9

I'm using fail2ban and it continues to block an IP even after I have whitelisted that IP.

In /etc/fail2ban/jail.conf there is a line like the following one:

ignoreip = 53.45.114.103

However fail2ban continues to block this IP. See the log:

2016-01-07 13:34:38,180 fail2ban.actions        [44813]: NOTICE  [ssh] Ban 53.45.114.103
2016-01-07 13:34:38,496 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:38,515 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:38,529 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:38,534 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:38,545 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:38,546 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:38,547 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:38,563 fail2ban.filter         [44813]: INFO    [ssh] Found 53.45.114.103
2016-01-07 13:34:41,026 fail2ban.actions        [44813]: NOTICE  [ssh] 53.45.114.103 already banned
Valerio Bozz
  • 364
bearrito
  • 380
  • 3
  • 16
  • Have you restarted fail2ban after the change? and exactly where have you added the line? It should be under [DEFAULT] and also put it in the jail.local file. – Diamond Jan 07 '16 at 14:16
  • My issue was that I was only modifying the jail.conf file and the jail.local contained an entry for ignoreip. Create an answer and I'll select it. – bearrito Jan 10 '16 at 23:25

3 Answers3

8

You need to edit the jail.local file and add the appropriate entry under the [DEFAULT] block and it should work.

Diamond
  • 9,131
1

fail2ban-client get postfix ignoreip will return the active ignoreip list for the specified jail ("postfix" in this example). Useful for debugging.

gessel
  • 231
  • and ignoreip should use cidr notations like 1.2.3.4/32 afaik – djdomi Dec 31 '21 at 18:02
  • @djdomi I've checked the documentation and 1.2.3.4 without slash is fine. BTW maybe the answer is changed but now I don't see a connection between the answer and this comment. – Valerio Bozz Apr 12 '22 at 14:54
0

What you might also need to check on, is if the config option you are using also doesn't have an ignoreip option set. For example, I had postfix enabled, and it had ignoreip as well. My IP was being blocked, even though it was in the default section.

So if you have ignoreip, under say postfix as well, it will override what is in the default section.

I just had this problem, so sharing it.

Ian W
  • 1
  • 1