Howtoforge - Linux Howtos and Tutorials
Home Forums > ISPConfig 3 > Tips/Tricks/Mods > How to manually unban IP blocked by fail2ban
Discussion in 'Tips/Tricks/Mods' started by drewb0y, Feb 10, 2011.

drewb0y Member
I ran into an issue today where my office router somehow got blocked by fail2ban. I searched high and low to find an answer to unblock it so I did not have to wait for the ban to expire. Here is what I found: when I executed
Code:
iptables -L
I saw that my IP was in the jail named postfix-spamers550. To remove it I executed the following command:
Code:
fail2ban-client get postfix-spamers550 actionunban 111.222.333.444
Success
drewb0y, Feb 10, 2011#1
cbj4074 Member
I am trying to do the same (manually un-ban a single IP address), but when I issue the command you cited, I receive the following in fail2ban's log:
Code:
fail2ban-client get sasl actionunban XXX.XXX.XXX.XXX
Code:
2012-04-05 14:50:48,671 fail2ban.comm : WARNING Invalid command: ['get', 'sasl', 'actionunban', 'XXX.XXX.XXX.XXX']
(Note: the XXXs represent an actual IP address)
To make matters more confusing, according to the fail2ban Wiki ( http://www.fail2ban.org/wiki/index.php/Features ), manual actions, including un-banning, are not possible in version 0.8 (these features are on the road-map for 0.9):
"Manual control of ban list (ban, unban, reset). You currently have to restart the daemon to unban."
Yet, the "fail2ban-client --help" output corroborates the availability of this command:
Code:
get <JAIL> actionunban <ACT>    gets the unban command for the action <ACT> for <JAIL>
I am using fail2ban 0.8.6. I know the jail name ("sasl") is correct, because the client throws a different error (e.g., "Sorry but the jail 'fail2ban-sasl' does not exist") when the jail name is incorrect. Am I missing the "unban" action in fail2ban's "action.d" directory? If so, from where did you acquire that file? And do you mind sharing it? Any thoughts? Thanks in advance.
Last edited: Apr 6, 2012
cbj4074, Apr 6, 2012 #2
ehansen New Member
drewb0y said:
I ran into an issue today where my office router somehow got blocked by fail2ban. I searched high and low to find an answer to unblock it so I did not have to wait for the ban to expire. Here is what I found: when I executed
Code:
iptables -L
I saw that my IP was in the jail named postfix-spamers550. To remove it I executed the following command:
Code:
fail2ban-client get postfix-spamers550 actionunban 111.222.333.444
Success

Another option, though may not be for the best, is:
Code:
iptables -D <chain> <chain number>
The information can be found by running this:
Code:
iptables -L --line-numbers
ehansen, Apr 8, 2012 #3
biforme likes this.
cbj4074 Member
Thank you for the reply, ehansen. My concern with that approach is that fail2ban will attempt to restore iptables rules whenever it is restarted. In other words, if I were to remove the banned IP address directly, and then fail2ban had to be restarted for any reason, the IP address would again be added to the blacklist.
cbj4074, Apr 9, 2012#4
ehansen New Member
fail2ban doesn't start/stop the firewall as far as I know. Even if it did, however, as long as the firewall rules are saved (iptables-save) before a shutdown the restore will just load up the most recent saved rules.
ehansen, Apr 9, 2012#5
cbj4074 Member
Right; I don't think that fail2ban starts or stops the firewall either. But as far as I know, fail2ban does re-parse logs when it is started, and adds any qualifying entries to the iptables rules (if not already present). If this is, in fact, how fail2ban behaves, wouldn't it re-add the IP address in question as soon as fail2ban is restarted?
cbj4074, Apr 9, 2012#6
ehansen New Member
cbj4074 said:
Right; I don't think that fail2ban starts or stops the firewall either. But as far as I know, fail2ban does re-parse logs when it is started, and adds any qualifying entries to the iptables rules (if not already present). If this is, in fact, how fail2ban behaves, wouldn't it re-add the IP address in question as soon as fail2ban is restarted?

I wouldn't think so, but I don't know the inner workings of fail2ban. I mean I've had my server restarted after fail2ban put in some IPs and it seemed like only the rules themselves were loaded. Someone who is more familiar with how it works will probably be able to better answer it though.
ehansen, Apr 9, 2012#7
till Super Moderator Staff Member ISPConfig Developer
As far as I know, fail2ban will not reload the rules, and the firewall creates new rules based on its config files and not based on the iptables rules before the reboot. So when you unban an IP with iptables -D, it will not be added again after reboot automatically.
till, Apr 11, 2012#8
yucktoufoo Member
ehansen said:
I wouldn't think so, but I don't know the inner workings of fail2ban. I mean I've had my server restarted after fail2ban put in some IPs and it seemed like only the rules themselves were loaded. Someone who is more familiar with how it works will probably be able to better answer it though.

You are correct, restarting iptables clears out anything added by fail2ban; in fact, that's how I used to unban myself.
yucktoufoo, May 8, 2012#9
cbj4074 Member
I checked with the fail2ban mailing list and here's the official word from Yaroslav Halchenko (current project maintainer, I believe):
"there is no explicit guaranteed rebanning upon restart in place ATM
if your original scanned logs still happen to have those entries within findtime from now, they should get banned upon restart
relevant (the oldest open) issue on github: https://github.com/fail2ban/fail2ban/issues/2"
So, there is the potential for IP addresses to be re-banned after service stop/start/restart. I believe that this behavior was introduced in version 0.8.6.
Last edited: May 9, 2012
cbj4074, May 9, 2012 #10
cbj4074 Member
A follow-up as to whether or not it is possible to un-ban an IP address, manually, in fail2ban: the short answer is, "No." I'm not sure how drewb0y was able to un-ban an IP address, manually, with the command he cited, because according to an authoritative source (Yaroslav Halchenko), "actionunban" does not work that way (which explains why I received "Invalid command" errors). From Yaroslav's response to my mailing-list inquiry:
"actionunban specifies the command for the action, e.g. like in a config file -- it is not to call it, e.g. like it would be 'unbanip' command to supplement 'banip'
in those rare cases I need to do it I just iptables -D it manually
but it is a valid feature request -- feel free to submit an issue on github"
So, there you have it, folks. As of fail2ban 0.8.6:
a.) The recommended means by which to un-ban individual IP addresses is to use the "iptables -D" command.
b.) There is a chance that if fail2ban is restarted after removing the rule, the rule will be re-added to iptables. (This will occur if "your original scanned logs still happen to have those entries within findtime from now".)
cbj4074, May 9, 2012#11
cbj4074 Member
Given that this has become the authoritative thread on this subject, I thought I'd add an example, for my own reference, if no one else's. To unban an IP address manually, it is necessary to know the chain name and the rule number. As suggested elsewhere in this thread, the following command can be used to acquire this information:
Code:
# iptables -L --line-numbers
The relevant bits are at the end of the output. Here is an example chain with attendant rules:
Code:
Chain fail2ban-ssh (1 references)
num  target  prot opt source                 destination
1    DROP    all  --  204.110.13.107         anywhere
2    DROP    all  --  1.234.20.21            anywhere
3    DROP    all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN  all  --  anywhere               anywhere
In this example, three (3) IP addresses have been banned via the SSH jail (these are the DROP rules). To unban the IP address 1.234.20.21, the command would be:
Code:
# iptables -D fail2ban-ssh 2
Don't forget that if fail2ban is restarted after this change to iptables, there is the potential for the same IP address to be re-banned. The reason for this is discussed earlier in this thread. Good luck!
Last edited: Oct 19, 2012
cbj4074, Oct 19, 2012 #12
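The manual procedure from post #12 (list the fail2ban chain with line numbers, find the rule for the address, delete it by number) is easy to get wrong by hand when a chain is long or an address appears more than once, so here is an added example that is not part of the thread: a small POSIX shell script that does the lookup over the text `iptables -L --line-numbers` prints and emits the matching `iptables -D` command(s). It goes slightly beyond the post by handling an address that is banned several times in one chain, printing the highest rule number first so that earlier deletions do not shift the numbers of later ones. The listing embedded below is a constructed sample modelled on the chain in post #12; the function and variable names are my own. Note that plain `-L` resolves source addresses to hostnames (as the third rule in the post shows), which a match on the IP will miss, so the live invocation at the bottom uses `iptables -L -n --line-numbers`.

```shell
#!/bin/sh
# Added example (not from the thread): find the rule number(s) of a banned IP in a
# fail2ban chain and print the matching "iptables -D CHAIN NUM" command(s).
# Input is the text produced by "iptables -L -n --line-numbers".

# Constructed sample listing, modelled on the chain shown in post #12, plus a
# second chain in which the same address is banned twice.
SAMPLE_IPTABLES_OUTPUT='Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       0.0.0.0/0
2    DROP       all  --  1.234.20.21          0.0.0.0/0
3    DROP       all  --  77.120.1.2           0.0.0.0/0
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-dovecot (1 references)
num  target     prot opt source               destination
1    DROP       all  --  1.234.20.21          0.0.0.0/0
2    DROP       all  --  5.6.7.8              0.0.0.0/0
3    DROP       all  --  1.234.20.21          0.0.0.0/0
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# find_rule_number LISTING CHAIN IP
#   Prints the rule number of every DROP rule in CHAIN whose source column is
#   exactly IP, highest number first (so deleting in that order keeps the
#   remaining numbers valid). Prints nothing when the address is not banned there.
find_rule_number() {
    listing=$1; chain=$2; ip=$3
    printf '%s\n' "$listing" | awk -v chain="$chain" -v ip="$ip" '
        # A "Chain NAME (...)" header switches the current chain on or off.
        /^Chain / { in_chain = ($2 == chain); next }
        # Columns: num target prot opt source destination
        in_chain && $1 ~ /^[0-9]+$/ && $2 == "DROP" && $5 == ip { print $1 }
    ' | sort -rn
}

# unban_command LISTING CHAIN IP
#   Prints one "iptables -D CHAIN NUM" line per matching rule; returns 1 and
#   prints nothing when IP has no DROP rule in CHAIN.
unban_command() {
    nums=$(find_rule_number "$1" "$2" "$3")
    [ -n "$nums" ] || return 1
    for n in $nums; do
        printf 'iptables -D %s %s\n' "$2" "$n"
    done
}

# Stand-alone usage on a live system (needs root for iptables):
#   ./unban_lookup.sh fail2ban-ssh 1.234.20.21
# It only prints the delete command(s); review them, then run them.
if [ $# -eq 2 ]; then
    unban_command "$(iptables -L -n --line-numbers)" "$1" "$2"
fi
```

Deleting by number is what the thread recommends, but iptables also accepts the rule specification itself (`iptables -D fail2ban-ssh -s 1.234.20.21 -j DROP`), which removes the first rule matching that spec without depending on numbering at all; either way, the findtime caveat discussed above still applies to the next fail2ban restart.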
florian030 Well-Known Member HowtoForge Supporter
I prefer xt_recent instead of adding each banned ip using iptables -I (...). You need only something like
$IPTABLES_BIN -A INPUT -j DenyAccess
$IPTABLES_BIN -A INPUT -m recent --update --seconds 86400 --name DenyAccess --hitcount 1 -j DROP
and can then add blocked ips with "echo 1.2.3.4 > /proc/net/xt_recent/DenyAccess". To remove a single ip, "echo -1.2.3.4 > /proc/net/xt_recent/DenyAccess" will do the job. Maybe you need to increase the amount of "/sys/module/xt_recent/parameters/ip_list_tot".
regards
Florian
florian030, Oct 22, 2012#13
mazhar996 New Member
cbj4074 said:
A follow-up as to whether or not it is possible to un-ban an IP address, manually, in fail2ban: the short answer is, "No." I'm not sure how drewb0y was able to un-ban an IP address, manually, with the command he cited, because according to an authoritative source (Yaroslav Halchenko), "actionunban" does not work that way (which explains why I received "Invalid command" errors). From Yaroslav's response to my mailing-list inquiry: [...] So, there you have it, folks. As of fail2ban 0.8.6:
a.) The recommended means by which to un-ban individual IP addresses is to use the "iptables -D" command.
b.) There is a chance that if fail2ban is restarted after removing the rule, the rule will be re-added to iptables. (This will occur if "your original scanned logs still happen to have those entries within findtime from now".)

Although this post is over a year old, I thought I should add to it. Manual unban and ban work for sure (at least in new versions 0.8.x). For example, use
fail2ban-client status
to get the jail names. Let's say the jail name is ssh-iptables:
fail2ban-client set ssh-iptables unbanip [ip_to_unban]
Similarly, to manually ban an IP, use
fail2ban-client set ssh-iptables banip [ip_to_ban]
BR
mazhar
mazhar996, Nov 5, 2013#14
cbj4074 Member
I can confirm mazhar's comment; the inbuilt unbanning mechanism works in later versions (I'm not sure when it was implemented, but it works for me in 0.8.11). Example:
Code:
fail2ban-client set dovecot unbanip 1.2.3.4
(where "dovecot" is the name of the jail, per the fail2ban configuration)
It is unknown whether or not the "findtime" caveat (the possibility that an IP address will be re-banned if fail2ban is restarted after the IP address was unbanned manually) discussed earlier in this thread still applies.
Last edited: Dec 31, 2013
cbj4074, Dec 31, 2013 #15
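Posts #14 and #15 give the `fail2ban-client set JAIL unbanip IP` form, and post #2 shows what happens when the jail name is wrong. As an added example that is not from the thread or from the fail2ban project, the script below wraps the two checks a practitioner wants before running that command: that the jail really exists (taken from the "Jail list" line of `fail2ban-client status`) and that the address is currently in that jail's banned list (from `fail2ban-client status JAIL`). Both listings embedded here are constructed samples in the layout those commands print in 0.8.x; the parser also accepts the "Banned IP list:" label that newer releases use. All function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): verify jail name and current ban state
# before printing "fail2ban-client set JAIL unbanip IP".

# Constructed sample of "fail2ban-client status" (0.8.x layout).
SAMPLE_STATUS='Status
|- Number of jail:      2
`- Jail list:           ssh-iptables, dovecot'

# Constructed sample of "fail2ban-client status dovecot" (0.8.x layout).
SAMPLE_JAIL_DOVECOT='Status for the jail: dovecot
|- filter
|  |- File list:        /var/log/mail.log
|  |- Currently failed: 1
|  `- Total failed:     7
`- action
   |- Currently banned: 2
   |  `- IP list:       1.2.3.4 198.51.100.9
   `- Total banned:     5'

# jail_names STATUS_TEXT -> one jail name per line, from the "Jail list:" line.
jail_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Jail list:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed '/^$/d'
}

# jail_exists STATUS_TEXT JAIL -> status 0 if JAIL is listed, 1 otherwise.
jail_exists() {
    jail_names "$1" | grep -qxF -- "$2"
}

# banned_ips JAIL_STATUS_TEXT -> one banned address per line (empty if none).
# Matches both "IP list:" (0.8.x) and "Banned IP list:" (later releases).
banned_ips() {
    printf '%s\n' "$1" \
        | sed -n 's/.*IP list:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# is_banned JAIL_STATUS_TEXT IP -> status 0 if IP is currently banned there.
is_banned() {
    banned_ips "$1" | grep -qxF -- "$2"
}

# unban_command STATUS_TEXT JAIL_STATUS_TEXT JAIL IP
#   Prints the fail2ban-client command to run. Returns 2 (unknown jail) or
#   1 (address not banned in that jail) with a message on stderr instead.
unban_command() {
    status=$1; jail_status=$2; jail=$3; ip=$4
    if ! jail_exists "$status" "$jail"; then
        echo "jail '$jail' not found; known jails: $(jail_names "$status" | tr '\n' ' ')" >&2
        return 2
    fi
    if ! is_banned "$jail_status" "$ip"; then
        echo "$ip is not currently banned in jail '$jail'" >&2
        return 1
    fi
    printf 'fail2ban-client set %s unbanip %s\n' "$jail" "$ip"
}

# Stand-alone usage against a running fail2ban:  ./check_unban.sh dovecot 1.2.3.4
# (prints the command for review rather than executing it).
if [ $# -eq 2 ]; then
    unban_command "$(fail2ban-client status)" "$(fail2ban-client status "$1")" "$1" "$2"
fi
```

Running the address through this check first avoids the "Invalid command" and "jail does not exist" round trips from post #2; it does nothing about the findtime caveat, so if the log lines that caused the ban are still within findtime, a later restart can re-ban the address regardless of which unban method was used.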
ztk.me Well-Known Member HowtoForge Supporter
https://github.com/extremeshok/fail2ban-remove-ban is also a nice handy script.
ztk.me, Oct 6, 2017#16
concept21 Active Member
Add your own IPs to the whitelist in the file jail.local. That's all.
concept21, Oct 7, 2017#17