39

I can't seem to find a quick command to just view all the banned IPs on the server. Or is there a file I can just edit?

I'm guessing fail2ban is the one that inputs all the IPs to ban. Where do I adjust the settings for it?

I seem to be able to log in to my server remotely only if I disable ufw. I can't seem to find out how to unban myself. I don't even know why I was banned in the first place. Is there a log of some sort to view all the attempts made?

Seth
Patoshi パトシ

3 Answers

48

short version:

list all currently blocked ips:

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

unban an ip:

fail2ban-client set postfix-mail unbanip 111.222.333.444

long version:

if you are looking for the "official" way to do that, there is a command line client for fail2ban https://www.fail2ban.org/wiki/index.php/Commands :

~ # fail2ban-client status
Status
|- Number of jail:      8
`- Jail list:           roundcube, sshd, sogo, postfix-sasl, postfix-mail, dovecot, ssh, sshd-ddos

then you can run

~ # fail2ban-client status roundcube

Status for the jail: roundcube
|- filter
|  |- File list:        /var/log/mail.log
|  |- Currently failed: 0
|  `- Total failed:     12
`- action
   |- Currently banned: 1
   |  `- IP list:       111.222.333.444
   `- Total banned:     1

or you can use my command, which iterates over all existing jails:

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

which outputs:

Status for the jail: roundcube
   |  `- IP list:
Status for the jail: sshd
   |  `- IP list:
Status for the jail: sogo
   |  `- IP list:
Status for the jail: postfix-sasl
   |  `- IP list:
Status for the jail: postfix-mail
   |  `- IP list:
Status for the jail: dovecot
   |  `- IP list:
Status for the jail: ssh
   |  `- IP list:
Status for the jail: sshd-ddos
   |  `- IP list:
c33s
  • Should be the accepted answer now. – Basj Apr 20 '18 at 13:16
  • without awk: `fail2ban-client status | grep "Jail list:" | sed "s/\`- Jail list://" | sed "s/\s//g" | sed "s/,/\n/g" | xargs -L1 fail2ban-client status | less` – Quamis May 28 '19 at 12:52
27

sudo iptables -L INPUT -v -n | less

This tells iptables to List all rules in the INPUT chain, providing verbose numeric output. We are piping through less so that we get it a page at a time.

Elder Geek
  • Maybe something changed since 2014 but as things stand now, this answer is wrong since fail2ban doesn't put things in the `INPUT` chain. – But those new buttons though.. Jul 21 '17 at 04:05
  • @billynoah Of course something's changed. Nothing in life is static. For one, 12.04 is no longer under support. If you are still using it I recommend that you upgrade to 16.04 LTS which is supported until April 2021. – Elder Geek Jul 21 '17 at 12:23
  • I'm not sure if you're referencing 12.04 because I said 2014? I was talking about the year of your answer. – But those new buttons though.. Jul 21 '17 at 12:26
  • @billynoah I'm referencing 12.04 due to the fact that it's referenced in the question that this answer was provided for. You have my apologies for any confusion you may be experiencing. :-) – Elder Geek Jul 22 '17 at 18:46
21

You can see all the previously banned IPs through /var/log/fail2ban.log

sudo zgrep 'Ban' /var/log/fail2ban.log*

Some bans are temporary though, so I'm not sure how to best cancel those out (my fail2ban logs are empty which makes this harder to test!). You could enter into a big accounting scheme with the awk command, but it's getting pretty dull.

Anyway, that's the way you want to do it if you're looking for a reason why you were banned.

The other way is to look at IP tables and see what's being dropped. Again, this has some problems because it shows default routes that get overridden but I'm blocking rules with a source of 0.0.0.0/0 and that seems to keep it clean enough for practical use:

sudo iptables -L -n | awk '$1=="DROP" && $4!="0.0.0.0/0"'

This won't explain why a ban happened though.

Oli
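The Ban/Unban "accounting" that the last answer mentions, written out as an added example that is not part of any answer above: it replays the log and keeps only bans with no later Unban. It assumes log lines of the form `[jail] Ban <ip>`, `[jail] Unban <ip>` and `[jail] Restore Ban <ip>`, fed oldest first; the function names `banned_from_log` and `sample_log` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: which bans in fail2ban.log have no later Unban.
# Feed log lines oldest first, e.g. (GNU tools):
#   zcat -f $(ls -tr /var/log/fail2ban.log*) | banned_from_log

banned_from_log() {
    awk '
    {
        for (i = 2; i < NF; i++) {
            if ($i != "Ban" && $i != "Unban") continue
            # "Restore Ban" puts one extra word between the jail and the verb
            j = ($(i - 1) == "Restore") ? i - 2 : i - 1
            # the jail token is located by its [name] shape, not by column
            if (j < 1 || $j !~ /^\[.+\]$/) continue
            key = $j " " $(i + 1)              # "[jail] ip"
            when = $1 " " $2
            sub(/,.*/, "", when)               # drop milliseconds
            if ($i == "Ban") { since[key] = when } else { delete since[key] }
            break
        }
    }
    END { for (k in since) print k, since[k] }
    ' | LC_ALL=C sort
}

# Constructed sample log (documentation-range addresses), not real data.
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01,100 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:00:01
2024-05-01 10:00:05,200 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:02:00,300 fail2ban.actions [812]: NOTICE  [postfix-sasl] Ban 198.51.100.7
2024-05-01 10:10:05,400 fail2ban.actions [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 10:30:00,500 fail2ban.actions [812]: NOTICE  [sshd] Restore Ban 192.0.2.44
2024-05-01 10:31:00,600 fail2ban.actions [812]: NOTICE  [sshd] 192.0.2.44 already banned
EOF
}

# Prints one line per ban still in force: [jail] ip date time
sample_log | banned_from_log
```

The result is only as complete as the logs fed in, so compare it against the `fail2ban-client status <jail>` output shown in the first answer.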