Fail2ban Status commands

fail2ban-client status postfix

Show status of all fail2ban jails at once
create the file fail2ban-allstatus.sh
#!/bin/bash
JAILS=`fail2ban-client status | grep Jail list | sed -E s/^[^:]+:[ \t]+// | sed s/,//g`
for JAIL in $JAILS
do
fail2ban-client status $JAIL
done

or with a command

fail2ban-client status|awk -F: ‘/Jail list:/ { split($2,jail,”,”) ; for (i in jail) { gsub(/[\t ]/,””,jail[i]); system(“fail2ban-client status “jail[i]); }; }’

grep -srni “journalmatch” /etc/fail2ban/filter.d/

 

Unban ip Failban

Step 1: Find IP Address to Unblock

Log in to your server via SSH and type in the following command:

iptables -L -n

Look for the IP address you want to unblock / unban.

Step 2: Get Jail Name of fail2ban Blocked IP Address

Now we must find the jail name this IP address is in. To do so, type the following to find the jail list settings:

fail2ban-client status

Step 3: Unban IP Address from fail2ban

For this example, we will remove an IP address jailed within ssh. To do so, type in the following:

fail2ban-client set <jail-name> unbanip 123.123.123.123

The IP address should now be unbanned from fail2ban.

fail2ban-client set apache-auth unbanip 83.99.83.189
fail2ban-client set apache-badbots unbanip 83.99.83.189
fail2ban-client set apache-botsearch unbanip 83.99.83.189
fail2ban-client set apache-modsecurity unbanip 83.99.83.189
fail2ban-client set apache-nohome unbanip 83.99.83.189
fail2ban-client set apache-overflows unbanip 83.99.83.189
fail2ban-client set apache-shellshock unbanip 83.99.83.189
fail2ban-client set courier-auth unbanip 83.99.83.189
fail2ban-client set courier-smtp unbanip 83.99.83.189
fail2ban-client set cyrus-imap unbanip 83.99.83.189
fail2ban-client set dovecot unbanip 83.99.83.189
fail2ban-client set dropbear unbanip 83.99.83.189
fail2ban-client set drupal-auth unbanip 83.99.83.189
fail2ban-client set ispconfig unbanip 83.99.83.189
fail2ban-client set php-url-fopen unbanip 83.99.83.189
fail2ban-client set postfix unbanip 83.99.83.189
fail2ban-client set postfix-rbl unbanip 83.99.83.189
fail2ban-client set postfix-sasl unbanip 83.99.83.189
fail2ban-client set pure-ftpd unbanip 83.99.83.189
fail2ban-client set recidive unbanip 83.99.83.189
fail2ban-client set roundcube-auth unbanip 83.99.83.189
fail2ban-client set selinux-ssh unbanip 83.99.83.189
fail2ban-client set sendmail-auth unbanip 83.99.83.189
fail2ban-client set sendmail-reject unbanip 83.99.83.189
fail2ban-client set sshd unbanip 83.99.83.189
fail2ban-client set sshd-ddos unbanip 83.99.83.189
fail2ban-client set wordpress unbanip 83.99.83.189

Fail2ban Error in file postfix-sasl.conf

my old file conf was :
failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

If you go to https://regex101.com/ you can test the regular expression on the log string :

May 10 15:57:59 mail postfix/smtpd[28617]: warning: ip43.ip-192-99-125.net[192.99.125.43]: SASL LOGIN authentication failed: Connection lost to authentication server

I corrected the error and the the configuration is :

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+:]*={0,2})?\s*$

You can leave also the first setting but it is not necessary.

 

 

Fail2ban and wordpress

Find the wordpress log file.

normally is configured in httpd.conf (if u are using apache web server)
Find the wordpress log file.
normally is configured in httpd.conf (if u are using apache web server)

    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #

    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %v %l %u %t \"%r\" %>s %b" comonvhost

    
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

    
    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a 
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per- access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined

here the log file parameters

My server example of failed login to wordpress


%v       %h                     %l %u %t                     \"%r\"                        %>s
saic.it 85.10.117.176 - -       [30/Sep/2017:09:29:02 +0200] "POST /wp-login.php HTTP/1.1" 200 
%b   \"%{Referer}i\"                   \"%{User-Agent}i\""
5444 "http://www.saic.it/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"

Link

Link2

How to unban ip with Failban

fail2ban-client set postfix unbanip 32.227.233.171

how to show jail list :
fail2ban-client status

how to view the status of a jail:
fail2ban-client status roundcube
show all the ipa for all jails
fail2ban-client status | grep “Jail list:” | sed “s/ //g” | awk ‘{split($2,a,”,”);for(i in a) system(“fail2ban-client status ” a[i])}’ | grep “Status\|IP list”
Esfor jail in $(fail2ban-client status | grep ‘Jail list:’ | sed ‘s/.*Jail list://’ | sed ‘s/,//g’); do fail2ban-client set $jail unbanip 185.41.34.122; done

List of banned or recidive ip

iptables -L -n