====== 手動解除 fail2ban 封鎖的 IP ======
因為常常發現更換密碼後, 來不及更改 client 端, 一下子 client 端的 IP 就被列入封鎖, 重新啟動 iptable , fail2ban 還是馬上會倍加回封鎖清單內, 因此找到以下的作法.

  * 假設以下是已經被 ban 的 iptables 清單<code sh>
iptables --list
</code><file>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
fail2ban-dovecot  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
fail2ban-dovecot-auth  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
fail2ban-sendmail-smtp  tcp  --  anywhere             anywhere            multiport dports smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
:
:
Chain fail2ban-dovecot-auth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-sendmail-smtp (1 references)
target     prot opt source               destination
REJECT     all  --  192.168.0.120        anywhere            reject-with icmp-port-unreachable
REJECT     all  --  176.61.137.108       anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
</file>
  * 打算將 fail2ban-sendmail-smtp 內 192.168.0.120 手動解除封鎖

===== 正規功能 =====
  * 並沒有成功.. 應該是要定義 action unban 的作用功能 <code sh>
fail2ban-client get sendmail-smtp actionunban 192.168.0.120
</code><file>
ERROR  NOK: ('Invalid Action name',)
'Invalid Action name'
</file>

===== iptables 命令 =====
  * 有成功.. <code sh>
iptables -D fail2ban-sendmail-smtp 1
iptables --list
</code><file>
:
:
Chain fail2ban-sendmail-smtp (1 references)
target     prot opt source               destination
REJECT     all  --  176.61.137.108       anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
</file>

===== 將特定 IP 列入白名單 =====
  * 因為特殊原因, 特定 IP 會造成被列入阻絕, 如果希望先開啟這 IP 不要被阻絕, 可透過編輯 jail.conf 內的 ignoreip 來達成
  * Exp. 將 127.0.xx.xx 以及 192.168.0.124 加入白名單<code sh>vi /etc/fail2ban/jail.conf</code><file>
:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.0.124/24

:
</file>
  * 重新載入讓設定生效<code sh>
service fail2ban reload</code>

<note>
** 在 iRedMail 內建的 fail2ban 需要更改的檔案 jail.local **
</note>
===== 參考網址 =====
  * https://www.howtoforge.com/community/threads/how-to-manually-unban-ip-blocked-by-fail2ban.51366/

{{tag>fail2ban}}