Fail2ban Manual Unban Single Host (for iptables)

UPDATE: Starting with version 0.8.8, unbanning a single address is built in. It is done through the fail2ban-client tool like this:

# fail2ban-client set [ban-name] unbanip [ip]
# e.g. fail2ban-client set asterisk-iptables unbanip 8.8.8.

Check out the changelog here. Get version 0.8.8 here. You really should upgrade your fail2ban to that version and use the built-in command.

[WARNING: THE INSTRUCTIONS BELOW ARE OUTDATED]

Fail2Ban is a great way to protect your server from brute-force attempts and other events that you deem a problem. It works by scanning your logs, and when a particular event is repeated n times it runs the actions you have configured, such as blocking or unblocking the source with iptables or another software firewall, or a script you write to update an external firewall.
There is one drawback, and that is the lack of a way to unban just one IP (there are many reasons why that might be needed). Follow these instructions and get the necessary script and you will have at least an idea, and a fully working unban function if you use iptables for banning.
Version that you MUST USE: Fail2Ban v0.8.4. Download and install Fail2Ban version 0.8.4, here used to fail2ban SIP brute-force attacks against Asterisk. Some help with installation here. This guide was written on a Debian system; customization may be required. You can check the version after installing from the CLI like below:
# fail2ban-client -V
Create the unban script. You may need to modify certain settings so that they match your jail name, your ban action (in this script it is iptables) and your logging options.
# cd /usr/src
# wget
# chmod +x unban
Now we modify the Fail2ban server code so that it handles our manual unbans correctly. You may need to adapt this if you do not use iptables as the banning action. Look at the def __checkBan section in there: it adds a call to an external check command called mycheck. If the mycheck condition is true (return value 0), fail2ban proceeds to ban that IP. The problem with just running the unban script was that fail2ban did not know we had unbanned the address manually from the CLI, so it never banned that IP again because it believed the IP was still in its own ban list. This "fix" makes the ban procedure check against iptables (or whatever your ban action is) and reissue the ban if the IP is not present there (much like running iptables -n --list).
# cd /usr/share/fail2ban/server/
# mv
# wget
# /etc/init.d/fail2ban restart
Try it out for yourself by unbanning some IP:
# unban
If you do not specify an IP, it lists all IPs currently banned in the jail's chain.
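The following script is an added example for this page; it is not the page's own unban script and not fail2ban code. It puts the two pieces of the procedure above into one file: the manual unban (list the jail chain, delete the DROP rule for one address) and the "mycheck" idea from the __checkBan modification (ask the firewall, not fail2ban's memory, whether an address is still banned, and ban again if it is not). It assumes the stock iptables ban action, i.e. bans are "-s <ip> -j DROP" rules in a per-jail chain; the chain name fail2ban-ASTERISK is taken from the log excerpt in the comments, and the sample listing is constructed, not captured from a real host.

```python
#!/usr/bin/env python
# Manual unban helper for a fail2ban iptables jail. Added example for this page;
# not the page's "unban" script and not fail2ban's own code.
# Assumptions (not stated on the page): the jail uses the stock iptables ban
# action, so bans are "-s <ip> -j DROP" rules in a chain such as
# fail2ban-ASTERISK, and iptables is on PATH when the script is run for real.
from __future__ import print_function

import re
import subprocess
import sys

DEFAULT_CHAIN = "fail2ban-ASTERISK"  # chain name assumed from the page's log excerpt

# One rule line of `iptables -n -L <chain>` (no -v): target prot opt source destination
_RULE_RE = re.compile(r"^(?P<target>\S+)\s+\S+\s+\S+\s+(?P<src>\S+)\s+\S+")

# Constructed sample listing (not captured from a real host), used for the checks below.
SAMPLE_LISTING = """\
Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.5          0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_banned(listing):
    """Source addresses of the DROP rules in one chain listing, in rule order."""
    banned = []
    for line in listing.splitlines():
        if line.startswith("Chain") or line.startswith("target"):
            continue  # chain header and column header
        m = _RULE_RE.match(line)
        if m and m.group("target") == "DROP":  # stock iptables action bans with DROP
            banned.append(m.group("src").split("/")[0])  # drop a /32 if printed
    return banned


def chain_listing(chain):
    """Text of `iptables -n -L chain`; empty string if iptables or the chain is missing."""
    try:
        return subprocess.check_output(["iptables", "-n", "-L", chain],
                                       universal_newlines=True)
    except (subprocess.CalledProcessError, OSError):
        return ""


def unban_command(chain, ip):
    """iptables invocation that removes one ban rule for ip from the jail chain."""
    return ["iptables", "-D", chain, "-s", ip, "-j", "DROP"]


def unban(chain, ip):
    """Remove every DROP rule for ip from the chain; returns how many were removed."""
    removed = 0
    while ip in parse_banned(chain_listing(chain)):
        subprocess.check_call(unban_command(chain, ip))  # raises if iptables fails
        removed += 1
    return removed


def mycheck(listing, ip):
    """The page's "mycheck" as a function: 0 means "go ahead and ban", i.e. the
    firewall does not currently hold this address; 1 means it is already blocked."""
    return 0 if ip not in parse_banned(listing) else 1


def should_ban(fail2ban_banlist, listing, ip):
    """Decision of the patched __checkBan: stock fail2ban skips an address that is
    already in its own in-memory list; here the firewall is consulted too, so an
    address unbanned by hand (still in the list, gone from the chain) is banned
    again instead of being ignored for the rest of its bantime."""
    if ip not in fail2ban_banlist:
        return True
    return mycheck(listing, ip) == 0


def main(argv):
    chain = DEFAULT_CHAIN
    if len(argv) < 2:  # no IP given: list the addresses the chain currently blocks
        for ip in parse_banned(chain_listing(chain)):
            print(ip)
        return 0
    ip = argv[1]
    removed = unban(chain, ip)
    print("%s: removed %d rule(s) from %s" % (ip, removed, chain))
    return 0 if removed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with no argument to list the jail's banned addresses, or with one address to delete its rule. The should_ban() function is the part that belongs in fail2ban's __checkBan: without it, an address you removed by hand stays in fail2ban's list and the next burst of SIP brute force from it is silently ignored until the original bantime expires.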


  1. Hi Due,

    Thanks for the script.
    I am going to use this script on my CentOS box. Can I follow the same procedure to use this script?

    What needs to change for CentOS?

    I installed fail2ban from the source file. Really works great.

    Thanks in advance for your reply


  2. Hi dude,

    I think i need your help

    Previously it was working fine. After changing your things (unban script) it looks like below.
    Kindly help me.

    MY OS - CentOS 5.5
    Asterisk - 1.4

    [root@AST-COMM-02 ~]# /etc/init.d/fail2ban start
    -bash: /etc/init.d/fail2ban: No such file or directory
    [root@AST-COMM-02 ~]# cd /etc/init.d/asterisk
    anaconda-ks.cfg .bashrc .esd_auth .gnome2_private/ install.log.syslog .subversion/
    .asterisk_history .cshrc .gconf/ .gstreamer-0.10/ .metacity/ .tcshrc
    .bash_history Desktop/ .gconfd/ .gtkrc-1.2-gnome2 .nautilus/ .Trash/
    .bash_logout .dmrc .gnome/ .ICEauthority .redhat/
    .bash_profile .eggcups/ .gnome2/ install.log .ssh/
    [root@AST-COMM-02 ~]# cd /etc/init.d/asterisk

    [root@AST-COMM-02 ~]# fail2ban-client status
    |- Number of jail: 1
    `- Jail list: asterisk-iptables
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]# iptables -L -v
    Chain INPUT (policy ACCEPT 786K packets, 224M bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 842K packets, 232M bytes)
    pkts bytes target prot opt in out source destination
    [root@AST-COMM-02 ~]# fail2ban-client -V
    Fail2Ban v0.8.4

    Copyright (c) 2004-2008 Cyril Jaquier
    Copyright of modifications held by their respective authors.
    Licensed under the GNU General Public License v2 (GPL).

    Written by Cyril Jaquier .
    Many contributions by Yaroslav O. Halchenko .
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]# uname -a
    Linux AST-COMM-02.localdomain 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686 i386 GNU/Linux
    [root@AST-COMM-02 ~]# uname -o
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]#
    [root@AST-COMM-02 ~]#


  3. Log information for you

    [root@AST-COMM-02 ~]# tail -f /var/log/fail2ban.log
    2011-01-18 15:49:44,579 fail2ban.jail : INFO Creating new jail 'asterisk-iptables'
    2011-01-18 15:49:44,580 fail2ban.jail : INFO Jail 'asterisk-iptables' uses poller
    2011-01-18 15:49:44,627 fail2ban.filter : INFO Added logfile = /var/log/asterisk/full
    2011-01-18 15:49:44,628 fail2ban.filter : INFO Set maxRetry = 3
    2011-01-18 15:49:44,636 fail2ban.filter : INFO Set findtime = 600
    2011-01-18 15:49:44,637 fail2ban.actions: INFO Set banTime = 259200
    2011-01-18 15:49:44,687 fail2ban.jail : INFO Jail 'asterisk-iptables' started
    2011-01-18 15:49:44,694 fail2ban.actions.action: ERROR iptables -N fail2ban-ASTERISK
    iptables -A fail2ban-ASTERISK -j RETURN
    iptables -I INPUT -p all -j fail2ban-ASTERISK returned 7f00

    Thanks in advance
