Find host or IP on Fail2ban log in Centos using bash and awk

Find out your fail2ban log and make permanent block. You need to install ipset to make your iptables rules
 
  • Create script bannedge2centos.sh
#!/bin/bash
## create by dedetok March 2016
## GNU GPL v3
echo "These IP get WARNING at least twice"
awk '(/fail2ban.filter/ && /WARNING/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n |
{
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These IP get Filter sshd at least twice"
awk '(/fail2ban.filter/ && /sshd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These IP get Filter ftpd at least twice"
awk '(/fail2ban.filter/ && /vsftpd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These hosts get Filter Fail2ban at least twice"
awk '(/fail2ban.filter/ && /WARNING Unable/) { print $(NF-7)}' /var/log/fail2ban.log | sort | uniq -c |
 sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}
  • Create ipset rules mynetrules
# ipset create mynetrules hash:net
  • Run bash bannedge2centos.sh  
# ./bannedge2centos.sh
These IP get WARNING at least twice
2 ['199.15.112.8']
2 ['216.117.2.180']
2 ['82.148.206.193']
4 ['208.100.26.231']
4 ['31.211.102.129']
5 ['71.6.167.142']
10 ['88.80.15.69']
28 known
These IP get Filter sshd at least twice
2 118.136.248.90
18 84.16.74.40
These IP get Filter ftpd at least twice
5 88.80.15.69
These hosts get Filter Fail2ban at least twice
2 128-140-19-52.maxnet.ir:
2 1-39-45-166.live.vodafone.in:
2 178.218.202.224.ip.turontelecom.uz:
2 181-174-60-157.telebucaramanga.net.co:
2 222.64.uzpak.uz:
2 238.124.206.49-ras.beamtele.net:
2 75-242-69-115.vasaicable.co.in:
2 78.187.230.16.static.ttnet.com.tr:
2 85-113-26-150.static.ktnet.kg:
2 91-219-55-106.static-pool.centr.zp.ua:
2 brbnd47-30.mng.net:
2 static-mum-120.63.188.93.mtnl.net.in:
4 client.fttb.2day.kz:
  • Popuate ipset rules mynetrules
# ipset add mynetrules 84.16.74.40
# ipset add mynetrules 71.6.167.142
# ipset add mynetrules 208.100.26.231
# ipset add mynetrules 31.211.102.129
  • Add ipset rules into iptables rules
# iptables -I INPUT -m set --match-set mynetrules src -j DROP
  • Save your new rules
# service ipset save
# service iptables save
Default ipset and iptables: /etc/sysconfig/ipset, /etc/sysconfig/iptables,  and /etc/sysconfig/iptables.save 
  • To reload ipset and iptables
# service ipset reload
# service iptables restart
Another interesting scrips
  • # awk '(/pam_unix/ && /sshd:auth/ && /authentication failure/) { print $NF }' /var/log/secure | sort | uniq -c | sort
  • # awk '(/pam_unix/ && /webmin/ && /authentication failure/) { print $(NF-1) }' /var/log/secure | sort | uniq -c | sort
  • # awk '(/pam_unix/ && /vsftpd/ && /authentication failure/) { print $(NF) }' /var/log/secure | sort | uniq -c | sort 
  • awk '((/not receive/ || /Failed/ || /Connection closed/ || /closed/ || /failure/ ) && /preauth/ && /sshd/) { print (NF-2),$(NF-1),$NF}' /var/log/auth.log | sort  | uniq -c
Note:
  • You can modify these to auto block those IP into your ipset rules. But beware about your IP may incidentally get auto blocked. Check those IP or host location before add them into ipset ruls
  • When ipset size increasing, it wont impose to CPU load.