- Code: Select all
grep -i ban /var/log/fail2ban.log | more
shows the whole line in the log file with the IP address and also the iptables command that was run, like this:
- Code: Select all
2007-07-23 13:26:30,427 INFO: SSH: 211.200.44.249 has 6 login failure(s). Banned.
2007-07-23 13:26:30,429 WARNING: SSH: Ban 211.200.44.249
2007-07-23 13:26:30,430 DEBUG: iptables -L INPUT | grep -q fail2ban-ssh
2007-07-23 13:26:30,431 DEBUG: iptables -I fail2ban-ssh 1 -s '211.200.44.249' -j DROP
2007-07-23 13:26:30,432 INFO: proftpd: 211.200.44.249 has 6 login failure(s). Banned.
2007-07-23 13:26:30,434 WARNING: proftpd: Ban 211.200.44.249
2007-07-23 13:26:30,435 DEBUG: iptables -L INPUT | grep -q fail2ban-ftp
2007-07-23 13:26:30,436 DEBUG: iptables -I fail2ban-ftp 1 -s '211.200.44.249' -j DROP
Generating Simple Reports
All of the following commands can be run at the command-line or via a script. They are written for Linux/UNIX systems but may work on other platforms.
Grouping by IP address:
- Code: Select all
awk '($(NF-1) ~ /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
Note: the variable NF equals the number of fields in each row of the logfile, so $NF is the value of the last field (the IP address) and $(NF-1) is the word before it, which is "Ban" on the lines we want. The match operator is ~ (a single = would assign to the field rather than test it). The final sort -n orders by count numerically instead of as text.
Sample output:
- Code: Select all
...
4 XXX.124.81.130
5 XXX.248.175.246
8 XXX.29.45.142
Remember that each time an IP address gets banned it's because it has been caught at least maxretry times (the fail2ban setting that fixes the failure threshold), so a total of 8 bans represents perhaps 30 matches in the relevant logfile. Once an address reaches 10-20 bans you might consider it a candidate for reporting to its ISP, or for a more permanent solution (see below).
To run this report for all logfiles only a slight change is needed:
- Code: Select all
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $6}' | sort | uniq -c
or, even better:
- Code: Select all
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $6}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail
This is the best report for identifying problem subnets. The output is the first two octets (the /16) of the most frequently caught address ranges:
- Code: Select all
...
75 83.110.
90 219.95.
154 210.213.
Let's take the last one on the list (highlighted) and see what it's been up to:
- Code: Select all
zgrep -c '210\.213\.' /var/log/fail2ban.log*
The output shows how many times those numbers appear in each logfile:
- Code: Select all
fail2ban.log:39
fail2ban.log.1.gz:129
fail2ban.log.2.gz:55
fail2ban.log.3.gz:78
fail2ban.log.4.gz:22
and which specific IP addresses are involved:
- Code: Select all
zcat /var/log/fail2ban.log* | awk '(NF == 6 && $NF ~ /^210\.213\./){print $NF}' | sort | uniq -c
The output of this will be a list of the IP addresses starting with 210.213. If they look like they're part of a subnet (or multiple subnets) you can enter the lowest and highest addresses in our Subnet Calculator to get the CIDR block, which you can then add to your firewall rules (see below for details).
Grouping by IP address and Hostname:
The command for including hostnames in the list is a bit more complicated. You also need to insert the correct path for the logresolve program which converts IP addresses to hostnames (the path may be something like /usr/sbin/logresolve but it varies between systems):
- Code: Select all
awk '($(NF-1) ~ /Ban/){print $NF,"("$NF")"}' /var/log/fail2ban.log | sort | logresolve | uniq -c | sort -n
Note: The logresolve command can take some time, especially if there are a lot of IP addresses to be processed.
The output is similar to what we've seen previously, but also includes the hostname which makes it easier to identify the ISP and/or country of origin and to see which entries might be related:
- Code: Select all
...
4 XXX.net.pk (XXX.83.169.221)
5 XXX.248.175.246 (XXX.248.175.246)
8 XXX.example.com.au (XXX.29.45.142)
You can of course just run dig, nslookup or logresolve manually on the addresses that you want to identify.
Group by IP address and Fail2Ban section:
- Code: Select all
grep "Ban " /var/log/fail2ban.log | awk -F[\ \:] '{print $10,"("$7")"}' | sort | uniq -c | sort -n
This shows us which services each IP address has been trying to access/exploit:
- Code: Select all
...
4 XXX.124.81.130 (SMTP)
5 XXX.248.175.246 (SMTP)
8 XXX.29.45.142 (SMTP)
Now you know which logfiles to look in to see what they were doing to get banned. In this case it's most likely passing forged mail headers to sendmail, which you can see in /var/log/mail/mail.log (or the relevant file on your system).
Reporting on 'today's activity:
Here's a report I find useful to run before midnight each day to generate a summary of the day's activity:
- Code: Select all
grep "Ban " /var/log/fail2ban.log | grep `date +%Y-%m-%d` | awk '{print $6}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
The output will be the same as the second report above, but limited to just today's activity rather than the whole logfile.
Grouping by Date and Fail2Ban section
This report scans all fail2ban logfiles and gives you a summary of how many ban events there were for each section on each day:
- Code: Select all
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $4,$1}' | sort | uniq -c
This can give you an idea of longer-term trends and the effectiveness of your firewall rules. This method of examining all logfiles rather than just the current one can also be applied to most of the reports above.
(copied from http://www.the-art-of-web.com/system/fail2ban-log/)
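As an added example (not part of the article quoted above): the one-liners all share the same first step, pulling "Ban <ip>" lines out of the log, so the script below factors that into a single extractor and builds the per-IP, per-/16, per-IP-and-jail, per-date-and-jail and per-day reports on top of it. The extractor keys on the two trailing fields "Ban" and the address, which excludes both the "... Banned." info lines and the Unban lines that a plain grep for "Ban" would also catch, and it strips the jail token so that the old "SSH:" form shown above and the newer bracketed "[sshd]" form both yield a plain jail name. The sample log is constructed for the demonstration; the jail names and addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own code. Reads fail2ban log lines on
# stdin and produces the report views discussed above.

# Constructed sample log: old-style lines as on this page plus one line in the
# newer bracketed format. Addresses and jail names are placeholders.
sample_log() {
    cat <<'EOF'
2007-07-23 13:26:30,427 INFO: SSH: 211.200.44.249 has 6 login failure(s). Banned.
2007-07-23 13:26:30,429 WARNING: SSH: Ban 211.200.44.249
2007-07-23 13:26:30,434 WARNING: proftpd: Ban 211.200.44.249
2007-07-23 14:01:12,001 WARNING: SSH: Ban 210.213.5.7
2007-07-24 02:15:00,500 WARNING: SSH: Ban 210.213.9.1
2007-07-24 02:16:00,500 WARNING: SSH: Unban 210.213.9.1
2007-07-24 03:00:00,100 WARNING: SMTP: Ban 211.200.44.249
2023-05-01 10:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 210.213.5.7
EOF
}

# Emit "date jail ip" for every ban event. Requiring the second-to-last field
# to be exactly "Ban" skips the "... Banned." and "Unban" lines; the jail is
# the field before that, with ':' and '[' ']' removed ("SSH:" -> SSH,
# "[sshd]" -> sshd).
ban_events() {
    awk '
    $(NF-1) == "Ban" {
        jail = $(NF-2)
        gsub(/\[|\]|:/, "", jail)
        print $1, jail, $NF
    }'
}

# Bans per IP address, busiest last (sort -n so 154 does not sort before 75).
report_by_ip() {
    ban_events | awk '{print $3}' | sort | uniq -c | sort -n
}

# Bans per /16 (first two octets): the "problem subnet" view.
report_by_subnet16() {
    ban_events | awk '{split($3, o, "."); print o[1] "." o[2] "."}' \
        | sort | uniq -c | sort -n
}

# Which jails each address has tripped.
report_by_ip_jail() {
    ban_events | awk '{print $3, "(" $2 ")"}' | sort | uniq -c | sort -n
}

# Ban events per jail per day, for longer-term trends.
report_by_date_jail() {
    ban_events | awk '{print $1, $2}' | sort | uniq -c
}

# Bans per IP restricted to one day (YYYY-MM-DD); defaults to today.
report_for_day() {
    day=${1:-$(date +%Y-%m-%d)}
    ban_events | awk -v d="$day" '$1 == d {print $3}' | sort | uniq -c | sort -n
}

# Demo on the constructed sample; for real logs source this file and run e.g.
#   zgrep -h "Ban " /var/log/fail2ban.log* | report_by_subnet16
sample_log | report_by_subnet16
```

Sourcing the file (`. ./fail2ban-report.sh`) and piping `zgrep -h "Ban " /var/log/fail2ban.log*` into any of the report functions covers all rotated logs, as the article's zgrep variants do; pipe the output through logresolve as above if hostnames are wanted.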