Find out when and why an IP address was banned


#1

Is there a way to see when and why an address was banned? I have gone through the fail2ban log and don’t see any reference.


(Communication Technologies) #2

I would expect it to be in the F2B logs, unless all the relevant logs have cycled. In that case I think you will not be able to find what you are looking for. We enabled ban notifications to also generate an email, to create a secondary record for us.


#3

fail2ban is likely not the only mechanism that drops suspect connections through iptables; well-behaved firewall rules will likely also write to /var/log/syslog, aka /var/log/messages.


#4

Why do you care?

An authorized IP was inadvertently banned; you unbanned it but want to be sure it doesn’t happen again?

An unauthorized IP was banned that you expected to have been blocked by an earlier defense, e.g. your hardware firewall, and you want to find out how the attacker circumvented that defense?

An unauthorized IP was correctly banned but you are concerned that the attacker will try other methods?

Some other problem?


#5

Because an unauthorized IP address wasn’t banned. Sometimes valid sites are banned, and those sites don’t have static addresses due to being residences, so I would like to know what happened so I can try to have the event not happen.


(Lorne Gaetz) #6

The word ‘ban’ implies that the source IP was blocked by fail2ban. If it was, it will be logged in /var/log/fail2ban with the jail that triggered it.
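As an added example (not code from this thread), a small Python script that walks a fail2ban log for one address and reports each ban with the jail that triggered it, the ban and unban times, and the "Found" filter matches that preceded it. It assumes fail2ban's default log line format and the default path /var/log/fail2ban.log, and runs on a constructed sample log when no path is given.

```python
import re
import sys
from datetime import datetime

# Assumes fail2ban's default log line format (adjust the regex if your setup changes
# it). Actions of interest: "Found" (a filter match), "Ban", and "Unban".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.\w+\s+\[\d+\]:\s+"
    r"\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<action>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

# Constructed sample log (documentation addresses), not taken from any real system.
SAMPLE_LOG = """\
2024-03-01 08:14:50,102 fail2ban.filter         [812]: INFO    [sshd] Found 192.0.2.10 - 2024-03-01 08:14:49
2024-03-01 08:14:55,480 fail2ban.filter         [812]: INFO    [sshd] Found 192.0.2.10 - 2024-03-01 08:14:55
2024-03-01 08:15:01,207 fail2ban.filter         [812]: INFO    [sshd] Found 192.0.2.10 - 2024-03-01 08:15:01
2024-03-01 08:15:02,311 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-03-01 08:25:02,900 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.10
2024-03-01 09:00:00,005 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7 - 2024-03-01 09:00:00
"""


def ban_history(lines, ip):
    """For each Ban of `ip`: jail, ban/unban times, and the Found hits that led to it."""
    history, pending = [], {}  # pending: jail -> Found times not yet tied to a ban
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] != ip:
            continue
        when, jail = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"]
        if m["action"] == "Found":
            pending.setdefault(jail, []).append(when)
        elif m["action"] == "Ban":
            history.append({"jail": jail, "banned_at": when,
                            "unbanned_at": None, "matches": pending.pop(jail, [])})
        elif m["action"] == "Unban":
            for h in reversed(history):  # close the most recent open ban in this jail
                if h["jail"] == jail and h["unbanned_at"] is None:
                    h["unbanned_at"] = when
                    break
    return history


if __name__ == "__main__":
    # Usage: python ban_history.py <ip> [/var/log/fail2ban.log]; no path = sample log.
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    lines = open(sys.argv[2]).readlines() if len(sys.argv) > 2 else SAMPLE_LOG.splitlines()
    for h in ban_history(lines, ip):
        print(f"[{h['jail']}] banned {h['banned_at']} after {len(h['matches'])} filter "
              f"matches, unbanned {h['unbanned_at']}")
```

Rotated copies (fail2ban.log.1 and so on) can be passed as the path instead of the live file when the event has already aged out, which is the "cycled logs" case mentioned above.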