. That is the whole shape of it.

It is not access control. It is rate-limiting plus reputation, expressed in firewall rules, driven by what the log says.

What it isn't

It isn't authentication. It cannot tell a patient attacker who spaces out their attempts from a legitimate user who fat-fingers their password three times in a row.

It isn't IP-based access control. The ban list is reactive, not allow-list-shaped. If you wanted only your VPN and your office to reach port 22, you would write that in iptables directly, today, before lunch.

It isn't a moat. Modern brute-force traffic comes from botnets with tens of thousands of unique source addresses. Banning each one for ten minutes is a small inconvenience to the attacker.
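To make both points concrete, the "N failures in this window, ban for M seconds" mechanism from "What fail2ban is" and the botnet caveat just above, here is a small model of a jail. It is an added illustration written for this post, not fail2ban's code: the sshd failregex is a simplified stand-in for fail2ban's own filter, the thresholds mirror fail2ban's stock defaults (maxretry 5, findtime 10 minutes, bantime 10 minutes), and every log line is constructed, not captured traffic. Where real fail2ban would execute a firewall action, this records a ("ban"/"unban", ip, time) tuple.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (syslog timestamp, no year). Not real traffic.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 09:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 09:00:05 host sshd[1003]: Failed password for invalid user root from 203.0.113.7 port 51002 ssh2
Mar 10 09:00:07 host sshd[1004]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Mar 10 09:00:09 host sshd[1005]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Mar 10 09:01:00 host sshd[1006]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar 10 09:01:10 host sshd[1007]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 10 09:01:20 host sshd[1008]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar 10 09:02:00 host sshd[1009]: Failed password for invalid user admin from 192.0.2.1 port 30000 ssh2
Mar 10 09:02:01 host sshd[1010]: Failed password for invalid user admin from 192.0.2.2 port 30000 ssh2
Mar 10 09:12:00 host sshd[1011]: Failed password for invalid user admin from 192.0.2.3 port 30000 ssh2
"""

# Simplified stand-in for fail2ban's sshd failregex (assumption: not the real filter).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
TS_FMT = "%b %d %H:%M:%S"  # syslog timestamp occupies the first 15 characters


def parse_line(line, year=2024):
    """Return (timestamp, source ip) for a failed-login line, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], TS_FMT).replace(year=year)
    return ts, m.group("ip")


class Jail:
    """Per-IP sliding window: maxretry failures within findtime => ban for bantime."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires
        self.actions = []                   # (kind, ip, time) in the order they fired
        self.total_failures = 0

    def _expire(self, now):
        # fail2ban removes the firewall rule when bantime has elapsed.
        for ip, until in list(self.bans.items()):
            if until <= now:
                del self.bans[ip]
                self.actions.append(("unban", ip, until))

    def observe(self, now, ip):
        self._expire(now)
        self.total_failures += 1
        if ip in self.bans:
            return  # rule already in place; nothing further to do
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # drop failures outside findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            self.actions.append(("ban", ip, now))  # real fail2ban runs the ban action here
            window.clear()


def run_jail(lines, **cfg):
    """Feed log lines through a jail and return it for inspection."""
    jail = Jail(**cfg)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            jail.observe(*parsed)
    return jail


def distributed_attack(n_sources, per_source=1):
    """Constructed botnet-style log: many source addresses, each failing only a few times."""
    lines = []
    t = datetime(2024, 3, 10, 10, 0, 0)
    for i in range(n_sources):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for _ in range(per_source):
            t += timedelta(seconds=1)
            lines.append(f"{t.strftime(TS_FMT)} host sshd[1]: Failed password for "
                         f"invalid user admin from {ip} port 1 ssh2")
    return lines


if __name__ == "__main__":
    j = run_jail(SAMPLE_LOG.splitlines())
    print("single-source:", j.actions)          # one ban, then its expiry
    b = run_jail(distributed_attack(2000, per_source=4))
    print("botnet: failures", b.total_failures, "bans", len(b.actions))
```

Run against the sample log, the one address that fails five times in eight seconds is banned and released ten minutes later; the user who fails twice and then succeeds with a key is never touched. Run against the constructed botnet, 8,000 failures from 2,000 addresses produce zero bans, because no single address ever crosses maxretry inside findtime. That is the whole of the "not a moat" point: the per-source counter is exactly what a distributed attacker does not trigger, which is why the lock (keys, no password auth, an allow-listed admin path) has to sit behind the doorman.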

What it is

It is a clean, well-understood, low-overhead first cut at the noise. Done properly, it:

I run it on every box I own. SSH is key-only. PermitRootLogin is off. PasswordAuthentication is off. The administrative path is on a non-standard port behind a VPN. MFA is everywhere it can be.

fail2ban is the doorman, not the lock.

What the consultant should have said

"You're using fail2ban, which is good. Tell me about your other access controls — key-only SSH, whitelisted admin paths, MFA on the things that matter. If those are in place, fail2ban is reducing your noise. If they aren't, we need to talk about those first."

Instead they wrote a paragraph that scared the client and recommended a £40,000 platform. We removed the paragraph. We did not buy the platform. The server is still running. So is fail2ban.

A short rule

When somebody tells you a single tool isn't access control, ask them what they think is. If the answer is one product, they are selling something. If the answer is six interlocking things, several of them open-source, you may be talking to a defender.

Choose your consultants accordingly.