How to clear a banned IP address?

Occasionally a remote Agent will lose internet access and then our Fail2Ban will ban their IP address as their remote phone tries to re-establish its connection to the PBX.

To clear the phone from the Fail2Ban list of Banned IP addresses:
a. I would prefer not to add the banned Agent’s IP address to the "Whitelist"
b. I tried selecting “Restart” of the Intrusion Detection module from within the FreePBX GUI, but 15 seconds after the restart the remote agent’s IP address appears again in the Banned IP address list.
c. After about 1-3 hours the banned IP address stops appearing on the Intrusion Detection list of Banned IP addresses.

What is the proper way to immediately clear a banned IP address so that the Max Retry is reset for that IP address?

assuming it’s the last IP added in the fail2ban chain,

iptables -D fail2ban-SIP 1

1 Like

Great suggestion but they are added so fast I can’t be sure it is the last I added. In the GUI it doesn’t show the banned order.

Any way to specify the IP address in your command?

iptables -L fail2ban-SIP
gives you a list of the banned IPs

iptables -D fail2ban-SIP #
where # is the sequence number (1,2,3,4 etc…) of the IP you want to clear.

You can play with it a bit to figure out the correct number.
At worst you’ll just unblock the wrong IP
and your config does not ban for more than a couple of hours anyways.

1 Like

fail2ban-client --help

hence

fail2ban-client status
fail2ban-client <JAIL> unbanip a.b.c.d
fail2ban-client set <JAIL> addignoreip <IP> 
. 
.
.

I didn’t want to dredge up this post, but I figured it was worth it to make sure no one else was confused. This may not have been the case when this was originally posted, but to unban an ip from a jail now, you need to put “set” in front of the jail name.

For example:
fail2ban-client set <JAIL> unbanip a.b.c.d

2 Likes

[[email protected] ~]# fail2ban-client set unbanip 192.168.7.51
-bash: JAIL: No such file or directory

The IP 192.168.7.51 has just been banned by Fail2Ban after
8 attempts against SIP on localhost.

[[email protected] ~]# fail2ban-client set unbanip 192.168.7.51
-bash: JAIL: No such file or directory

Does not seem to work that command what im i doing wrong ? @dicko

[[email protected] ~]# fail2ban-client status
Status
|- Number of jail: 9
`- Jail list: recidive, zulu, ssh-iptables, apache-badbots, pbx-gui, asterisk-iptables, apache-api, apache-tcpwrapper, vsftpd-iptables

Went to look at fail2ban logs found this :

2021-10-05 10:45:54,499 fail2ban.actions[4545]: WARNING [asterisk-iptables] Ban 192.168.7.51
2021-10-05 11:15:54,669 fail2ban.actions[4545]: WARNING [asterisk-iptables] Unban 192.168.7.51
2021-10-05 12:51:52,837 fail2ban.server [4545]: INFO Stopping all jails

[[email protected] ~]# fail2ban-client set asterisk-iptables unbanip 192.168.7.51
ERROR NOK: (‘IP 192.168.7.51 is not banned’,)
IP 192.168.7.51 is not banned
[[email protected] ~]#

In this case replace <JAIL> with asterisk-iptables

fail2ban-client set asterisk-iptables  unbanip a.b.c.d
4 Likes

just throwing out a few of my favorite shell scripts:

unban.sh. ( ./unban.sh 1.2.3.4)

#!/bin/bash
echo $1
fail2ban-client status asterisk-iptables
fail2ban-client set asterisk-iptables unbanip $1

getbans.sh

#!/bin/bash
for i in apache-tcpwrapper recidive ssh-iptables apache-badbots pbx-gui asterisk-iptables vsftpd-iptables;
 do fail2ban-client status $i;
 done

getabans.sh

#!/bin/bash
fail2ban-client status asterisk-iptables
echo "use ./unban ip to unban"
3 Likes