Fail2Ban is an intrusion prevention framework that protects servers from brute-force attacks: it watches service logs for repeated failures and bans the offending IP addresses, usually with firewall rules. Every ban and unban is recorded in its own log, /var/log/fail2ban.log. In this article we will learn how to get the most out of that log with a handful of one-liners.

1- IP Report

This one-liner lists each IP address banned according to the Fail2Ban log file, together with the number of times it was banned. Matching on the word before the IP being exactly "Ban" keeps the Unban lines out of the count.

awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

      1 67.165.8.251
      1 78.187.175.106
      1 79.67.142.238
      1 82.83.51.48
      1 86.200.180.187
      2 13.95.106.197
      2 37.49.225.88
      4 218.65.30.25
      5 200.61.196.52
      9 81.248.5.48

2- IP Report ALL log files

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c

*An IP address gets banned once the jail's filter has caught it at least maxretry times within findtime, so one line here means one ban event, not one failed login.

3- Subnet Report

You can shorten the IP addresses to their first two octets to identify the most annoying subnets:

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail

      9 81.248.
     10 39.115.
     10 58.221.
     11 42.7.
     11 5.101.
     12 42.247.
     13 37.49.
     17 37.97.
     42 113.200.
     82 198.100.

You can also take one prefix from the list and show how many times that subnet appears in each log file (the dots are escaped because the argument is a regular expression, not a literal string):

zgrep -c '198\.100\.' /var/log/fail2ban.log*

/var/log/fail2ban.log:0
/var/log/fail2ban.log.1:0
/var/log/fail2ban.log.2.gz:0
/var/log/fail2ban.log.3.gz:20
/var/log/fail2ban.log.4.gz:144

4- IP address and Hostname Report

awk '$(NF-1) == "Ban" {print $NF, "(" $NF ")"}' /var/log/fail2ban.log | sort | logresolve | uniq -c | sort -n

      1 103.210.135.136 (103.210.135.136)
      1 103.54.140.123 (103.54.140.123)
      1 108-82-128-117.lightspeed.nworla.sbcglobal.net (108.82.128.117)
      1 112.161.187.208 (112.161.187.208)
      1 115.199.55.214 (115.199.55.214)
      1 118.244.238.4 (118.244.238.4)
      1 121.33.248.149 (121.33.248.149)
      1 123.59.182.194 (123.59.182.194)
      1 138.186.77.166 (138.186.77.166)
      1 170.83.199.122 (170.83.199.122)
      1 180.250.247.34 (180.250.247.34)
      1 181.214.87.223 (181.214.87.223)
      1 186.132.224.140.broad.zz.fj.dynamic.163data.com.cn (140.224.132.186)
      1 186.188.224.37 (186.188.224.37)
      1 190.124.248.2 (190.124.248.2)
      1 218.156.85.17 (218.156.85.17)
      1 218.87.109.152 (218.87.109.152)

Note1: logresolve does a reverse DNS lookup for every distinct address, so the command can take some time. The IP is printed again in parentheses because the resolved name is what the attacker's provider chose to publish and should not be trusted on its own.

Note2: logresolve ships with the Apache httpd utilities (apache2-utils on Debian/Ubuntu, httpd-tools on RHEL/CentOS); if it is not on your PATH, give its full path.

5- Jail Report

Show the number of ban events by IP and by jail. The field numbers below assume the older log layout ("fail2ban.actions: WARNING [jail] Ban IP") that the outputs in this article come from; newer releases (0.9 onward) insert a "[pid]:" token after fail2ban.actions and pad the columns, so check the field positions against a line from your own log before trusting $10 and $8.

grep "Ban " /var/log/fail2ban.log | awk -F'[ :]' '{print $10, $8}' | sort | uniq -c | sort -n

      1 190.124.248.2 [ssh]
      1 190.96.14.98 [dovecot-pop3imap]
      1 222.236.67.150 [ssh]
      1 24.23.242.130 [ssh]
      1 37.49.225.88 [postfix-sasl]
      1 37.49.225.88 [sasl]
      1 37.49.225.90 [postfix-sasl]
      1 39.115.133.212 [pureftpd]
      1 42.159.246.3 [ssh]
      1 42.231.229.178 [ssh]
      1 42.7.26.16 [ssh]
      1 42.7.26.88 [ssh]
      1 46.173.47.39 [ssh]
      1 5.19.144.92 [ssh]
      1 58.220.197.198 [postfix-sasl]
      1 79.67.142.238 [ssh]
      1 82.83.51.48 [ssh]
      1 86.200.180.187 [ssh]
      2 13.95.106.197 [pureftpd]
      4 218.65.30.25 [ssh]
      5 200.61.196.52 [postfix-sasl]
      9 81.248.5.48 [ssh]

6- Today's Fail2Ban Activity

Only today's ban lines, resolved to hostnames. The date is anchored to the start of the line so it cannot match a date that happens to appear elsewhere on the line:

grep "Ban " /var/log/fail2ban.log | grep "^$(date +%Y-%m-%d)" | awk '{print $NF}' | sort | awk '{print $1, "(" $1 ")"}' | logresolve | uniq -c | sort -n

      1 138.186.77.166 (138.186.77.166)
      1 c-67-165-8-251.hsd1.pa.comcast.net (67.165.8.251)
      4 52.196.61.200-static.telecom.com.ar (200.61.196.52)

You can also scan all Fail2Ban log files and get a summary of how many ban events there were for each jail on each day. With the older log layout the jail is the fifth whitespace-separated field; with the newer layout, which inserts a "[pid]:" token, it moves to $6:

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $5, $1}' | sort | uniq -c

      2 [dovecot-pop3imap] 2018-03-10
      1 [dovecot-pop3imap] 2018-03-11
      4 [dovecot-pop3imap] 2018-03-13
      1 [dovecot-pop3imap] 2018-03-15
      1 [dovecot-pop3imap] 2018-04-03
      3 [postfix-sasl] 2018-03-04
      3 [postfix-sasl] 2018-03-05
      7 [postfix-sasl] 2018-03-06
      2 [postfix-sasl] 2018-03-07
      5 [postfix-sasl] 2018-03-08
     13 [postfix-sasl] 2018-03-09
     28 [postfix-sasl] 2018-03-10
     29 [postfix-sasl] 2018-03-11
     18 [postfix-sasl] 2018-03-12
      2 [postfix-sasl] 2018-03-14
      5 [postfix-sasl] 2018-03-15
      3 [postfix-sasl] 2018-03-16
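The IP, subnet, jail and per-day reports from sections 1, 3, 5 and 6 collected into one set of shell functions, added here as an example; this is not code from the original article. The functions read log text on stdin, so the same report runs over one file or over every rotated file with `zcat -f /var/log/fail2ban.log* | ip_report`. The sample log lines are constructed and mix the older layout with the newer "[pid]:" layout; the `jail()` awk function, which finds the "[jail]" token by its shape instead of by field number, and the exclusion of Unban and "Restore Ban" lines (written by newer releases when bans are re-applied from the database on restart) are this example's own choices.

```shell
#!/bin/sh
# Added example: Fail2Ban log reports as functions that read the log on stdin.
export LC_ALL=C   # deterministic sort order regardless of locale

# Constructed sample log. Lines 1-3 use the older layout
# ("fail2ban.actions: LEVEL [jail] Ban ip"); lines 4-7 use the newer layout,
# which inserts a "[pid]:" token and pads the columns, shifting every later
# field. The Unban and "Restore Ban" lines must not be counted as new bans.
SAMPLE_LOG='2018-03-10 10:00:01,123 fail2ban.actions: WARNING [ssh] Ban 81.248.5.48
2018-03-10 10:05:02,456 fail2ban.actions: WARNING [ssh] Unban 81.248.5.48
2018-03-10 11:00:03,789 fail2ban.actions: WARNING [postfix-sasl] Ban 200.61.196.52
2018-03-11 09:00:04,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 81.248.5.48
2018-03-11 09:30:05,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 81.248.9.9
2018-03-11 10:00:06,000 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 200.61.196.52
2018-03-11 10:00:07,000 fail2ban.actions        [1234]: NOTICE  [sshd] Restore Ban 81.248.5.48'

# Keep only fresh ban events: the token before the IP is exactly "Ban" (so
# "Unban" is dropped) and the token before that is not "Restore".
ban_lines() {
    awk 'NF >= 3 && $(NF-1) == "Ban" && $(NF-2) != "Restore"'
}

# Section 1/2: bans per IP, most-banned last.
ip_report() {
    ban_lines | awk '{ print $NF }' | sort | uniq -c | sort -n
}

# Section 3: bans per leading two octets, to spot noisy /16s.
subnet_report() {
    ban_lines | awk '{ print $NF }' | awk -F. '{ print $1 "." $2 "." }' \
        | sort | uniq -c | sort -n
}

# awk helper (assumed, not fail2ban's): return the first "[jail]" token.
# It is found by shape, so both layouts work; "[1234]:" carries a trailing
# colon and therefore never matches /^\[[^]]+\]$/.
jail_fn='function jail(   i) { for (i = 1; i <= NF; i++) if ($i ~ /^\[[^]]+\]$/) return $i; return "?" }'

# Section 5: bans per IP per jail.
jail_report() {
    ban_lines | awk "$jail_fn;"' { print $NF, jail() }' | sort | uniq -c | sort -n
}

# Section 6: bans per jail per day ($1 is the date in both layouts).
daily_report() {
    ban_lines | awk "$jail_fn;"' { print jail(), $1 }' | sort | uniq -c
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ip_report
printf '%s\n' "$SAMPLE_LOG" | jail_report
printf '%s\n' "$SAMPLE_LOG" | daily_report
```

Over the sample, 81.248.5.48 is reported twice, not three or four times: the Unban line and the Restore Ban line are filtered out by ban_lines, while the two real bans, one in each log layout, are both counted and attributed to their jails ([ssh] and [sshd]).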