How do you view all of the banned IP's for Ubuntu 12.04 via the command line?

short version:

list all currently blocked ips:

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

unban an ip:

fail2ban-client set postfix-mail unbanip 111.222.333.444

long version:

if you are looking for the "official" way to do that, there is a command line client for fail2ban https://www.fail2ban.org/wiki/index.php/Commands :

~ # fail2ban-client status
Status
|- Number of jail:      8
`- Jail list:           roundcube, sshd, sogo, postfix-sasl, postfix-mail, dovecot, ssh, sshd-ddos

then you can run

~ # fail2ban-client status roundcube

Status for the jail: roundcube
|- filter
|  |- File list:        /var/log/mail.log
|  |- Currently failed: 0
|  `- Total failed:     12
`- action
   |- Currently banned: 1
   |  `- IP list:       111.222.333.444
   `- Total banned:     1

or you can use my command, which iterates over all existing jails:

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

which outputs:

Status for the jail: roundcube
   |  `- IP list:
Status for the jail: sshd
   |  `- IP list:
Status for the jail: sogo
   |  `- IP list:
Status for the jail: postfix-sasl
   |  `- IP list:
Status for the jail: postfix-mail
   |  `- IP list:
Status for the jail: dovecot
   |  `- IP list:
Status for the jail: ssh
   |  `- IP list:
Status for the jail: sshd-ddos
   |  `- IP list:

sudo iptables -L INPUT -v -n | less

This tells iptables to List all rules in the INPUT chain, providing verbose numeric output. We are piping through less so that we get it a page at a time.


You can see all the previously banned IPs through /var/log/fail2ban.log

sudo zgrep 'Ban' /var/log/fail2ban.log*

Some bans are temporary though, so I'm not sure how to best cancel those out (my fail2ban logs are empty which makes this harder to test!). You could enter into a big accounting scheme with the awk command, but it's getting pretty dull.

Anyway, that's the way you want to do it if you're looking for a reason why you were banned.

The other way is to look at IP tables and see what's being dropped. Again, this has some problems because it shows default routes that get overridden but I'm blocking rules with a source of 0.0.0.0/0 and that seems to keep it clean enough for practical use:

sudo iptables -L -n | awk '$1=="DROP" && $4!="0.0.0.0/0"'

This won't explain why a ban happened though.

Tags:

Firewall

Fail2Ban

Recent Posts