Using Fail2Ban to limit login attempts

What is Fail2Ban?

We need a means of defending sites against brute-force login attempts. Fail2Ban is a Python application that tails log files, matches each line against regular expressions, and works with Shorewall (or directly with iptables) to apply temporary blacklists against addresses that match a pattern too often. This can be used to limit the rate at which a given machine hits login URLs for Confluence.

Warning: The information on this page does not apply to Confluence Cloud.


  • Requires Python 2.4 or higher to be installed
  • Needs a specific file to follow, which means your Apache instance needs to log your Confluence access to a known logfile. You should adjust the configuration below appropriately.

How to set it up

This list is a skeletal version of the instructions

  • There's an RPM available for RHEL on the download page, but you can also download the source and set it up manually
  • Its configuration files go into /etc/fail2ban
  • The generic, default configuration goes into .conf files (fail2ban.conf and jail.conf). Don't change these, as it makes upgrading difficult.
  • Overrides to the generic configuration go into .local files corresponding to the .conf files. These only need to contain the specific settings you want overridden, which helps maintainability.
  • Filters go into filter.d — this is where you define regexps, each going into its own file
  • Actions go into action.d — you probably won't need to add one, but it's handy to know what's available
  • "Jails" are configuration units, each of which specifies one regexp to check, one or more actions to trigger when the threshold is reached, and the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds)
  • Jails are defined in jail.conf and jail.local. Don't forget the enabled setting for each one — it can be as bad to have the wrong ones enabled as to have the right ones disabled.

Running Fail2Ban

  • Use /etc/init.d/fail2ban {start|stop|status} for the obvious operations
  • Use fail2ban-client -d to get it to dump its current configuration to STDOUT. Very useful for troubleshooting.
  • Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with a simple regexp
  • It can log either to syslog or a file, whichever suits your needs better

Common Configuration


# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# ignoreip = <space-separated list of IPs>

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 60

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# Placeholder: the name of the jail being switched off.
[<name-of-jail-to-disable>]

enabled  = false

# Placeholder: the name you give the jail that watches the Confluence access log.
[<confluence-jail-name>]

enabled  = true
filter   = cac-login
action   = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling

Configuring for Confluence

The following is an example only, and you should adjust it for your site.



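# /etc/fail2ban/filter.d/cac-login.conf

[Definition]

# Anchored at the start of the line so that <HOST> can only match the client
# address field (assumes the access log starts with the client address, as in
# Apache's common/combined formats). The dot in "login.action" is escaped.
failregex = ^<HOST> .*"GET /login\.action

ignoreregex =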
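
Before enabling the jail, it helps to replay its thresholds over an access log and see which clients would be banned. The Python below is an added example, not part of Fail2Ban or of the original page: it models the jail with this page's findtime, maxretry and bantime, treats the maxretry-th match inside findtime as the trigger, and assumes Apache common/combined log format. The names simulate and SAMPLE_LOG, the IPv4-only host pattern and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds from the jail on this page.
FINDTIME, MAXRETRY, BANTIME = 60, 3, 600

# Page's failregex, anchored; <HOST> simplified to IPv4 only (assumption for this example).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*"GET /login\.action')
TIMESTAMP = re.compile(r"\[([^\]]+)\]")  # Apache %t field

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /login.action HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2024:10:00:02 +0000] "GET /dashboard.action HTTP/1.1" 200 900
198.51.100.9 - - [12/Mar/2024:10:00:05 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:10 +0000] "GET /login.action?os_destination=%2F HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:20 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.9 - - [12/Mar/2024:10:01:30 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.9 - - [12/Mar/2024:10:02:40 +0000] "GET /login.action HTTP/1.1" 200 5120
""".splitlines()


def simulate(lines):
    """Return (host, ban_start, ban_end) epoch tuples for the bans the jail would issue."""
    recent = defaultdict(deque)  # host -> match times still inside findtime
    banned_until = {}            # host -> epoch at which its ban expires
    bans = []
    for line in lines:
        hit, stamp = FAILREGEX.search(line), TIMESTAMP.search(line)
        if not (hit and stamp):
            continue
        host = hit.group("host")
        now = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if banned_until.get(host, 0) > now:
            continue  # already blocked at the firewall; the request never arrives
        window = recent[host]
        window.append(now)
        while now - window[0] > FINDTIME:
            window.popleft()  # forget matches older than findtime
        if len(window) >= MAXRETRY:
            banned_until[host] = now + BANTIME
            bans.append((host, now, now + BANTIME))
            window.clear()
    return bans


if __name__ == "__main__":
    print(simulate(SAMPLE_LOG))
```

Because the filter counts every GET of /login.action rather than failed logins, replaying a day of real access log this way shows whether ordinary users who reload the login page would trip the threshold.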


5 Archived comments

  1. Justin Downing

    This is great. Can you expand on the examples for regex and the log path to watch for each application? Also, what would the jail.local look like when using iptables?

    16 Apr 2010
  2. Christian Essner

    "JIRA-4.1 includes a rate-limiting mechanism"

    I am not aware of their rate-limiting mechanism in 4.1. Can you please explain?

    27 Apr 2010
  3.

    Does this actually react to bad logins to Confluence or does it expect (pre-) authentication by the proxy Apache?

    07 Sep 2011
  4. Urs Weiss

    Some notes and examples for IPtables:

    • Fail2Ban doesn't support IPv6 at the moment. It will not block anything if IPv6 is used!
      (You can search "fail2ban-ipv6" on GitHub for a dirty (but working) fix for CentOS 6 from myself)

    An example for IPtables and Nginx as proxy:

    18 Jul 2014