How to find most problematic subnets from Fail2ban log

Attackers are persistent: they keep coming back and looking for security loopholes.

To identify the most problematic subnets from the fail2ban log, use the command below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c

1 103.79.
1 103.89.
2 120.92.
1 148.70.
8 152.136.
13 61.181.
1 61.82.

Here you can see that IP addresses from the 61.181.XX.XX subnet (grouped by the first two octets) are banned most often.

Use the command below to sort the results in ascending order of ban count:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c | sort -n

1 103.79.
1 103.89.
1 148.70.
1 61.82.
2 120.92.
8 152.136.
13 61.181.

To list the individual IP addresses banned from a particular subnet, in this example 152.136.XX.XX, use the command below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '(NF == 8 && $NF ~ /^152\.136\./){print $NF}' | sort | uniq -c

1 152.136.128.XX
1 152.136.133.XX
1 152.136.133.XX
1 152.136.136.XX
1 152.136.139.XX
1 152.136.148.XX
1 152.136.157.XX
1 152.136.88.XX

Here you can see that 8 IP addresses from the 152.136.XX.XX subnet were banned by fail2ban. It clearly shows that once one IP address is blocked, the attacker is renewing the IP address from the ISP and trying to attack again.
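The same analysis as the two pipelines above, as an added Python example that is not part of the original post. It reads the rotated logs (decompressing .gz files like zgrep does), counts bans per prefix for any prefix length rather than only the first two octets, and lists the banned addresses inside a chosen network. One caveat the grep for "Ban " does not cover: newer fail2ban versions write "Restore Ban <ip>" lines when they re-apply existing bans after a restart, and a plain "Ban " grep counts those as fresh bans; the regex here anchors on the jail bracket so only real Ban events count. The log lines in SAMPLE_LOG are constructed for the example; the function names and the /16 default are my choices.

```python
import glob
import gzip
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in fail2ban's log format (not real data). The Unban
# and "Restore Ban" lines are there to show that they must not be counted.
SAMPLE_LOG = """\
2024-01-05 10:12:31,012 fail2ban.actions [1234]: NOTICE [sshd] Ban 61.181.10.2
2024-01-05 10:13:02,445 fail2ban.actions [1234]: NOTICE [sshd] Ban 61.181.10.7
2024-01-05 10:15:02,445 fail2ban.actions [1234]: NOTICE [sshd] Unban 61.181.10.2
2024-01-05 10:20:11,003 fail2ban.actions [1234]: NOTICE [sshd] Ban 152.136.88.5
2024-01-05 10:21:44,900 fail2ban.actions [1234]: NOTICE [sshd] Ban 152.136.133.9
2024-01-05 10:22:01,120 fail2ban.actions [1234]: NOTICE [sshd] Restore Ban 152.136.133.9
2024-01-05 10:30:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 103.79.4.4
2024-01-05 10:31:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 61.181.10.2
"""

# Matches "... [jail] Ban <ip>" only. "Unban <ip>" and "Restore Ban <ip>" do not
# match because the word directly after the jail bracket is not "Ban".
BAN_RE = re.compile(r"\]\s+Ban\s+(\S+)\s*$")


def parse_bans(lines):
    """Yield the IP address of every Ban event found in the given log lines."""
    for line in lines:
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            yield ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log: skip it rather than crash


def ban_counts_by_prefix(lines, prefix_len=16):
    """Count Ban events per network prefix. The default /16 is the A.B. grouping
    the awk pipeline produces; keys are CIDR strings such as '61.181.0.0/16'."""
    counts = Counter()
    for ip in parse_bans(lines):
        net = ip_network((str(ip), prefix_len), strict=False)
        counts[str(net)] += 1
    return counts


def ips_in_prefix(lines, cidr):
    """Count Ban events per individual IP inside one network, e.g. '152.136.0.0/16'."""
    net = ip_network(cidr)
    return Counter(str(ip) for ip in parse_bans(lines) if ip in net)


def read_logs(pattern="/var/log/fail2ban.log*"):
    """Read all rotated fail2ban logs, decompressing .gz files the way zgrep does."""
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()  # use list(read_logs()) on a real host
    # Ascending by count, like `sort | uniq -c | sort -n`
    for net, n in sorted(ban_counts_by_prefix(lines).items(), key=lambda kv: kv[1]):
        print(f"{n:4d} {net}")
    print("--- banned addresses inside 152.136.0.0/16 ---")
    for ip, n in sorted(ips_in_prefix(lines, "152.136.0.0/16").items()):
        print(f"{n:4d} {ip}")
```

Passing `prefix_len=24` to `ban_counts_by_prefix` shows whether the bans cluster in a single /24 (one customer range) or are spread across the whole /16, which is a better basis for deciding how wide a block to apply than the two-octet grouping alone.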

For more ways to analyse Fail2ban logs, please visit Fail2ban Log Analysis.