In my previous post about installing and configuring fail2ban, I went over the installation and configuring it. I will now go over the handy tool, fail2ban-client, that comes with fail2ban.
Sometimes fail2ban will block someone that has a legitimate need to login to the server or you want to ban an IP manually - welcome
To list the jails that are currently enabled, run the following:
sudo fail2ban-client status
An example output might look like this.
Status |- Number of jail: 2 `- Jail list: sshd, ssh-repeater
If you want to see more information about a particular jail, run this.
sudo fail2ban-client status ssh-repeater
This output might look like this.
Status for the jail: ssh-repeater |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/fail2ban.log.7.gz /var/log/fail2ban.log.5.gz /var/log/fail2ban.log.1 /var/log/fail2ban.log.9.gz /var/log/fail2ban.log.8.gz /var/log/fail2ban.log.2.gz /var/log/fail2ban.log /var/log/fail2ban.log.4.gz /var/log/fail2ban.log.6.gz /var/log/fail2ban.log.3.gz `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:
Of course, your system's output will look different and this machine has had some modifications so public IPs are not shown but after some time, a publicly facing machine will have some banned IPs.
To unban an IP address you will need to know which jail is initiating the ban so use the above two commands to locate the IP address in question. Something like the following should work for an example IP address of 3188.8.131.52 (not a real IP address :) ).
sudo fail2ban-client status <jail> | grep 3184.108.40.206
<jail> with one of the jails you have running, use
sudo fail2ban-client status for a list. If you get any output at all, you have found the jail in question.
The output of the above command will look like this.
Unban the IP with the following command.
sudo fail2ban-client set <jail> unbanip 3220.127.116.11
In the command above you would replace
<jail> with either
To block an IP, the command is very similar.
sudo fail2ban-client set <jail> banip 318.104.22.168
Be careful of the jail you use to block the IP address, if you followed the instructions in the fail2ban post, you may end up blocking it for a long time (i.e. ssh-repeater). Below are scripts that will do the job of banning and unbanning IP addresses for the ssh-repeater jail. Be sure to set them as executable and run them as a user with sudo permissions if you try them out.
Another good way to check if an IP has been banned is with IPTables. The following will show a list of blocked IPs and what rules (jails) have done the blocking.
sudo iptables -nL
The list will be pretty long on an active public server so you may want to filter the result with something like (using the same IP address from above)...
sudo iptables -nL | grep 322.214.171.124
But be sure to run it at least once without the filter so you can see what other information is provided in the output.