How to show all banned IP with fail2ban?

Please keep in mind that the fail2ban banning of IP is temporary in nature.

The best way to have a look at the full list of IPs that have been blocked would be to check the log file:

sudo zgrep 'Ban' /var/log/fail2ban.log*

Edit: this answer previously searched for 'Ban:', but even in 2013 the source has no colon (ref).

The following command can also give you a clean list of input rules:

sudo iptables -L INPUT -v -n | less

Similar to NA AE above with kwaa's comments included, this lists all IPs:

sudo zgrep 'Ban' /var/log/fail2ban.log*

but that output has so many lines. This counts lines of all logged banned (and likely unbanned) ip's:

sudo zgrep 'Ban' /var/log/fail2ban.log* | wc -l

The output from above command (with line count) should match 'Total Banned' count in fail2ban's status output:

fail2ban-client status sshd

tested in Ubuntu 18.04.1 LTS.

My output from 'wc -l' line:

7244

And from fail2ban's status, the same 7244 number is verified:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 7
|  |- Total failed: 49457
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 9
   |- Total banned: 7244
   `- Banned IP list:   [...]

You can use sqlite3 command to do some statistics by querying bips table of /var/lib/fail2ban/fail2ban.sqlite3 database (if your fail2ban version < v0.11.1, change bips to bans).

Show all IP address and its jail:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select ip,jail from bips"

Show all unique IP address:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips"

Show all unique IP address in sshd jail:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips where jail='sshd'"

Show top 20 most banned IP address in all jails:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select jail,ip,count(*) as count from bips group by ip order by count desc limit 20"

If you want to see structure and all data of this file in a GUI app, I recommend DB Browser For Sqlite.

As of version v0.11.1, fail2ban changed its database structure. I run this command in my Linux machine to see what's the difference (Fail2Ban v0.11.1, Ubuntu 20.04)

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 '.schema'

Part of the output is:

CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL, bantime INTEGER NOT NULL, bancount INTEGER NOT NULL default 1, data JSON, FOREIGN KEY(jail) REFERENCES jails(name) );
CREATE TABLE bips(ip TEXT NOT NULL, jail TEXT NOT NULL, timeofban INTEGER NOT NULL, bantime INTEGER NOT NULL, bancount INTEGER NOT NULL default 1, data JSON, PRIMARY KEY(ip, jail), FOREIGN KEY(jail) REFERENCES jails(name) );

To view the complete line of iptables:

sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'

To view only the IP address:

sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}'

You can change "REJECT" by "DROP", depending of your case.

Just an FYI:

• "Total banned" are the total IPs that have been banned for that jail (and probably have been unbanned).
• "Currently banned" are the ONLY IPs that are currently banned for that jail (and the IP list confirms this).

Hope that helps.

There is the banned command (v0.11.2):

fail2ban-client banned

Sample output:

[{'sshd': []}, {'apache-badbots': []}, {'apache-auth': ['XXX.24.23.164', 'XXX.155.205.108', 'XXX.62.130.158']}]

if you want to see the list of banned IP with their timeout ( timeout expires they are removed from the banned pool ) you can use:

ipset list

This will show what is currently banned (REJECT) in the Chain fail2ban-ssh portion of iptables.

sudo iptables -L fail2ban-ssh -v -n

Grouping by IP address:

awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

Note: the variable NF equals the number of fields in each row of the logfile. So $NF is the value of the last field.

Sample output:

...
  4 XXX.124.81.130
  5 XXX.248.175.246
  8 XXX.29.45.142

Visit this Link for more detail

To add more generic answer:

Please note that iptables might not be correct answer and might not give you relevant information at all (for original poster it is). It depends on which value for banaction = [action] you are using in your DEFAULT or specific jail definition.

I have many small ARM powered boxes running linux but kernel does not have all relevant iptables modules available, so iptables will not work in that case.

*BSD might not have iptables at all and use use something like pf instead.

On my ARM boxes I am using route for blocking. It adds invalid route for banned IPs and therefore return packets are undeliverable and IP is essentially blocked. Works very well. In that case you can check banned IPs by using:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
# normal routing entries
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
# banned IPs (no gateway, no iface)
223.96.95.85    -               255.255.255.255 !H    0      -        0 -

You have many options for banning. And therefore many options to check ban list. Which one to use depends on your platform and preference. There are many pre-configured configuration files in: /etc/fail2ban/action.d/ to choose from.