How to get a list of all IP addresses banned by Fail2ban

To get a list of all IP addresses banned by Fail2ban (both previously and currently banned), use the command below:

$ sudo zgrep "Ban " /var/log/fail2ban.log*

This gives output like the following:

/var/log/fail2ban.log.2.gz:2019-02-06 23:13:17,287 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.2.gz:2019-02-07 18:02:39,202 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-01 07:58:40,013 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-01 08:09:07,235 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-03 01:02:51,026 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.3.gz:2019-02-03 18:32:39,233 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.4.gz:2019-01-22 21:57:13,781 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX
/var/log/fail2ban.log.4.gz:2019-01-23 01:28:54,538 fail2ban.actions        [1681]: NOTICE  [sshd] Ban XX.XX.XX.XX

Here XX.XX.XX.XX is the IP address that was blocked by Fail2ban. The IP addresses in this post are redacted.

List of all IP addresses banned by Fail2ban:

The command above also shows the date and time when each IP address was blocked, along with other related information. When you just want to list the IP addresses, use the command below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }'

This command lists only the IP addresses, as shown below:

XX.XX.XX.XX
YY.YY.YY.YY
ZZ.ZZ.ZZ.ZZ
XX.XX.XX.XX

You can also count the number of times Fail2ban blocked IP addresses by using either of the commands below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | wc -l
$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | wc -l

Note that the commands above give the total number of ban events, not the number of distinct addresses. To get the list of unique IP addresses blocked by Fail2ban, use the command below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq

To get the number of times each IP address was blocked, run the command below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq -c

2 XX.XX.XX.XX
1 YY.YY.YY.YY
1 ZZ.ZZ.ZZ.ZZ

Here you can see that IP address XX.XX.XX.XX was blocked 2 times and the remaining IP addresses were blocked a single time.

To list the blocked IP addresses in ascending order of ban count, use the command below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq -c | sort -n

List of all IP addresses banned by Fail2ban, grouped by IP address and Hostname:

Use the command below to also include the hostname for each IP address. The logresolve command is not installed by default; you have to install logresolve before running this command.

$ sudo zcat -f /var/log/fail2ban.log* | awk '$(NF-1) == "Ban" {print $NF,"("$NF")"}' | sort | logresolve | uniq -c | sort -n

This time the output includes the hostname, which makes it easier to identify the ISP and/or country of origin and to see which IP addresses might be related to each other.

1 XX.XX.88.218.broad.nc.sc.dynamic.163data.com.cn (218.88.XX.XX)
3 mail.XXXX.net (190.90.XX.XX)

List of all IP addresses banned by Fail2ban, grouped by Fail2ban sections:

The command below lists which services each IP address has been trying to access or exploit. The field numbers $19 and $17 match the log line layout shown at the top of this post.

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk -F'[ :]' '{print $19,$17}' | sort | uniq -c | sort -n

1 218.88.XX.XX [sendmail]
3 190.90.XX.XX [sshd]
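
The fixed field numbers above depend on the exact log layout, and grep "Ban " also matches the "Restore Ban" lines that newer Fail2ban versions write when bans are re-applied after a restart. As an added example (not part of the original post), the function below finds the jail and IP address relative to the word "Ban" instead; the names sample_log and ban_summary and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the fail2ban.log layout shown in this post
# (documentation-range IP addresses, not real log data).
sample_log() {
cat <<'EOF'
2019-02-06 23:13:17,287 fail2ban.actions        [1681]: NOTICE  [sshd] Ban 192.0.2.10
2019-02-06 23:23:17,301 fail2ban.actions        [1681]: NOTICE  [sshd] Unban 192.0.2.10
2019-02-07 18:02:39,202 fail2ban.actions        [1681]: NOTICE  [sshd] Ban 192.0.2.10
2019-02-07 18:05:00,110 fail2ban.actions [1681]: NOTICE [sendmail] Ban 198.51.100.7
2019-02-08 09:00:01,004 fail2ban.actions        [1681]: NOTICE  [sshd] Restore Ban 192.0.2.10
2019-02-08 09:14:22,519 fail2ban.filter         [1681]: INFO    [sshd] Found 203.0.113.5
EOF
}

# Read log lines on stdin and print "count ip [jail]", lowest count first.
# A line counts as a ban only when the word "Ban" directly follows a
# bracketed jail name, so "Unban" and "Restore Ban" lines are skipped and
# changes in column padding do not shift the extracted fields.
ban_summary() {
    awk '
        {
            for (i = 2; i < NF; i++) {
                if ($i == "Ban" && $(i-1) ~ /^\[.*\]$/) {
                    print $(i+1), $(i-1)   # IP address, then [jail]
                    break
                }
            }
        }
    ' | sort | uniq -c | sort -n | awk '{ print $1, $2, $3 }'
}

# On a live host (assumes the log path used in this post):
#   sudo zcat -f /var/log/fail2ban.log* | ban_summary
sample_log | ban_summary
```
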

Summary by date and Fail2ban section

If you want a daily count of how many IP addresses were blocked for each service, use the command below:

$ sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $6,$1}' | sort | uniq -c

5 [sshd] 2019-05-06
6 [sendmail] 2019-05-06
9 [sshd] 2019-05-07
8 [sendmail] 2019-05-07

For more ways to analyse Fail2ban logs, please visit Fail2ban Log Analysis