How to Unban an IP properly with Fail2Ban

Question

I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly.

I know I can work with IPTables directly: iptables -D fail2ban-ssh <number>

But is there not a way to do it with the fail2ban-client?

In the manuals it states something like: fail2ban-client get ssh actionunban <IP>. But that doesn't work.

Also, I don't want to /etc/init.d/fail2ban restart as that would lose all the bans in the list.

I accidentally locked myself out when I was trying to log into my Linode VPS, so now I have to stop Fail2Ban via the web console to log in with PuTTY. I hope the ban is not permanent as I want to continue logging in without having to disable fail2ban. — HeavenlyHarmony, Aug 21 '20 at 12:28
@HeavenlyHarmony one way you can avoid this in the future is to configure your jail to include your IP address in the `ignoreips` value. I've added my two VPN exit points as well as the SPF ranges for Google's network, since the box running fail2ban is a GCP Compute instance. Adding your IP address to that `ignoreips` attribute will allow you to run any nefarious command without banning yourself. — ingernet, Dec 21 '20 at 19:26
Note that this question is very old now, and it was using a pre-Systemd system. — Valerio Bozzolan, Mar 10 '22 at 12:14

score 407 · Accepted Answer · edited Apr 06 '21 at 15:58

407

With Fail2Ban before v0.8.8:

fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE

With Fail2Ban v0.8.8 and later:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule name...
...then use fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g' to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.

edited Apr 06 '21 at 15:58

Akhil

105
5

answered Nov 29 '11 at 21:59

ukoda

4,110
1
14
3

2

If you have the following error `'Invalid Action name'`, read [this answer](http://serverfault.com/a/475117/125960) – Morgan Courbet Aug 28 '14 at 08:04
43

With recent versions of `fail2ban` you should be using `fail2ban-client set JAIL_NAME unbanip 1.2.3.4`. – tftd Jan 29 '15 at 17:45
1

What is the default jail name? `/etc/fail2ban/jail.conf` doesn't work for me. – Alex W Jan 25 '16 at 14:33
4

You can find jail name in fail2ban log if you look for your IP – fred727 Sep 08 '16 at 18:54
8

sshd was the jail name for me. – agustaf Oct 09 '16 at 06:00
1

One tip: If you see chains called `fail2ban-xyz`, your jail name is `xyz`. Therefore, the command to run is `fail2ban-client set xyz unbanip `. (Tested this on Debian 8.6) – Ismael Miguel Feb 03 '17 at 16:14
Can't we just edit a file and remove a line somewhere (+ a reload)? It would be more easy this way (at least for me). – Overmind Mar 16 '17 at 08:22
Use `sudo iptables -L -n | less` to avoid long DNS lookups.. and get a quick scroll-able/searchable list. – B. Shea Oct 31 '17 at 17:36
1

Usefull command for displaying all bans `sudo fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("sudo fail2ban-client status " a[i])}' | grep "Status\|IP list"` from [this answer](https://askubuntu.com/a/893108/423684) .. slightly modified it (added two `sudo`s) for a normal user using sudo. – derHugo Nov 06 '17 at 12:16
Centos 7. `cat /var/log/fail2ban.log | grep IP#` there you have Jail Name. f2b 0.9+ – dstonek Jan 12 '20 at 21:57
In the latest versions of fail2ban you do not need the jail name: `fail2ban-client unban
` works
– Rory Dec 29 '20 at 18:42
You can also use `sudo fail2ban-client unban ` to unban from all jails – ReaperSoon Jun 18 '21 at 07:15

score 94 · Answer 2 · edited Jan 14 '16 at 15:12

94

Since v0.8.8 there is the unbanip option (actionunban isn't for this purpose) It can be triggered by the set command, if you look at the list of options, you will see the syntax is. So it will be (by heart, please check):

fail2ban-client set ssh-iptables unbanip IPADDRESSHERE

more generic:

fail2ban-client set JAILNAMEHERE unbanip IPADDRESSHERE

works for me

edited Jan 14 '16 at 15:12

StackzOfZtuff

1,754
12
21

answered Feb 04 '13 at 08:25

user157436

941
1
6
2

3

The unbanip command was added in version 0.8.8. The best solution if you are running 0.8.8 or later. – Alexander Garden Apr 11 '14 at 16:19
1

The issue related to this in fail2ban tracker is this: https://github.com/fail2ban/fail2ban/issues/132 – aseques Apr 22 '14 at 15:50
this is the correct answer for current versions. thank you! – Eaten by a Grue Jul 06 '14 at 02:27
getting "Invalid command (no set action or not yet implemented)" – Tom Feb 01 '16 at 02:30
you need to state the correct jailname (for example sshd or sshd-dos, see your fail2ban log) – mirage Feb 13 '17 at 05:53

score 83 · Answer 3 · edited May 01 '18 at 16:02

83

Example for SSH in interactive mode.

type in bash:

fail2ban-client -i

then in interactive mode type read the status of a jail:

status sshd

you'll get:

Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:   203.113.167.162

then type in fail2ban interactive mode:

set sshd unbanip 203.113.167.162

you'll get:

203.113.167.162

it means no longer 203.113.167.162 in ban list.

edited May 01 '18 at 16:02

Paebbels

135
2
9

answered Feb 28 '16 at 13:55

Amaroc

931
6
4

3

For me the jail name was `sshd` (Ubuntu 16) – scipilot Nov 16 '17 at 02:55
On mine, it says total banned: 6, but the list under banned ip is just empty :( have to trail through logs – William Hilsum Jan 09 '18 at 14:09
The answer is not coherent with the provided example. The `set sshd` can't work if the jail is called `ssh` without trailing `d` AFAIK. – Valerio Bozzolan Mar 10 '22 at 12:13
Perfect! After 2 hours of searching and head-bashing, finally an answer that works! Thanks a lot – Imtiaz Aug 24 '22 at 20:06

score 21 · Answer 4 · edited Jun 07 '15 at 11:06

The answer of ukoda is wrong:

Call fail2ban-client without parameters and you see a list of possible commands:

get JAIL actionunban ACT

This gets the unban command for the action ACT for JAIL.

Look into the action parameter of the jail you defined, you probably have an iptables action and maybe some more like sendmail, whois or whatever. so in case your action was iptables it will look like this:

fail2ban-client get JAIL actionunban iptables

and the answer will be:

iptables -D fail2ban-NAME -s IP -j DROP

It will only show you what you would have to write for an unban. There is no unban command itself.

Yeah, that worked for me, to unban from SSH jail `iptables -D fail2ban-ssh -s -j DROP`. Thanks ingo! — Deele, Mar 15 '13 at 12:02

score 10 · Answer 5 · edited Jun 11 '20 at 10:02

10

If 192.168.2.1 is banned

sudo iptables -L

Check which Chain it's banned in e.g.

Chain fail2ban-sasl (1 references)

DROP all -- 192.168.2.1 anywhere

Then:

# to view the proper command for un-banning
sudo fail2ban-client get sasl actionunban
# actual command
iptables -D fail2ban-sasl -s 192.168.2.1 -j DROP

edited Jun 11 '20 at 10:02

Community

1

answered Jan 24 '14 at 14:04

Lionel Broes

101
1
2

score 5 · Answer 6 · edited Oct 05 '20 at 08:03

5

If you are running version v0.10.2:

sudo fail2ban-client unban YOUR_IP_ADDRESS

This is from help:

unban <IP> ... <IP> unbans <IP> (in all jails and database)

Confirmed to work in my case when I most likely got banned due to ssh client logging in repeatedly with wrong password.

edited Oct 05 '20 at 08:03

Saaru Lindestøkke

115
4

answered May 16 '19 at 06:10

kashiraja

171
1
5

This is the most up-to-date answer – momeunier Feb 22 '21 at 13:23

score 4 · Answer 7 · edited May 29 '16 at 07:58

4

You first need to get the name of the jail. You can get the list (in most cases it will be only ssh jail):

fail2ban-client status

After getting the jail name you can check which IPs are being ignored.

fail2ban-client get ssh ignoreip

If your IP is in ignore list, you can delete it via:

fail2ban-client set ssh delignoreip your_ip_address
vi /etc/hosts.deny

Remove your host entry:

fail2ban-client reload

edited May 29 '16 at 07:58

techraf

4,163
8
27
44

answered Sep 09 '15 at 11:20

zainengineer

148
1
3

2

The ignore list is a list of IPs to never ban. That's totally unrelated to the list of currently banned IPs, which is the list that OP wants to remove an IP from. – jlh Nov 24 '15 at 18:10

score 3 · Answer 8 · edited Sep 30 '14 at 13:12

3

Using fail2ban v.0.8.6:

$ sudo fail2ban-client status # to reveal your JAIL name (mine is ssh)
$ sudo fail2ban-client set ssh delignoreip your_ip_address
$ sudo nano /etc/hosts.deny # delete your ip address
$ sudo fail2ban-client reload

edited Sep 30 '14 at 13:12

Pierre-Yves Gillier

726
6
15

answered Sep 30 '14 at 12:18

take

39
1

This assumes that hosts.deny was the action used.... But it is still more useful than things that try to change the method of unbanning IPs on the older versions by using `actionunban`... – Gert van den Berg Jul 17 '18 at 10:28
The `delignoreip` action is **not** removing an IP from a ban, it is removing an IP from the list of ignored IP (i.e. IP that will never get banned). – Læti Apr 02 '19 at 11:49

score 2 · Answer 9 · answered Jun 21 '14 at 18:35

2

unfortunately with version 0.8.2 of fail2ban-client the command:

fail2ban-client get jail actionunban ipaddress

does not run. To solve the problem, best choice is upgrade fail2ban to latest version and use new option:

unbanip

answered Jun 21 '14 at 18:35

Pol Hallen

1,055
2
13
22

score 2 · Answer 10 · answered Jan 05 '19 at 13:08

2

fail2ban-client set sshd unbanip ip_here

would work.

