Monitor Fail2ban

Fail2ban log (most recent entries, including Ban/Unban lines with the offending IP):

# tail -n 10 /var/log/fail2ban.log

fail2ban-client status (server status and the list of active jails):

# fail2ban-client status

List all currently banned IPs, per jail (reads the jail list from the status output, then queries each jail; fail2ban-client prints a tab after "Jail list:", which is why the jail names survive as $2 after the spaces are stripped; newer releases also provide fail2ban-client banned):

# fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

Enable at boot, start, restart:

# systemctl enable fail2ban.service

# systemctl start fail2ban.service

# systemctl restart fail2ban.service

See every ban recorded in the current and rotated logs (zgrep also reads the .gz rotations; "Ban" does not match "Unban" lines, but it does match "Restore Ban" lines written when bans are re-applied from the database after a restart):

# zgrep 'Ban' /var/log/fail2ban.log*

Generating Simple Reports

Grouping by IP address (number of bans per address; "Ban" is the second-to-last field and the IP the last field in both the 0.8 and the 0.9+ log formats, so counting from the end is version independent):

# awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n


Grouping by IP address and hostname (logresolve, from the Apache utilities, replaces the leading IP of each line with its reverse-DNS name, so the output reads "hostname (IP)"):

# awk '$(NF-1) == "Ban" {print $NF,"("$NF")"}' /var/log/fail2ban.log | sort | logresolve | uniq -c | sort -n


Grouping by IP address and Fail2ban jail (the jail is the third field from the end; fixed positions such as $8 and $10 shift between fail2ban 0.8, which logs "fail2ban.actions: WARNING [ssh] Ban ...", and 0.9+, which logs "fail2ban.actions [pid]: NOTICE [sshd] Ban ..."):

# awk '$(NF-1) == "Ban" {print $NF,$(NF-2)}' /var/log/fail2ban.log | sort | uniq -c | sort -n


Reporting on today's activity (the date is the first field of every log line):

# grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d)" | awk '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n

Grouping by date and Fail2ban jail (zgrep -h includes the rotated .gz logs and omits the file name prefix so the awk fields line up):

# zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $(NF-2),$1}' | sort | uniq -c
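The one-liners above all hinge on picking the right fields out of a log whose layout changed between fail2ban 0.8 and 0.9+. The following script is an added example for this page, not part of fail2ban or of the original notes: it builds a small constructed log (made-up RFC 5737 addresses, both line formats, plus Unban, Found and "Restore Ban" lines that a bare grep "Ban" would miscount) and produces the same four reports by counting fields from the end of each line, which works for either format. The sample file, the FAIL2BAN_LOG variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not fail2ban's own tooling): version-independent ban reports.
#
# fail2ban 0.8:  2013-05-18 13:29:05,112 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
# fail2ban 0.9+: 2023-01-05 09:12:44,101 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
# Positions from the left ($5, $8, $10) differ between the two; from the right they
# agree: $NF is the IP, $(NF-1) is "Ban", $(NF-2) is the [jail], $1 is the date.

# Constructed sample log (not real data). Set FAIL2BAN_LOG=/var/log/fail2ban.log
# to run the same reports on the real file.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2013-05-18 13:29:05,112 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2013-05-18 13:29:10,004 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
2023-01-05 09:00:00,000 fail2ban.actions [1234]: NOTICE [sshd] Restore Ban 192.0.2.55
2023-01-05 09:12:44,101 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2023-01-05 09:13:01,220 fail2ban.filter [1234]: INFO [sshd] Found 198.51.100.9 - 2023-01-05 09:13:01
2023-01-05 09:13:02,330 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9
2023-01-05 09:20:00,000 fail2ban.actions [1234]: NOTICE [apache-auth] Ban 203.0.113.7
2023-01-06 02:00:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.55
EOF
LOG=${FAIL2BAN_LOG:-$SAMPLE_LOG}

# Genuine new-ban events only: "Ban" must be the second-to-last field (this drops
# Unban and Found lines) and must not be preceded by "Restore" (bans re-applied
# from the database at restart, which are not new attacker activity).
ban_lines() {
  awk '$(NF-1) == "Ban" && $(NF-2) != "Restore"' "$LOG"
}

# Bans per IP, most frequent offender last.
bans_by_ip() {
  ban_lines | awk '{print $NF}' | sort | uniq -c | sort -n
}

# Bans per IP and jail.
bans_by_ip_jail() {
  ban_lines | awk '{print $NF, $(NF-2)}' | sort | uniq -c | sort -n
}

# Bans per day and jail.
bans_by_day_jail() {
  ban_lines | awk '{print $1, $(NF-2)}' | sort | uniq -c
}

# Bans per IP on one day; defaults to today.
bans_on_day() {
  day=${1:-$(date +%Y-%m-%d)}
  ban_lines | awk -v d="$day" '$1 == d {print $NF}' | sort | uniq -c | sort -n
}

report() {
  echo "== bans by IP";           bans_by_ip
  echo "== bans by IP and jail";  bans_by_ip_jail
  echo "== bans by day and jail"; bans_by_day_jail
  echo "== bans on 2023-01-05";   bans_on_day 2023-01-05
}

report
```

Run it as-is to see the reports on the constructed sample, or with FAIL2BAN_LOG pointed at the real log; pipe bans_by_ip through logresolve as the page does if hostnames are wanted. On the sample, 203.0.113.7 shows 3 bans (ssh, sshd, apache-auth) while the Unban and Restore lines are not counted.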


Monitor Fail2ban Logs and Firewall Configuration

It's important to know that a service like Fail2ban is working as intended. Start by using systemctl to check the status of the service:

sudo systemctl status fail2ban

If something seems amiss here, you can troubleshoot by checking logs for the fail2ban unit since the last boot:

sudo journalctl -b -u fail2ban

Next, use fail2ban-client to query the overall status of fail2ban-server, or any individual jail:

sudo fail2ban-client status

sudo fail2ban-client status jail_name

Follow Fail2ban's log for a record of recent actions (press Ctrl-C to exit):

sudo tail -F /var/log/fail2ban.log

List the current rules configured for iptables (each jail gets its own chain, named f2b-<jail> on fail2ban 0.9 and later or fail2ban-<jail> on 0.8, and a banned address appears as a REJECT or DROP rule inside that chain):

sudo iptables -L

Show iptables rules in a format that reflects the commands necessary to enable each rule:

sudo iptables -S

If the jail's banaction is one of the nftables actions rather than iptables, inspect the ruleset with nft list ruleset instead.

Useful commands

To check fail2ban activity:

Logs: tail /var/log/fail2ban.log

Check status: fail2ban-client status

Check status of a specific jail (use the jail name as shown in the status output, e.g. sshd on current versions or ssh on old 0.8-era Debian configs): fail2ban-client status sshd

Check that a filter's failregex actually matches the log (reports the number of matched and missed lines): fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Unblock IP

If an IP needs to be unbanned:

using fail2ban-client (preferred, since it also updates fail2ban's own ban list): fail2ban-client set <JAIL> unbanip <IP>

using iptables directly: iptables -D f2b-<JAIL> -s <IP> -j REJECT --reject-with icmp-port-unreachable
(the chain is fail2ban-<JAIL> on 0.8; the default blocktype is REJECT, not DROP, so copy the exact rule from iptables -S; fail2ban will still consider the IP banned until its bantime expires)

using tcp-wrappers (only for jails whose action writes to hosts.deny): remove IP from /etc/hosts.deny