To get a list of all IP addresses banned by Fail2ban (both previously banned and currently banned), use the command below:
$ sudo zgrep "Ban " /var/log/fail2ban.log*
This will give output as shown below:
/var/log/fail2ban.log.2.gz:2019-02-06 23:13:17,287 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.2.gz:2019-02-07 18:02:39,202 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-01 07:58:40,013 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-01 08:09:07,235 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-03 01:02:51,026 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-03 18:32:39,233 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.4.gz:2019-01-22 21:57:13,781 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.4.gz:2019-01-23 01:28:54,538 fail2ban.actions [1681]: NOTICE [sshd] Ban XX.XX.XX.XX
Here XX.XX.XX.XX stands for the IP address that Fail2ban blocked; IP addresses are redacted throughout this post.
List of all IP addresses banned by Fail2ban:
The command above also provides other details, such as the date and time when each IP address was blocked. When you just want to list the IP addresses, use the command below:
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }'
This command will list just the IP addresses, as shown below:
XX.XX.XX.XX
YY.YY.YY.YY
ZZ.ZZ.ZZ.ZZ
XX.XX.XX.XX
You can also count the number of times Fail2ban blocked IP addresses by using either of the commands below:
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | wc -l
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | wc -l
Please note that the commands above give the total number of ban events, so an IP address that was banned several times is counted each time. To get the list of unique IP addresses blocked by Fail2ban, use the command below:
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq
To get the number of times each IP address was blocked, run the command below:
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq -c
2 XX.XX.XX.XX
1 YY.YY.YY.YY
1 ZZ.ZZ.ZZ.ZZ
Here you can see that IP address XX.XX.XX.XX was blocked 2 times and the remaining IP addresses were blocked once.
To list the blocked IP addresses sorted by ban count in ascending order, use the command below:
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq -c | sort -n
List of all IP addresses banned by Fail2ban, grouped by IP address and Hostname:
Use the command below to also include the hostname for each IP address. The logresolve command is not installed by default; install it before running this command. The awk condition compares the field before the address with the word "Ban" (the original used "=", which is an assignment in awk, not a comparison), and the address is printed twice so that logresolve replaces the first copy with the hostname while the second stays in parentheses.
$ sudo zcat -f /var/log/fail2ban.log* | awk '$(NF-1) == "Ban" {print $NF, "(" $NF ")"}' | sort | logresolve | uniq -c | sort -n
This time the output includes the hostname, which makes it easier to identify the ISP and/or country of origin and to see which IP addresses might be related to each other.
1 XX.XX.88.218.broad.nc.sc.dynamic.163data.com.cn (218.88.XX.XX)
3 mail.XXXX.net (190.90.XX.XX)
List of all IP addresses banned by Fail2ban, grouped by Fail2ban sections:
The command below lists which services each IP address has been trying to access or exploit, grouped by Fail2ban jail. The jail name is always two fields before the IP address, so the fields are counted from the end of the line rather than by fixed position:
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF, $(NF-2)}' | sort | uniq -c | sort -n
1 218.88.XX.XX [sendmail]
3 190.90.XX.XX [sshd]
Summary by date and Fail2ban section
If you want a daily count of how many bans Fail2ban issued for each service, use the command below:
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $6,$1}' | sort | uniq -c
5 [sshd] 2019-05-06
6 [sendmail] 2019-05-06
9 [sshd] 2019-05-07
8 [sendmail] 2019-05-07
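As an added example (not part of the original post), the per-IP, per-jail and per-day summaries above in one small script. It counts fields from the end of the line, so it also works when the log writes fail2ban.actions[PID]: without a space and with IPv6 addresses, and it ignores Unban lines. The log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed fail2ban.log lines
# covering both log layouts seen in practice, an Unban line and an IPv6 ban.
SAMPLE_LOG='2019-02-06 23:13:17,287 fail2ban.actions [1681]: NOTICE [sshd] Ban 203.0.113.10
2019-02-06 23:23:17,287 fail2ban.actions [1681]: NOTICE [sshd] Unban 203.0.113.10
2019-02-07 01:02:51,026 fail2ban.actions[1681]: NOTICE [sendmail] Ban 198.51.100.7
2019-02-07 18:02:39,202 fail2ban.actions [1681]: NOTICE [sshd] Ban 203.0.113.10
2019-02-07 18:10:00,000 fail2ban.actions [1681]: NOTICE [sshd] Ban 2001:db8::1'

# Bans per address, most banned first. The exact comparison with "Ban" skips
# "Unban" lines; awk does the counting so the output has no padded columns
# like those of uniq -c.
bans_per_ip() {
    awk '$(NF-1) == "Ban" { n[$NF]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Bans per address and jail; the jail name is always two fields before the IP.
bans_per_ip_jail() {
    awk '$(NF-1) == "Ban" { n[$NF " " $(NF-2)]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Daily ban count per jail; the date is always the first field.
bans_per_day_jail() {
    awk '$(NF-1) == "Ban" { n[$1 " " $(NF-2)]++ }
         END { for (k in n) print n[k], k }' | sort -k2,2 -k3,3
}

# On a real host, feed the logs instead of the sample:
#   sudo zcat -f /var/log/fail2ban.log* | bans_per_ip
printf '%s\n' "$SAMPLE_LOG" | bans_per_ip
printf '%s\n' "$SAMPLE_LOG" | bans_per_ip_jail
printf '%s\n' "$SAMPLE_LOG" | bans_per_day_jail
```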
For more ways to analyse Fail2ban logs, please visit Fail2ban Log Analysis.