Understanding fail2ban.log contents

stevep · October 15, 2020, 9:59pm

Are these lines in /var/log/fail2ban.log IP’s that have been banned?

2020-10-15 13:41:45,244 fail2ban.filter [700]: INFO [sshd] Found 195.29.102.42 - 2020-10-15 13:41:45
2020-10-15 13:46:45,520 fail2ban.filter [700]: INFO [sshd] Found 45.14.149.8 - 2020-10-15 13:46:44
2020-10-15 13:54:12,548 fail2ban.filter [700]: INFO [sshd] Found 106.124.137.103 - 2020-10-15 13:54:12
2020-10-15 14:23:53,470 fail2ban.filter [700]: INFO [sshd] Found 122.51.114.226 - 2020-10-15 14:23:52
2020-10-15 14:36:55,118 fail2ban.filter [700]: INFO [dovecot] Found 91.241.19.60 - 2020-10-15 14:36:54

Thank you.

stevep · October 16, 2020, 11:52pm

Anyone have an answer to this?

I was trying to become more educated on administering my MIAB server.

I found the fail2ban documentation hard to understand.

Thank you.

andrew · October 17, 2020, 2:26am

Hi - those lines will be the various login (attack) attempts, it’s fail2ban saying “I looked through the sshd log file and I found an attempt from w.x.y.z at time …”.

Fail2ban doesn’t actually ban an address until a certain number of attempts (I think MIAB has it set at 5) within a certain time interval (10 mins).

And fail2ban looks through various log files, corresponding to various services that might be attacked, so you’ll see [sshd] (being ssh login attempts, logged in auth.log), and so on. The details of what is checked is in /etc/fail2ban/jail.conf.

stevep · October 17, 2020, 7:52pm

Thanks for the reply, but can you clarify where is the record/log of what has actually been banned? (I view auth.log routinely anyway if I want to see login attempts).

Regards.

SpookyWatcher · October 18, 2020, 2:48pm

The location is in the /var/log/fail2ban.log After an ip has made enough attempts to trigger a ban it will be in that log and look like this:

2020-10-18 07:27:06,179 fail2ban.filter         [875]: INFO    [sshd] Found 3.18.220.223 - 2020-10-18 07:27:06
2020-10-18 07:27:06,207 fail2ban.actions        [875]: NOTICE  [sshd] Ban 3.18.220.223

This is an actual copy of an entry from my fail2ban.log
You can change the number of attempts in x number of mins to trigger a ban so that a ban will happen quicker.

stevep · October 18, 2020, 8:18pm

EXACTLY what I needed to know. Tks!

After grepping three generations of auth.logs, I don’t get any matches on “NOTICE [sshd] Ban”.

Really odd. I will consider lowering the attempts threshold to trigger at least one ban. Just to ensure it’s working…

Tks again.

Dane · October 20, 2020, 3:18am

I use this script to look for ban entries in the log:

awk '($(NF-1) = /Ban/){print "Date: "$1, "Time: "$2, "Offender: "$NF}' /var/log/fail2ban.log | sort -k 1,2

When I want to look at the archived logs, then I use this:

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print "Date: "$1, "Time: "$2, "Offender: "$NF}' | sort -k 1,2