Unblock an IP address in Fail2Ban

Why fail2ban banned the IP in the first place?

Fail2ban watches your logs (SSH auth logs, nginx access logs, etc.) for patterns that look like brute-forcing or abuse — too many failed logins, too many requests in too short a window — and temporarily firewalls that IP out using iptables or nftables rules.

It's doing its job correctly most of the time; the annoying case is when you (or a legitimate crawler, or a colleague on a shared office IP) trip the same threshold by accident.

How to unblock an IP

  1. Find the jail name involved
  2. Confirm the IP address is indeed blocked
  3. Unblock the IP using the jail name and IP address
fail2ban-client status 
nft list ruleset
fail2ban-client set <jail-name> unbanip <ip-address>
nft list ruleset

This will list the current firewall rules, and should display the IP address in a named set

fail2ban-client status

This will include output that lists the names of available jails. You need to identify the correct jail in order to unblock the IP

fail2ban-client set <jail-name> unbanip <ip-address>

If found, this will remove the block on the IP from the corresponding jail

Common problems

  • It gets banned again a few minutes later. This means the underlying behavior that triggered the ban is still happening — unbanning doesn't fix the cause. Check what's making the repeated requests/logins (a misconfigured script, a monitoring tool polling too fast, a bot) and fix that, or you'll be back here again.
  • unbanip says the IP isn't banned, but it's still blocked. Sometimes a ban was applied directly via iptables/nftables outside of fail2ban's own tracking (or a previous fail2ban version left stale rules behind). Check the raw firewall rules directly: iptables -L -n | grep <ip> or nft list ruleset | grep <ip>, and remove the rule manually if fail2ban doesn't recognize it.
  • You want to make sure this never happens to your own IP again. Add a permanent allowlist entry in /etc/fail2ban/jail.local under ignoreip, e.g. ignoreip = 127.0.0.1/8 ::1 203.0.113.42, then restart fail2ban (systemctl restart fail2ban). This is worth doing proactively for your office/home IP and any legitimate services you rely on.