Previously we gave our readers who use Fail2Ban a set of fairly complicated commands for checking on it, and another approach was drawing a graph with BadIPs. This Fail2Ban log analysis bash script generates a report instead: the attacker IPs that were banned and unbanned, failed password attempts per day, and a breakdown of banned IPs by country and ASN. It is built from ordinary shell commands, and we think any sysadmin can use it to check a system quickly.
Fail2Ban Log Analysis Bash Script
We have a dedicated GitHub project for the script. Basically, create a bash script with any name, for example notfailed.sh, with this content:
```bash
#!/bin/bash
# Fail2Ban log report: IPs banned today, failed SSH passwords per day, IPs
# unbanned today, and a GeoIP country/ASN breakdown of every banned IP.
# Requires /var/log/fail2ban.log and /var/log/auth.log*, plus logresolve
# (apache2-utils) and geoiplookup (geoip-bin) on the PATH.
TODAY=$(date +%Y-%m-%d)
echo "This script needs the Fail2Ban log under /var/log and GeoIP to be installed."
echo "----------------------------------------------------------------------------"
echo "----------------------------------------------------------------------------"
echo "Bad IPs banned today, from /var/log/fail2ban.log alone :"
echo "---Number-----IP-------------------------------------------------------------"
# "Ban " is case-sensitive, so "Unban " lines are not matched; logresolve turns
# the leading IP into a hostname and keeps the "(IP)" we append after it.
grep "Ban " /var/log/fail2ban.log | grep "$TODAY" | awk '{print $NF}' | sort \
  | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
echo "----------------------------------------------------------------------------"
echo "---Number of failed password attempts from all auth.log files (gzipped too):"
echo "Number--MM--DD-------------------------------------------------------------"
# zgrep -h reads plain and rotated .gz files alike and omits the file name
zgrep -h 'Failed password' /var/log/auth.log* | grep sshd | awk '{print $1,$2}' | sort | uniq -c
echo "Kind heartedly you unbanned :"
echo "---Number-----IP-------------------------------------------------------------"
grep "Unban " /var/log/fail2ban.log | grep "$TODAY" | awk '{print $NF}' | sort \
  | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
echo "Countries and ASNs from fail2ban.log* that got banned (needs GeoIP installed) :"
echo "---Number--ASN------ISP------------------------------------------------------"
# One geoiplookup per distinct banned IP, then count IPs per country / ASN.
# (Feeding "uniq -c" output to xargs here would also look up the counts
# themselves, which shows up as "IP Address not found" lines.)
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort -u \
  | xargs -n 1 geoiplookup | sort | uniq -c | sort -n \
  | sed -r 's/ GeoIP Country Edition://g; s/ GeoIP ASNum Edition://g'
echo "----------------------------------------------------------------------------"
echo "----------------------------------------------------------------------------"
echo "Fail2Ban Log Check by thecustomizewindows.com, Dr. Abhishek Ghosh"
echo "End of report"
echo "Visit https://thecustomizewindows.com for more help."
```
Then make it executable and run it (running it as "sh notfailed.sh" would ignore the bash shebang; ./ honours it):

```bash
chmod +x notfailed.sh
./notfailed.sh
```
You'll get a report like this (truncated):
```text
This script need Fail2Ban Log at /var/log location and GeoIP to be installed.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Bad IPs from only from /var/log/fail2ban.log alone :
---Number-----IP-------------------------------------------------------------
111 123.183.209.132 (123.183.209.132)
...
...
4 HSI-KBW-5-158-155-172.hsi19.kabel-badenwuerttemberg.de (5.158.155.172)
----------------------------------------------------------------------------
---Number of password attempts failed from all non-gzipped fail2ban.log files:
Number--MM--DD-------------------------------------------------------------
345 Jun 1
279 Jun 2
...
...
375 May 31
Kind heartedly you unbanned :
---Number-----IP-------------------------------------------------------------
111 123.183.209.132 (123.183.209.132)
...
...
4 HSI-KBW-5-158-155-172.hsi19.kabel-badenwuerttemberg.de (5.158.155.172)
Countries from fail2ban.log who are Banned(Needs GeoIP to be installed) :
---Number--ASN------ISP------------------------------------------------------
10 AS4808 China Unicom Beijing Province Network
14 AS45899 VNPT Corp
...
...
251 IP Address not found
9 IN, India
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Fail2Ban Log Check by thecustomizewindows.com, Dr. Abhishek Ghosh
End of report
Visit https://thecustomizewindows.com for more help.
```
Of course you can save it as a text file:

```bash
./notfailed.sh > test.txt
```
Then cat it or do whatever you like with it. You can copy the report to some cloud storage, but keep the raw logs (or ship them to a remote log host) rather than deleting them: the report is a summary and cannot answer the questions a later incident investigation will ask, such as which usernames an attacker tried or what happened between two bans.
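As an added example that is not the page's script: the same analysis written as shell functions over constructed fail2ban.log and auth.log lines (the host name, PIDs and all addresses are invented, taken from the RFC 5737 documentation ranges), so it runs offline without logresolve or geoiplookup. It goes a little beyond the report above: it keeps "Restore Ban" lines (fail2ban re-applying persisted bans after a restart) out of the count of fresh bans, works out which IPs are still blocked at the end of the window, sorts the per-day counts in calendar order instead of alphabetically, and lists sources that failed repeatedly in auth.log but never got banned, which is the quickest check that the jail's maxretry and findtime are doing their job.

```shell
#!/bin/sh
# Added example, not the script from the page: the fail2ban.log / auth.log
# analysis as functions over constructed sample lines, so it runs offline
# without logresolve or geoiplookup. Host name (vps), PIDs and all IPs are
# invented (RFC 5737 documentation ranges).

# Constructed fail2ban.log excerpt. Three line shapes matter: "Ban", "Unban"
# and "Restore Ban" (bans re-applied after a restart); the filter's "Found"
# line must not be counted as a ban.
F2B_LOG=$(cat <<'EOF'
2024-06-01 00:12:29,100 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2024-06-01 00:12:29
2024-06-01 00:12:31,402 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-06-01 00:40:10,118 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.23
2024-06-01 01:02:45,007 fail2ban.actions [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-06-01 03:15:09,550 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-06-01 04:00:00,001 fail2ban.actions [812]: NOTICE  [sshd] Restore Ban 192.0.2.99
2024-06-01 10:40:10,118 fail2ban.actions [812]: NOTICE  [sshd] Unban 198.51.100.23
2024-06-02 09:30:22,310 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.23
2024-06-02 09:31:00,000 fail2ban.actions [812]: NOTICE  [sshd] Unban 198.51.100.23
EOF
)

# Constructed auth.log excerpt (syslog format; note the double space in "Jun  1").
AUTH_LOG=$(cat <<'EOF'
Jun  1 00:12:29 vps sshd[4301]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun  1 00:12:30 vps sshd[4301]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun  1 00:40:08 vps sshd[4310]: Failed password for root from 198.51.100.23 port 40001 ssh2
Jun  1 08:00:01 vps sshd[4350]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
Jun  1 22:10:00 vps sshd[4380]: Failed password for root from 192.0.2.50 port 33000 ssh2
Jun  2 06:10:00 vps sshd[4390]: Failed password for root from 192.0.2.50 port 33001 ssh2
Jun  2 09:30:20 vps sshd[4401]: Failed password for invalid user test from 198.51.100.23 port 40002 ssh2
Jun  2 14:10:00 vps sshd[4410]: Failed password for root from 192.0.2.50 port 33002 ssh2
EOF
)

# Fresh bans per IP, most-banned first, optionally restricted to one day.
# Testing the last fields instead of grep "Ban " keeps "Restore Ban" and
# "Unban" lines out of the count.
bans_per_ip() {   # usage: bans_per_ip [YYYY-MM-DD]
  printf '%s\n' "$F2B_LOG" \
    | awk -v day="${1:-}" '(day == "" || $1 == day) && $(NF-1) == "Ban" && $(NF-2) != "Restore" { print $NF }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# IPs whose bans (restored ones included) outnumber their unbans, i.e. still
# blocked at the end of the log window.
still_banned() {
  printf '%s\n' "$F2B_LOG" | awk '
    $(NF-1) == "Ban"   { n[$NF]++ }
    $(NF-1) == "Unban" { n[$NF]-- }
    END { for (ip in n) if (n[ip] > 0) print ip }' | sort
}

# Failed sshd password attempts per day, in calendar order (sort -M) rather
# than the alphabetical order that puts "May 31" after "Jun 2".
failed_per_day() {
  printf '%s\n' "$AUTH_LOG" | grep 'sshd\[' | grep 'Failed password' \
    | awk '{ print $1, $2 }' | sort | uniq -c | awk '{ print $1, $2, $3 }' \
    | sort -k2,2M -k3,3n
}

# Sources with at least MIN failed passwords that never received a Ban line:
# a check that the jail's maxretry/findtime actually catch what auth.log shows.
never_banned() {   # usage: never_banned MIN
  local banned
  banned=$(printf '%s\n' "$F2B_LOG" | awk '$(NF-1) == "Ban" { print $NF }' | sort -u)
  printf '%s\n' "$AUTH_LOG" | grep 'sshd\[' | grep 'Failed password' \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | awk -v m="$1" '$1 >= m { print $2 }' \
    | grep -vxF -- "$banned"
}

echo "Bans on 2024-06-01:";           bans_per_ip 2024-06-01
echo "Still banned:";                 still_banned
echo "Failed passwords per day:";     failed_per_day
echo "3+ failures but never banned:"; never_banned 3
```

To run it against a real host, replace the two heredocs with the contents of /var/log/fail2ban.log and of all auth.log files (zcat -f reads plain and gzipped ones alike). The awk tests look only at the last fields of each line, so they do not depend on the exact timestamp layout of the log, and the never_banned check is the one worth scheduling: an IP that keeps failing without ever being banned usually means the jail's findtime is shorter than the attacker's retry interval.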
This script is best used with GeoIP installed, and we have guides for that: GeoIP on Apache2 and GeoIP on Nginx. Bear in mind that geoiplookup reads the legacy GeoIP databases, which MaxMind no longer updates, so country and ASN attributions for recently allocated address ranges may be out of date.