[semanticist]

While it monitors SSH by default out of the box, people here are talking about creating custom filters which will monitor their Apache or Nginx logs. (Although, that said, we also have it monitor our non-standard SSH port with v. aggressive blocking rules, even though it's also behind a firewall. Defence in depth, and all that.)

The documentation isn't the greatest, but this page explains the concepts well enough and was easy to find using Google.

https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

[tbrock]

I understand the concepts but... how do you actually use it?

[semanticist]

A filter matches lines in the nginx log using regular expressions. If the line matches, it uses another regexp to extract the IP address, and then calls out to scripts to block that IP address.

I'm not going to post the exact configuration files I use, but the GitHub repo for fail2ban contains examples.

https://github.com/fail2ban/fail2ban/blob/0.11/config/filter...

That's a filter that protects Apache against the 'shellshock' (https://en.wikipedia.org/wiki/Shellshock_(software_bug)) vulnerability, for example.

[hluska]

I like Fail2Ban, but as I remember it, my learning process looked a lot like this:

1.) Read through the documentation.

2.) Pour myself a scotch.

3.) Read through more documentation.

4.) Start drinking right out of the bottle.

5.) Try something.

6.) Get an error or experience a spectacular failure.

7.) Use StackOverflow.

8.) GOTO 5.

-------------

In good news, it worked - the light went on and now I'm confident that I could adapt Fail2Ban to suit any use. But, in bad news, honestly, I feel your pain and understand where/why you are getting stuck. Fail2Ban is a very complicated, yet extremely useful piece of software.

[comboy]

cd /etc/fail2ban and explore, you have example configs for all popular software and plenty of explanations in their comments