<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.scott5.org/index.php?action=history&amp;feed=atom&amp;title=Fail2ban</id>
	<title>Fail2ban - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.scott5.org/index.php?action=history&amp;feed=atom&amp;title=Fail2ban"/>
	<link rel="alternate" type="text/html" href="https://wiki.scott5.org/index.php?title=Fail2ban&amp;action=history"/>
	<updated>2026-07-03T20:34:20Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.1</generator>
	<entry>
		<id>https://wiki.scott5.org/index.php?title=Fail2ban&amp;diff=1869&amp;oldid=prev</id>
		<title>Scott: /* TRAVEL SCENARIO: I banned myself */</title>
		<link rel="alternate" type="text/html" href="https://wiki.scott5.org/index.php?title=Fail2ban&amp;diff=1869&amp;oldid=prev"/>
		<updated>2026-07-02T22:55:32Z</updated>

		<summary type="html">&lt;p&gt;&lt;span class=&quot;autocomment&quot;&gt;TRAVEL SCENARIO: I banned myself&lt;/span&gt;&lt;/p&gt;
&lt;table style=&quot;background-color: #fff; color: #202122;&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;tr class=&quot;diff-title&quot; lang=&quot;en&quot;&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;Revision as of 22:55, 2 July 2026&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l55&quot;&gt;Line 55:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 55:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Symptoms: SSH connects then drops instantly, or times out, from one specific location — while the VPN or another network works fine.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Symptoms: SSH connects then drops instantly, or times out, from one specific location — while the VPN or another network works fine.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# Get in another way (&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;UCI &lt;/del&gt;VPN, IPMI console, or another host).&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# Get in another way (VPN, IPMI console, or another host).&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;lt;code&amp;gt;sudo fail2ban-client status sshd&amp;lt;/code&amp;gt; → confirm your IP is listed.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;lt;code&amp;gt;sudo fail2ban-client status sshd&amp;lt;/code&amp;gt; → confirm your IP is listed.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;lt;code&amp;gt;sudo fail2ban-client set sshd unbanip &amp;lt;your-ip&amp;gt;&amp;lt;/code&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;lt;code&amp;gt;sudo fail2ban-client set sshd unbanip &amp;lt;your-ip&amp;gt;&amp;lt;/code&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;</summary>
		<author><name>Scott</name></author>
	</entry>
	<entry>
		<id>https://wiki.scott5.org/index.php?title=Fail2ban&amp;diff=1867&amp;oldid=prev</id>
		<title>Scott: Created page with &quot;= fail2ban Cheat Sheet =  Config: &lt;code&gt;/etc/fail2ban/jail.local&lt;/code&gt; (jails) · &lt;code&gt;/etc/fail2ban/fail2ban.local&lt;/code&gt; (daemon)  Backend: &#039;&#039;&#039;systemd journal&#039;&#039;&#039; (not log files) · Ban action: &#039;&#039;&#039;nftables&#039;&#039;&#039;  Jail: &lt;code&gt;sshd&lt;/code&gt; · maxretry 4 · findtime 10m · bantime 1h  Bans trigger on &#039;&#039;&#039;auth failures&#039;&#039;&#039;, not connection counts.  == Status &amp; inspection ==  &lt;syntaxhighlight lang=&quot;bash&quot;&gt; # Daemon alive? sudo systemctl status fail2ban sudo fail2ban-client ping...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.scott5.org/index.php?title=Fail2ban&amp;diff=1867&amp;oldid=prev"/>
