How to Unban an IP properly with Fail2Ban
Solution 1
With Fail2Ban before v0.8.8:
fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE
With Fail2Ban v0.8.8 and later:
fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE
The hard part is finding the right jail:
- Use
iptables -L -n
to find the rule name...
- ...then use
fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'
to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.
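The jail lookup described above can be scripted. The following is an added example, not part of the original answers: it parses the `Jail list:` and `Banned IP list:` lines of `fail2ban-client status` and prints the `set JAIL unbanip IP` command for every jail that holds the address. The function names, the `F2B` variable and the `sample_f2b` stub with its jails and addresses are constructed for illustration.

```shell
# Added example: find which jails currently ban an IP, print the unban commands.
# F2B is the client command; point it at a stub to run without a server.
F2B=${F2B:-fail2ban-client}

# Constructed stand-in for fail2ban-client that mimics its status output.
sample_f2b() {
    if [ "$#" -eq 1 ]; then
        printf 'Status\n|- Number of jail:\t3\n`- Jail list:\tsshd, postfix-sasl, recidive\n'
        return 0
    fi
    case $2 in
        sshd)         ips='203.0.113.7 198.51.100.23' ;;
        postfix-sasl) ips='203.0.113.77' ;;
        recidive)     ips='203.0.113.7' ;;
        *)            ips='' ;;
    esac
    printf 'Status for the jail: %s\n`- Actions\n   `- Banned IP list:\t%s\n' "$2" "$ips"
}

# One jail name per line, taken from the "Jail list:" line of `status`.
list_jails() {
    $F2B status | sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Jails banning the IP as a whole token (203.0.113.7 must not match 203.0.113.77).
jails_banning() {
    case $1 in
        ''|*[!0-9A-Fa-f.:]*) echo "not an IP address: $1" >&2; return 2 ;;
    esac
    for jail in $(list_jails); do
        if $F2B status "$jail" | sed -n 's/^.*Banned IP list:[[:space:]]*//p' |
            tr -s ' \t' '\n' | grep -Fxq -- "$1"; then
            printf '%s\n' "$jail"
        fi
    done
}

# Print, without running, the unbanip command for every jail holding the IP.
unban_commands() {
    for j in $(jails_banning "$1"); do
        printf 'fail2ban-client set %s unbanip %s\n' "$j" "$1"
    done
}

# Demo on the constructed data; on a real host remove the next line.
F2B=sample_f2b
unban_commands 203.0.113.7
```

Matching the address as a whole token matters because a substring match would select the wrong jail and unban a different host.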
Solution 2
Since v0.8.8 there is the unbanip option (actionunban isn't for this purpose).
It can be triggered by the set command; if you look at the list of options, you will see the syntax is.
So it will be (by heart, please check):
fail2ban-client set ssh-iptables unbanip IPADDRESSHERE
More generic:
fail2ban-client set JAILNAMEHERE unbanip IPADDRESSHERE
Works for me.
Solution 3
Example for SSH in interactive mode.
Type in bash:
fail2ban-client -i
Then, in interactive mode, read the status of a jail:
status sshd
You'll get:
Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: 203.113.167.162
Then type in fail2ban interactive mode:
set sshd unbanip 203.113.167.162
You'll get:
203.113.167.162
It means 203.113.167.162 is no longer in the ban list.
Solution 4
The answer of ukoda is wrong:
Call fail2ban-client without parameters and you see a list of possible commands:
get JAIL actionunban ACT
This gets the unban command for the action ACT for JAIL.
Look into the action parameter of the jail you defined; you probably have an iptables action and maybe some more like sendmail, whois or whatever. So in case your action was iptables, it will look like this:
fail2ban-client get JAIL actionunban iptables
and the answer will be:
iptables -D fail2ban-NAME -s IP -j DROP
It will only show you what you would have to write for an unban. There is no unban command itself.
Solution 5
If 192.168.2.1 is banned
sudo iptables -L
Check which Chain it's banned in e.g.
Chain fail2ban-sasl (1 references)
DROP all -- 192.168.2.1 anywhere
Then:
# to view the proper command for un-banning
sudo fail2ban-client get sasl actionunban
# actual command
iptables -D fail2ban-sasl -s 192.168.2.1 -j DROP
psp
Updated on September 18, 2022
Comments
-
psp almost 2 years
I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly.
I know I can work with IPTables directly:
iptables -D fail2ban-ssh <number>
But is there not a way to do it with the fail2ban-client?
In the manuals it states something like:
fail2ban-client get ssh actionunban <IP>
But that doesn't work.
Also, I don't want to /etc/init.d/fail2ban restart as that would lose all the bans in the list.
-
HeavenlyHarmony almost 4 years
I accidentally locked myself out when I was trying to log into my Linode VPS, so now I have to stop Fail2Ban via the web console to log in with PuTTY. I hope the ban is not permanent as I want to continue logging in without having to disable fail2ban.
-
ingernet over 3 years
@HeavenlyHarmony one way you can avoid this in the future is to configure your jail to include your IP address in the ignoreips value. I've added my two VPN exit points as well as the SPF ranges for Google's network, since the box running fail2ban is a GCP Compute instance. Adding your IP address to that ignoreips attribute will allow you to run any nefarious command without banning yourself.
-
Valerio Bozzolan over 2 years
Note that this question is very old now, and it was using a pre-Systemd system.
-
Deele over 11 years
Yeah, that worked for me, to unban from SSH jail iptables -D fail2ban-ssh -s <IP> -j DROP. Thanks ingo!
-
Alexander Garden about 10 years
The unbanip command was added in version 0.8.8. The best solution if you are running 0.8.8 or later.
-
aseques about 10 years
The issue related to this in fail2ban tracker is this: github.com/fail2ban/fail2ban/issues/132
-
Eaten by a Grue almost 10 years
This is the correct answer for current versions. Thank you!
-
Morgan Courbet almost 10 years
If you have the following error 'Invalid Action name', read this answer
-
tftd over 9 years
With recent versions of fail2ban you should be using fail2ban-client set JAIL_NAME unbanip 1.2.3.4.
-
jlh over 8 years
The ignore list is a list of IPs to never ban. That's totally unrelated to the list of currently banned IPs, which is the list that OP wants to remove an IP from.
-
Alex W over 8 years
What is the default jail name? /etc/fail2ban/jail.conf doesn't work for me.
-
Tom over 8 years
Getting "Invalid command (no set action or not yet implemented)"
-
fred727 almost 8 years
You can find jail name in fail2ban log if you look for your IP
-
agustaf over 7 years
sshd was the jail name for me.
-
Ismael Miguel over 7 years
One tip: If you see chains called fail2ban-xyz, your jail name is xyz. Therefore, the command to run is fail2ban-client set xyz unbanip <ip>. (Tested this on Debian 8.6)
-
mirage over 7 years
You need to state the correct jailname (for example sshd or sshd-dos, see your fail2ban log)
-
Overmind over 7 years
Can't we just edit a file and remove a line somewhere (+ a reload)? It would be easier this way (at least for me).
-
B. Shea over 6 years
Use sudo iptables -L -n | less to avoid long DNS lookups.. and get a quick scroll-able/searchable list.
-
derHugo over 6 years
Useful command for displaying all bans
sudo fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("sudo fail2ban-client status " a[i])}' | grep "Status\|IP list"
from this answer .. slightly modified it (added two sudos) for a normal user using sudo.
-
scipilot over 6 years
For me the jail name was sshd (Ubuntu 16)
-
William Hilsum over 6 years
On mine, it says total banned: 6, but the list under banned ip is just empty :( have to trail through logs
-
Gert van den Berg almost 6 years
This assumes that hosts.deny was the action used.... But it is still more useful than things that try to change the method of unbanning IPs on the older versions by using actionunban...
-
Læti about 5 years
The delignoreip action is not removing an IP from a ban, it is removing an IP from the list of ignored IP (i.e. IP that will never get banned).
-
dstonek over 4 years
Centos 7.
cat /var/log/fail2ban.log | grep IP#
there you have Jail Name. f2b 0.9+
-
Rory over 3 years
In the latest versions of fail2ban you do not need the jail name: fail2ban-client unban <address> works
-
momeunier over 3 years
This is the most up-to-date answer
-
ReaperSoon about 3 years
You can also use sudo fail2ban-client unban <ip> to unban from all jails
-
Valerio Bozzolan over 2 years
The answer is not coherent with the provided example. The set sshd can't work if the jail is called ssh without trailing d AFAIK.