How to ban top-100 IPs from fail2ban log

Discussion in 'Server Operation' started by SamTzu, Jan 11, 2020.

  1. SamTzu

    SamTzu Active Member

  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I use the recidive jail to ban repeat offenders for a week. That works for me, and if that IP sometime gets a new owner, they can use that IP eventually.
    There are also collected lists of IP-numbers so those can be added to fail2ban before they attempt to guess passwords on your host.
     
  3. SamTzu

    SamTzu Active Member

    There are probably many ways to improve that script.
    Using this command we can see who the real spammers/offenders are.
    Code:
    zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c | sort -n | tail -100 
    After that it's only a matter of importing a new list every day/week or so using cron. When IPs change hands, the number of offenses will drop and eventually be removed from the import list.
     
  4. Steini86

    Steini86 Active Member

    Nice project. However, I don't like these forever bans. A week should be enough ;)

    Have a look at this project: https://github.com/trick77/ipset-blacklist
    It is faster than fail2ban (faster lookup of blocked IPs) and maintains lists of known spammer IPs to block.
     

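Added example, not part of the thread and not fail2ban's own code: a hardened version of the counting one-liner from post 3 that validates each address, skips an allowlist so you never import your own hosts, and ignores re-applied bans. Assumptions: the helper names `top_banned` and `sample_log`, the allowlist file, and the log layout (including `Restore Ban` lines written after a restart) are illustrative; the sample log is constructed.

```shell
#!/bin/sh
# top_banned LIMIT MIN_BANS [ALLOW_FILE]   (hypothetical helper, not part of fail2ban)
# Reads fail2ban log text on stdin and prints "count ip" for the most-banned
# IPv4 addresses, highest count first. ALLOW_FILE: one address per line, "#" comments.
top_banned() {
    awk -v min="$2" -v allow="${3:-/dev/null}" '
        BEGIN { while ((getline a < allow) > 0) if (a != "" && a !~ /^#/) skip[a] = 1 }
        NF < 3 { next }
        # Count only new ban events: "... [jail] Ban <ip>".
        # "Unban" and "Restore Ban" (assumed restart re-apply) are not new offences.
        $(NF-1) != "Ban" || $(NF-2) == "Restore" { next }
        {
            # Strict IPv4 check so log noise never reaches a firewall import list.
            if (split($NF, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            if (!($NF in skip)) bans[$NF]++
        }
        END { for (ip in bans) if (bans[ip] >= min) print bans[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2 | head -n "$1"
}

# Constructed sample log (documentation-range addresses), for demonstration only.
sample_log() {
    cat <<'EOF'
2020-01-10 03:12:01,100 fail2ban.actions [811]: NOTICE [sshd] Ban 203.0.113.7
2020-01-10 04:12:01,100 fail2ban.actions [811]: NOTICE [sshd] Unban 203.0.113.7
2020-01-10 05:40:11,220 fail2ban.actions [811]: NOTICE [sshd] Ban 203.0.113.7
2020-01-10 06:02:45,310 fail2ban.actions [811]: NOTICE [postfix] Ban 198.51.100.23
2020-01-11 00:00:05,010 fail2ban.actions [902]: NOTICE [sshd] Restore Ban 198.51.100.23
2020-01-11 01:15:30,400 fail2ban.actions [902]: NOTICE [sshd] Ban 203.0.113.7
2020-01-11 02:20:00,000 fail2ban.actions [902]: NOTICE [sshd] Ban 192.0.2.10
2020-01-11 02:50:00,000 fail2ban.actions [902]: NOTICE [sshd] Ban 192.0.2.10
EOF
}

# Demo: addresses banned at least twice in the sample.
# On a real host, feed it the thread's input instead (allowlist path is a placeholder):
#   zgrep -h "Ban " /var/log/fail2ban.log* | top_banned 100 5 /path/to/allowlist
sample_log | top_banned 100 2
```

The minimum-ban threshold is what lets an address fall off the import list once its offence count drops, as post 3 describes.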