		<updated>2026-07-02T22:48:10Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;= fail2ban Cheat Sheet =  Config: &amp;lt;code&amp;gt;/etc/fail2ban/jail.local&amp;lt;/code&amp;gt; (jails) · &amp;lt;code&amp;gt;/etc/fail2ban/fail2ban.local&amp;lt;/code&amp;gt; (daemon)  Backend: &amp;#039;&amp;#039;&amp;#039;systemd journal&amp;#039;&amp;#039;&amp;#039; (not log files) · Ban action: &amp;#039;&amp;#039;&amp;#039;nftables&amp;#039;&amp;#039;&amp;#039;  Jail: &amp;lt;code&amp;gt;sshd&amp;lt;/code&amp;gt; · maxretry 4 · findtime 10m · bantime 1h  Bans trigger on &amp;#039;&amp;#039;&amp;#039;auth failures&amp;#039;&amp;#039;&amp;#039;, not connection counts.  == Status &amp;amp; inspection ==  &amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt; # Daemon alive? sudo systemctl status fail2ban sudo fail2ban-client ping...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= fail2ban Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
Config: &amp;lt;code&amp;gt;/etc/fail2ban/jail.local&amp;lt;/code&amp;gt; (jails) · &amp;lt;code&amp;gt;/etc/fail2ban/fail2ban.local&amp;lt;/code&amp;gt; (daemon)&lt;br /&gt;
&lt;br /&gt;
Backend: &amp;#039;&amp;#039;&amp;#039;systemd journal&amp;#039;&amp;#039;&amp;#039; (not log files) · Ban action: &amp;#039;&amp;#039;&amp;#039;nftables&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Jail: &amp;lt;code&amp;gt;sshd&amp;lt;/code&amp;gt; · maxretry 4 · findtime 10m · bantime 1h&lt;br /&gt;
&lt;br /&gt;
Bans trigger on &amp;#039;&amp;#039;&amp;#039;auth failures&amp;#039;&amp;#039;&amp;#039;, not connection counts.&lt;br /&gt;
&lt;br /&gt;
== Status &amp;amp; inspection ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Daemon alive?&lt;br /&gt;
sudo systemctl status fail2ban&lt;br /&gt;
sudo fail2ban-client ping                 # should answer &amp;quot;pong&amp;quot;&lt;br /&gt;
&lt;br /&gt;
# Which jails are running?&lt;br /&gt;
sudo fail2ban-client status&lt;br /&gt;
&lt;br /&gt;
# The sshd jail: current bans, totals, failure counts&lt;br /&gt;
sudo fail2ban-client status sshd&lt;br /&gt;
&lt;br /&gt;
# Watch fail2ban&amp;#039;s own log live&lt;br /&gt;
sudo journalctl -u fail2ban -f&lt;br /&gt;
&lt;br /&gt;
# See the auth failures fail2ban is reading (same source it uses)&lt;br /&gt;
sudo journalctl -u ssh --since &amp;quot;1 hour ago&amp;quot; | grep -i fail&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Bans: check / remove / add ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Is a specific IP banned? (listed under &amp;quot;Banned IP list&amp;quot;)&lt;br /&gt;
sudo fail2ban-client status sshd&lt;br /&gt;
&lt;br /&gt;
# UNBAN an address (the &amp;quot;I locked myself out&amp;quot; fix — run from IPMI console)&lt;br /&gt;
sudo fail2ban-client set sshd unbanip &amp;lt;ip&amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Unban everything (all jails and the ban database, not just sshd)&lt;br /&gt;
sudo fail2ban-client unban --all&lt;br /&gt;
&lt;br /&gt;
# Manually ban an address&lt;br /&gt;
sudo fail2ban-client set sshd banip &amp;lt;ip&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The actual block lives in nftables — verify with:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
sudo nft list ruleset | grep -A5 f2b&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== TRAVEL SCENARIO: I banned myself ==&lt;br /&gt;
&lt;br /&gt;
Symptoms: SSH connects then drops instantly, or times out, from one specific location — while the VPN or another network works fine.&lt;br /&gt;
&lt;br /&gt;
