304

I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly.

I know I can work with IPTables directly: iptables -D fail2ban-ssh <number>

But is there not a way to do it with the fail2ban-client?

In the manuals it states something like: fail2ban-client get ssh actionunban <IP>. But that doesn't work.

Also, I don't want to /etc/init.d/fail2ban restart as that would lose all the bans in the list.

psp
  • 3,303
  • I accidentally locked myself out when I was trying to log into my Linode VPS, so now I have to stop Fail2Ban via the web console to log in with PuTTY. I hope the ban is not permanent as I want to continue logging in without having to disable fail2ban. – HeavenlyHarmony Aug 21 '20 at 12:28
  • 1
    @HeavenlyHarmony one way you can avoid this in the future is to configure your jail to include your IP address in the ignoreips value. I've added my two VPN exit points as well as the SPF ranges for Google's network, since the box running fail2ban is a GCP Compute instance. Adding your IP address to that ignoreips attribute will allow you to run any nefarious command without banning yourself. – ingernet Dec 21 '20 at 19:26
  • Note that this question is very old now, and it was using a pre-Systemd system. – Valerio Bozz Mar 10 '22 at 12:14
  • Searchers in 2022: the accepted answer is no longer up to date, scroll down to @kashiraja's answer – ᴍᴇʜᴏᴠ Dec 09 '22 at 14:21

17 Answers17

431

With Fail2Ban before v0.8.8:

fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE

With Fail2Ban v0.8.8 and later:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

  1. Use iptables -L -n to find the rule name...
  2. ...then use fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g' to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.
Akhil
  • 105
ukoda
  • 4,350
  • 2
    If you have the following error 'Invalid Action name', read this answer – Morgan Courbet Aug 28 '14 at 08:04
  • 45
    With recent versions of fail2ban you should be using fail2ban-client set JAIL_NAME unbanip 1.2.3.4. – tftd Jan 29 '15 at 17:45
  • 2
    What is the default jail name? /etc/fail2ban/jail.conf doesn't work for me. – Alex W Jan 25 '16 at 14:33
  • 5
    You can find jail name in fail2ban log if you look for your IP – fred727 Sep 08 '16 at 18:54
  • 8
    sshd was the jail name for me. – agustaf Oct 09 '16 at 06:00
  • 1
    One tip: If you see chains called fail2ban-xyz, your jail name is xyz. Therefore, the command to run is fail2ban-client set xyz unbanip <ip>. (Tested this on Debian 8.6) – Ismael Miguel Feb 03 '17 at 16:14
  • Can't we just edit a file and remove a line somewhere (+ a reload)? It would be more easy this way (at least for me). – Overmind Mar 16 '17 at 08:22
  • Use sudo iptables -L -n | less to avoid long DNS lookups.. and get a quick scroll-able/searchable list. – B. Shea Oct 31 '17 at 17:36
  • 1
    Usefull command for displaying all bans sudo fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("sudo fail2ban-client status " a[i])}' | grep "Status\|IP list" from this answer .. slightly modified it (added two sudos) for a normal user using sudo. – derHugo Nov 06 '17 at 12:16
  • Centos 7. cat /var/log/fail2ban.log | grep IP# there you have Jail Name. f2b 0.9+ – dstonek Jan 12 '20 at 21:57
  • In the latest versions of fail2ban you do not need the jail name: fail2ban-client unban <address> works – Rory Dec 29 '20 at 18:42
  • You can also use sudo fail2ban-client unban <ip> to unban from all jails – ReaperSoon Jun 18 '21 at 07:15
  • If it's someone you wish to whitelist anyway, you can add them under ignoreip directive in jail.local. When you restart the service, it will also remove any IP bans found on anything under ignoreip. – B. Shea Oct 23 '23 at 20:33
  • even though it's been long since this question has been asked & this answer has been answered, just to add you can sudo fail2ban-client banned to get the list of jails along with the banned IPs. – NegassaB Mar 07 '24 at 13:35
101

Since v0.8.8 there is the unbanip option (actionunban isn't for this purpose) It can be triggered by the set command, if you look at the list of options, you will see the syntax is. So it will be (by heart, please check):

fail2ban-client set ssh-iptables unbanip IPADDRESSHERE

more generic:

fail2ban-client set JAILNAMEHERE unbanip IPADDRESSHERE

works for me

StackzOfZtuff
  • 1,920
user157436
  • 1,011
95

Example for SSH in interactive mode.

type in bash:

fail2ban-client -i

then in interactive mode type read the status of a jail:

status sshd

you'll get:

Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:   203.113.167.162

then type in fail2ban interactive mode:

set sshd unbanip 203.113.167.162

you'll get:

203.113.167.162

it means no longer 203.113.167.162 in ban list.

