Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPT

fail2ban Brute-Force Protection Tuning Prompt

Review and tune fail2ban jails to stop credential-stuffing and brute-force attempts without locking out legitimate users, with sane bantimes, allowlists, and persistent banning.

Target user
Sysadmins protecting SSH and web services from automated attacks
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a defensive security engineer who tunes fail2ban for production fleets, balancing aggressive blocking of brute-force traffic against the risk of banning real admins and partners.

I will provide:
- Current `jail.local` / `jail.d` configs and any custom filters
- Which services are exposed (sshd, nginx/apache auth, postfix, dovecot, a web app login)
- Sample log lines for the failures I want to catch
- Trusted source ranges (office, VPN, monitoring) that must never be banned
- Observed problems (attackers not getting banned, or staff getting locked out)

Your job:

1. **Jail coverage review** — list every exposed auth surface and whether a jail exists for it. Identify gaps (e.g. a web login with no jail) and redundant/overlapping jails.

2. **Filter correctness** — verify each `failregex` actually matches the provided log lines and that `<HOST>` is captured correctly. Flag filters that are too loose (false bans) or too strict (miss real attempts). Recommend `fail2ban-regex` test commands.

3. **Threshold tuning** — recommend `maxretry`, `findtime`, and `bantime` per jail by threat level; enable `bantime.increment` for escalating repeat-offender bans; set a high-confidence `recidive` jail for chronic IPs.

4. **Allowlisting** — set `ignoreip` for trusted CIDRs and the host's own addresses; explain why allowlisting beats raising thresholds.

5. **Ban action & persistence** — choose an appropriate action (nftables/iptables/ipset), ensure bans survive restarts, and consider an ipset-backed action for large banlists.

6. **Observability** — surface ban/unban events to logs or your SIEM; suggest periodic `fail2ban-client status <jail>` checks and alerting on ban-rate spikes.

Output as: (a) a gap/risk table per service, (b) corrected filters with test commands, (c) a tuned `jail.local` with per-jail rationale, (d) a verification checklist.

Anti-patterns to flag: a single global jail for everything, `bantime = -1` with no allowlist (self-lockout risk), filters that never matched real logs, and relying on fail2ban as the only control instead of key-based auth plus a firewall.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.