Unban ip Failban

Step 1: Find IP Address to Unblock

Log in to your server via SSH and type in the following command:

iptables -L -n

Look for the IP address you want to unblock / unban.

Step 2: Get Jail Name of fail2ban Blocked IP Address

Now we must find the jail name this IP address is in. To do so, type the following to find the jail list settings:

fail2ban-client status

Step 3: Unban IP Address from fail2ban

For this example, we will remove an IP address jailed within ssh. To do so, type in the following:

fail2ban-client set <jail-name> unbanip

The IP address should now be unbanned from fail2ban.

fail2ban-client set apache-auth unbanip
fail2ban-client set apache-badbots unbanip
fail2ban-client set apache-botsearch unbanip
fail2ban-client set apache-modsecurity unbanip
fail2ban-client set apache-nohome unbanip
fail2ban-client set apache-overflows unbanip
fail2ban-client set apache-shellshock unbanip
fail2ban-client set courier-auth unbanip
fail2ban-client set courier-smtp unbanip
fail2ban-client set cyrus-imap unbanip
fail2ban-client set dovecot unbanip
fail2ban-client set dropbear unbanip
fail2ban-client set drupal-auth unbanip
fail2ban-client set ispconfig unbanip
fail2ban-client set php-url-fopen unbanip
fail2ban-client set postfix unbanip
fail2ban-client set postfix-rbl unbanip
fail2ban-client set postfix-sasl unbanip
fail2ban-client set pure-ftpd unbanip
fail2ban-client set recidive unbanip
fail2ban-client set roundcube-auth unbanip
fail2ban-client set selinux-ssh unbanip
fail2ban-client set sendmail-auth unbanip
fail2ban-client set sendmail-reject unbanip
fail2ban-client set sshd unbanip
fail2ban-client set sshd-ddos unbanip
fail2ban-client set wordpress unbanip

Fail2ban Error in file postfix-sasl.conf

my old file conf was :
failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

If you go to https://regex101.com/ you can test the regular expression on the log string :

May 10 15:57:59 mail postfix/smtpd[28617]: warning: ip43.ip-192-99-125.net[]: SASL LOGIN authentication failed: Connection lost to authentication server

I corrected the error and the the configuration is :

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+:]*={0,2})?\s*$

You can leave also the first setting but it is not necessary.



Fail2ban and wordpress

Find the wordpress log file.

normally is configured in httpd.conf (if u are using apache web server)
Find the wordpress log file.
normally is configured in httpd.conf (if u are using apache web server)

    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).

    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %v %l %u %t \"%r\" %>s %b" comonvhost

      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a 
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per- access logfiles, transactions will be
    # logged therein and *not* in this file.
    #CustomLog "logs/access_log" common
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    CustomLog "logs/access_log" combined

here the log file parameters

My server example of failed login to wordpress

%v       %h                     %l %u %t                     \"%r\"                        %>s
saic.it - -       [30/Sep/2017:09:29:02 +0200] "POST /wp-login.php HTTP/1.1" 200 
%b   \"%{Referer}i\"                   \"%{User-Agent}i\""
5444 "http://www.saic.it/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"



How to unban ip with Failban

fail2ban-client set postfix unbanip

how to show jail list :
fail2ban-client status

how to view the status of a jail:
fail2ban-client status roundcube
show all the ipa for all jails
fail2ban-client status | grep “Jail list:” | sed “s/ //g” | awk ‘{split($2,a,”,”);for(i in a) system(“fail2ban-client status ” a[i])}’ | grep “Status\|IP list”
Esfor jail in $(fail2ban-client status | grep ‘Jail list:’ | sed ‘s/.*Jail list://’ | sed ‘s/,//g’); do fail2ban-client set $jail unbanip; done

List of banned or recidive ip

iptables -L -n

Failban Error – Centos 7


from logwatch I saw this error :

ERROR   Failed to execute ban jail ‘ssh-iptables’ action ‘iptables’ info ‘CallingMap({‘ipjailmatches’: <function <lambda> at 0x7f8e24d2b578>, ‘matches’: u’Jan 28 00:15:51 saic sshd[30705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ti0100a400-1587.bb.online.no  user=root\n

Failed password for root from port 45430 ssh2\n

Failed password for root from port 45430 ssh2′, ‘ip’: ‘’, ‘ipmatches’: <function <lambda> at 0x7f8e24d2b488>, ‘ipfailures’: <function <lambda> at 0x7f8e24d2bb90>, ‘time’: 1485558957.444361, ‘failures’: 3, ‘ipjailfailures’: <function <lambda> at 0x7f8e24d2b5f0>})’: Error starting action

To solve I follow this : https://github.com/fail2ban/fail2ban/issues/973

and than this : https://github.com/fail2ban/fail2ban/issues/878#issuecomment-65732113

Not necessarily… But if you will really stand-alone fail2ban, so download direct from github or checkout via git (from github). – master – https://github.com/fail2ban/fail2ban/archive/master.zip – debian – https://github.com/fail2ban/fail2ban/archive/debian.zip – repo – git://github.com/fail2ban/fail2ban.git
Hereafter unzip it and run install:

cd /tmp/f2b
?sudo? python setup.py install

So I reinstalled fail2ban, previous backup fine (/etc/fail2ban).

After installation I overwrote /etc/fail2ban with my previous file.

Failban Configuration file for WordPress

a) Create configuration file
vim /etc/fail2ban/filter.d/wordpress.conf

# Fail2Ban filter for WordPress hard failures


before = common.conf


_daemon = (?:wordpress|wp)

failregex = .*<HOST> – – .* “POST \/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/xmlrpc\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/blog\/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/web\/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
ignoreregex =

b) set jail.conf


enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port=”http,https”, [email protected], [email protected]]
logpath = /var/log/httpd/access_log
maxretry = 5
port = http,https
findtime = 300
bantime = 10800

restart failban



Failban Configuration for ISPConfig

vi /etc/fail2ban/filter.d/ispconfig.conf
The first thing we need to do is create a filter for ISPconfig in the /etc/fail2ban/filter.d/ directory.

vi /etc/fail2ban/filter.d/ispconfig.conf
Add the following definition so the filter knows what to look for in the /var/log/ispconfig/auth.log for ISPConfig 3.

# Fail2Ban filter for ISPConfig hard failures


before = common.conf


_daemon = (?:ispconfig)

failregex = Failed login for user .* from <HOST>
ignoreregex =

vim /etc/fail2ban/jail.conf

add this line

enabled = true
port = 8080
filter = ispconfig
action = iptables-multiport[name=wordpress, port=”http,https”, [email protected], [email protected]]
logpath = /var/log/ispconfig/auth.log
maxretry = 3
findtime = 300
bantime = 10800
You can/should test the new configuration by running the following command.

fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf

THEN Restart fail2ban to load your new jail for ISPConfig 3 failed login attempts.

service fail2ban restart



Failban configuration

Today I found an error in the regular expression of failban filter :


with this useful site https://regex101.com/ gave me an error so I changed the expression from

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*     

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+\/:]*={0,2})?\s*     

failban conf file : jail.conf


enabled = true
filter = postfix-sasl
action = iptables[name=postfix-sasl, port=”smtp,465,submission,imap3,imaps,pop3,pop3s”, protocol=tcp]
sendmail-whois[name=postfix-sasl, [email protected], [email protected]]
#port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# “warn” level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 3
bantime = 10800

here /etc/fail2ban/paths-fedora.conf the configuration of the variable postfix_log and postfix_backend