In my previous post about installing and configuring fail2ban, I covered installation and configuration. I will now go over the handy tool, fail2ban-client, that comes with fail2ban.
Sometimes fail2ban will block someone who has a legitimate need to log in to the server, or you want to ban an IP manually - welcome fail2ban-client.
To list the jails that are currently enabled, run the following:
sudo fail2ban-client status
An example output might look like this.
Status
|- Number of jail: 2
`- Jail list: sshd, ssh-repeater
If you want to see more information about a particular jail, run this.
sudo fail2ban-client status ssh-repeater
This output might look like this.
Status for the jail: ssh-repeater
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/fail2ban.log.7.gz /var/log/fail2ban.log.5.gz /var/log/fail2ban.log.1 /var/log/fail2ban.log.9.gz /var/log/fail2ban.log.8.gz /var/log/fail2ban.log.2.gz /var/log/fail2ban.log /var/log/fail2ban.log.4.gz /var/log/fail2ban.log.6.gz /var/log/fail2ban.log.3.gz
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
Of course, your system's output will look different. This machine has had some modifications so public IPs are not shown, but after some time a publicly facing machine will have some banned IPs.
To unban an IP address, you will need to know which jail is initiating the ban, so use the above two commands to locate the IP address in question. Something like the following should work for an example IP address of 3184.108.40.206 (not a real IP address :) ).
sudo fail2ban-client status jail | grep 3220.127.116.11
Replace jail with one of the jails you have running (use sudo fail2ban-client status for a list). If you get any output at all, you have found the jail in question. You may need to try multiple jails to locate which one is initiating the block. Unban the IP with the following command.
sudo fail2ban-client set ssh unbanip 318.104.22.168
To block an IP, the command is very similar.
sudo fail2ban-client set ssh banip 322.214.171.124
Be careful which jail you use to block the IP address; if you followed the instructions in the fail2ban post, you may end up blocking it for a long time.
Another good way to check if an IP has been banned is with IPTables. The following will show a list of blocked IPs and what rules (jails) have done the blocking.
sudo iptables -nL
The list will be pretty long on an active public server so you may want to filter the result with something like (using the same IP address from above)...
sudo iptables -nL | grep 3126.96.36.199
But be sure to run it at least once without the filter so you can see what other information is provided in the output.
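The jail-by-jail search described earlier can be scripted. The following is an added example, not part of the original post: it walks every enabled jail and prints the ones whose ban list contains the IP, matching the address as a whole field so that one address does not match as a substring of another the way a plain grep can. The function names and the F2B variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report every fail2ban jail that currently bans a given IP.
# F2B (an assumption of this sketch) is the command used to reach fail2ban-client.
F2B="${F2B:-sudo fail2ban-client}"

# Read `fail2ban-client status` output on stdin; print one jail name per line.
parse_jails() {
    sed -n 's/.*Jail list:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Read `fail2ban-client status <jail>` output on stdin; succeed only if the
# "Banned IP list:" line holds the IP as a whole field (no substring or regex match).
ip_is_banned() {
    awk -v ip="$1" '
        /Banned IP list:/ {
            sub(/.*Banned IP list:/, "")
            for (i = 1; i <= NF; i++) if (($i "") == (ip "")) found = 1
        }
        END { exit !found }'
}

# Print the name of each jail banning the IP; return non-zero if none does.
find_banning_jails() {
    ip="$1"
    hit=1
    for jail in $($F2B status | parse_jails); do
        if $F2B status "$jail" | ip_is_banned "$ip"; then
            echo "$jail"
            hit=0
        fi
    done
    return "$hit"
}

# Run only when an IP is given on the command line.
if [ "$#" -gt 0 ]; then
    find_banning_jails "$1"
fi
```

Each jail name it prints can be passed to the unbanip command shown above.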