Blocking Brute-Force Atttacks at a JupyterHub

Hello there,

has anybody tried out a tool like fail2ban for blocking off brute-force attacks? I found the gist JupyterHub PAM Authentication Fail2ban Configuration · GitHub which from its expressions sounds promising. However, I haven’t tried it out myself. I would be more than happy with a behavior which is common in many OS: The first 3 attempts work without any delay and after that, people are blocked from logging in for longer and longer time periods. I guess an IP-based approach is the most feasible way to identify users.

Best wishes


I haven’t tried that fail2ban config, but it looks very promising! I do think blocking by ip is the right thing to do, since blocking by e.g. username would make DoS easy by spamming attempted logins for a target username. I also think you’d have to implement username-based blocks in the Authenticator, as fail2ban doesn’t know who’s trying to login, just where the connection is coming from.

1 Like

Thank you for your input!