Paebbels
  • 145
Amaroc
  • 1,051
21

The answer of ukoda is wrong:

Call fail2ban-client without parameters and you see a list of possible commands:

get JAIL actionunban ACT

This gets the unban command for the action ACT for JAIL.

Look into the action parameter of the jail you defined, you probably have an iptables action and maybe some more like sendmail, whois or whatever. so in case your action was iptables it will look like this:

fail2ban-client get JAIL actionunban iptables

and the answer will be:

iptables -D fail2ban-NAME -s IP -j DROP

It will only show you what you would have to write for an unban. There is no unban command itself.

sebix
  • 4,403
ingo
  • 211
  • 4
    Yeah, that worked for me, to unban from SSH jail iptables -D fail2ban-ssh -s <IP> -j DROP. Thanks ingo! – Deele Mar 15 '13 at 12:02
11

If you are running version v0.10.2:

sudo fail2ban-client unban YOUR_IP_ADDRESS

This is from help:

unban <IP> ... <IP> unbans <IP> (in all jails and database)

Confirmed to work in my case when I most likely got banned due to ssh client logging in repeatedly with wrong password.

Saaru Lindestøkke
  • 134
kashiraja
  • 231
10

If 192.168.2.1 is banned

sudo iptables -L

Check which Chain it's banned in e.g.

Chain fail2ban-sasl (1 references)

DROP all -- 192.168.2.1 anywhere

Then:

# to view the proper command for un-banning
sudo fail2ban-client get sasl actionunban
# actual command
iptables -D fail2ban-sasl -s 192.168.2.1 -j DROP
Community
  • 1
Lionel Broes
  • 101
  • 1
  • 2
4

You first need to get the name of the jail. You can get the list (in most cases it will be only ssh jail):

fail2ban-client status

After getting the jail name you can check which IPs are being ignored.

fail2ban-client get ssh ignoreip

If your IP is in ignore list, you can delete it via:

fail2ban-client set ssh delignoreip your_ip_address
vi /etc/hosts.deny

Remove your host entry:

fail2ban-client reload
techraf
  • 4,343
zainengineer
  • 148
  • 2
    The ignore list is a list of IPs to never ban. That's totally unrelated to the list of currently banned IPs, which is the list that OP wants to remove an IP from. – jlh Nov 24 '15 at 18:10
3

Using fail2ban v.0.8.6:

$ sudo fail2ban-client status # to reveal your JAIL name (mine is ssh)
$ sudo fail2ban-client set ssh delignoreip your_ip_address
$ sudo nano /etc/hosts.deny # delete your ip address
$ sudo fail2ban-client reload
Pierre-Yves Gillier
  • 736
take
  • 39
  • This assumes that hosts.deny was the action used.... But it is still more useful than things that try to change the method of unbanning IPs on the older versions by using actionunban... – Gert van den Berg Jul 17 '18 at 10:28
  • The delignoreip action is not removing an IP from a ban, it is removing an IP from the list of ignored IP (i.e. IP that will never get banned). – Lætitia Apr 02 '19 at 11:49
2

From version 0.8.8 this could be a handy script for you - could easily be tweaked to unban from all jails.

I just call it "getf2bstatus.sh"

Example usage ./getf2bstatus.sh 1.2.3.4

#!/bin/bash
echo "Jails where $1 is locked up:"
JAILS=`fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'`
for JAIL in $JAILS
do
  currentjail=`fail2ban-client status $JAIL | grep -B 8 $1 | grep Status | awk '{printf $5}'`
  if [[ ${#currentjail} -gt a ]] ; then
        echo $currentjail
  fi
done
echo
echo "To unban $1 use the following commands:"
for JAIL in $JAILS
do
  currentjail=`fail2ban-client status $JAIL | grep -B 8 $1 | grep Status | awk '{printf $5}'`
  if [[ ${#currentjail} -gt a ]] ; then
        echo "fail2ban-client set $currentjail unbanip $1"
   fi
done

Output?

