How to Unban an IP properly with Fail2Ban

firewall iptables fail2ban

622,051

Solution 1

With Fail2Ban before v0.8.8:

fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE

With Fail2Ban v0.8.8 and later:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule name...
...then use fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g' to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.

Solution 2

Since v0.8.8 there is the unbanip option (actionunban isn't for this purpose) It can be triggered by the set command, if you look at the list of options, you will see the syntax is. So it will be (by heart, please check):

fail2ban-client set ssh-iptables unbanip IPADDRESSHERE

more generic:

fail2ban-client set JAILNAMEHERE unbanip IPADDRESSHERE

works for me

Solution 3

Example for SSH in interactive mode.

type in bash:

fail2ban-client -i

then in interactive mode type read the status of a jail:

status sshd

you'll get:

Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:   203.113.167.162

then type in fail2ban interactive mode:

set sshd unbanip 203.113.167.162

you'll get:

203.113.167.162

it means no longer 203.113.167.162 in ban list.

Solution 4

The answer of ukoda is wrong:

Call fail2ban-client without parameters and you see a list of possible commands:

get JAIL actionunban ACT

This gets the unban command for the action ACT for JAIL.

Look into the action parameter of the jail you defined, you probably have an iptables action and maybe some more like sendmail, whois or whatever. so in case your action was iptables it will look like this:

fail2ban-client get JAIL actionunban iptables

and the answer will be:

iptables -D fail2ban-NAME -s IP -j DROP

It will only show you what you would have to write for an unban. There is no unban command itself.

Solution 5

If 192.168.2.1 is banned

sudo iptables -L

Check which Chain it's banned in e.g.

Chain fail2ban-sasl (1 references)

DROP all -- 192.168.2.1 anywhere

Then:

# to view the proper command for un-banning
sudo fail2ban-client get sasl actionunban
# actual command
iptables -D fail2ban-sasl -s 192.168.2.1 -j DROP

View more solutions

622,051

psp

Updated on September 18, 2022

Comments

psp almost 2 years

I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly.

I know I can work with IPTables directly: iptables -D fail2ban-ssh <number>

But is there not a way to do it with the fail2ban-client?

In the manuals it states something like: fail2ban-client get ssh actionunban <IP>. But that doesn't work.

Also, I don't want to /etc/init.d/fail2ban restart as that would lose all the bans in the list.
- HeavenlyHarmony almost 4 years
  
  I accidentally locked myself out when I was trying to log into my Linode VPS, so now I have to stop Fail2Ban via the web console to log in with PuTTY. I hope the ban is not permanent as I want to continue logging in without having to disable fail2ban.
- ingernet over 3 years
  
  @HeavenlyHarmony one way you can avoid this in the future is to configure your jail to include your IP address in the ignoreips value. I've added my two VPN exit points as well as the SPF ranges for Google's network, since the box running fail2ban is a GCP Compute instance. Adding your IP address to that ignoreips attribute will allow you to run any nefarious command without banning yourself.
- Valerio Bozzolan over 2 years
  
  Note that this question is very old now, and it was using a pre-Systemd system.
Deele over 11 years

Yeah, that worked for me, to unban from SSH jail iptables -D fail2ban-ssh -s <IP> -j DROP. Thanks ingo!
Alexander Garden about 10 years

The unbanip command was added in version 0.8.8. The best solution if you are running 0.8.8 or later.
aseques about 10 years

The issue related to this in fail2ban tracker is this: github.com/fail2ban/fail2ban/issues/132
Eaten by a Grue almost 10 years

this is the correct answer for current versions. thank you!
Morgan Courbet almost 10 years

If you have the following error 'Invalid Action name', read this answer
tftd over 9 years

With recent versions of fail2ban you should be using fail2ban-client set JAIL_NAME unbanip 1.2.3.4.
jlh over 8 years

The ignore list is a list of IPs to never ban. That's totally unrelated to the list of currently banned IPs, which is the list that OP wants to remove an IP from.
Alex W over 8 years

What is the default jail name? /etc/fail2ban/jail.conf doesn't work for me.
Tom over 8 years

getting "Invalid command (no set action or not yet implemented)"
fred727 almost 8 years

You can find jail name in fail2ban log if you look for your IP
agustaf over 7 years

sshd was the jail name for me.
Ismael Miguel over 7 years

One tip: If you see chains called fail2ban-xyz, your jail name is xyz. Therefore, the command to run is fail2ban-client set xyz unbanip <ip>. (Tested this on Debian 8.6)
mirage over 7 years

you need to state the correct jailname (for example sshd or sshd-dos, see your fail2ban log)
Overmind over 7 years

Can't we just edit a file and remove a line somewhere (+ a reload)? It would be more easy this way (at least for me).
B. Shea over 6 years

Use sudo iptables -L -n | less to avoid long DNS lookups.. and get a quick scroll-able/searchable list.
derHugo over 6 years

Usefull command for displaying all bans sudo fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("sudo fail2ban-client status " a[i])}' | grep "Status\|IP list" from this answer .. slightly modified it (added two sudos) for a normal user using sudo.
scipilot over 6 years

For me the jail name was sshd (Ubuntu 16)
William Hilsum over 6 years

On mine, it says total banned: 6, but the list under banned ip is just empty :( have to trail through logs
Gert van den Berg almost 6 years

This assumes that hosts.deny was the action used.... But it is still more useful than things that try to change the method of unbanning IPs on the older versions by using actionunban...
Læti about 5 years

The delignoreip action is not removing an IP from a ban, it is removing an IP from the list of ignored IP (i.e. IP that will never get banned).
dstonek over 4 years

Centos 7. cat /var/log/fail2ban.log | grep IP# there you have Jail Name. f2b 0.9+
Rory over 3 years

In the latest versions of fail2ban you do not need the jail name: fail2ban-client unban <address> works
momeunier over 3 years

This is the most up-to-date answer
ReaperSoon about 3 years

You can also use sudo fail2ban-client unban <ip> to unban from all jails
Valerio Bozzolan over 2 years

The answer is not coherent with the provided example. The set sshd can't work if the jail is called ssh without trailing d AFAIK.