
I installed Fail2ban and it's working fine.

I'm NOT a Linux guru, sorry. I can just about find my way around.

I need a script that will print all banned IP addresses and most important the DATE AND TIME that the ban came into effect. I'm only interested in the IP Address and the date and time of the ban. Nothing else.

Can anyone help?

Mikheil

1 Answer

The question you are asking is a bit cumbersome if you want to exclude duplicate IP addresses.

I am using Fail2ban on Ubuntu myself, so my examples are from my running server:

To find all active jails run the command: fail2ban-client status.

On my server it will respond with the following output:

Status
|- Number of jail:      10
`- Jail list:   dovecot, f2b-loop2, f2b-loop3, f2b-loop4, postfix, postfix-rbl, postfix-sasl, postfix-spam-ddos, pureftpd, sshd

In theory it is a bit trivial to create an array where each element in the array is the name of one of the jails.

In my own BASH shell script it is done with the following lines:

#!/bin/bash

# Take the "Jail list:" line from 'fail2ban-client status', strip everything
# up to and including the colon and following whitespace, then drop the
# commas so the jail names split on whitespace in the for loop below.
JAILS=$(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
for JAIL in $JAILS
do
  # Insert the commands you want to run for each jail.
  # The variable "$JAIL" contains the name of the jail.
  #
  # Like:

  fail2ban-client get "$JAIL" banip --with-time
done

So first my script will get content from the jail 'dovecot', then 'f2b-loop2', then 'f2b-loop3' and so on.

However:

The same ip address might be featured in several jails. At least that is the case for my jails named f2b-loop(x) where (x) is a number from 2-4.

My loop jails are there because I ban a particular IP for increasing amounts of time, like 2 hours, 1 day, 7 days and 1 month.

Therefore:

I have in the past fed my information into a binary search tree over IP addresses, so I could make a summarized banning list if a suspicious amount of similar IP addresses was being blocked at the same time.

The reason is that creating 1 blocking rule that covers 64 IP addresses vs 64 individual rules is a bit more server friendly.

... and also the reason why I have more or less blocked 50% of all available IP addresses from 1 Iranian, 2 Russian and 2 Chinese ISPs!

Anyhow:

From my initial snippet it is possible to do all kinds of manipulation using shell scripting or piping the output to a program that interacts with a database or whatever.

I would highly recommend reading up on tutorials in shell scripting if you have no experience with Linux in general, since that is one of the most powerful tools you are going to use when working with Linux.
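The answer above loops over the jails but leaves the de-duplication across jails to the reader. The script below, added here as an example and not part of the original answer, does that step: it normalizes the `--with-time` lines to "IP, ban start" pairs, keeps only the earliest ban time when the same IP shows up in several jails (the f2b-loop case), and sorts by time. It assumes the line format `<ip> \t<start> + <bantime seconds> = <end>`, which is what recent Fail2ban releases print for `get <jail> banip --with-time`; check the output on your own version before relying on it. The sample lines in `sample_bans` are constructed, so the `demo` function runs without a Fail2ban installation; `list_all_bans` is the version that talks to the real `fail2ban-client`.

```shell
#!/bin/bash
# Added example, not the answer author's script. Assumed line format of
# 'fail2ban-client get <jail> banip --with-time':
#   <ip> \t<start time> + <bantime seconds> = <end time>

# normalize_bans: read raw --with-time lines on stdin and print one
# "IP<TAB>ban start" line per IP, keeping the earliest start time when
# the same IP is banned in more than one jail, sorted by start time.
normalize_bans() {
  tab=$(printf '\t')
  awk -F'\t' '
    NF >= 2 {
      ip = $1; sub(/ +$/, "", ip)            # drop the space before the tab
      start = $2; sub(/ \+ .*$/, "", start)  # keep only the start timestamp
      # ISO-style timestamps compare correctly as plain strings
      if (!(ip in first) || start < first[ip]) first[ip] = start
    }
    END { for (ip in first) print ip "\t" first[ip] }
  ' | sort -t "$tab" -k2,2
}

# list_all_bans: the real run, one call per active jail, then normalize.
list_all_bans() {
  jails=$(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//; s/,//g')
  for jail in $jails; do
    fail2ban-client get "$jail" banip --with-time
  done | normalize_bans
}

# sample_bans: constructed output as if three jails had been queried;
# 198.51.100.7 appears twice, as it would with escalating "loop" jails.
sample_bans() {
  printf '%s\t%s\n' \
    '203.0.113.5 '  '2022-07-11 19:02:00 + 600 = 2022-07-11 19:12:00' \
    '198.51.100.7 ' '2022-07-10 08:15:30 + 7200 = 2022-07-10 10:15:30' \
    '198.51.100.7 ' '2022-07-10 10:16:00 + 86400 = 2022-07-11 10:16:00' \
    '192.0.2.44 '   '2022-07-09 23:59:59 + 600 = 2022-07-10 00:09:59'
}

# demo: run the normalization over the constructed sample.
demo() { sample_bans | normalize_bans; }

# Uncomment to run against a live server instead of the sample:
# list_all_bans
demo
```

Running `demo` prints three lines (192.0.2.44, 198.51.100.7 with its first ban at 08:15:30, then 203.0.113.5), each as IP, a tab, and the ban start time, which is exactly the two fields the question asked for.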

  • fail2ban-client get $JAIL banip --with-time - this does just what I need, thanks. I'm ex-Novell and now I'm 81 and retired; I have no desire to learn scripting. – Mikheil Jul 11 '22 at 19:02
  • It does come highly recommended, since it is used for automation, like for instance auto-renewing Let's Encrypt certificates on your server or updating software. The alternative is that you do it by hand at least every 3 months, instead of basically fire and forget. One of my Linux servers actually managed to get retired after 10+ years of uninterrupted service due to mechanical failure. The ball bearings in all the fans were *gone* due to wear and tear! – Lasse Michael Mølgaard Jul 12 '22 at 05:36