Managing Fail2Ban in HestiaCP Server
Fail2Ban is a security tool that helps protect your server by banning IP addresses that show suspicious activity, such as multiple failed login attempts. This guide covers how to check banned IPs and unban an IP in HestiaCP.
Check Banned IPs for All Jails
Run the following command to list banned IPs in each Fail2Ban jail:
for jail in $(sudo fail2ban-client status | grep -oP '(?<=Jail list:\s)(.*)' | tr ', ' '\n'); do echo "Banned IPs in $jail:"; sudo fail2ban-client status "$jail" | grep -i 'Banned IP list' -A 10; echo "--------------------------"; done
Breakdown:
Retrieves all active jails from Fail2Ban.
Iterates through each jail and prints the list of banned IPs.
Displays results for each jail separately.
Unblock a Specific IP
To remove a specific IP from Fail2Ban’s blacklist, use:
fail2ban-client unban 127.0.0.1
Replace `127.0.0.1` with the actual IP you want to unblock.
This immediately removes the IP from all jails where it was banned.
Unblock an IP from a Specific Jail
If you know which jail banned the IP (e.g., `sshd`), unban it only from that jail:
fail2ban-client set sshd unbanip 127.0.0.1
Replace `sshd` with the appropriate jail name.
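To find out which jail holds the ban before running the per-jail command, the status output can be parsed for an exact IP match. The script below is an added example, not part of the original guide; the function names (`parse_jails`, `parse_banned`, `jails_banning`, `sample_client`) are hypothetical, and the sample output is constructed with documentation-range addresses.

```shell
# Added example: list the jails that currently ban a given IP.
# Assumes the usual `fail2ban-client status` layout, where the
# "Jail list:" and "Banned IP list:" labels are followed by whitespace.

# stdin: `fail2ban-client status` output -> one jail name per line
parse_jails() {
    sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# stdin: `fail2ban-client status <jail>` output -> one IP per line.
# Only the label is stripped, so IPv6 addresses keep their colons
# (splitting the line on ':' would truncate them).
parse_banned() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# $1 = IP to look up, $2 = query command (defaults to fail2ban-client).
# Prints every jail whose ban list contains exactly that IP.
jails_banning() {
    ip=$1
    client=${2:-fail2ban-client}
    for jail in $("$client" status | parse_jails); do
        # -x -F: whole-line literal match, so 192.0.2.1 does not match 192.0.2.10
        if "$client" status "$jail" | parse_banned | grep -qxF -- "$ip"; then
            echo "$jail"
        fi
    done
}

# Constructed stand-in for fail2ban-client, for trying the parser offline.
sample_client() {
    case "${2:-}" in
        '')       printf 'Status\n|- Number of jail:\t2\n`- Jail list:\trecidive, sshd\n' ;;
        sshd)     printf '   |- Currently banned:\t2\n   `- Banned IP list:\t192.0.2.10 2001:db8::5\n' ;;
        recidive) printf '   |- Currently banned:\t1\n   `- Banned IP list:\t2001:db8::5\n' ;;
    esac
}

# When run as a script with an argument, query the real Fail2Ban (needs root).
if [ -n "${1:-}" ]; then
    jails_banning "$1"
fi
```

Each jail name it prints can be passed to `fail2ban-client set <jail> unbanip <IP>`.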
✅ Unban all IPs from all jails (single command):
for jail in $(fail2ban-client status | grep "Jail list:" | cut -d: -f2 | tr -d ' ' | tr ',' ' '); do for ip in $(fail2ban-client status "$jail" | grep "Banned IP list" | cut -d: -f2-); do fail2ban-client set "$jail" unbanip "$ip"; done; done
Restart Fail2Ban (if needed)
If you make configuration changes and need to restart Fail2Ban, use:
systemctl restart fail2ban
Conclusion
Use the first command to list banned IPs in all jails.
Unban a specific IP using `fail2ban-client unban <IP>`.
If needed, unban an IP from a specific jail with `fail2ban-client set <jail> unbanip <IP>`.
Restart Fail2Ban only if necessary.