Files
Anthropic-Cybersecurity-Skills/skills/detecting-port-scanning-with-fail2ban/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.0 KiB

Fail2ban Port Scan Detection API Reference

fail2ban-client CLI

# Service status
fail2ban-client status

# Jail status
fail2ban-client status sshd

# Ban IP manually
fail2ban-client set sshd banip 192.168.1.100

# Unban IP
fail2ban-client set sshd unbanip 192.168.1.100

# Reload configuration
fail2ban-client reload

# Get ban time for jail
fail2ban-client get sshd bantime

# Set ban time
fail2ban-client set sshd bantime 7200

Jail Configuration (/etc/fail2ban/jail.local)

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
banaction = iptables-multiport

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

[portscan]
enabled = true
filter = portscan
logpath = /var/log/syslog
maxretry = 3
findtime = 300
bantime = 86400
action = iptables-allports[name=portscan]

Custom Filter (/etc/fail2ban/filter.d/portscan.conf)

[Definition]
failregex = UFW BLOCK .* SRC=<HOST>
            iptables .* SRC=<HOST> .* DPT=
ignoreregex =

Ban Actions

Action Description
iptables-multiport Ban specific ports via iptables
iptables-allports Ban all ports via iptables
nftables-multiport Ban via nftables
firewallcmd-rich-rules Ban via firewalld
sendmail-whois Email notification with WHOIS
abuseipdb Report to AbuseIPDB

Log Parsing Patterns

# Fail2ban log - count bans per IP
grep "Ban " /var/log/fail2ban.log | grep -oP '\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -rn

# Auth.log - failed SSH logins
grep "Failed password" /var/log/auth.log | grep -oP 'from \K\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -rn

# Syslog - blocked connections (UFW)
grep "UFW BLOCK" /var/log/syslog | grep -oP 'SRC=\K\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -rn

Escalating Ban Times (recidive jail)

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
bantime = 604800   # 1 week for repeat offenders
findtime = 86400
maxretry = 3