detecting-port-scanning-with-fail2ban

Configures Fail2ban with custom filters and actions to detect port scanning activity, SSH brute force attempts, and network reconnaissance, automatically banning offending IP addresses and alerting security teams to suspicious network probing.

AI & Automation 16,326 stars 1981 forks Updated 2 weeks ago Apache-2.0

Quality Score: 97/100

- Stars (20%): 100
- Recency (20%): 90
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Detecting Port Scanning with Fail2ban

## When to Use

- Automatically blocking IP addresses that perform port scans against internet-facing servers
- Defending SSH, HTTP, FTP, and other services against brute force attacks with automated IP banning
- Creating custom detection filters for organization-specific attack patterns in log files
- Reducing noise from automated scanning bots before traffic reaches IDS/IPS for deeper analysis
- Implementing defense-in-depth by adding host-based automated response to network monitoring

**Do not use** as the sole network security control, for protecting against distributed attacks from many source IPs, or as a replacement for proper firewall rules and network segmentation.

## Prerequisites

- Fail2ban 0.11+ installed (`fail2ban-client --version`)
- Root/sudo access for iptables/nftables manipulation
- Services logging connection attempts to parseable log files (syslog, auth.log, access.log)
- iptables or nftables installed and operational as the host firewall
- Optional: SMTP server for email notifications on ban events

## Workflow

### Step 1: Install and Configure Fail2ban

```bash
# Install Fail2ban
sudo apt install -y fail2ban

# Create local configuration (never edit jail.conf directly)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Configure global defaults
sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Ban duration (1 hour default, escalates for repeat offenders)
bantime = 3600

# Detection window
findtim...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: 2 weeks ago
- Language: Python
- License: Apache-2.0
