Getting more out of your Fail2ban logs

With a recent increase in SSH bruteforce attacks, my Fail2ban service is running overtime. For those of you unfamiliar with Fail2ban: it scans log files and bans IPs that show the malicious signs. Banned IP's are temporary jailed and logged.

Fail2ban is a great security measure to protect your servers, however, its logging features are obviously quite basic. Looking for statistics or aggregated counts? Tough luck. However, with some clever shell scripting and the help of a great article on Monitoring the Fail2ban log, you can get a long way.

Bans per IP Address

First, knowing which IP addresses hit your server the most can prove to be really useful. With the help of zgrep, awk, sort and uniq, it is quite simple:

$ zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c

It will list each IP address along with the number of bans. This could be a way of determining which IP addresses to block.

Bans per Day

Similarly, you can group the number of bans per day:

$ zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c

This can reveal certain trends over time, for example.

Top 10 Bans per Subnet

Finally, you can get some insight from the most attacks by subnet:

$ zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c  | sort -n | tail

This will list the top 10 "problematic" IP subnets.

There's More...

Looking for more information on Fail2ban? Want more useful snippets? Visit Fail2ban and iptables or Monitoring the fail2ban log.