fail2ban cheat sheet

Show all IP addresses and their jails

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select ip,jail from bips"

Show all unique IP addresses

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips"

Show all unique IP addresses in sshd jail

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips where jail='sshd'"

Show top 20 most banned IP addresses in all jails

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select jail,ip,count(*) as count from bips group by ip order by count desc limit 20"

Unban IP

fail2ban-client set <jail-name> unbanip <ip-address>

Status

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     8525
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     4335
   `- Banned IP list:

Show usernames (attempted from banned sources) in order of frequency

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select json_extract(data,'$.users') from bips" | cut -d\' -f 2 | sort | uniq -c | sort -nk 1

Whitelist IP

sudo nano /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = X.X.X.X
service fail2ban restart

Attention: fail2ban is executed by UFW before the rules in "/etc/ufw/before.rules"!

See also

https://github.com/fail2ban/fail2ban