#11 - cbj4074 - 9th May 2012, 23:16

A follow-up as to whether or not it is possible to un-ban an IP address, manually, in fail2ban: the short answer is, "No."

I'm not sure how drewb0y was able to un-ban an IP address, manually, with the command he cited, because according to an authoritative source (Yaroslav Halchenko), "actionunban" does not work that way (which explains why I received "Invalid command" errors).

From Yaroslav's response to my mailing-list inquiry:

Quote:
actionunban specifies the command for the action, e.g. like in a config
file -- it is not to call it, e.g. like it would be 'unbanip' command to
supplement 'banip'

in those rare cases I need to do it I just iptables -D it manually

but it is a valid feature request -- feel free to submit an issue on
github

So, there you have it, folks. As of fail2ban 0.8.6:

a.) The recommended means by which to un-ban individual IP addresses is to use the "iptables -D" command.

b.) There is a chance that if fail2ban is restarted after removing the rule, the rule will be re-added to iptables. (This will occur if "your original scanned logs still happen to have those entries within findtime from now".)
#12 - cbj4074 - 19th October 2012, 17:45

Given that this has become the authoritative thread on this subject, I thought I'd add an example, for my own reference, if no one else's.

To unban an IP address manually, it is necessary to know the chain name and the rule number. As suggested elsewhere in this thread, the following command can be used to acquire this information:

Code:
# iptables -L --line-numbers

The relevant bits are at the end of the output. Here is an example chain with attendant rules:

Code:
Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       anywhere
2    DROP       all  --  1.234.20.21          anywhere
3    DROP       all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN     all  --  anywhere             anywhere

In this example, three (3) IP addresses have been banned via the SSH jail (these are the DROP rules).

To unban the IP address 1.234.20.21, the command would be:

Code:
# iptables -D fail2ban-ssh 2

Don't forget that if fail2ban is restarted after this change to iptables, there is the potential for the same IP address to be re-banned. The reason for this is discussed earlier in this thread.

Good luck!

Last edited by cbj4074; 19th October 2012 at 17:49. Reason: Clarified example.
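An added example (not from the thread, and not fail2ban's own code) that scripts the manual iptables unban described in the post above: it locates the DROP rule for an address in "iptables -L <chain> -n --line-numbers" output and deletes it by rule specification rather than by number. The chain name fail2ban-ssh and two of the addresses are taken from the post; 198.51.100.7 is a constructed placeholder and the listing text is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): find the fail2ban DROP rule for an IP in
# "iptables -L <chain> -n --line-numbers" output and build the matching delete.
# The chain name fail2ban-ssh and the first two IPs come from the post above;
# 198.51.100.7 is a constructed placeholder (TEST-NET-2). "-n" keeps iptables
# from resolving sources to hostnames, as happened with rule 3 in the post.

# Constructed listing in the layout "iptables -L fail2ban-ssh -n --line-numbers" prints.
SAMPLE_CHAIN='Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       0.0.0.0/0
2    DROP       all  --  1.234.20.21          0.0.0.0/0
3    DROP       all  --  198.51.100.7         0.0.0.0/0
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# rule_numbers <listing> <ip>: print the rule numbers of DROP rules whose source
# is exactly <ip>. Whole-field comparison (not grep) so 1.234.20.21 never matches
# 1.234.20.210; the "Chain" and header lines are skipped because $2 is not DROP.
rule_numbers() {
    printf '%s\n' "$1" | awk -v ip="$2" '$2 == "DROP" && $5 == ip { print $1 }'
}

# unban_cmd <chain> <ip>: delete by rule specification instead of by number.
# "iptables -D fail2ban-ssh 2" from the post works once, but the numbers shift
# after every deletion; "-s <ip> -j DROP" keeps addressing the same rule.
unban_cmd() {
    printf 'iptables -D %s -s %s -j DROP\n' "$1" "$2"
}

# is_banned <listing> <ip>: succeed if at least one DROP rule matches <ip>.
is_banned() { [ -n "$(rule_numbers "$1" "$2")" ]; }

# On a live host (root): remove the DROP rule for <ip> from <chain>.
unban_live() {
    listing=$(iptables -L "$1" -n --line-numbers) || return 1
    is_banned "$listing" "$2" || { echo "$2 is not banned in $1" >&2; return 1; }
    iptables -D "$1" -s "$2" -j DROP
}
```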
#13 - florian030 - 22nd October 2012, 11:35

I prefer xt_recent instead of adding each banned IP using iptables -I (...).

You need only something like

Code:
$IPTABLES_BIN -A INPUT -j DenyAccess
$IPTABLES_BIN -A INPUT -m recent --update --seconds 86400 --name DenyAccess --hitcount 1 -j DROP

and can then add blocked IPs with "echo 1.2.3.4 > /proc/net/xt_recent/DenyAccess".

To remove a single IP, "echo -1.2.3.4 > /proc/net/xt_recent/DenyAccess" will do the job.

Maybe you need to increase the amount of "/sys/module/xt_recent/parameters/ip_list_tot".

Regards,
Florian
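An added example (not from the post above) of small helpers around the xt_recent list Florian describes: an address check before anything is written to the table, the add and remove writes, and a reader for the table listing. The list file path is a parameter so the functions can be tried against an ordinary file; the real path /proc/net/xt_recent/DenyAccess needs root, and the SAMPLE_LISTING text is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the xt_recent approach in
# the post above. The list file path is a parameter so the functions can be
# exercised against an ordinary file; on a live host it is
# /proc/net/xt_recent/DenyAccess and writing there needs root. SAMPLE_LISTING
# is constructed in the "src=<ip> ttl: ..." layout the kernel prints.

# valid_ipv4 <ip>: accept only four dotted 0-255 octets, so a typo is rejected
# instead of being written to the kernel table.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# recent_ban <list-file> <ip>: add <ip> ("+ip" is the explicit add form from the
# iptables-extensions manual); recent_unban removes it with "-ip" as in the post.
recent_ban()   { valid_ipv4 "$2" && printf '%s\n' "+$2" > "$1"; }
recent_unban() { valid_ipv4 "$2" && printf '%s\n' "-$2" > "$1"; }

# recent_list <listing>: the source addresses currently held in the table.
recent_list() { printf '%s\n' "$1" | sed -n 's/^src=\([0-9.]*\).*/\1/p'; }

# Constructed sample of "cat /proc/net/xt_recent/DenyAccess" with two entries.
SAMPLE_LISTING='src=1.2.3.4 ttl: 64 last_seen: 4295012345 oldest_pkt: 1 4295012345
src=198.51.100.7 ttl: 128 last_seen: 4295020000 oldest_pkt: 1 4295020000'
```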
#14 - mazhar996 - 6th November 2013, 00:56

Quote:
Originally Posted by cbj4074
A follow-up as to whether or not it is possible un-ban an IP address, manually, in fail2ban: the short answer is, "No."

Although this post is over a year old, I thought I should add to it.

Manual unban and ban work for sure (at least in new versions 0.8.x).

For example, use

Code:
fail2ban-client status

to get the jail names.

Let's say the jail name is ssh-iptables:

Code:
fail2ban-client set ssh-iptables unbanip <ip_to_unban>

Similarly, to ban an IP manually, use

Code:
fail2ban-client set ssh-iptables banip <ip_to_ban>

BR
mazhar
#15 - cbj4074 - 31st December 2013, 22:44

I can confirm mazhar's comment; the inbuilt unbanning mechanism works in later versions (I'm not sure when it was implemented, but it works for me in 0.8.11).

Example:

Code:
fail2ban-client set dovecot unbanip 1.2.3.4

(where "dovecot" is the name of the jail, per the fail2ban configuration)

It is unknown whether or not the "findtime" caveat (the possibility that an IP address will be re-banned if fail2ban is restarted after the IP address was unbanned manually) discussed earlier in this thread still applies.

Last edited by cbj4074; 31st December 2013 at 22:46.
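An added example (not from the thread, and not fail2ban's own code) covering the last two posts: it drives fail2ban-client's built-in banip/unbanip after checking the jail name against "fail2ban-client status", and models the "findtime" caveat raised earlier, where a restarted fail2ban bans an address again if at least maxretry failure lines for it still fall inside the findtime window. The status text and failure timestamps are constructed sample data; the jail names are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): script fail2ban-client's built-in
# ban/unban from the last two posts, validating the jail name against
# "fail2ban-client status", and model the "findtime" caveat: after a manual
# unban, a restarted fail2ban bans the IP again if at least maxretry failure
# lines for it still fall inside the findtime window it rescans.

# Constructed sample in the layout fail2ban 0.8.x prints for "fail2ban-client status".
SAMPLE_STATUS='Status
|- Number of jail:      2
`- Jail list:           dovecot, ssh-iptables'

# jail_names <status-output>: print one jail name per line.
jail_names() {
    printf '%s\n' "$1" | sed -n 's/.*Jail list:[[:space:]]*//p' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# jail_exists <status-output> <jail>: succeed only for an exactly listed name.
jail_exists() { jail_names "$1" | grep -qx -- "$2"; }

# client_cmd <jail> <ip> <ban|unban>: the fail2ban-client invocation to run.
client_cmd() {
    case "$3" in
        ban)   printf 'fail2ban-client set %s banip %s\n' "$1" "$2" ;;
        unban) printf 'fail2ban-client set %s unbanip %s\n' "$1" "$2" ;;
        *)     return 1 ;;
    esac
}

# would_reban <now> <findtime> <maxretry> <ts...>: succeed when at least
# <maxretry> failure timestamps (epoch seconds) are newer than now-findtime,
# i.e. the jail would trip again as soon as fail2ban rescans the log.
would_reban() {
    now=$1; findtime=$2; maxretry=$3; shift 3
    n=0
    for ts in "$@"; do
        [ "$ts" -gt $((now - findtime)) ] && n=$((n + 1))
    done
    [ "$n" -ge "$maxretry" ]
}

# On a live host (root): refuse unknown jails instead of letting the client error out.
unban_ip() {
    status=$(fail2ban-client status) || return 1
    jail_exists "$status" "$1" || { echo "no such jail: $1" >&2; return 1; }
    fail2ban-client set "$1" unbanip "$2"
}
```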