# Get in another way (UCI VPN, IPMI console, or another host).&lt;br /&gt;
# &amp;lt;code&amp;gt;sudo fail2ban-client status sshd&amp;lt;/code&amp;gt; → confirm your IP is listed.&lt;br /&gt;
# &amp;lt;code&amp;gt;sudo fail2ban-client set sshd unbanip &amp;lt;your-ip&amp;gt;&amp;lt;/code&amp;gt;&lt;br /&gt;
# Fix whatever failed auth 4× in 10 min (wrong key? stale agent? password typos?). Otherwise you&amp;#039;ll be banned again in minutes.&lt;br /&gt;
# Worst case, do nothing: bantime is &amp;#039;&amp;#039;&amp;#039;1 hour&amp;#039;&amp;#039;&amp;#039;, then it clears itself.&lt;br /&gt;
&lt;br /&gt;
Note: with the minimal &amp;lt;code&amp;gt;ignoreip&amp;lt;/code&amp;gt;, your travel IPs are NOT exempt. Four bad auth attempts from the hotel wifi = 1-hour ban. Use keys, and check &amp;lt;code&amp;gt;ssh -v&amp;lt;/code&amp;gt; output before retrying blindly.&lt;br /&gt;
&lt;br /&gt;
== Config changes ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Test config without applying&lt;br /&gt;
sudo fail2ban-client -t&lt;br /&gt;
&lt;br /&gt;
# Reload after editing jail.local (keeps existing bans by default)&lt;br /&gt;
sudo fail2ban-client reload&lt;br /&gt;
&lt;br /&gt;
# Full restart (re-reads everything; bans are restored from the&lt;br /&gt;
# persistent sqlite DB at /var/lib/fail2ban/fail2ban.sqlite3)&lt;br /&gt;
sudo systemctl restart fail2ban&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Interaction with nftables ==&lt;br /&gt;
&lt;br /&gt;
* Any &amp;lt;code&amp;gt;nft flush ruleset&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;systemctl reload nftables&amp;lt;/code&amp;gt; &amp;#039;&amp;#039;&amp;#039;wipes the f2b ban sets&amp;#039;&amp;#039;&amp;#039;. fail2ban still &amp;#039;&amp;#039;thinks&amp;#039;&amp;#039; those addresses are banned, but nothing blocks them any more. Fix: &amp;lt;code&amp;gt;sudo systemctl restart fail2ban&amp;lt;/code&amp;gt; after firewall reloads.&lt;br /&gt;
* Ban actions: &amp;lt;code&amp;gt;nftables-multiport&amp;lt;/code&amp;gt; (per-jail ports), &amp;lt;code&amp;gt;nftables-allports&amp;lt;/code&amp;gt; for allports bans.&lt;br /&gt;
&lt;br /&gt;
== Current policy notes (jail.local) ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;ignoreip&amp;lt;/code&amp;gt; — keep minimal: loopback + witchetty&amp;#039;s /32 (backup source). Anything listed here can brute-force sshd forever without a ban.&lt;br /&gt;
* Consider &amp;lt;code&amp;gt;bantime.increment = true&amp;lt;/code&amp;gt; in &amp;lt;code&amp;gt;[DEFAULT]&amp;lt;/code&amp;gt; for escalating bans on repeat offenders.&lt;br /&gt;
* &amp;lt;code&amp;gt;allowipv6 = auto&amp;lt;/code&amp;gt; lives in &amp;#039;&amp;#039;&amp;#039;fail2ban.local&amp;#039;&amp;#039;&amp;#039; &amp;lt;code&amp;gt;[Definition]&amp;lt;/code&amp;gt;, not jail.local (daemon setting, silences the startup warning).&lt;br /&gt;
&lt;br /&gt;
== Quick triage flowchart ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Can&amp;#039;t SSH in?&lt;br /&gt;
├─ Works from VPN but not current IP?&lt;br /&gt;
│   ├─ IP not in $ssh_nets_v4  → nft issue (see nft sheet: temp rule)&lt;br /&gt;
│   └─ IP in allowed range     → probably banned → unbanip&lt;br /&gt;
├─ Works from nowhere?&lt;br /&gt;
│   ├─ nftables ruleset empty/broken → nft sheet, IPMI console&lt;br /&gt;
│   └─ sshd itself down → journalctl -u ssh -b&lt;br /&gt;
└─ Connects but auth fails? → not a firewall problem; check keys/PAM&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Sysadmin]]&lt;br /&gt;
[[Category:Cheat sheets]]&lt;/div&gt;</summary>
		<author><name>Scott</name></author>
	</entry>
</feed>