[ivlad]

While I agree fail2ban is a wrong tool to prevent password brute force - better authentication mechanisms should be used instead - it has its uses. For example, it can be used to automatically ban (or alert about) dumb http scanners like gobuster. I am not saying, a determined attacker cannot bypass it, but if it saves me some hassle and raises the bar for them, why should not I do it?

More general, some attacker actions, especially during recon, rely on making many attempts to connect, fetch an URL, resolve FQDN, etc., these could be detected and automatically responded to, making attacker’s job harder and providing extra visibility to defenders.

[kasey_junk]

You shouldn’t use it because fail2ban itself can (and has been) attacked. It doesn’t make the attackers job meaningfully harder but does add complexity to your systems, that complexity is weakness.

[ivlad]

I looked at fail2ban exploits and they are either LPE due to file permissions or command injection in other tools like mailutils.

Citation needed for the claim “has been attacked” if you refer to real attacks in the wild.

[wglb]

One noted upthread https://news.ycombinator.com/item?id=37796588

[ivlad]

Yeah, that’s command injection in mailutils I mentioned, not in fail2ban itself. Did you see how it’s supposed to be exploited? Did you see a real-life exploitation?

While it’s a nice trick, it’s simply not relevant. And the vulnerability before that seems to be 10 years old. I’d say it’s a decent track record.