Fail2ban is an intrusion prevention software, framework which protect server against brute force attacks. It’s Written in Python programming language. Fail2ban work based on auth log files, by default it will scan the auth log files such as /var/log/auth.log, /var/log/apache/access.log, etc.. and bans IPs that show the malicious signs, too many password failures, seeking for exploits, etc.
Generally fail2Ban is used to update firewall rules to reject the IP addresses for a specified amount of time. Also it will send mail notification too. Fail2Ban comes with many filters for various services such as ssh, apache, nginx, squid, named, mysql, nagios, etc,. Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. this is one of the security for server which will prevent brute force attacks.
If you already installed and used fail2ban to protect your web server, you may be wondering how to find the IP banned or blocked by Fail2ban, or you may want to remove banned ip from fail2ban jail on CentOS 6, CentOS 7, RHEL 6, RHEL 7 and Oracle Linux 6/7.
In this article I will show how to remove banned IP from Fail2Ban on CentOS.
List of Banned IP Address
Run the below command to list all the banned IP address.
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination f2b-AccessForbidden tcp -- anywhere anywhere tcp dpt:http f2b-WPLogin tcp -- anywhere anywhere tcp dpt:http f2b-ConnLimit tcp -- anywhere anywhere tcp dpt:http f2b-ReqLimit tcp -- anywhere anywhere tcp dpt:http f2b-NoAuthFailures tcp -- anywhere anywhere tcp dpt:http f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh f2b-php-url-open tcp -- anywhere anywhere tcp dpt:http f2b-nginx-http-auth tcp -- anywhere anywhere multiport dports http,https ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1 ACCEPT tcp -- anywhere anywhere tcp dpt:http REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-NoAuthFailures (1 references) target prot opt source destination REJECT all -- 126.96.36.199 anywhere reject-with icmp-port-unreachable REJECT all -- 188.8.131.52 anywhere reject-with icmp-port-unreachable RETURN all -- anywhere anywhere
Remove Banned IP From Fail2Ban
Now run the below command to remove the IP from the banned list. For example I would like to remove “192.168.0.5” IP from the banned list.
# iptables -D f2b-NoAuthFailures -s 192.168.0.5 -j REJECT