Fail2ban Logging

# ls -lh /var/log/fail2ban.log
-rw-------. 1 root root 624K Apr  9 11:59 /var/log/fail2ban.log

It is a text file and you can see IP addresses that have been banned within it.

# tail /var/log/fail2ban.log
2016-04-09 11:49:22,650 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:49:22,826 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:49:24,296 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:49:25,131 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:49:26,788 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:49:27,003 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:49:27,756 fail2ban.actions        [2076]: NOTICE  [sshd] 183.3.202.184 already banned
2016-04-09 11:49:30,121 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:49:32,531 fail2ban.filter         [2076]: INFO    [sshd] Found 183.3.202.184
2016-04-09 11:59:16,443 fail2ban.actions        [2076]: NOTICE  [sshd] Unban 183.3.202.184
#

If you wish to determine the country of origin for an attack, you can do so via a number of alternatives.

1. GeoIP - You can install GeoIP® software from MaxMind. The company provides commercial software and databases that can be used to associate an IP address with a particular country, but also provides GeoLite2 Free Downloadable Databases, which MaxMind states aren't as accurate as its commercial product, but may be accurate enough for your purposes; it is what I use. You can install the software from source code as explained at Determining the Country Associated with an IP Address or, if you are using a Linux system you may find that you can easily install the free software through your distribution's package manager. E.g., with CentOS Linux, you can install the software with yum by issuing the command yum install geoip. You can then look up the country associated with an IP address by issing the command geoiplookup IP_Address.

   # geoiplookup 183.3.202.184
   GeoIP Country Edition: CN, China

2. Regional internet registries (RIRs) websites - you can look up IP addresses that you found using the websites of regional internet registries, which are responsible for the allocation of blocks of IP addresses - see Looking up an IP address using a RIR
3. Online IP address lookup sites - There are many websites that provide an IP address lookup tool. E.g., you can use the IP Address Lookup tool provided by WhatIsMyIP.com.

If you wish to see a list of IP addresses from the current log file and the number of times that the IP address has been banned, you can use the AWK utility with the following command:

awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

NF is a variable that represents the number of fields AWK finds on a line. Fields are separated by a whitespace character. The $(NF-1) tells AWK that I want to examine the next to last field on a line looking for the word "Ban" in that field. E.g., the following line is a representative line for when fail2ban has banned an IP address after repeated failed login attempts:

2016-04-09 04:27:34,680 fail2ban.actions        [2076]: NOTICE  [sshd] Ban 103.231.43.254

The word "Ban" is the next to last field and the IP address that is being banned is the last field. When AWK sees "Ban" in the next to last field on the line it displays the last field, i.e., $NF. The output of AWK is then piped into the sort utility which sorts the IP addresses and then pipes its output to the uniq utility where the -c parameter instructs the program to prefix lines by the number of occurrences of the line, so if an IP address occurs 11 times, indicating it was banned eleven times, it will be preceded by "11". Then at the last step, the output of uniq is piped into sort again so that the output displayed is sorted so that lines that begin with larger numbers will be displayed later than those beginning with smaller numbers, so an IP address that was banned 11 times will appear after one that was banned only once, but before one that was banned 35 times. To sort by numeric value, a -n parameter is given to the utility. That tells sort that if it sees a line beginning with "203" and another beginning with "2", that the one beginning with "203" should be displayed after the one beginning with "2"; otherwise it would sort them in the reverse order.

E.g., I see the following when I use the command to examine today's fail2ban log on a CentOS server:

# awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
      1 103.231.43.254
      1 119.188.7.134
      1 123.15.53.3
      1 146.148.71.222
      1 152.101.90.82
      1 166.62.85.153
      1 193.201.227.183
      1 218.25.208.122
      1 218.25.208.91
      1 221.203.142.135
      1 222.214.218.200
      1 222.73.205.78
      1 23.96.249.188
      1 31.222.165.88
      1 46.8.44.157
      1 61.178.42.242
      1 82.60.83.168
      1 89.174.66.57
      1 90.63.238.146
      1 94.102.51.34
      2 117.135.131.60
      2 222.186.56.171
      2 61.241.82.125
      7 222.186.34.72
     59 222.186.56.87
     82 183.3.202.183
    188 183.3.202.184
#

