http://wiki.ljackson.us/index.php?title=Fail2ban&action=history&feed=atom Fail2ban - Revision history 2024-03-28T12:13:29Z Revision history for this page on the wiki MediaWiki 1.7.1 http://wiki.ljackson.us/index.php?title=Fail2ban&diff=3536&oldid=prev Ljackson: /* Extract Frequent Bans from Messages/Fail2ban.log */ 2020-11-18T05:16:54Z <p><span class="autocomment">Extract Frequent Bans from Messages/Fail2ban.log</span></p> <table border='0' width='98%' cellpadding='0' cellspacing='4' style="background-color: white;"> <tr> <td colspan='2' width='50%' align='center' style="background-color: white;">←Older revision</td> <td colspan='2' width='50%' align='center' style="background-color: white;">Revision as of 05:16, 18 November 2020</td> </tr> <tr><td colspan="2" align="left"><strong>Line 33:</strong></td> <td colspan="2" align="left"><strong>Line 33:</strong></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">Sep 18 00:55:38 core fail2ban.actions: WARNING [sasl-iptables] Ban 212.70.149.4</td><td> </td><td style="background: #eee; font-size: smaller;">Sep 18 00:55:38 core fail2ban.actions: WARNING [sasl-iptables] Ban 212.70.149.4</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">&lt;/pre&gt; </td><td> </td><td style="background: #eee; font-size: smaller;">&lt;/pre&gt; </td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">=== Extract &gt;6 count offender IP addresses and generate iptables rules to file ===</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"> </td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"> cat /var/log/messages* | grep Ban | cut -d']' -f 2- | cut -d' ' -f 3 | sort | uniq -c | sort -rn | awk -F' ' '{if($1&gt;6)print$2}' | xargs -IX echo '-A INPUT -s X -j DROP 
-m comment --comment &quot;Fail2ban PermaBan!!&quot;' &gt; ips.txt</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">Generate iptables rules (copy/paste IP addresses based on sorted list) [Mac OSX]</td><td> </td><td style="background: #eee; font-size: smaller;">Generate iptables rules (copy/paste IP addresses based on sorted list) [Mac OSX]</td></tr> </table> Ljackson http://wiki.ljackson.us/index.php?title=Fail2ban&diff=3530&oldid=prev Ljackson: /* Filter and visualize 7 columns on space-padded single digit day-of-month (SDDOM) log files */ 2020-11-18T05:04:31Z <p><span class="autocomment">Filter and visualize 7 columns on space-padded single digit day-of-month (SDDOM) log files</span></p> <table border='0' width='98%' cellpadding='0' cellspacing='4' style="background-color: white;"> <tr> <td colspan='2' width='50%' align='center' style="background-color: white;">←Older revision</td> <td colspan='2' width='50%' align='center' style="background-color: white;">Revision as of 05:04, 18 November 2020</td> </tr> <tr><td colspan="2" align="left"><strong>Line 11:</strong></td> <td colspan="2" align="left"><strong>Line 11:</strong></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">Zero-padded for last 3 days, sort results by text and filter through more</td><td> </td><td style="background: #eee; font-size: smaller;">Zero-padded for last 3 days, sort results by text and filter through more</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">&lt;pre&gt;</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">awk '{$2 = sprintf(&quot;%02d&quot;, $2); print}' secure* | awk -F'[: ]' 
'BEGIN{ mths=&quot; JanFebMarAprMayJunJulAugSepOctNovDec&quot;; tt=systime()-(60*60*24*3) } mktime(strftime(&quot;%Y&quot;)&quot; &quot;index(mths,$1)/3&quot; &quot;$2&quot; &quot;$3&quot; &quot;$4&quot; &quot;$5) &gt;= tt {for (i=1; i&lt;8; i++) printf $i&quot;\t&quot;; if (i = NF) print &quot;Cols:&quot;NF;}' | sort | more</td><td> </td><td style="background: #eee; font-size: smaller;">awk '{$2 = sprintf(&quot;%02d&quot;, $2); print}' secure* | awk -F'[: ]' 'BEGIN{ mths=&quot; JanFebMarAprMayJunJulAugSepOctNovDec&quot;; tt=systime()-(60*60*24*3) } mktime(strftime(&quot;%Y&quot;)&quot; &quot;index(mths,$1)/3&quot; &quot;$2&quot; &quot;$3&quot; &quot;$4&quot; &quot;$5) &gt;= tt {for (i=1; i&lt;8; i++) printf $i&quot;\t&quot;; if (i = NF) print &quot;Cols:&quot;NF;}' | sort | more</td></tr> <tr><td>-</td><td style="background: #ffa; font-size: smaller;">&#160;</td><td>+</td><td style="background: #cfc; font-size: smaller;"><span style="color: red; font-weight: bold;">&lt;/pre&gt;</span></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">=== Extract Frequent Bans from Messages/Fail2ban.log ===</td><td> </td><td style="background: #eee; font-size: smaller;">=== Extract Frequent Bans from Messages/Fail2ban.log ===</td></tr> </table> Ljackson http://wiki.ljackson.us/index.php?title=Fail2ban&diff=3529&oldid=prev Ljackson: /* Filter full text rows on space-padded single digit day-of-month (SDDOM) log files */ 2020-11-18T05:04:18Z <p><span class="autocomment">Filter full text rows on space-padded single digit day-of-month (SDDOM) log files</span></p> <table border='0' width='98%' cellpadding='0' cellspacing='4' style="background-color: white;"> <tr> <td colspan='2' width='50%' align='center' style="background-color: white;">←Older revision</td> <td colspan='2' width='50%' align='center' style="background-color: 
white;">Revision as of 05:04, 18 November 2020</td> </tr> <tr><td colspan="2" align="left"><strong>Line 3:</strong></td> <td colspan="2" align="left"><strong>Line 3:</strong></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">Zero-padded for last 3 days, sort results by text and filter through more</td><td> </td><td style="background: #eee; font-size: smaller;">Zero-padded for last 3 days, sort results by text and filter through more</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">&lt;pre&gt;</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">awk '{$2 = sprintf(&quot;%02d&quot;, $2); print}' secure* | awk -F'[: ]' 'BEGIN{ mths=&quot; JanFebMarAprMayJunJulAugSepOctNovDec&quot;; tt=systime()-(60*60*24*10) } mktime(strftime(&quot;%Y&quot;)&quot; &quot;index(mths,$1)/3&quot; &quot;$2&quot; &quot;$3&quot; &quot;$4&quot; &quot;$5) &gt;= tt {print $0}' | sort | more</td><td> </td><td style="background: #eee; font-size: smaller;">awk '{$2 = sprintf(&quot;%02d&quot;, $2); print}' secure* | awk -F'[: ]' 'BEGIN{ mths=&quot; JanFebMarAprMayJunJulAugSepOctNovDec&quot;; tt=systime()-(60*60*24*10) } mktime(strftime(&quot;%Y&quot;)&quot; &quot;index(mths,$1)/3&quot; &quot;$2&quot; &quot;$3&quot; &quot;$4&quot; &quot;$5) &gt;= tt {print $0}' | sort | more</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">&lt;/pre&gt;</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">=== Filter and visualize 7 columns on space-padded single digit day-of-month (SDDOM) log files ===</td><td> </td><td style="background: #eee; font-size: smaller;">=== Filter 
and visualize 7 columns on space-padded single digit day-of-month (SDDOM) log files ===</td></tr> </table> Ljackson http://wiki.ljackson.us/index.php?title=Fail2ban&diff=3528&oldid=prev Ljackson: /* Extract Frequent Bans from Messages/Fail2ban.log */ 2020-11-18T05:03:42Z <p><span class="autocomment">Extract Frequent Bans from Messages/Fail2ban.log</span></p> <table border='0' width='98%' cellpadding='0' cellspacing='4' style="background-color: white;"> <tr> <td colspan='2' width='50%' align='center' style="background-color: white;">←Older revision</td> <td colspan='2' width='50%' align='center' style="background-color: white;">Revision as of 05:03, 18 November 2020</td> </tr> <tr><td colspan="2" align="left"><strong>Line 1:</strong></td> <td colspan="2" align="left"><strong>Line 1:</strong></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">=== Filter full text rows on space-padded single digit day-of-month (SDDOM) log files ===</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">Zero-padded for last 3 days, sort results by text and filter through more</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">awk '{$2 = sprintf(&quot;%02d&quot;, $2); print}' secure* | awk -F'[: ]' 'BEGIN{ mths=&quot; JanFebMarAprMayJunJulAugSepOctNovDec&quot;; tt=systime()-(60*60*24*10) } mktime(strftime(&quot;%Y&quot;)&quot; &quot;index(mths,$1)/3&quot; &quot;$2&quot; &quot;$3&quot; &quot;$4&quot; &quot;$5) &gt;= tt {print $0}' | sort | more</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: 
smaller;">=== Filter and visualize 7 columns on space-padded single digit day-of-month (SDDOM) log files ===</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">Zero-padded for last 3 days, sort results by text and filter through more</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">awk '{$2 = sprintf(&quot;%02d&quot;, $2); print}' secure* | awk -F'[: ]' 'BEGIN{ mths=&quot; JanFebMarAprMayJunJulAugSepOctNovDec&quot;; tt=systime()-(60*60*24*3) } mktime(strftime(&quot;%Y&quot;)&quot; &quot;index(mths,$1)/3&quot; &quot;$2&quot; &quot;$3&quot; &quot;$4&quot; &quot;$5) &gt;= tt {for (i=1; i&lt;8; i++) printf $i&quot;\t&quot;; if (i = NF) print &quot;Cols:&quot;NF;}' | sort | more</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">=== Extract Frequent Bans from Messages/Fail2ban.log ===</td><td> </td><td style="background: #eee; font-size: smaller;">=== Extract Frequent Bans from Messages/Fail2ban.log ===</td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> </table> Ljackson http://wiki.ljackson.us/index.php?title=Fail2ban&diff=3520&oldid=prev Ljackson: /* Extract Frequent Bans from Messages/Fail2ban.log */ 2020-09-18T18:13:28Z <p><span class="autocomment">Extract Frequent Bans from Messages/Fail2ban.log</span></p> <table border='0' width='98%' cellpadding='0' cellspacing='4' style="background-color: white;"> <tr> <td colspan='2' width='50%' 
align='center' style="background-color: white;">←Older revision</td> <td colspan='2' width='50%' align='center' style="background-color: white;">Revision as of 18:13, 18 September 2020</td> </tr> <tr><td colspan="2" align="left"><strong>Line 21:</strong></td> <td colspan="2" align="left"><strong>Line 21:</strong></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"> for i in `pbpaste`; do echo '-A INPUT -s '$i' -j DROP -m comment --comment &quot;Fail2ban PermaBan!!&quot;'; done</td><td> </td><td style="background: #eee; font-size: smaller;"> for i in `pbpaste`; do echo '-A INPUT -s '$i' -j DROP -m comment --comment &quot;Fail2ban PermaBan!!&quot;'; done</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">=== Service Names and Port Numbers ===</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">Lookup via /etc/services</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"> cat /etc/services | grep -E ' (25|465|110|995|143|993)\/'</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">Service Name Data Table</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">&lt;pre&gt;</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"># service-name port/protocol [aliases ...] 
[# comment]</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">smtp 25/tcp mail</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">smtp 25/udp mail</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">pop3 110/tcp pop-3 # POP version 3</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">pop3 110/udp pop-3</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">imap 143/tcp imap2 # Interim Mail Access Proto v2</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">imap 143/udp imap2</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">imaps 993/tcp # IMAP over SSL</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">imaps 993/udp # IMAP over SSL</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">pop3s 995/tcp # POP-3 over SSL</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">pop3s 995/udp # POP-3 over SSL</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">urd 465/tcp smtps # URL Rendesvous Directory for SSM / SMTP over SSL (TLS)</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">igmpv3lite 465/udp # IGMP over UDP for SSM</td></tr> <tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">&lt;/pre&gt;</td></tr> </table> Ljackson http://wiki.ljackson.us/index.php?title=Fail2ban&diff=3519&oldid=prev Ljackson: /* Extract Frequent Bans from Messages/Fail2ban.log */ 2020-09-18T15:15:00Z <p><span class="autocomment">Extract Frequent Bans from 
Messages/Fail2ban.log</span></p> <table border='0' width='98%' cellpadding='0' cellspacing='4' style="background-color: white;"> <tr> <td colspan='2' width='50%' align='center' style="background-color: white;">←Older revision</td> <td colspan='2' width='50%' align='center' style="background-color: white;">Revision as of 15:15, 18 September 2020</td> </tr> <tr><td colspan="2" align="left"><strong>Line 18:</strong></td> <td colspan="2" align="left"><strong>Line 18:</strong></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;">&lt;/pre&gt; </td><td> </td><td style="background: #eee; font-size: smaller;">&lt;/pre&gt; </td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td>-</td><td style="background: #ffa; font-size: smaller;">Generate iptables rules (copy/paste Mac OSX<span style="color: red; font-weight: bold;">)</span></td><td>+</td><td style="background: #cfc; font-size: smaller;">Generate iptables rules (copy/paste <span style="color: red; font-weight: bold;">IP addresses based on sorted list) [</span>Mac OSX<span style="color: red; font-weight: bold;">]</span></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr> <tr><td> </td><td style="background: #eee; font-size: smaller;"> for i in `pbpaste`; do echo '-A INPUT -s '$i' -j DROP -m comment --comment &quot;Fail2ban PermaBan!!&quot;'; done</td><td> </td><td style="background: #eee; font-size: smaller;"> for i in `pbpaste`; do echo '-A INPUT -s '$i' -j DROP -m comment --comment &quot;Fail2ban PermaBan!!&quot;'; done</td></tr> </table> Ljackson http://wiki.ljackson.us/index.php?title=Fail2ban&diff=3518&oldid=prev Ljackson at 15:11, 18 September 2020 2020-09-18T15:11:45Z <p></p> <p><b>New page</b></p><div>=== Extract Frequent Bans from Messages/Fail2ban.log ===<br /> <br /> Extract frequent offender 
IP addresses <br /> <br /> cat /var/log/messages | grep Ban | cut -d']' -f 2- | cut -d' ' -f 3 | sort | uniq -c | sort -n | cut -c 9-<br /> <br /> Logfile excerpt:<br /> <br /> &lt;pre&gt;<br /> Sep 17 23:42:40 core fail2ban.actions: WARNING [sasl-iptables] Ban 212.70.149.20<br /> Sep 17 23:43:38 core fail2ban.actions: WARNING [sasl-iptables] Ban 45.142.120.83<br /> Sep 17 23:44:14 core fail2ban.actions: WARNING [sasl-iptables] Ban 212.70.149.83<br /> Sep 17 23:45:40 core fail2ban.actions: WARNING [sasl-iptables] Ban 212.70.149.52<br /> Sep 18 00:02:05 core fail2ban.actions: WARNING [ssh-iptables] Ban 64.235.45.41<br /> Sep 18 00:22:15 core fail2ban.actions: WARNING [sasl-iptables] Ban 193.169.253.168<br /> Sep 18 00:39:59 core fail2ban.actions: WARNING [sasl-iptables] Ban 78.128.113.120<br /> Sep 18 00:55:38 core fail2ban.actions: WARNING [sasl-iptables] Ban 212.70.149.4<br /> &lt;/pre&gt; <br /> <br /> Generate iptables rules (copy/paste Mac OSX)<br /> <br /> for i in `pbpaste`; do echo '-A INPUT -s '$i' -j DROP -m comment --comment &quot;Fail2ban PermaBan!!&quot;'; done</div> Ljackson
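Review bot: In the revision 3536 hunk, `cat /var/log/messages* | grep Ban ...` globs the rotated logs as well, and where logrotate has compressed them (messages.1.gz and so on) grep cannot match the literal "Ban" inside them, so the >6 counts silently exclude older bans; start the pipeline with `zgrep -h Ban /var/log/messages*` (or restrict the glob to uncompressed files) and drop the leading cat.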
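Review bot: In the 7-column awk program (added in revision 3528, wrapped in <pre> in revision 3530), `if (i = NF)` is an assignment, not a comparison: it overwrites i with NF and is true for every line that reached it, so `Cols:NF` is printed unconditionally; write `if (i == NF)` (noting that after the loop i is always 8, so the test only fires on 8-field lines) or just print NF without a condition. The same program, and the full-row filter before it, depend on systime(), mktime() and strftime(), which are gawk extensions rather than POSIX awk (the stock macOS awk used elsewhere on this page with pbpaste lacks them), and strftime("%Y") stamps every line with the current year, so late-December lines are mis-dated when the filter runs in early January.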
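Review bot: In revision 3528 (and the <pre> wrapping of the same line in revision 3529), the description above the full-row filter says "for last 3 days" but the program computes `tt=systime()-(60*60*24*10)`, a 10-day window; change either the text to 10 days or the multiplier to 3 so it agrees with the 7-column filter that follows, which does use 3.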
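Review bot: In the revision 3520 hunk, `grep -E ' (25|465|110|995|143|993)\/'` anchors on a literal space before the port, so on systems whose /etc/services separates name and port with tabs it matches nothing; `grep -E '[[:space:]](25|465|110|995|143|993)/' /etc/services` handles both, drops the leading cat, and removes the unnecessary `\/` escape. The resulting table also carries `igmpv3lite 465/udp`, which is IGMP rather than a mail service and only appears because the port number matched.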