Yesterday, I installed Fail2Ban on a CentOS 7 server after noticing SSH break-in attempts by password guessing. Today, I checked the fail2ban log to see how many IP addresses were banned and whether, after being banned for an hour, there were any subsequent password guessing attempts from the same IP address. I saw that 40 IP addresses had been banned since I installed Fail2Ban last night and that some of those addresses had been banned multiple times.

You can count the number of times each IP address has been banned by using the awk command

awk '($(NF-1) ~ /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

The awk expression prints the last field of a log line (the IP address) when the next-to-last field matches "Ban"; sort and uniq -c then count how many times each address appears. You can pipe the output of that command to the wc command wc -l to count the total number of lines, which tells you the number of IP addresses that have been banned, as explained at Fail2ban logging.

[root@moonpoint ~]# awk '($(NF-1) ~ /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
      1 103.50.219.194
      1 104.200.134.181
      1 104.244.77.37
      1 107.189.14.174
      1 107.189.14.230
      1 107.189.14.41
      1 107.189.1.96
      1 107.189.31.223
      1 107.189.8.233
      1 183.157.169.70
      1 183.195.121.197
      1 205.185.123.33
      1 205.185.124.131
      1 209.141.42.29
      1 221.131.165.50
      1 221.131.165.56
      1 221.181.185.151
      1 221.181.185.198
      1 222.186.30.112
      1 222.187.254.41
      1 64.225.49.153
      1 71.9.165.219
      2 104.244.76.64
      2 107.189.12.163
      2 209.141.36.75
      2 209.141.40.64
      2 221.131.165.65
      2 222.186.30.76
      2 222.187.232.39
      3 107.189.13.104
      3 45.61.184.115
      3 70.62.137.84
      4 187.149.76.88
      4 189.85.145.113
      4 205.185.122.239
      4 209.141.57.74
      4 210.73.207.44
      4 222.186.42.137
      5 209.141.34.165
      5 89.211.207.62
[root@moonpoint ~]# awk '($(NF-1) ~ /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | wc -l
40
[root@moonpoint ~]#
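The ban count alone does not show whether an address resumed guessing after its one-hour ban expired. The script below is an added example, not part of the original post, that reports for each banned address both the ban count and whether a failed login was logged after an Unban. The function names ban_summary and write_sample_log are hypothetical, the log layout in the header comment is an assumption, and the sample log is constructed.

```shell
#!/bin/sh
# Added example. Assumed fail2ban.log layout (whitespace-separated):
#   DATE TIME fail2ban.actions [PID]: NOTICE [jail] Ban|Unban IP
#   DATE TIME fail2ban.filter  [PID]: INFO   [jail] Found IP - DATE TIME

# Print "<ban count> <returned after unban: yes|no> <ip>" per banned address.
ban_summary() {
    awk '
        {   # The action word is the field right after the [jail] field.
            act = ""; ip = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^\[.*\]$/ && $(i+1) ~ /^(Ban|Unban|Found)$/) {
                    act = $(i+1); ip = $(i+2); break
                }
        }
        act == "Ban"   { bans[ip]++; free[ip] = 0 }
        act == "Unban" { free[ip] = 1 }
        # A failed login seen while the address is unbanned: it came back.
        act == "Found" && free[ip] { back[ip] = 1 }
        END {
            for (ip in bans)
                printf "%d %s %s\n", bans[ip], (back[ip] ? "yes" : "no"), ip
        }
    ' "$1" | sort -n
}

# Constructed sample log (documentation-range addresses, not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
2021-04-04 21:13:50,100 fail2ban.filter  [900]: INFO    [sshd] Found 192.0.2.10 - 2021-04-04 21:13:50
2021-04-04 21:14:03,123 fail2ban.actions [900]: NOTICE  [sshd] Ban 192.0.2.10
2021-04-04 21:20:11,004 fail2ban.actions [900]: NOTICE  [sshd] Ban 198.51.100.7
2021-04-04 22:14:03,456 fail2ban.actions [900]: NOTICE  [sshd] Unban 192.0.2.10
2021-04-04 22:20:11,337 fail2ban.actions [900]: NOTICE  [sshd] Unban 198.51.100.7
2021-04-04 22:31:40,812 fail2ban.filter  [900]: INFO    [sshd] Found 192.0.2.10 - 2021-04-04 22:31:40
2021-04-04 22:32:02,019 fail2ban.actions [900]: NOTICE  [sshd] Ban 192.0.2.10
2021-04-04 22:40:00,000 fail2ban.actions [900]: NOTICE  [sshd] Restore Ban 203.0.113.5
EOF
}

log=$(mktemp)
write_sample_log "$log"
ban_summary "$log"
rm -f "$log"
```

Lines where another word precedes Ban, such as the constructed "Restore Ban" entry, are not counted as new bans because only the word directly after the jail name is treated as the action.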