Jails where 1.2.3.4 is locked up:
ssh

To unban 1.2.3.4 use the following commands:
fail2ban-client set ssh unbanip 1.2.3.4
mack
  • 21
2

Simplest possible way for all jails is like this:

fail2ban-client unban 10.20.30.40

It will return an integer:

0 = ip was not banned (no action was performed)
1 = ip was cleared from the ban list (if ip was in more than 1 jail this number will increase)

Good idea is to add ip to ignore list (no restart required) so that you will not run into this problem again:

fail2ban-client set JAILNAME addignoreip 10.20.30.40

When done working on this ip:

fail2ban-client set JAILNAME delignoreip 10.20.30.40
stawiu
  • 39
2

unfortunately with version 0.8.2 of fail2ban-client the command:

fail2ban-client get jail actionunban ipaddress

does not run. To solve the problem, best choice is upgrade fail2ban to latest version and use new option:

unbanip
Pol Hallen
  • 1,113
2
fail2ban-client set sshd unbanip ip_here

would work.

abhijithvijayan
  • 121
1

You can use my simply script :D

echo "Display all service"
#Edit and Add/Del your service
sudo fail2ban-client status phpmyadmin-syslog
sudo fail2ban-client status apache-fakegooglebot
sudo fail2ban-client status apache-noscript
sudo fail2ban-client status apache-overflows
sudo fail2ban-client status apache-auth
sudo fail2ban-client status  apache-badbots
sudo fail2ban-client status  mysqld-auth
sudo fail2ban-client status  proftpd
sudo fail2ban-client status  sshd
echo "Choose service to unban"
read service
echo "Status of Service"
sudo fail2ban-client status $service
echo "Enter ip to be unban"
read ip
sudo fail2ban-client set $service unbanip $ip
echo "Status of service after unban"
sudo fail2ban-client status $service

Save and enter 'sh yourfilename.sh'

Optional, if you want received resultat by mail you can use this :)

#Empty file log
echo "" > /home/pi/Scripts/log/ban.log
#Add Date to log
date >> /home/pi/Scripts/log/ban.log

#Add status service on log
sudo fail2ban-client status phpmyadmin-syslog >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-fakegooglebot >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-noscript >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-overflows >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status apache-auth >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  apache-badbots >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  mysqld-auth >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  proftpd >> /home/pi/Scripts/log/ban.log
sudo fail2ban-client status  sshd >> /home/pi/Scripts/log/ban.log

#Send mail 
mutt -b "yourname@gmail.com" -s "Sujet: Log Fail2Ban" < /home/pi/Scripts/log/ban.log ```
Billou
  • 11
  • 2
1

If you don't care about removing the ban from a specific jail, the current incarnation of Fail2Ban allows a very simple command:

fail2ban-client unban IPADDRESS

This will remove the IP from all jails. Super easy!

kittonian
  • 111
1

If an IP is in multiple jails this becomes a pain.

one-liner to remove 192.168.1.2 from all jails: 

 for jail in $(fail2ban-client status | grep 'Jail list:' | sed 's/.*Jail list://' | sed 's/,//g'); do fail2ban-client set $jail unbanip 192.168.1.2; done

a script to do the same https://gist.github.com/yolabingo/c810db6fe7f8bfcb9eb4f6ffc531e474

yolabingo
  • 11
0

I find the fail by doing grep 10.20.30.40 /var/log/fail2ban.log

which gives an output like

2021-08-23 10:09:17,394 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:17
2021-08-23 10:09:17,395 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:17
2021-08-23 10:09:20,936 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:20
2021-08-23 10:09:20,940 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:20
2021-08-23 10:09:22,654 fail2ban.filter         [581]: INFO    [ssh] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:22,655 fail2ban.filter         [581]: INFO    [sshd] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:22,917 fail2ban.actions        [581]: NOTICE  [ssh] Ban 10.20.30.40
2021-08-23 10:09:23,085 fail2ban.filter         [581]: INFO    [recidive] Found 10.20.30.40 - 2021-08-23 10:09:22
2021-08-23 10:09:23,384 fail2ban.actions        [581]: NOTICE  [sshd] Ban 10.20.30.40
2021-08-23 10:09:24,084 fail2ban.actions        [581]: NOTICE  [recidive] Ban 10.20.30.40
2021-08-23 10:09:24,099 fail2ban.filter         [581]: INFO    [recidive] Found 10.20.30.40 - 2021-08-23 10:09:23

From this I can see that I have to unban the IP from three jails:
fail2ban-client set sshd unbanip 10.20.30.40
fail2ban-client set ssh unbanip 10.20.30.40
fail2ban-client set recidive unbanip 10.20.30.40

JoSSte
  • 109
0

if you wish to find the IP first, you can do sudo fail2ban-client banned. This will show you the list of jails as well as the IPs inside them. Then you can either do sudo fail2ban-client unban <IP> or sudo fail2ban-client set <JAIL> unbanip <IP>.

NegassaB
  • 101
  • 1
    you have to think about a question and Software which is 13 years old. previously it was not such easy ;) but the author of fail2ban is jumping here around and may correct me if I been wrong – djdomi Mar 10 '24 at 09:33