answered Jan 05 '19 at 13:08

abhijithvijayan

121
2

Billou · Answer 11 · 2020-05-20T14:49:40.597

You can use my simply script :D

echo "Display all service"
#Edit and Add/Del your service
sudo fail2ban-client status phpmyadmin-syslog
sudo fail2ban-client status apache-fakegooglebot
sudo fail2ban-client status apache-noscript
sudo fail2ban-client status apache-overflows
sudo fail2ban-client status apache-auth
sudo fail2ban-client status  apache-badbots
sudo fail2ban-client status  mysqld-auth
sudo fail2ban-client status  proftpd
sudo fail2ban-client status  sshd
echo "Choose service to unban"
read service
echo "Status of Service"
sudo fail2ban-client status $service
echo "Enter ip to be unban"
read ip
sudo fail2ban-client set $service unbanip $ip
echo "Status of service after unban"
sudo fail2ban-client status $service

Save and enter 'sh yourfilename.sh'

Optional, if you want received resultat by mail you can use this :)

#Empty file log
echo "" > /home/pi/Scripts/log/ban.log
#Add Date to log
date >> /home/pi/Scripts/log/ban.log

#Add status service on log
sudo fail2ban-client status phpmyadmin-syslog >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-fakegooglebot >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-noscript >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-overflows >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-auth >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  apache-badbots >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  mysqld-auth >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  proftpd >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  sshd >> /home/pi/Scripts/log/ban.log

#Send mail 
mutt -b "yourname@gmail.com" -s "Sujet: Log Fail2Ban" < /home/pi/Scripts/log/ban.log ```

score 1 · Answer 12 · answered Jun 26 '20 at 09:47

From version 0.8.8 this could be a handy script for you - could easily be tweaked to unban from all jails.

I just call it "getf2bstatus.sh"

Example usage ./getf2bstatus.sh 1.2.3.4

#!/bin/bash
echo "Jails where $1 is locked up:"
JAILS=`fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'`
for JAIL in $JAILS
do
  currentjail=`fail2ban-client status $JAIL | grep -B 8 $1 | grep Status | awk '{printf $5}'`
  if [[ ${#currentjail} -gt a ]] ; then
        echo $currentjail
  fi
done
echo
echo "To unban $1 use the following commands:"
for JAIL in $JAILS
do
  currentjail=`fail2ban-client status $JAIL | grep -B 8 $1 | grep Status | awk '{printf $5}'`
  if [[ ${#currentjail} -gt a ]] ; then
        echo "fail2ban-client set $currentjail unbanip $1"
   fi
done

Output?

Jails where 1.2.3.4 is locked up:
ssh

To unban 1.2.3.4 use the following commands:
fail2ban-client set ssh unbanip 1.2.3.4

kittonian · Answer 13 · 2021-08-29T17:39:03.327

1

If you don't care about removing the ban from a specific jail, the current incarnation of Fail2Ban allows a very simple command:

fail2ban-client unban IPADDRESS

This will remove the IP from all jails. Super easy!

edited Aug 29 '21 at 17:39

answered Aug 20 '21 at 13:55

kittonian

111
3

score 1 · Answer 14 · answered Nov 02 '17 at 20:59

If an IP is in multiple jails this becomes a pain.

one-liner to remove 192.168.1.2 from all jails:

 for jail in $(fail2ban-client status | grep 'Jail list:' | sed 's/.*Jail list://' | sed 's/,//g'); do fail2ban-client set $jail unbanip 192.168.1.2; done

a script to do the same https://gist.github.com/yolabingo/c810db6fe7f8bfcb9eb4f6ffc531e474

score 0 · Answer 15 · answered Aug 23 '21 at 08:44

I find the fail by doing grep 10.20.30.40 /var/log/fail2ban.log

which gives an output like

2021-08-23 10:09:17,394 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:17
2021-08-23 10:09:17,395 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:17
2021-08-23 10:09:20,936 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:20
2021-08-23 10:09:20,940 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:20
2021-08-23 10:09:22,654 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:22,655 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:22,917 fail2ban.actions        [581]: NOTICE  [ssh] Ban 10.20.30.40
2021-08-23 10:09:23,085 fail2ban.filter         [581]: INFO    [recidive] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:23,384 fail2ban.actions        [581]: NOTICE  [sshd] Ban 10.20.30.40
2021-08-23 10:09:24,084 fail2ban.actions        [581]: NOTICE  [recidive] Ban 10.20.30.40
2021-08-23 10:09:24,099 fail2ban.filter         [581]: INFO    [recidive] Found 10.20.30.40 - 2021-08-23 10:09:23

From this I can see that I have to unban the IP from three jails:
fail2ban-client set sshd unbanip 10.20.30.40
fail2ban-client set ssh unbanip 10.20.30.40
fail2ban-client set recidive unbanip 10.20.30.40

How to Unban an IP properly with Fail2Ban

15 Answers15

Linked