How to Unban and Whitelist IP Addresses in Fail2ban

Fail2ban is a powerful security tool that protects your server from unauthorized access attempts by monitoring your logs and temporarily banning suspicious IP addresses. Occasionally, though, you may need to investigate why an IP was banned, remove a ban, or whitelist an IP you trust.

Searching for a Banned IP Address

To confirm whether a specific IP address is banned, check the status of the relevant jail (sshd in this example) with the following command:

sudo fail2ban-client status sshd

If the IP address is currently banned, you’ll find it under “Actions” in the “Banned IP list” section:

turnipjuice@turnipjuice:~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 8
|  |- Total failed:     24997
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 5
   |- Total banned:     2486
   `- Banned IP list:   165.232.84.95 186.96.145.241 178.62.196.87 64.227.64.178 76.8.66.186

Unbanning an IP Address

To manually remove a banned IP from a Fail2ban jail, we’ll need to make use of the fail2ban-client command. For example, to unban the IP address 1.2.3.4 from the sshd jail (i.e. the jail belonging to the SSH service), you’ll need to run the following command:

sudo fail2ban-client set sshd unbanip 1.2.3.4

If the IP address exists in that jail’s ban list, Fail2ban will proceed to remove it.

Whitelisting an IP Address

To whitelist an IP address, we’ll need to create a custom Fail2ban configuration file where we can add our trusted IP addresses.

sudo nano /etc/fail2ban/jail.d/whitelist.conf

While editing the configuration file, add the following lines to it:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 1.2.3.4

The lines above replace the current ignoreip values defined in the default Fail2ban configuration file. Therefore, it is important to include the localhost IP range in the list: 127.0.0.1/8 and ::1.

Remember to replace 1.2.3.4 with the actual IP address you wish to whitelist.
You can also whitelist multiple IP addresses or CIDR ranges, separated by spaces.

The ignoreip directive ensures that Fail2ban never bans those IP addresses, because matches from them are ignored. Placing it under the [DEFAULT] section makes Fail2ban apply the whitelist across all jails. If you wish to whitelist IP addresses for a particular jail only, replace [DEFAULT] with the name of that jail, for example, [sshd].

Once you’ve saved your changes, simply reload the Fail2ban service so they can take effect.

sudo systemctl reload fail2ban.service
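
Before reloading, it can help to confirm that the new ignoreip line still covers localhost and actually matches the address you meant to whitelist. The following is an added example, not part of the original article or of Fail2ban itself: it parses the whitelist.conf content shown above and checks addresses against it. The sample configuration, the 198.51.100.0/24 range and all function names are assumptions made for illustration.

```python
import configparser
import ipaddress

# Constructed sample: the page's whitelist.conf plus one CIDR range
# (198.51.100.0/24 is a documentation range used here as a placeholder).
SAMPLE_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 1.2.3.4 198.51.100.0/24
"""

def parse_ignoreip(conf_text, section="DEFAULT"):
    """Return (networks, skipped) for the ignoreip value seen by `section`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # A jail section inherits [DEFAULT]; its own ignoreip replaces it entirely.
    raw = cp.get(section, "ignoreip", fallback="")
    networks, skipped = [], []
    for entry in raw.split():
        try:
            # strict=False accepts host bits in the prefix, e.g. 127.0.0.1/8
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            skipped.append(entry)  # hostname or typo: not evaluated here
    return networks, skipped

def is_whitelisted(ip, networks):
    """True if `ip` falls inside any parsed ignoreip entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)

def missing_loopback(networks):
    """Loopback addresses the list no longer covers (should be empty)."""
    return [lo for lo in ("127.0.0.1", "::1") if not is_whitelisted(lo, networks)]

if __name__ == "__main__":
    nets, skipped = parse_ignoreip(SAMPLE_CONF)
    for ip in ("1.2.3.4", "198.51.100.77", "203.0.113.9"):
        print(ip, "whitelisted" if is_whitelisted(ip, nets) else "can be banned")
    print("missing loopback:", missing_loopback(nets) or "none")
    print("not evaluated:", skipped or "none")
```

Entries reported as "not evaluated" are hostnames or typos; review them by hand, since this sketch only checks literal addresses and CIDR ranges.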