Parsing Fail2ban logs


2012-10-04

Fail2ban is a log scanner for SSH (and other services) that can block connections from IP addresses that enter incorrect credentials too many times. It's very handy if you have an OpenSSH server connected to the Internet, as it will likely get heavy traffic from people or bots trying to log in. Once you have Fail2ban installed, it's pretty interesting to check out the logs. Every ban is written as a line ending in "Ban <address>" (an unban ends in "Unban <address>", which is why the comparison below is on the exact word), so you can see the number of times each IP address has been blocked with this command (the log is normally readable only by root, hence sudo):

sudo awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -nr

That will get you the recent bans, but the log is rotated by logrotate (how often, and how many old copies are kept, depends on your distribution's /etc/logrotate.d/fail2ban), so here is a command that will get you a more complete list:

sudo cp /var/log/fail2ban.log* .; sudo gunzip fail2ban.log.*.gz;\
for l in fail2ban.log*; do cat "$l" >> fail2bantotals; done;\
awk '$(NF-1) == "Ban" {print $NF}' fail2bantotals | sort | uniq -c | sort -nr

That command copies all the Fail2ban logs to your current directory, unzips the compressed ones, dumps the text into a common file (fail2bantotals), then parses the collection. You should get something like this:

54 75.127.65.186
36 178.137.194.52
23 94.77.193.239
23 210.107.122.209
21 69.172.133.250
 5 61.148.75.130
 3 74.122.227.71
 3 61.43.190.165
 3 61.155.178.242
 2 91.205.189.15
 2 211.169.65.3
 2 200.160.6.5
 1 101.79.68.141
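The two commands above do the same job on the live log and on the rotated copies. Here is an added example (my code, not from the original post) that wraps that parsing in shell functions, so it can be run against a few log lines as well as against a whole /var/log/fail2ban.log* set. The sample lines are constructed in the log format of the time with documentation addresses, and include an Unban line and a non-action line that must not be counted; the function names are mine. It also goes a little beyond the post by counting per jail as well as per address, and by streaming the compressed and uncompressed logs together with gzip -cdf instead of copying and unzipping them first.

```sh
#!/bin/sh
# Added example, not from the original post: count Fail2ban "Ban" events per
# address (and per jail) from plain and rotated .gz logs in one pass.

# Constructed sample in the Fail2ban log format (placeholder addresses).
# Only four addresses' Ban lines should count; the Unban line and the
# "Log rotation" line must be ignored.
SAMPLE_LOG='2012-10-04 09:12:01,314 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2012-10-04 09:12:05,002 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2012-10-04 09:45:11,880 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2012-10-04 09:52:01,400 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
2012-10-04 10:03:17,111 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2012-10-04 10:30:00,000 fail2ban.actions: WARNING [apache] Ban 203.0.113.9
2012-10-04 10:41:09,550 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2012-10-04 11:02:44,020 fail2ban.actions: WARNING [ssh] Ban 192.0.2.55'

# count_bans: read Fail2ban log text on stdin, print "<count> <address>" lines,
# most-banned first (ties broken by address). The second-to-last field must be
# exactly "Ban", so "Unban" lines and unrelated lines are skipped.
count_bans() {
    awk '$(NF-1) == "Ban" { print $NF }' |
        sort | uniq -c | sort -b -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# count_bans_by_jail: same, keyed on "<jail> <address>", so one host banned by
# two jails shows up once per jail.
count_bans_by_jail() {
    awk '$(NF-1) == "Ban" { print $(NF-2), $NF }' |
        sort | uniq -c | sort -b -k1,1nr -k2,2 -k3,3 | awk '{ print $1, $2, $3 }'
}

# all_bans_from_files: count across the live log and its rotated copies.
# gzip -cdf decompresses .gz files and passes plain files through unchanged.
# Usage (as root, since the logs are root-readable):
#   all_bans_from_files /var/log/fail2ban.log*
all_bans_from_files() {
    gzip -cdf "$@" | count_bans
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_bans
```

The per-address output for the sample is three lines: 203.0.113.9 banned three times (twice by the ssh jail, once by apache), 198.51.100.7 twice (the Unban between them is not counted), and 192.0.2.55 once. On a real host, `sudo sh -c '. ./bans.sh; all_bans_from_files /var/log/fail2ban.log*'` replaces the copy-and-gunzip dance from the post. One caveat: if your Fail2ban version writes "Restore Ban" lines when it reloads its ban list on restart, those also end in "Ban <address>" and would be counted; add `&& $(NF-2) != "Restore"` to the awk condition if you only want fresh bans.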