fail2ban cheat sheet
Show all IP addresses and its jail
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select ip,jail from bips"
Show all unique IP addresses
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips"
Show all unique IP addresess in sshd jail
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips where jail='sshd'"
Show top 20 most banned IP addresses in all jails
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select jail,ip,count(*) as count from bips group by ip order by count desc limit 20"
Unban IP
fail2ban-client set <jail-name> unbanip <ip-address>
Status
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 8525
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 4335
`- Banned IP list:Show usernames (attempted from banned sources) in order of frequency
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select json_extract(data,'$.users') from bips" | cut -d\' -f 2 | sort | uniq -c | sort -nk 1
Whitelist IP
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = X.X.X.Xservice fail2ban restart
Attention: fail2ban is executed by UFW before the „/etc/ufw/before.rules“ rule!
