Manually unbanning an IP blocked by fail2ban

I often find that after changing a password, the client is not updated in time and its IP is banned almost immediately. Restarting iptables does not help, because fail2ban puts the IP straight back on the ban list, so I worked out the following approach.

  • Assume the iptables listing below shows the current bans
    iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
    fail2ban-dovecot  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
    fail2ban-dovecot-auth  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps,submission,urd,sieve
    fail2ban-sendmail-smtp  tcp  --  anywhere             anywhere            multiport dports smtp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    :
    :
    Chain fail2ban-dovecot-auth (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-sendmail-smtp (1 references)
    target     prot opt source               destination
    REJECT     all  --  192.168.0.120        anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  176.61.137.108       anywhere            reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
  • The goal is to manually unban 192.168.0.120 from fail2ban-sendmail-smtp
  • This did not work.. it seems the action's unban function would need to be defined
    fail2ban-client get sendmail-smtp actionunban 192.168.0.120
    ERROR  NOK: ('Invalid Action name',)
    'Invalid Action name'
  • This worked..
    iptables -D fail2ban-sendmail-smtp 1
    iptables --list
    :
    :
    Chain fail2ban-sendmail-smtp (1 references)
    target     prot opt source               destination
    REJECT     all  --  176.61.137.108       anywhere            reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
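    Note that "iptables -D fail2ban-sendmail-smtp 1" deletes whichever rule is first in the chain at that moment, which is only the intended IP if nothing else has been banned since the listing was taken. The shell snippet below is an added example and not part of the original page: it looks up the rule number for a specific IP in "iptables -L <chain> -n --line-numbers" output and deletes only that rule. A constructed sample listing mirroring the one above is embedded so the lookup can be tested offline; the names find_rule_number and unban_ip are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): delete exactly the fail2ban
# REJECT rule for one IP instead of blindly removing rule number 1.

# Constructed sample of "iptables -L fail2ban-sendmail-smtp -n --line-numbers",
# mirroring the page's listing; embedded so the parsing can run offline.
SAMPLE_LISTING='Chain fail2ban-sendmail-smtp (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  192.168.0.120        0.0.0.0/0            reject-with icmp-port-unreachable
2    REJECT     all  --  176.61.137.108       0.0.0.0/0            reject-with icmp-port-unreachable
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# find_rule_number LISTING IP
# Prints the rule number of the REJECT rule whose source column equals IP
# exactly; returns 1 if there is no such rule. With -n --line-numbers the
# columns are: num target prot opt source destination ...
find_rule_number() {
    listing=$1
    ip=$2
    printf '%s\n' "$listing" | awk -v ip="$ip" '
        $1 ~ /^[0-9]+$/ && $2 == "REJECT" && $5 == ip { print $1; found = 1; exit }
        END { if (!found) exit 1 }'
}

# unban_ip CHAIN IP
# Reads the live chain (needs root), resolves the rule number for IP and
# deletes only that rule; refuses to touch the chain if IP is not banned.
unban_ip() {
    chain=$1
    ip=$2
    listing=$(iptables -L "$chain" -n --line-numbers) || return 1
    num=$(find_rule_number "$listing" "$ip") || {
        echo "no REJECT rule for $ip in chain $chain" >&2
        return 1
    }
    iptables -D "$chain" "$num"
}
```

    Deleting the iptables rule by hand does not update fail2ban's own ban state; on fail2ban 0.8.8 and later, "fail2ban-client set <jail> unbanip <ip>" removes the rule and keeps that state consistent.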
  • Some IPs get banned for particular reasons; if you want such an IP to be exempt from banning in the first place, edit ignoreip in jail.conf
  • Example: add 127.0.xx.xx and 192.168.0.124 to the whitelist
    vi /etc/fail2ban/jail.conf
    :
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8 192.168.0.124/24
    
    :
  • Reload so the settings take effect
    service fail2ban reload
In the fail2ban bundled with iRedMail, the file to edit is jail.local
  • tech/fail2ban_unban.txt
  • Last modified: 2019/01/02 13:33
  • Jonathan Tsai