Unbanning An IP Address Banned With Fail2ban - MoonPoint Support

Unbanning an IP address banned with fail2ban Unbanning an IP address banned with fail2ban

I needed to remove an IP address from the "jail" it was placed in by fail2ban, which is intrusion prevention sotware, due to an incorrect password being entered too many times by a legitimate user of the system during attempts to log into a CentOS Linux system that runs fail2ban. The attempted logins were made via Secure Shell (SSH). After the number of attempts with an incorrect password reached the cutoff for fail2ban to automatically ban the IP address from which the login attempts were originating, the user then got the following error message on subsequent login attempts:

$ ssh [email protected] ssh: connect to host example.com port 22: Connection refused $

The fail2ban log on the system is at /var/log/fail2ban.log. You can check that log to see which IP addresses were banned and the time any bans went into effect. So I first verified the IP address from which the login attempts were made.

Learning Network Technology and Security

# tail -n 3 /var/log/fail2ban.log 2017-07-13 21:59:06,304 fail2ban.filter [1664]: INFO [sshd] Found 192.168.1.21 2017-07-13 21:59:06,818 fail2ban.actions [1664]: NOTICE [sshd] Ban 192.168.1.21 2017-07-13 21:59:11,538 fail2ban.filter [1664]: INFO [sshd] Found 192.168.1.21 #

You can determine the name for the jail the IP address is in by issuing the command fail2ban-client status. # fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshd #

You can then use the name of the jail, in this case "sshd", to manually unban the IP address with the command fail2ban-client set jail_name unbanip xxx.xxx.xxx.xxx where jail_name is the name of the jail in which the IP addres has been placed and xxx.xxx.xxx.xxx is the IP address of the banned system. E.g.:

# fail2ban-client set sshd unbanip 192.168.1.21 192.168.1.21 #

When I issued that command, an unban entry was then placed in the fail2ban log.

# tail -n 1 /var/log/fail2ban.log 2017-07-13 22:32:55,751 fail2ban.actions [1664]: NOTICE [sshd] Unban 192.168.1.21

If you attempt to unban an IP address that isn't banned, perhaps because it was already unbanned manually or due to the ban period expiring, you will see a message similar to the one below:

# fail2ban-client set sshd unbanip 192.168.1.21 ERROR NOK: ('IP 192.168.1.210 is not banned',) IP 192.168.1.210 is not banned #

Related articles:

1. Using fail2ban on a CentOS 7 system
2. Fail2ban Logging
3. Problem with Fail2Ban blocking after FirewallD restart
4. SSH break-in attempt from 221.229.172.35
5. SSH brute-force break-in attempts from 49.116.40.31
6. SSH break-in attempts from 116.31.116.xxx IP addresses