How to Unban an IP properly with Fail2Ban

With Fail2Ban before v0.8.8:

fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE

With Fail2Ban v0.8.8 and later:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

1. Use iptables -L -n to find the rule name...
2. ...then use fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g' to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.

Since v0.8.8 there is the unbanip option (actionunban isn't for this purpose) It can be triggered by the set command, if you look at the list of options, you will see the syntax is. So it will be (by heart, please check):

fail2ban-client set ssh-iptables unbanip IPADDRESSHERE 

more generic:

fail2ban-client set JAILNAMEHERE unbanip IPADDRESSHERE

works for me

Example for SSH in interactive mode.

type in bash:

fail2ban-client -i

then in interactive mode type read the status of a jail:

status sshd

you'll get:

Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:   203.113.167.162

then type in fail2ban interactive mode:

set sshd unbanip 203.113.167.162

you'll get:

203.113.167.162

it means no longer 203.113.167.162 in ban list.

The answer of ukoda is wrong:

Call fail2ban-client without parameters and you see a list of possible commands:

get JAIL actionunban ACT             

This gets the unban command for the action ACT for JAIL.

Look into the action parameter of the jail you defined, you probably have an iptables action and maybe some more like sendmail, whois or whatever. so in case your action was iptables it will look like this:

fail2ban-client get JAIL actionunban iptables

and the answer will be:

iptables -D fail2ban-NAME -s IP -j DROP

It will only show you what you would have to write for an unban. There is no unban command itself.

If 192.168.2.1 is banned

sudo iptables -L

Check which Chain it's banned in e.g.

Chain fail2ban-sasl (1 references)

DROP all -- 192.168.2.1 anywhere

Then:

# to view the proper command for un-banning
sudo fail2ban-client get sasl actionunban
# actual command
iptables -D fail2ban-sasl -s 192.168.2.1 -j DROP

If you are running version v0.10.2:

sudo fail2ban-client unban YOUR_IP_ADDRESS

This is from help:

unban <IP> ... <IP> unbans <IP> (in all jails and database)

Confirmed to work in my case when I most likely got banned due to ssh client logging in repeatedly with wrong password.

You first need to get the name of the jail. You can get the list (in most cases it will be only ssh jail):

fail2ban-client status

After getting the jail name you can check which IPs are being ignored.

fail2ban-client get ssh ignoreip

If your IP is in ignore list, you can delete it via:

fail2ban-client set ssh delignoreip your_ip_address
vi /etc/hosts.deny

Remove your host entry:

fail2ban-client reload

Using fail2ban v.0.8.6:

$ sudo fail2ban-client status # to reveal your JAIL name (mine is ssh)
$ sudo fail2ban-client set ssh delignoreip your_ip_address
$ sudo nano /etc/hosts.deny # delete your ip address
$ sudo fail2ban-client reload

unfortunately with version 0.8.2 of fail2ban-client the command:

fail2ban-client get jail actionunban ipaddress

does not run. To solve the problem, best choice is upgrade fail2ban to latest version and use new option:

unbanip

fail2ban-client set sshd unbanip ip_here

would work.