fail2ban — alert on a ban spike (attack in progress)
A sudden spike in fail2ban bans usually means a credential-stuffing or enumeration campaign is under way. I want to know within the first 5 minutes, not the morning after.
Recipe
#!/usr/bin/env bash
# /etc/cron.d/fail2ban-spike
# */5 * * * * root /opt/fail2ban-spike.sh
LOG=${LOG:-/var/log/fail2ban.log}
WINDOW=300                                   # last 5 min
THRESH=${THRESH:-20}                         # alert above 20 bans / window
HEARTBEAT_URL=${HEARTBEAT_URL:?set to your heartbeat URL}   # placeholder: must be set in the environment
SINCE=$(date -d "-${WINDOW} seconds" '+%Y-%m-%d %H:%M:%S')
# Compare only the 19-char timestamp prefix of each line, and match "] Ban " so the
# "Restore Ban" lines fail2ban replays on restart do not show up as a spike.
COUNT=$(awk -v since="$SINCE" '
  substr($0, 1, 19) >= since && /\] Ban / { c++ }
  END { print c+0 }
' "$LOG")
if [ "$COUNT" -gt "$THRESH" ]; then
  curl -fsS "$HEARTBEAT_URL" --data "bans=$COUNT,window=${WINDOW}s"
  exit 2
fi
echo "OK ($COUNT bans / 5m)"
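Added example, not part of the recipe above: the same window count broken down per jail, ignoring "Restore Ban" (replayed on fail2ban restart) and "Unban" lines, so a spike is attributable to sshd vs. postfix rather than a single anonymous number. It assumes the default fail2ban log line format and runs against a constructed sample log.

```bash
#!/usr/bin/env bash
# Added example (not the page's recipe). Assumes the default fail2ban log format:
#   2024-05-01 10:02:13,005 fail2ban.actions [931]: NOTICE  [sshd] Ban 203.0.113.9

# ban_counts LOGFILE SINCE  (SINCE as 'YYYY-MM-DD HH:MM:SS', e.g. from date -d)
# Prints one "jail count" line per jail, then "TOTAL n".
ban_counts() {
  awk -v since="$2" '
    # compare only the 19-char timestamp prefix; "] Ban " skips Restore Ban and Unban
    substr($0, 1, 19) >= since && /\] Ban / {
      jail = $0; sub(/.*\[/, "", jail); sub(/\].*/, "", jail)
      n[jail]++; total++
    }
    END {
      for (j in n) printf "%s %d\n", j, n[j]
      printf "TOTAL %d\n", total + 0
    }' "$1"
}

# spike_check LOGFILE SINCE THRESH: prints the report, returns 2 when TOTAL > THRESH
spike_check() {
  report=$(ban_counts "$1" "$2")
  total=$(printf '%s\n' "$report" | awk '$1 == "TOTAL" { print $2 }')
  printf '%s\n' "$report"
  [ "$total" -gt "$3" ] && return 2
  return 0
}

# Constructed sample log (made-up addresses from documentation ranges).
SAMPLE=$(mktemp) && trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
2024-05-01 09:55:10,002 fail2ban.actions [931]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 09:58:00,003 fail2ban.actions [931]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 10:00:30,004 fail2ban.actions [931]: NOTICE  [sshd] Restore Ban 198.51.100.9
2024-05-01 10:01:02,005 fail2ban.actions [931]: NOTICE  [sshd] Ban 203.0.113.8
2024-05-01 10:02:13,006 fail2ban.actions [931]: NOTICE  [sshd] Ban 203.0.113.9
2024-05-01 10:03:44,007 fail2ban.actions [931]: NOTICE  [postfix-sasl] Ban 198.51.100.21
EOF

# Window from 10:00:00 with threshold 2: sshd 2 + postfix-sasl 1 = 3 bans, so status 2
spike_check "$SAMPLE" "2024-05-01 10:00:00" 2 || echo "spike: exit status $?"
```

In the cron script, pass `"$SINCE"` from `date -d` as the second argument and feed the TOTAL line to the heartbeat as the recipe does.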
Same thing in Enterno.io
Wire it to an Enterno heartbeat — 30-day retention of ban-rate so you can spot 'yesterday it was 50/h, today it is 500' without standing up ELK.
Related recipes
Apache starts returning 502/503 from one backend but not all. Want an endpoint with the 5xx ratio over the last 60 s.
Site is on the HSTS preload list, but after an nginx refactor the header is gone. In 3 months the domain will be removed from the preload list. Need a daily check.
A name-server misconfig leaks AXFR to the internet — every subdomain, MX, TXT (including SPF/DKIM keys) is visible to attackers. Daily check with alert.