Monitor Fail2ban
fail2ban IP LOG
# tail -n 10 /var/log/fail2ban.log
fail2ban-Client status
# fail2ban-client status
List all currently blocked IPs (queries every jail reported by fail2ban-client):
# fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"
systemctl enable fail2ban.service
systemctl start fail2ban.service
systemctl restart fail2ban.service
See all previously banned IPs in /var/log/fail2ban.log (zgrep also reads the rotated, gzipped logs):
# zgrep 'Ban' /var/log/fail2ban.log*
Generating Simple Reports
Grouping by IP address:
# awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
Grouping by IP address and Hostname:
# awk '$(NF-1) == "Ban" {print $NF,"("$NF")"}' /var/log/fail2ban.log | sort | logresolve | uniq -c | sort -n
Group by IP address and Fail2Ban jail (the field numbers below assume the older log format without the [pid] field; with Fail2ban 0.10+ the fields shift by one):
# grep "Ban " /var/log/fail2ban.log | awk -F[\ \:] '{print $10,$8}' | sort | uniq -c | sort -n
Reporting on today's activity:
# grep "Ban " /var/log/fail2ban.log | grep $(date +%Y-%m-%d) | awk '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
Grouping by date and Fail2Ban jail (same field-number caveat as above):
# zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
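The one-liners above depend on the exact field positions of the log format. As an added example (not part of the original notes), the helper below counts Ban events per jail and per IP by locating the "Ban" token from the end of the line, so it works on both the older format and the 0.10+ format with the [pid] field; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: per-jail / per-IP ban report over fail2ban.log lines.
# Reads log lines on stdin; works for both log formats because it anchors on
# the trailing "... [jail] Ban <ip>" tokens instead of fixed field numbers.

# Constructed sample log lines: old format, new (0.10+) format, and an Unban
# line that must not be counted.
SAMPLE_LOG='2013-04-12 10:00:01,123 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2013-04-12 10:05:33,456 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2024-01-15 08:10:00,789 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-01-15 08:12:00,790 fail2ban.actions        [1234]: NOTICE  [nginx-http-auth] Ban 192.0.2.9
2024-01-15 09:12:00,791 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5'

# Print "<count> <jail> <ip>" for every Ban line read on stdin, least frequent first.
ban_report() {
    awk '
        $(NF-1) == "Ban" {
            jail = $(NF-2)
            gsub(/[][]/, "", jail)      # strip the brackets around the jail name
            count[jail " " $NF]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -n
}

# Total Ban events for one IP across all jails (log lines on stdin).
bans_for_ip() {
    ban_report | awk -v ip="$1" '$3 == ip { total += $1 } END { print total + 0 }'
}

# Stand-alone run over the constructed sample; replace with:
#   zgrep -h "Ban " /var/log/fail2ban.log* | ban_report
printf '%s\n' "$SAMPLE_LOG" | ban_report
```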
Monitor Fail2ban Logs and Firewall Configuration
It's important to know that a service like Fail2ban is working as intended. Start by using systemctl to check the status of the service:
sudo systemctl status fail2ban
If something seems amiss here, you can troubleshoot by checking logs for the fail2ban unit since the last boot:
sudo journalctl -b -u fail2ban
Next, use fail2ban-client to query the overall status of fail2ban-server, or any individual jail:
sudo fail2ban-client status
sudo fail2ban-client status jail_name
Follow Fail2ban's log for a record of recent actions (press Ctrl-C to exit):
sudo tail -F /var/log/fail2ban.log
List the current rules configured for iptables:
sudo iptables -L
Show iptables rules in a format that reflects the commands necessary to enable each rule:
sudo iptables -S
Useful commands
To check fail2ban activity:
Logs: tail /var/log/fail2ban.log
Check status: fail2ban-client status
Check status of certain service: fail2ban-client status ssh
Check regex results: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Unblock IP
If you need to unblock an IP:
using iptables: iptables -D fail2ban-<CHAIN_NAME> -s <IP> -j DROP (Fail2ban 0.10+ names the chain f2b-<JAIL>)
using tcp-wrappers: remove the IP from /etc/hosts.deny
Prefer letting Fail2ban do the unban itself (fail2ban-client set <JAIL> unbanip <IP>) so its own ban list stays in sync with the firewall.