Fail2ban Status commands

fail2ban-client status postfix

Show status of all fail2ban jails at once
create the file
JAILS=`fail2ban-client status | grep Jail list | sed -E s/^[^:]+:[ \t]+// | sed s/,//g`
for JAIL in $JAILS
fail2ban-client status $JAIL

or with a command

fail2ban-client status|awk -F: ‘/Jail list:/ { split($2,jail,”,”) ; for (i in jail) { gsub(/[\t ]/,””,jail[i]); system(“fail2ban-client status “jail[i]); }; }’

grep -srni “journalmatch” /etc/fail2ban/filter.d/


Unban ip Failban

Step 1: Find IP Address to Unblock

Log in to your server via SSH and type in the following command:

iptables -L -n

Look for the IP address you want to unblock / unban.

Step 2: Get Jail Name of fail2ban Blocked IP Address

Now we must find the jail name this IP address is in. To do so, type the following to find the jail list settings:

fail2ban-client status

Step 3: Unban IP Address from fail2ban

For this example, we will remove an IP address jailed within ssh. To do so, type in the following:

fail2ban-client set <jail-name> unbanip

The IP address should now be unbanned from fail2ban.

fail2ban-client set apache-auth unbanip
fail2ban-client set apache-badbots unbanip
fail2ban-client set apache-botsearch unbanip
fail2ban-client set apache-modsecurity unbanip
fail2ban-client set apache-nohome unbanip
fail2ban-client set apache-overflows unbanip
fail2ban-client set apache-shellshock unbanip
fail2ban-client set courier-auth unbanip
fail2ban-client set courier-smtp unbanip
fail2ban-client set cyrus-imap unbanip
fail2ban-client set dovecot unbanip
fail2ban-client set dropbear unbanip
fail2ban-client set drupal-auth unbanip
fail2ban-client set ispconfig unbanip
fail2ban-client set php-url-fopen unbanip
fail2ban-client set postfix unbanip
fail2ban-client set postfix-rbl unbanip
fail2ban-client set postfix-sasl unbanip
fail2ban-client set pure-ftpd unbanip
fail2ban-client set recidive unbanip
fail2ban-client set roundcube-auth unbanip
fail2ban-client set selinux-ssh unbanip
fail2ban-client set sendmail-auth unbanip
fail2ban-client set sendmail-reject unbanip
fail2ban-client set sshd unbanip
fail2ban-client set sshd-ddos unbanip
fail2ban-client set wordpress unbanip

Fail2ban Error in file postfix-sasl.conf

my old file conf was :
failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

If you go to you can test the regular expression on the log string :

May 10 15:57:59 mail postfix/smtpd[28617]: warning:[]: SASL LOGIN authentication failed: Connection lost to authentication server

I corrected the error and the the configuration is :

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+:]*={0,2})?\s*$

You can leave also the first setting but it is not necessary.

Some others command to do test:

fail2ban-client ping
fail2ban-client status
fail2ban-client status dovecot
fail2ban-client status postfix-sasl

fail2ban-regex /root/software/test_fail2ban_dovecot.log /etc/fail2ban/filter.d/dovecot.conf

You can test a piece of log file with a configuration jail file using the command fail2ban-regex


Fail2ban and wordpress

Find the wordpress log file.

normally is configured in httpd.conf (if u are using apache web server)
Find the wordpress log file.
normally is configured in httpd.conf (if u are using apache web server)

    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).

    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %v %l %u %t \"%r\" %>s %b" comonvhost

      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a 
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per- access logfiles, transactions will be
    # logged therein and *not* in this file.
    #CustomLog "logs/access_log" common
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    CustomLog "logs/access_log" combined

here the log file parameters

My server example of failed login to wordpress

%v       %h                     %l %u %t                     \"%r\"                        %>s - -       [30/Sep/2017:09:29:02 +0200] "POST /wp-login.php HTTP/1.1" 200 
%b   \"%{Referer}i\"                   \"%{User-Agent}i\""
5444 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"



How to unban ip with Failban

fail2ban-client set postfix unbanip

how to show jail list :
fail2ban-client status

how to view the status of a jail:
fail2ban-client status roundcube
show all the ipa for all jails
fail2ban-client status | grep “Jail list:” | sed “s/ //g” | awk ‘{split($2,a,”,”);for(i in a) system(“fail2ban-client status ” a[i])}’ | grep “Status\|IP list”
Esfor jail in $(fail2ban-client status | grep ‘Jail list:’ | sed ‘s/.*Jail list://’ | sed ‘s/,//g’); do fail2ban-client set $jail unbanip; done

List of banned or recidive ip

iptables -L -n