1 (edited by bmackay 2014-06-26 23:53:59)

Topic: Handy Script For Unbanning IPs

Sooner or later Fail2Ban is going to block one of your legitimate mail users. Unbanning is awkward, especially if you have an upset client on the phone. It gets worse if you have a separate jail for repeat offenders with a long-term ban, as you have to search for and possibly unblock multiple rules.

Here is a simple script that I wrote this morning which generates a list of all of your chains then searches for and unblocks a specified IP address in each chain.   You can either specify the IP from the command line or it will prompt.   It has been tested with both web and mail servers with multiple custom chains and fail2ban rule sets.  It works well with the stock iRedMail filters provided by Zhang Huangbin.   

Note, it does not notify fail2ban so you will see an error in your log when fail2ban eventually tries to unban this IP. 

Feel free to reuse, modify or distribute as you see fit.

#!/bin/bash
#
# unban - Script to remove fail2ban blocks for given IP address
#
# Version 1.0
# Last Modified Jun 26, 2014 by bmackay at razyr.net
#
# History
#   Ver 1.0 Jun 26, 2014
#      - discover iptables chains
#      - remove IP if found in chain
#

echo
echo "**************************"
echo "* Starting unban Ver 1.0 *"
echo "**************************"
echo

FOUND=0

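if [ $# -eq 0 ]; then
    echo -n "Enter IP Address: "
    read -r IP
else
    IP=$1
fi

# Refuse an empty address: an empty grep pattern would match every rule
if [ -z "$IP" ]; then
    echo "No IP address given"
    exit 1
fi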

CHAINS=( `iptables -L -n | grep references | cut -d" " -f2` )

for chain in "${CHAINS[@]}"
do
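    # Match the address as a whole fixed string, not as an unanchored regex.
    # Only the first match is used, since -D takes a single rule number.
    rule=`iptables -L "$chain" -n --line-numbers | grep -wF -- "$IP" | head -n 1 | cut -d" " -f1`
    if [ -n "$rule" ]; then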
        ((FOUND++))
        echo -n Deleting $chain rule $rule
        iptables -D $chain $rule
        case $? in
           [0]*)
               echo -e "  [\E[0;32mOK\E[0;37m]"
           ;;
           *)
               echo -e "  [\E[0;31mFAIL\E[0;37m]"
        esac
   fi
done

echo
echo $FOUND rules deleted
echo
echo "DONE!"
exit

2

Re: Handy Script For Unbanning IPs

Thanks for sharing.

3 (edited by bmackay 2014-06-28 08:45:04)

Re: Handy Script For Unbanning IPs

Here is an updated version which does not use iptables at all.  It's much cleaner, uses only fail2ban client commands and should work with fail2ban 0.8.8 and later.  It looks up the name of all the jails, searches for a matching ban in each jail and then unbans the IP where found.    This version is much safer for admins with complex iptables rules which may have included traffic management for IPs that wound up on your banned list.  It also generates clean fail2ban logs with no unexpected errors as were generated when using the iptables version of the script.  Finally it always returns an accurate count of the number of bans successfully removed.

#!/bin/bash
#
# unban - Script to remove fail2ban blocks for given IP address
#
# usage -   unban [IP_ADDRESS]
#
# Version 1.1
# Last Modified Jun 27, 2014 by bmackay
#
# History
#   Ver 1.1 Jun 27, 2014  bmackay razyr.net
#      - converted from iptables to fail2ban-client
#      - discover jail list
#      - look for banned IP in each jail
#      - unban where found in jails
#   Ver 1.0 Jun 26, 2014  bmackay razyr.net
#      - iptables method
#      - discover iptables chains
#      - remove IP if found in chain
#

echo
echo "**************************"
echo "* Starting unban Ver 1.1 *"
echo "**************************"
echo

FOUND=0
F2BC="/usr/bin/fail2ban-client"
IFS=", "

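if [ $# -eq 0 ]; then
    echo -n "Enter IP Address: "
    read -r IP
else
    IP=$1
fi

# Nothing to look up: exit with a count of zero removed bans
if [ -z "$IP" ]; then
    echo "No IP address given"
    exit 0
fi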

JAILS=( `$F2BC status | grep list: | cut -f3` )

for JAIL in "${JAILS[@]}"
do
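   # Match the address as a whole fixed string, not as an unanchored regex
   $F2BC status "$JAIL" | grep -wF -- "$IP" >/dev/null 2>&1
   case $? in
       [0]*)
           # Print the message first so that $? below is the unbanip result
           echo -n "Deleting $IP from $JAIL"
           $F2BC set "$JAIL" unbanip "$IP" >/dev/null 2>&1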
           case $? in
               [0]*)
                   echo -e "  [\E[0;32mOK\E[0;37m]"
                   ((FOUND++))
               ;;
               *)
                   echo -e "  [\E[0;31mFAIL\E[0;37m]"
           esac
       ;;
       *)
   esac
done
echo
echo $FOUND rules deleted
echo
echo "DONE!"
echo
exit $FOUND

4

Re: Handy Script For Unbanning IPs

bmackay wrote:

F2BC="/usr/bin/fail2ban-client"

If it's under /usr/bin/, it's better to use F2BC='fail2ban-client' directly. Then your script works on BSD.

5 (edited by bmackay 2014-07-07 01:54:12)

Re: Handy Script For Unbanning IPs

One more refinement which prevents the unbanned address from getting banned again while your client sorts out whatever config problems caused the ban in the first place.   This version will whitelist the unbanned IP only for the specific service(s) that it was banned from.  Note, this only lasts until fail2ban is restarted.  For permanent whitelisting, add the IP to the ignore list in the fail2ban jail config file.

#!/bin/bash
#
# unban - Script to remove fail2ban blocks for given IP address
#
# usage - unban [IP_ADDRESS]
#
# Version 1.2
# Last Modified Jul 3, 2014
#
# History
#   Ver 1.2 Jul 3, 2014  bmackay razyr.net
#      - added temporary whitelisting
#   Ver 1.1 Jun 27, 2014  bmackay razyr.net
#      - converted from iptables to fail2ban-client
#      - discover jail list
#      - look for banned IP in each jail
#      - unban where found in jails
#   Ver 1.0 Jun 26, 2014  bmackay razyr.net
#      - iptables method
#      - discover iptables chains
#      - remove IP if found in chain
#

echo
echo "**************************"
echo "* Starting unban Ver 1.2 *"
echo "**************************"
echo

FOUND=0
F2BC="fail2ban-client"
IFS=", "

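if [ $# -eq 0 ]; then
    echo -n "Enter IP Address: "
    read -r IP
else
    IP=$1
fi

# Nothing to look up: exit with a count of zero removed bans
if [ -z "$IP" ]; then
    echo "No IP address given"
    exit 0
fi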

JAILS=( `$F2BC status | grep list: | cut -f3` )

for JAIL in "${JAILS[@]}"
do
   # Match the address as a whole fixed string, not as an unanchored regex
   $F2BC status "$JAIL" | grep -wF -- "$IP" >/dev/null 2>&1
   case $? in
       [0]*)
           echo -n "Deleting $IP from $JAIL"
           $F2BC set "$JAIL" unbanip "$IP" >/dev/null 2>&1
           case $? in
               [0]*)
                   echo -e "  [\E[0;32mOK\E[0;37m]"
                   ((FOUND++))
               ;;
               *)
                   echo -e "  [\E[0;31mFAIL\E[0;37m]"
           esac
           echo -n "Whitelisting $IP for $JAIL"
           $F2BC set "$JAIL" addignoreip "$IP" >/dev/null 2>&1
           case $? in
               [0]*)
                   echo -e "  [\E[0;32mOK\E[0;37m]"
               ;;
               *)
                   echo -e "  [\E[0;31mFAIL\E[0;37m]"
           esac
       ;;
       *)
   esac
done
echo
echo $FOUND rules deleted
echo
echo "DONE!"
echo
exit $FOUND
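
Added example (not part of the posts above or of fail2ban): searching the jail status with an unanchored grep pattern can hit the wrong address, since 203.0.113.4 also matches 203.0.113.40. The sketch below validates the address and compares it exactly against the banned list; the sample status text is constructed, and its layout and all function names are assumptions.

```sh
#!/bin/sh
# Constructed sample of `fail2ban-client status <jail>` output (layout assumed).
SAMPLE_STATUS='Status for the jail: postfix
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 0
|  `- Total failed:     12
`- action
   |- Currently banned: 2
   |  `- IP list:       203.0.113.40 198.51.100.7
   `- Total banned:     5'

# is_ipv4 ADDR: succeed only for four dot-separated octets, 0-255, no leading zeros.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            case $octet in 0?*|????*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# banned_ips: read status text on stdin, print each banned address on its own line.
banned_ips() {
    sed -n 's/^.*IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# is_banned ADDR: status on stdin; 0 = listed exactly, 1 = not listed, 2 = bad address.
is_banned() {
    is_ipv4 "$1" || return 2
    banned_ips | grep -qxF -- "$1"
}

# naive_match ADDR: unanchored regex search of the raw status text, for contrast.
naive_match() {
    grep -q -- "$1"
}

# 203.0.113.4 is not banned in the sample, but the naive search says it is.
printf '%s\n' "$SAMPLE_STATUS" | naive_match 203.0.113.4 && echo "naive: match"
printf '%s\n' "$SAMPLE_STATUS" | is_banned 203.0.113.4   || echo "exact: no match"
printf '%s\n' "$SAMPLE_STATUS" | is_banned 203.0.113.40  && echo "exact: match"
```

In a real run the status text would come from `fail2ban-client status "$JAIL"` piped into `is_banned "$IP"`.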