How to manually unban ip blocked by fail2ban


drewb0y
10th February 2011, 16:09
I ran into an issue today where my office router somehow got blocked by fail2ban. I searched high and low to find an answer to unblock it so I did not have to wait for the ban to expire.

Here is what I found:

When I executed iptables -L, I saw that my IP was in the jail named postfix-spamers550.

To remove it, I executed the following command:


fail2ban-client get postfix-spamers550 actionunban 111.222.333.444


Success

cbj4074
6th April 2012, 00:10
I am trying to do the same (manually un-ban a single IP address), but when I issue the command you cited, I receive the following in fail2ban's log:


fail2ban-client get sasl actionunban XXX.XXX.XXX.XXX



2012-04-05 14:50:48,671 fail2ban.comm : WARNING Invalid command: ['get', 'sasl', 'actionunban', 'XXX.XXX.XXX.XXX']


(Note: the XXXs represent an actual IP address)

To make matters more confusing, according to the fail2ban Wiki ( http://www.fail2ban.org/wiki/index.php/Features ), manual actions, including un-banning, are not possible in version 0.8 (these features are on the road-map for 0.9):


Manual control of ban list (ban, unban, reset). You currently have to restart the daemon to unban.


Yet, the "fail2ban-client --help" output corroborates the availability of this command:


get <JAIL> actionunban <ACT> gets the unban command for the
action <ACT> for <JAIL>


I am using fail2ban 0.8.6.

I know the jail name ("sasl") is correct, because the client throws a different error (e.g., "Sorry but the jail 'fail2ban-sasl' does not exist") when the jail name is incorrect.

Am I missing the "unban" action in fail2ban's "action.d" directory? If so, from where did you acquire that file? And do you mind sharing it?

Any thoughts? Thanks in advance.

ehansen
8th April 2012, 23:34
> I ran into an issue today where my office router somehow got blocked by fail2ban. I searched high and low to find an answer to unblock it so I did not have to wait for the ban to expire.
>
> Here is what I found:
>
> When I executed iptables -L, I saw that my IP was in the jail named postfix-spamers550.
>
> To remove it, I executed the following command:
>
> fail2ban-client get postfix-spamers550 actionunban 111.222.333.444
>
> Success

Another option, though it may not be for the best, is:
iptables -D <chain> <chain number>

The information can be found by running this: iptables -L --line-numbers

cbj4074
9th April 2012, 17:47
Thank you for the reply, ehansen.

My concern with that approach is that fail2ban will attempt to restore iptables rules whenever it is restarted.

In other words, if I were to remove the banned IP address directly, and then fail2ban had to be restarted for any reason, the IP address would again be added to the blacklist.

ehansen
9th April 2012, 17:49
fail2ban doesn't start/stop the firewall as far as I know. Even if it did, however, as long as the firewall rules are saved (iptables-save) before a shutdown the restore will just load up the most recent saved rules.

cbj4074
9th April 2012, 17:56
Right; I don't think that fail2ban starts or stops the firewall either.

But as far as I know, fail2ban does re-parse logs when it is started, and adds any qualifying entries to the iptables rules (if not already present).

If this is, in fact, how fail2ban behaves, wouldn't it re-add the IP address in question as soon as fail2ban is restarted?

ehansen
9th April 2012, 18:07
> Right; I don't think that fail2ban starts or stops the firewall either.
>
> But as far as I know, fail2ban does re-parse logs when it is started, and adds any qualifying entries to the iptables rules (if not already present).
>
> If this is, in fact, how fail2ban behaves, wouldn't it re-add the IP address in question as soon as fail2ban is restarted?

I wouldn't think so, but I don't know the inner workings of fail2ban. I mean, I've had my server restarted after fail2ban put in some IPs and it seemed like only the rules themselves were loaded. Someone who is more familiar with how it works will probably be able to better answer it though.

till
11th April 2012, 08:08
As far as I know, fail2ban will not reload the rules and the firewall creates new rules based on its config files and not based on the iptables rules before the reboot. So when you unban an IP with iptables -D, it will not be added again after reboot automatically.

yucktoufoo
8th May 2012, 21:32
> I wouldn't think so, but I don't know the inner workings of fail2ban. I mean, I've had my server restarted after fail2ban put in some IPs and it seemed like only the rules themselves were loaded. Someone who is more familiar with how it works will probably be able to better answer it though.

You are correct, restarting iptables clears out anything added by fail2ban; in fact, that's how I used to unban myself :)

cbj4074
9th May 2012, 19:27
I checked with the fail2ban mailing list and here's the official word from Yaroslav Halchenko (current project maintainer, I believe):


there is no explicit guaranteed rebanning upon restart in place ATM

if your original scanned logs still happen to have those entries
within findtime from now, they should get banned upon restart

relevant (the oldest open) issue on github:
https://github.com/fail2ban/fail2ban/issues/2


So, there is the potential for IP addresses to be re-banned after service stop/start/restart.

I believe that this behavior was introduced in version 0.8.6.

cbj4074
9th May 2012, 22:16
A follow-up as to whether or not it is possible to un-ban an IP address, manually, in fail2ban: the short answer is, "No."

I'm not sure how drewb0y was able to un-ban an IP address, manually, with the command he cited, because according to an authoritative source (Yaroslav Halchenko), "actionunban" does not work that way (which explains why I received "Invalid command" errors).

From Yaroslav's response to my mailing-list inquiry:


actionunban specifies the command for the action, e.g. like in a config
file -- it is not to call it, e.g. like it would be 'unbanip' command to
supplement 'banip'

in those rare cases I need to do it I just iptables -D it manually

but it is a valid feature request -- feel free to submit an issue on
github


So, there you have it, folks. As of fail2ban 0.8.6:

a.) The recommended means by which to un-ban individual IP addresses is to use the "iptables -D" command.

b.) There is a chance that if fail2ban is restarted after removing the rule, the rule will be re-added to iptables. (This will occur if "your original scanned logs still happen to have those entries within findtime from now".)
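
The "iptables -D" approach summarized above, worked through as an added example (not code from any poster or from the fail2ban project): it reads `iptables -L <chain> -n --line-numbers` output, finds every rule whose source is exactly the given address, and prints the delete commands highest rule number first, so removing one rule does not renumber the next. The chain name fail2ban-sasl, the sample listing and the addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Chain name and addresses are constructed.

# Constructed sample of `iptables -L fail2ban-sasl -n --line-numbers` output.
sample_listing() {
cat <<'EOF'
Chain fail2ban-sasl (1 references)
num  target     prot opt source               destination
1    DROP       all  --  203.0.113.7          0.0.0.0/0
2    DROP       all  --  198.51.100.23        0.0.0.0/0
3    DROP       all  --  203.0.113.7          0.0.0.0/0
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Read a listing on stdin and print the numbers of the rules whose source
# column equals $1 exactly (203.0.113.7 must not match 203.0.113.70).
# Highest number first: deleting rule 1 would turn rule 3 into rule 2.
ban_rule_numbers() {
    awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }' | sort -rn
}

# Read a listing on stdin and print (not run) one `iptables -D` command per
# matching rule, for chain $1 and address $2, so the operator can review
# them before executing anything as root.
unban_commands() {
    chain=$1
    ip=$2
    for n in $(ban_rule_numbers "$ip"); do
        echo "iptables -D $chain $n"
    done
}

# Demo on the constructed listing. On a live host the input would be:
#   iptables -L fail2ban-sasl -n --line-numbers
sample_listing | unban_commands fail2ban-sasl 203.0.113.7
```

If the log lines that triggered the ban are still within findtime, point b.) above applies: the address can be banned again the next time fail2ban is restarted.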