Which IP got banned most?

awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
      1 125.163.71.XXX
      1 37.75.213.XXX
      1 80.199.0.XXX
      2 151.236.200.XXX
      2 190.85.234.XXX
      4 188.75.155.XXX
      4 190.223.32.XXX
      4 200.105.154.XXX
      6 191.209.9.XXX
     11 78.250.49.XXX
     34 176.223.165.XXX
    133 104.236.146.XXX
    174 103.72.162.XXX
    184 54.37.196.XXX

Which subnets (grouped by the first two octets) got banned most?

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail

# these subnets got banned most (higher number = more bans)
17 200.105.
21 210.92.
23 27.255.
34 176.223.
93 45.125.
140 104.236.
175 103.72.
184 54.37.
226 200.111.
1190 181.214.

# e.g. this is an IP from Malaysia that exceeded the fail2ban rules for exim a lot
whois 103.72.162.186
# show the IPs of the most banned subnet 181.214. (-F matches the dots literally instead of as regex wildcards)
grep -r -F --color=auto "181.214." /var/log/fail2ban*

… I whoised 3 and all were in fail2ban jail for exim-iptables, all were US-located and attempts to use this server for spam?

address: 60007 – Chicago – IL
country: US
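
The subnet count above can be broken down by jail, so it is visible at once which service (e.g. exim-iptables) a prefix was hitting. This is an added example, not part of the original post: the function names `ban_summary` and `sample_log` are made up here, the log lines are constructed, and it assumes the jail name is the bracketed field directly before `Ban`. It also skips the `Restore Ban` lines that newer fail2ban versions write when bans are re-applied after a restart, which a plain grep for "Ban " would count again.

```shell
#!/bin/sh
# Added example (not from the original post): bans per jail and /16 prefix.

# Reads fail2ban log lines on stdin, prints "<count> <jail> <a.b.>", highest count first.
ban_summary() {
    awk '
    # The second-to-last field must be exactly "Ban". "Restore Ban" lines only
    # re-apply existing bans after a restart and would inflate the totals.
    NF >= 3 && $(NF-1) == "Ban" && $(NF-2) != "Restore" {
        jail = $(NF-2)                       # e.g. [exim-iptables]
        gsub(/\[|\]/, "", jail)              # strip the square brackets
        if (split($NF, o, ".") != 4) next    # skip IPv6 or malformed addresses
        count[jail " " o[1] "." o[2] "."]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (documentation address ranges, made-up timestamps).
sample_log() {
    cat <<'EOF'
2024-03-01 10:00:01,100 fail2ban.filter  [811]: INFO    [exim-iptables] Found 198.51.100.7 - 2024-03-01 10:00:01
2024-03-01 10:00:02,200 fail2ban.actions [811]: NOTICE  [exim-iptables] Ban 198.51.100.7
2024-03-01 10:05:10,300 fail2ban.actions [811]: NOTICE  [exim-iptables] Ban 198.51.100.22
2024-03-01 10:06:00,400 fail2ban.actions [811]: NOTICE  [sshd] Ban 203.0.113.9
2024-03-01 10:10:02,500 fail2ban.actions [811]: NOTICE  [exim-iptables] Unban 198.51.100.7
2024-03-01 11:00:00,600 fail2ban.actions [902]: NOTICE  [exim-iptables] Restore Ban 198.51.100.22
2024-03-01 11:30:00,700 fail2ban.actions [902]: NOTICE  [exim-iptables] Ban 198.51.100.7
2024-03-01 11:31:00,800 fail2ban.actions [902]: NOTICE  [sshd] Ban 2001:db8::1
EOF
}

# Demo run on the constructed lines.
sample_log | ban_summary
```

On a real host, feed it the current and rotated logs with `zcat -f /var/log/fail2ban.log* | ban_summary`; `zcat -f` passes uncompressed files through unchanged.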

Links:

https://www.the-art-of-web.com/system/fail2ban-log/

admin