Fail2ban - Testing and Monitoring

Created by: Lester Caine, Last modification: 10 May 2026

Check jail status

# Overview of every jail, then the detail view of each jail this host runs
fail2ban-client status
for jail in nginx-404 nginx-botsearch recidive; do
  fail2ban-client status "$jail"
done

Manual ban/unban testing

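# Ban a test IP.
# NOTE: 1.2.3.4 is a routable public address; if the unban step below is
# skipped it stays blocked until bantime expires. A TEST-NET address
# (RFC 5737, e.g. 192.0.2.1) is a safer stand-in, and the address you are
# administering from must never be used here.
fail2ban-client set nginx-404 banip 1.2.3.4

# Confirm firewalld has the rule.
# -F: literal match, so the dots are not regex wildcards;
# -w: whole-word match, so 1.2.3.45 or 11.2.3.4 do not also match.
firewall-cmd --list-rich-rules | grep -Fw -- 1.2.3.4

# Check email arrived in support@ folder

# Unban test IP
fail2ban-client set nginx-404 unbanip 1.2.3.4

# Confirm rule removed (no output expected; grep exits 1)
firewall-cmd --list-rich-rules | grep -Fw -- 1.2.3.4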

Check ban times are correct

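# Print each value with its jail and setting name: a bare `get` prints only
# the number, so four in a row cannot be told apart.
for jail in nginx-404 nginx-botsearch recidive; do
  printf '%s bantime: ' "$jail"
  fail2ban-client get "$jail" bantime
done
printf 'recidive findtime: '
fail2ban-client get recidive findtime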

Live monitoring

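# Watch fail2ban log in real time.
# -F instead of -f: if the log is rotated, -F re-opens the new file by name,
# whereas -f keeps following the rotated (now idle) one.
tail -F /var/log/fail2ban.log

# Current banned IPs and ban counters, labelled per jail so the output of
# the three jails is not interleaved anonymously
for jail in nginx-404 nginx-botsearch recidive; do
  printf -- '--- %s ---\n' "$jail"
  fail2ban-client status "$jail" | grep -E 'Banned IP|Total banned'
done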

Check firewalld rules

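# All current rich rules (fail2ban's entries appear here together with any
# rich rules added by other tools)
firewall-cmd --list-rich-rules

# Count active rules.
# NOTE: this counts every rich rule, not only fail2ban's, so it over-reports
# bans if anything else on the host adds rich rules.
firewall-cmd --list-rich-rules | wc -l

# Check a specific IP is blocked.
# -F: literal match; unescaped, each '.' is a regex wildcard and 1.2.3.4
#     would also match 1x2x3x4.
# -w: whole-word match, so 1.2.3.45 or 11.2.3.4 do not match.
firewall-cmd --list-rich-rules | grep -Fw -- 1.2.3.4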

Recidive-specific checks

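# Recidive watches fail2ban.log for repeat offenders
# Ban pattern: banned 3+ times in 24 hours = 1 week ban
# Test by checking known repeat offender
fail2ban-client status recidive

# Recidive restores bans after restart - no email on restore
# Only emails on NEW bans
# To force a new ban notification, unban and then re-ban the same address.
# The address is held in one variable so the two commands cannot drift apart
# (a typo in the second line would leave the first address unbanned and ban
# a different one). The address is unblocked between the two commands.
ip=216.244.66.243
fail2ban-client set recidive unbanip "$ip"
fail2ban-client set recidive banip "$ip"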

Regex testing

# Run each filter against the real log it watches; tail keeps only the
# closing lines of fail2ban-regex's output (the match summary)
filter_dir=/etc/fail2ban/filter.d
fail2ban-regex /var/log/nginx/access.log "$filter_dir/nginx-404.conf" | tail -5
fail2ban-regex /var/log/fail2ban.log "$filter_dir/recidive.conf" | tail -5

Troubleshooting

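# fail2ban not banning despite log entries
# → Check filter regex matches log format
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-404.conf

# Bans not blocking traffic
# → Check banaction is firewallcmd not iptables.
#   jail.conf alone is not the effective setting: jail.local and jail.d/*.local
#   override it, so grep every source (-r recurses into jail.d, -s silences
#   "No such file" for locations that do not exist on this host).
grep -rs banaction /etc/fail2ban/jail.conf /etc/fail2ban/jail.local /etc/fail2ban/jail.d
# → Ask the running daemon which actions the jail actually loaded
fail2ban-client get nginx-404 actions
# → Verify firewalld rules being created
firewall-cmd --list-rich-rules

# No emails from recidive
# → Recidive restores bans silently on restart
# → Only new bans trigger email
# → Test with manual banip

# jail.local overrides not working
# → Edit jail.conf directly, copy to webstack
#   NOTE: jail.conf's own header says a distribution update may overwrite it,
#   so the webstack copy is the record to restore from after an upgrade.

# Time suffixes (1w, 1d) supported from fail2ban 0.11+
# → Verify:
fail2ban-client version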

Status check script

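#!/bin/bash
# /etc/webstack/scripts/fail2ban-status.sh
# Summarise fail2ban jail state and the firewalld rich rules on this host.
# Read-only: only status/list commands are run.
# No `set -e`: a jail with no matching status lines makes grep exit 1, and
# that must not abort the rest of the report.
jails=(nginx-404 nginx-botsearch recidive)

printf '=== Fail2ban Status ===\n'
fail2ban-client status

printf '\n=== Active Bans ===\n'
for jail in "${jails[@]}"; do
  printf -- '--- %s ---\n' "$jail"
  fail2ban-client status "$jail" | grep -E 'Currently banned|Total banned|Banned IP'
done

printf '\n=== Firewalld Rules ===\n'
# Counts every rich rule, not only fail2ban's; rules added by other tools
# inflate this number.
printf 'Total rules: %s\n' "$(firewall-cmd --list-rich-rules | wc -l)"
firewall-cmd --list-rich-rules | tail -5
printf '(showing last 5)\n'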

Developed with [Claude AI](https://claude.ai) assistance - Anthropic - May 2026