fail2ban-client

In my previous post about installing and configuring fail2ban, I went over the installation and configuration. I will now go over fail2ban-client, the handy tool that comes with fail2ban.

Sometimes fail2ban will block someone who has a legitimate need to log in to the server, or you may want to ban an IP manually. That is where fail2ban-client comes in.

To list the jails that are currently enabled, run the following:

sudo fail2ban-client status

An example output might look like this.

Status
|- Number of jail:	2
`- Jail list:	sshd, ssh-repeater

If you want to see more information about a particular jail, run this.

sudo fail2ban-client status ssh-repeater

The output might look like this.

Status for the jail: ssh-repeater
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/fail2ban.log.7.gz /var/log/fail2ban.log.5.gz /var/log/fail2ban.log.1 /var/log/fail2ban.log.9.gz /var/log/fail2ban.log.8.gz /var/log/fail2ban.log.2.gz /var/log/fail2ban.log /var/log/fail2ban.log.4.gz /var/log/fail2ban.log.6.gz /var/log/fail2ban.log.3.gz
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:

Of course, your system's output will look different. This machine has had some modifications so that public IPs are not shown, but after some time a publicly facing machine will have some banned IPs.

To unban an IP address you will need to know which jail is initiating the ban, so use the above two commands to locate the IP address in question. Something like the following should work for an example IP address of 345.34.65.85 (not a real IP address :) ).

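sudo fail2ban-client status <jail> | grep -wF 345.34.65.85

Replace <jail> with one of the jails you have running; use sudo fail2ban-client status for a list. The -wF options make grep match the address as a literal whole word, so the dots are not treated as wildcards and a longer address that merely contains it does not match. If you get any output at all, you have found the jail in question.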

The output of the above command will look like this.

Unban the IP with the following command.

sudo fail2ban-client set <jail> unbanip 345.34.65.85

In the command above you would replace <jail> with either ssh-repeater or sshd.

To block an IP, the command is very similar.

sudo fail2ban-client set <jail> banip 345.34.65.85

Be careful which jail you use to block the IP address: if you followed the instructions in the fail2ban post, you may end up blocking it for a long time (i.e. ssh-repeater). Below are scripts that will do the job of banning and unbanning IP addresses for the ssh-repeater jail. Be sure to set them as executable and run them as a user with sudo permissions if you try them out.
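The locate-then-unban procedure above can be wrapped in one script. The following is an added example, not one of the author's scripts: it goes beyond the single ssh-repeater case by checking every enabled jail, and the function names, the F2B variable, the unban.sh file name and the documentation address 203.0.113.7 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): unban an IP from every jail
# that currently bans it. F2B is how fail2ban-client is invoked (assumption).
F2B=${F2B:-sudo fail2ban-client}

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one jail name per line, parsed from the "Jail list:" status line.
list_jails() {
    $F2B status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr -d ' ' | tr ',' '\n'
}

# Print each jail whose "Banned IP list:" holds exactly this address.
# grep -x -F compares whole entries literally, so 203.0.113.7 does not
# match 203.0.113.70 and the dots are not regex wildcards.
jails_banning() {
    for jail in $(list_jails); do
        $F2B status "$jail" | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
            | tr -s ' \t' '\n' | grep -qxF -- "$1" && echo "$jail"
    done
    return 0
}

# Validate the address, then unban it from every jail that bans it.
unban_everywhere() {
    valid_ipv4 "$1" || { echo "not a valid IPv4 address: $1" >&2; return 2; }
    for jail in $(jails_banning "$1"); do
        $F2B set "$jail" unbanip "$1" >/dev/null && echo "unbanned $1 from $jail"
    done
}

# Run only when called with an address, e.g. ./unban.sh 203.0.113.7
if [ "$#" -gt 0 ]; then unban_everywhere "$1"; fi
```

The validation step rejects the placeholder 345.34.65.85 used in this post, since 345 is not a valid octet; substitute a real address when running it.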

Another good way to check if an IP has been banned is with iptables. The following will show a list of blocked IPs and which rules (jails) have done the blocking.

sudo iptables -nL

The list will be pretty long on an active public server, so you may want to filter the result with something like the following (using the same IP address from above):

sudo iptables -nL | grep -wF 345.34.65.85

But be sure to run it at least once without the filter so you can see what other information is provided in the output.