Fail2ban is a great tool for server owners to automatically ban suspicious IP addresses in server firewall.
But, sometimes, it can block valid connections too.
At Bobcares, we often receive requests from website owners to unban their IP address from Fail2ban as part of our Server Management Services for web hosts.
Today, let’s see the steps to unban an IP in Fail2ban.
What’s ‘fail2ban-client’ and ‘Fail2ban Jail’?
These are the 2 terms that we use frequently in this article.
So, before going into the details, let’s start with these terms.
fail2ban-client
Fail2ban scans server logs and ban IPs that show malicious signs like too many password failures, exploits, etc.
Server owners can run Fail2ban from command line using the command fail2ban-client.
For example, you can enter Fail2ban commands like this:
fail2ban-client COMMAND
Fail2ban Jails
A Fail2ban jail is a combination of a filter and actions.
Filter contains mainly regular expressions which are used to detect break-in attempts, password failures, etc.
And, Action define commands that are executed when the filter catches an abusive IP address.
In most of the servers, there are pre-configured jails for hosting services like web server, mail server, FTP, and so on.
Now, let’s see how our Server Support Engineers identify and unban an IP in Fail2ban.
How to unban an IP in Fail2ban?
When a valid user IP is blocked, the server owner may get a Connection timed out message for mail, web, SSH, etc.
For example, a blocked customer will see the below message, when he try to access the server via SSH.
ssh: connect to host server.hostname.com port 2022: Connection refused
But, we easily identify and unban the IP address from Fail2ban in 4 simple steps.
1) Check if IP address is blocked
Fail2ban uses iptables to block the traffic.
So, our Server Support Engineers first login to the server via SSH, and check for IP block with the following command.
iptables -n -L
If the IP is blocked by Fail2ban, then it will be listed in the Fail2ban chain like fail2ban-ssh.
2) Check the Fail2ban log
Fail2ban log on the server is at /var/log/fail2ban.log and this logs the details like IP addresses that are banned, the jail, and time they are blocked.
For example, a Fail2ban log looks like this:
2018-12-04 08:22:29,461 fail2ban.filter [3045]: INFO [ssh] Found 37.49.227.155
2018-12-04 08:23:23,713 fail2ban.filter [3045]: INFO [plesk-postfix] Found 51.38.70.151
2018-12-04 08:23:26,881 fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 45.245.13.23<.code>
Our Support Engineers check these logs to confirm if the IP is blocked by Fail2ban.
3) Get Jail name of blocked IP address
Next step is to confirm the jail name for this IP address is in.
For that, we use the command fail2ban-client status.
# fail2ban-client status
Status
|- Number of jail: 11
`- Jail list: plesk-apache, plesk-apache-badbot, plesk-dovecot, plesk-modsecurity, plesk-panel, plesk-postfix, plesk-proftpd, plesk-roundcube,
plesk-wordpress, recidive, ssh
Here, the Jail list in the output shows the Jail names set in Fail2ban.
4) Unban the IP address
Once we get the jail name, next step is to unban this IP address.
There is a slight difference in the unban commands depending on the Fail2ban version.
In Fail2ban version(before v0.8.8)
We use the below command to unban the IP address in Fail2ban versions before 0.8.8.
fail2ban-client get yourjailname actionunban youripaddress
Replace yourjailname with the corresponding jail name and youripaddress with the blocked IP address.
For example, to remove an IP address jailed within ssh, use the below command.
fail2ban-client get ssh actionunban 10.xx.15x.12x
In Fail2ban version v0.8.8 or later
We use the below command to unban the IP address in Fail2ban version 0.8.8 and later.
fail2ban-client set yourjailname unbanip youripaddress
Replace yourjailname with the corresponding jail name and youripaddress with blocked IP address.
For example, to remove an IP address jailed within ssh, use the below command.
fail2ban-client set ssh unbanip 10.xx.15x.12x
Alternatively, our Server Support Engineers use another method to unban the IP address instead of fail2ban-client.
For that, we first check for the blocked IP address, chain name and its corresponding line number with the following command.
iptables -n -L --line-numbers
Next, we use the below command to unban that IP address using the line-number and chain name.
iptables -D fail2ban-jailname
In plesk servers, they have integrated the Fail2ban feature aka IP Address Banning with the control panel.
So, server owners can easily unban the IP address in a single click.
Fail2ban in Plesk
Sometimes, we receive requests from server owners to unban multiple IP addresses from their servers.
During such situations, our Support Engineers create custom scripts to unban multiple IP addresses and make it a pain free process.
Conclusion
Fail2ban is a great tool for server owners to automatically ban suspicious IP addresses in server firewall. But, sometimes, it can block valid connections too. Today, we’ve discussed the steps followed by our Server Support Engineers to unban IP address from Fail2ban.
In Fail2Ban v0.9.3, the command to unban is “unbanip”
fail2ban-client set yourjailname unbanip youripaddress
Hello.
Thanks a lot for your article. It helped me write this small bash script to unban an ip from a fail2ban jail. The jail name is retrieved from /var/log/fail2ban.log if ip is found there. Otherwise, the fallback jail name is sshd.
#!/bin/bash
logfile=’/var/log/fail2ban.log’
fallbackjail=’sshd’
echo “Enter ip to unban:”
read ip
echo “Checking whether the ip is banned”
if [ 0 -lt `iptables -n -L|grep “REJECT”|grep “\”|wc -l` ]
then
echo “The ip $ip is banned”
else
echo “The ip $ip is not banned, ABORTING”
exit
fi
echo “Trying to guess the jail name from $logfile”
jail=`grep “Ban $ip$” $logfile|cut -d ‘[‘ -f 3|cut -d ‘]’ -f 1`
if [ 0 -lt ${#jail} ]
then
echo “Found jail $jail for this ip”
else
echo “No jail found assuming $fallbackjail”
jail=$fallbackjail
fi
echo “Checking that jail exists”
exists=`fail2ban-client status|grep “$jail”`
if [ 0 -lt ${#exists} ]
then
echo “Jail $jail exists”
else
echo “Jail $jail doesn’t exist, ABORTING”
exit
fi
echo “Unbanning ip $ip from jail $jail”
fail2ban-client set $jail unbanip $ip
Thank you for sharing the script Louis. 🙂
Thanks for sharing this script. It is a simple process to unban an IP based on great article but having a script is even better since I rarely unban an IP and I don’t need to run back to the article when I find myself needing to do this
Great stuff… saved me from insanity 🙂 explanation, information and solution.
toped of with a usable script … All around so helpfull.
Thank you all