318

I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly.

I know I can work with IPTables directly: iptables -D fail2ban-ssh <number>

But is there not a way to do it with the fail2ban-client?

In the manuals it states something like: fail2ban-client get ssh actionunban <IP>. But that doesn't work.

Also, I don't want to /etc/init.d/fail2ban restart as that would lose all the bans in the list.

psp
  • 3,453
  • 3
  • 18
  • 14

17 Answers

449

First, find the right jail to unban for. Use:

fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'

to get the actual jail names. Then, use this to find the iptables rule name:

iptables -L -n

The rule name and jail name may not be the same but it should be clear which one is related to which.

Then, with Fail2Ban v0.8.8 and later:

fail2ban-client set <jail-name> unbanip <ip-address>

Where <jail-name> is the jail name, and <ip-address> is the IP address to unban.

With Fail2Ban before v0.8.8, the syntax is different:

fail2ban-client get <jail-name> actionunban <ip-address>
slhck
  • 341
ukoda
  • 4,530
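
Added example, not part of the answer above: its first step (list the jails, then see which one holds the address) done by comparing whole entries of the "Banned IP list" line, so that 1.2.3.4 does not match 11.2.3.45. The function names, the F2B override and the fake_f2b stand-in with its sample output are assumptions made for this example.

```shell
#!/bin/sh
# list_jails: read `fail2ban-client status` text on stdin, print one jail per line.
list_jails() {
    awk -F'Jail list:' 'NF > 1 {
        gsub(/[ \t]/, "", $2)
        n = split($2, j, ",")
        for (i = 1; i <= n; i++) if (j[i] != "") print j[i]
    }'
}

# jail_has_ip IP: read `fail2ban-client status <jail>` text on stdin; succeed
# only when IP is a complete entry of the "Banned IP list:" line.
jail_has_ip() {
    awk -v ip="$1" '
        /Banned IP list:/ {
            sub(/.*Banned IP list:[ \t]*/, "")
            n = split($0, a, /[ \t]+/)
            for (i = 1; i <= n; i++) if (a[i] == ip) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# jails_holding IP: ask every jail through $F2B (hypothetical override,
# defaults to the real fail2ban-client) and print the jails that list IP.
jails_holding() {
    ${F2B:-fail2ban-client} status </dev/null | list_jails | while read -r jail; do
        if ${F2B:-fail2ban-client} status "$jail" </dev/null | jail_has_ip "$1"; then
            echo "$jail"
        fi
    done
}

# Constructed stand-in for fail2ban-client so the example runs offline.
fake_f2b() {
    case "$*" in
        status)            echo '`- Jail list:   sshd, recidive' ;;
        'status sshd')     echo '   `- Banned IP list:   11.2.3.45 203.0.113.7' ;;
        'status recidive') echo '   `- Banned IP list:   1.2.3.4 11.2.3.45' ;;
    esac
}

# A plain grep for 1.2.3.4 would also hit sshd (via 11.2.3.45).
F2B=fake_f2b jails_holding 1.2.3.4
```
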
104

Since v0.8.8 there is the unbanip option (actionunban isn't for this purpose). It can be triggered by the set command; if you look at the list of options, you will see the syntax is. So it will be (by heart, please check):

fail2ban-client set ssh-iptables unbanip IPADDRESSHERE 

more generic:

fail2ban-client set JAILNAMEHERE unbanip IPADDRESSHERE

works for me

user157436
  • 1,041
101

Example for SSH in interactive mode.

type in bash:

fail2ban-client -i

then, in interactive mode, read the status of a jail:

status sshd

you'll get:

Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:   203.113.167.162

then type in fail2ban interactive mode:

set sshd unbanip 203.113.167.162

you'll get:

203.113.167.162

It means 203.113.167.162 is no longer in the ban list.

Paebbels
  • 145
Amaroc
  • 1,111
21

The answer of ukoda is wrong:

Call fail2ban-client without parameters and you see a list of possible commands:

get JAIL actionunban ACT             

This gets the unban command for the action ACT for JAIL.

Look into the action parameter of the jail you defined; you probably have an iptables action and maybe some more like sendmail, whois or whatever. So in case your action was iptables it will look like this:

fail2ban-client get JAIL actionunban iptables

and the answer will be:

iptables -D fail2ban-NAME -s IP -j DROP

It will only show you what you would have to write for an unban. There is no unban command itself.

sebix
  • 4,432
ingo
  • 211
15

If you are running version v0.10.2:

sudo fail2ban-client unban YOUR_IP_ADDRESS

This is from help:

unban <IP> ... <IP> unbans <IP> (in all jails and database)

Confirmed to work in my case when I most likely got banned due to ssh client logging in repeatedly with wrong password.

kashiraja
  • 271
10

If 192.168.2.1 is banned

sudo iptables -L

Check which Chain it's banned in e.g.

Chain fail2ban-sasl (1 references)

DROP all -- 192.168.2.1 anywhere

Then:

# to view the proper command for un-banning
sudo fail2ban-client get sasl actionunban
# actual command
iptables -D fail2ban-sasl -s 192.168.2.1 -j DROP
4

You first need to get the name of the jail. You can get the list (in most cases it will be only ssh jail):

fail2ban-client status

After getting the jail name you can check which IPs are being ignored.

fail2ban-client get ssh ignoreip

If your IP is in ignore list, you can delete it via:

fail2ban-client set ssh delignoreip your_ip_address
vi /etc/hosts.deny

Remove your host entry:

fail2ban-client reload
techraf
  • 4,403
3

Using fail2ban v.0.8.6:

$ sudo fail2ban-client status # to reveal your JAIL name (mine is ssh)
$ sudo fail2ban-client set ssh delignoreip your_ip_address
$ sudo nano /etc/hosts.deny # delete your ip address
$ sudo fail2ban-client reload
take
  • 39
2

From version 0.8.8 this could be a handy script for you - could easily be tweaked to unban from all jails.

I just call it "getf2bstatus.sh"

Example usage ./getf2bstatus.sh 1.2.3.4

#!/bin/bash
# Usage: ./getf2bstatus.sh <ip-address>
echo "Jails where $1 is locked up:"
# Jail names from the "Jail list:" line, commas removed
JAILS=$(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
for JAIL in $JAILS
do
  # The jail name is the 5th word of "Status for the jail: <name>";
  # -F -w matches the address literally and only as a whole entry
  currentjail=$(fail2ban-client status "$JAIL" | grep -B 8 -Fw -- "$1" | grep Status | awk '{printf "%s", $5}')
  if [[ ${#currentjail} -gt 0 ]] ; then
        echo "$currentjail"
  fi
done
echo
echo "To unban $1 use the following commands:"
for JAIL in $JAILS
do
  currentjail=$(fail2ban-client status "$JAIL" | grep -B 8 -Fw -- "$1" | grep Status | awk '{printf "%s", $5}')
  if [[ ${#currentjail} -gt 0 ]] ; then
        echo "fail2ban-client set $currentjail unbanip $1"
  fi
done

Output?

Jails where 1.2.3.4 is locked up:
ssh

To unban 1.2.3.4 use the following commands:
fail2ban-client set ssh unbanip 1.2.3.4

mack
  • 21
2

Simplest possible way for all jails is like this:

fail2ban-client unban 10.20.30.40

It will return an integer:

0 = ip was not banned (no action was performed)
1 = ip was cleared from the ban list (if ip was in more than 1 jail this number will increase)

A good idea is to add the IP to the ignore list (no restart required) so that you will not run into this problem again:

fail2ban-client set JAILNAME addignoreip 10.20.30.40

When done working on this ip:

fail2ban-client set JAILNAME delignoreip 10.20.30.40
stawiu
  • 39
2

Unfortunately, with version 0.8.2 of fail2ban-client the command:

fail2ban-client get jail actionunban ipaddress

does not run. To solve the problem, the best choice is to upgrade fail2ban to the latest version and use the new option:

unbanip
Pol Hallen
  • 1,145
2
fail2ban-client set sshd unbanip ip_here

would work.

1

You can use my simple script :D

echo "Display all service"
#Edit and Add/Del your service
sudo fail2ban-client status phpmyadmin-syslog
sudo fail2ban-client status apache-fakegooglebot
sudo fail2ban-client status apache-noscript
sudo fail2ban-client status apache-overflows
sudo fail2ban-client status apache-auth
sudo fail2ban-client status  apache-badbots
sudo fail2ban-client status  mysqld-auth
sudo fail2ban-client status  proftpd
sudo fail2ban-client status  sshd
echo "Choose service to unban"
# -r keeps backslashes literal; quoting stops word splitting of the typed input
read -r service
echo "Status of Service"
sudo fail2ban-client status "$service"
echo "Enter ip to be unban"
read -r ip
sudo fail2ban-client set "$service" unbanip "$ip"
echo "Status of service after unban"
sudo fail2ban-client status "$service"

Save and enter 'sh yourfilename.sh'

Optionally, if you want to receive the result by mail, you can use this :)

#Empty file log
echo "" > /home/pi/Scripts/log/ban.log
#Add Date to log
date >> /home/pi/Scripts/log/ban.log

#Add status service on log
sudo fail2ban-client status phpmyadmin-syslog >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-fakegooglebot >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-noscript >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-overflows >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-auth >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  apache-badbots >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  mysqld-auth >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  proftpd >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  sshd >> /home/pi/Scripts/log/ban.log

#Send mail 
mutt -b "yourname@gmail.com" -s "Sujet: Log Fail2Ban" < /home/pi/Scripts/log/ban.log


Billou
  • 11
  • 2
1

If you don't care about removing the ban from a specific jail, the current incarnation of Fail2Ban allows a very simple command:

fail2ban-client unban IPADDRESS

This will remove the IP from all jails. Super easy!

kittonian
  • 111
1

I find the fail by doing grep 10.20.30.40 /var/log/fail2ban.log

which gives an output like

2021-08-23 10:09:17,394 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:17
2021-08-23 10:09:17,395 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:17
2021-08-23 10:09:20,936 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:20
2021-08-23 10:09:20,940 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:20
2021-08-23 10:09:22,654 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:22,655 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:22,917 fail2ban.actions        [581]: NOTICE  [ssh] Ban 10.20.30.40
2021-08-23 10:09:23,085 fail2ban.filter         [581]: INFO    [recidive] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:23,384 fail2ban.actions        [581]: NOTICE  [sshd] Ban 10.20.30.40
2021-08-23 10:09:24,084 fail2ban.actions        [581]: NOTICE  [recidive] Ban 10.20.30.40
2021-08-23 10:09:24,099 fail2ban.filter         [581]: INFO    [recidive] Found 10.20.30.40 - 2021-08-23 10:09:23

From this I can see that I have to unban the IP from three jails:
fail2ban-client set sshd unbanip 10.20.30.40
fail2ban-client set ssh unbanip 10.20.30.40
fail2ban-client set recidive unbanip 10.20.30.40

JoSSte
  • 119
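
Added example, not part of the answer above: the same log lookup done by replaying Ban and Unban events, so that a jail whose ban was already lifted is not listed and 10.20.30.4 is not confused with 10.20.30.40. The function names and the sample log are constructed for this example; it assumes the line layout shown in the excerpt above, plus the "Restore Ban" lines that Fail2Ban 0.10 and later write after a restart.

```shell
#!/bin/sh
# Only the log text passed on stdin is considered, so rotated logs have to be
# concatenated in by the caller.

# active_jails IP: print (sorted) every jail whose latest action for IP is a ban.
active_jails() {
    awk -v ip="$1" '
        # Action lines end in "[jail] Ban IP", "[jail] Restore Ban IP" or
        # "[jail] Unban IP". Comparing the last field as a whole string keeps
        # 10.20.30.4 from matching 10.20.30.40.
        $3 ~ /^fail2ban\.actions/ && $NF == ip &&
        ($(NF-1) == "Ban" || $(NF-1) == "Unban") {
            jail = ($(NF-2) == "Restore") ? $(NF-3) : $(NF-2)
            gsub(/^\[|\]$/, "", jail)
            state[jail] = $(NF-1)
        }
        END { for (j in state) if (state[j] == "Ban") print j }
    ' | sort
}

# unban_plan IP: turn the result into the per-jail commands used on this page.
unban_plan() {
    active_jails "$1" | while read -r jail; do
        printf 'fail2ban-client set %s unbanip %s\n' "$jail" "$1"
    done
}

# Constructed sample log: the layout of the excerpt above, with an Unban for
# the ssh jail and a ban of a different, similar-looking address added.
sample_log() {
    cat <<'EOF'
2021-08-23 10:09:22,917 fail2ban.actions        [581]: NOTICE  [ssh] Ban 10.20.30.40
2021-08-23 10:09:23,085 fail2ban.filter         [581]: INFO    [recidive] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:23,384 fail2ban.actions        [581]: NOTICE  [sshd] Ban 10.20.30.40
2021-08-23 10:09:24,084 fail2ban.actions        [581]: NOTICE  [recidive] Ban 10.20.30.40
2021-08-23 10:19:22,917 fail2ban.actions        [581]: NOTICE  [ssh] Unban 10.20.30.40
2021-08-23 10:20:01,002 fail2ban.actions        [581]: NOTICE  [postfix] Ban 10.20.30.4
EOF
}

sample_log | unban_plan 10.20.30.40
```

On a real host the input would be the log itself, for example `unban_plan 10.20.30.40 < /var/log/fail2ban.log`.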
1

If an IP is in multiple jails this becomes a pain.

One-liner to remove 192.168.1.2 from all jails:

 for jail in $(fail2ban-client status | grep 'Jail list:' | sed 's/.*Jail list://' | sed 's/,//g'); do fail2ban-client set $jail unbanip 192.168.1.2; done

a script to do the same https://gist.github.com/yolabingo/c810db6fe7f8bfcb9eb4f6ffc531e474

0

If you wish to find the IP first, you can do sudo fail2ban-client banned. This will show you the list of jails as well as the IPs inside them. Then you can either do sudo fail2ban-client unban <IP> or sudo fail2ban-client set <JAIL> unbanip <IP>.

NegassaB
  • 101