Note: that though 103.231.43.254 occurs in the above report with a "1" as the count, that represents the number of times it was banned, not the number of failed login attempts from that IP address; an IP address won't be banned until it reaches the maxretry password attempt limit. E.g., if I search the log for the number of occurences of that IP address, I see the following:

# grep '103.231.43.254' /var/log/fail2ban.log
2016-04-09 04:27:26,515 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:26,543 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:28,443 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:30,353 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:30,382 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:32,497 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:34,549 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:34,579 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:27:34,680 fail2ban.actions        [2076]: NOTICE  [sshd] Ban 103.231.43.254
2016-04-09 04:27:36,920 fail2ban.filter         [2076]: INFO    [sshd] Found 103.231.43.254
2016-04-09 04:37:35,286 fail2ban.actions        [2076]: NOTICE  [sshd] Unban 103.231.43.254

The log entries show that systems are being unbanned after ten minutes. I was expecting systems would be banned for one hour, but when I checked jail.conf, I found the following:

# [DEFAULT]
# bantime = 3600

<text snipped>

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

I.e., the discrepancy between the ban time I expected and the actual ban time was due to the line for bantime = 3600 which is 1 hour (3600 seconds divided by 60 seconds per minute) being commented out with the acutal ban time being specified as ten minutes. Note: if you are changing a value, create a jail.local file in the same directory as jail.conf and put the changed parameter there, since jail.conf may be overwritten whenever you upgrade fail2ban.

In the above log output, I see that one IP address, 183.3.202.184 , which is an IP address assigned to an entity in China, was banned 188 times. Searching through the log file for the number of times that IP address occurred in the log file, I see it was found 3,515 times in the one week of failed login attempts recorded by fail2ban in that log file.

# grep '183.3.202.184' /var/log/fail2ban.log | wc -l
3515

That figure came only from the current fail2ban log file, which logs failed logins from April 3 to today, April 9, 2016. But there is also another compressed log file fail2ban.log-20160403.gz file in the /var/log directory.

# ls -lh /var/log/fail2ban*
-rw-------. 1 root root 637K Apr  9 16:27 /var/log/fail2ban.log
-rw-------. 1 root root 4.2K Apr  3 03:36 /var/log/fail2ban.log-20160403.gz

I can check it as well as the current log file with zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c | sort -n.

# zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c | sort -n
      1 103.231.43.254
      1 104.238.216.90
      1 119.188.7.134
      1 123.15.53.3
      1 125.212.217.115
      1 146.148.71.222
      1 152.101.90.82
      1 159.122.141.73
      1 166.62.85.153
      1 185.130.5.208
      1 193.201.227.183
      1 193.201.227.199
      1 208.67.1.57
      1 218.25.208.122
      1 220.165.143.41
      1 220.165.143.42
      1 221.203.142.135
      1 222.214.218.200
      1 222.73.205.78
      1 23.96.249.188
      1 31.222.165.88
      1 46.8.44.157
      1 61.178.42.242
      1 62.138.2.209
      1 82.60.83.168
      1 89.174.66.57
      1 90.63.238.146
      1 94.102.51.34
      2 117.135.131.60
      2 218.25.208.91
      2 61.241.82.125
      3 222.186.56.171
      8 222.186.34.72
     59 222.186.56.87
     82 183.3.202.183
    203 183.3.202.184

I can see that the 183.3.202.183 and 203 183.3.202.184 still appear as the worst offenders for break-in attempts. If I look up those addresses at the Internet Storm Center site, I find both have been reported:

Since there were so many break-in attempts from these two IP addresses, I decided to implement a permanent firewall block against both IP addresses. Since the server to which they were attempting to gain access is a CentOS 7 system running FirewallD as the firewall software, I used the following commands to permanently ban those IP addresses.

# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='183.3.202.183' reject"
success
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='183.3.202.184' reject"
success
# systemctl restart firewalld.service
#

References:

1. System: Monitoring the fail2ban log
   The Art of Web
2. Monitoring Failed SSH Logins to a CentOS System
   Date: November 9, 2014
   MoonPoint Support

 

Justdeals Daily Electronics Deals