How to view and remove banned IP's from Fail2ban on Ubuntu 10.04

Printer-friendly versionPDF version

If you followed the tutorial, "How to Install and Configure fail2ban on Ubuntu 10.04 for SSH and Pure-FTPd" then you should have Fail2ban installed and configured  for SSH and Pure-FTPd. You may be curious how to view which IP's are banned or blocked by Fail2ban, or you may wan't to remove some of them from the banned list. To view all addresses that are blocked, run the following command:

sudo iptables -L -n

Banned SSH IP's look like this:

Chain fail2ban-ssh (1 references)

target     prot opt source               destination         

DROP       all  --           

RETURN     all  --  


Banned ftp IP's look like this:

Chain fail2ban-pure-ftpd (1 references)

target     prot opt source               destination         

DROP       all  --

To remove an IP address from the banned SSH list, run the following command:

sudo iptables -D fail2ban-ssh -s banned_ip -j DROP

To remove an IP address fromthe banned FTP list, run the following command:

sudo iptables -D fail2ban-pure-ftpd -s banned_ip -j DROP

To adjust the time that each IP address is banned for, run the following commands:

sudo vim /etc/fail2ban/jail.conf

Look for the line that begins with "bantime" and modify the value listed (the value is listed in seconds).

If you have any more questions, feel free to leave a comment.

I have heard of people configuring fail2ban to simply clobber attempts to login as (for example) root. i.e. ONE strike and you're out!

Is it possible to configure fail2ban to nuke on anything but an allowed user?


Jim (JR)

If you set "maxretry = 0" in /etc/fail2ban/jail.conf, you will have that effect. Check out this tutorial on installing and configuring fail2ban for more info on that file.

I'm not sure that I expressed the question properly, so let me try again:

1. There are multiple users that may want to log in.
2. I want to give these users the opportunity to enter their credentials correctly, so maxretry >= 1 or 2, (or so), is a good idea.
3. *HOWEVER* - if someone tries to login as *root* - they fail immediately and are banned immediately.

Is it possible to granularize fail2ban's permissions in that way? Are there other tools that can do this?


Jim (JR)

Jim, I don't believe you can do that with fail2ban, nor am I aware of any software that will do that. I can see how that feature would be useful. Since fail2ban is an open source project, they are open to changes from users. I recommend submitting a feature request here at the SourceForge page. Here is a link to the manual for fail2ban in case I overlooked that feature.

Hey Jim,
yes you can do that. Just add a new filter in filter.d directory and add a regex (must be compatible to your logfile) with a set username (e.g. root) and add a specific jail for this filter.

You can however disable root login via SSH in the SSH configuration. Then only users that are in the sodoers file would have access to root. However, that doesn't ban the IP.

/etc/ssh/sshd_config: PermitRootLogin no

better use keys and sudo..

A useful sshd option is:

PermitRootLogin without-password

This sounds much worse than it is! It allows root logins, but not using password authentication, only keys; it does NOT mean that root can log in without a password :)

If you disallow root login in sshd config, your /var/log/auth.log will log lines such as these:
User root from 220.181.***.*** not allowed because not listed in AllowUsers

You can then build a jail rule in fail2ban conf to ban the given IP with a filter.
See fail2ban wiki for guidelines on how to build your customized filters.

I have a venture that I am simply now running on, and I’ve been at the glance out for such info.I appreciate all your work and also providing a lot vital tricks for your readers. ffxi gil

Thank you for posting this information. I'd made a mistake from my workstation and had locked myself out of local ssh for about a year, thanks to my overzealous security settings. On the plus side, external access was still available. Thanks to your little 'iptables' tip, I was able to get back in.

One of the great things about many winter sports resorts is that they are about far more than getting some exercise, or learning some new sporting techniques. They are also about having a lot of fun.I gathered useful information on this point as I am working on a business project. Thank you posting relative information and its now becoming easier to complete this assignment.<a href="" rel=dofollow>Ping G20  Driver</a> | <a href=" rel=dofollow">Ping G15 Driver</a> |  <a href="" rel=dofollow>Ping G20 Fairway wood</a> | <a href="" rel=dofollow>TaylorMade R11S driver</a> | <a href="" rel=dofollow>TaylorMade R11 driver</a> | <a href="" rel=dofollow>TaylorMade R11 Left driver</a>

thanks worked for my wordpress installs

Post new comment