# Fail2Ban Reference & Useful Commands

**Category:** All About Ubuntu  
**Last Updated:** May 11, 2025  
**Applies To:** Ubuntu Server 22.04+

### Fail2Ban Jail Configuration

Each Fail2Ban jail sets how long an IP stays banned once its filter has matched. To increase the ban duration (e.g., to 48 hours), set `bantime` in the jail's section of `jail.local`:

#### Configuration File

```bash
sudo nano /etc/fail2ban/jail.local
```

#### Example Jail Settings for SSH and UFW Block:

```ini
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
bantime = 172800
findtime = 600
maxretry = 3

[ufw-block]
enabled = true
filter  = ufw-block
logpath = /var/log/ufw.log
bantime = 172800
findtime = 600
maxretry = 3

```

✅ `bantime` is in seconds → `172800` equals 48 hours  
✅ `findtime` is the window (in seconds) to detect repeated offenses  
✅ `maxretry` is the number of failed attempts before banning

After changes:

```bash
sudo systemctl restart fail2ban
```

### Useful Commands

<table id="bkmrk-task-command-check-f"><thead><tr><th>Task</th><th>Command</th></tr></thead><tbody>
<tr><td>Check fail2ban service status</td><td><code>sudo systemctl status fail2ban</code></td></tr>
<tr><td>Start fail2ban</td><td><code>sudo systemctl start fail2ban</code></td></tr>
<tr><td>Restart fail2ban</td><td><code>sudo systemctl restart fail2ban</code></td></tr>
<tr><td>View all jail statuses</td><td><code>sudo fail2ban-client status</code></td></tr>
<tr><td>View a specific jail (e.g., sshd)</td><td><code>sudo fail2ban-client status sshd</code></td></tr>
<tr><td>See currently banned IPs in a jail</td><td><code>sudo fail2ban-client get sshd banned</code></td></tr>
<tr><td>Unban an IP from a jail</td><td><code>sudo fail2ban-client set sshd unbanip &lt;IP&gt;</code></td></tr>
<tr><td>Get ignore list for a jail</td><td><code>sudo fail2ban-client get sshd ignoreip</code></td></tr>
<tr><td>Manually test a filter (dry run)</td><td><code>fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf</code></td></tr>
</tbody></table>

### Filter & Jail File Paths

<table id="bkmrk-file-purpose-path-ja"><thead><tr><th>File Purpose</th><th>Path</th></tr></thead><tbody>
<tr><td>Jail configuration</td><td><code>/etc/fail2ban/jail.local</code></td></tr>
<tr><td>Custom filters</td><td><code>/etc/fail2ban/filter.d/</code></td></tr>
<tr><td>Fail2Ban main log</td><td><code>/var/log/fail2ban.log</code></td></tr>
<tr><td>UFW log (for ufw-block)</td><td><code>/var/log/ufw.log</code></td></tr>
</tbody></table>

### Dynamically Updating `ignoreip` in Fail2Ban with DDNS

To prevent your own dynamic IP from being blocked by Fail2Ban (especially on services like `sshd` or custom UFW blocks), you can automate the injection of a DDNS-resolved IP into the `ignoreip` configuration.

### Script Overview

**Location:**  
`/usr/local/bin/update-fail2ban-ignoreip.sh`

**Purpose:**  
Resolves a DDNS hostname to an IPv4 address and updates the `ignoreip` line in `/etc/fail2ban/jail.local`. This helps Fail2Ban ignore your dynamic IP address automatically.

### Key Script Breakdown

```bash
#!/bin/bash
DDNS_HOST="your-ddns.example.com"
RESOLVED_IP=$(dig +short "$DDNS_HOST" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
```

- Resolves your DDNS hostname to a valid IPv4 address.

```bash
JAIL_FILE="/etc/fail2ban/jail.local"
```

- Points to the jail config you want to modify.

```bash
sed -i -E "s|^(ignoreip\s*=).*|\1 127.0.0.1/8 ::1 $RESOLVED_IP fe80::/10|" "$JAIL_FILE"
```

- Uses `sed` to replace the entire `ignoreip` line with:
    - the IPv4 and IPv6 loopback addresses (`127.0.0.1/8 ::1`)
    - your **resolved** DDNS IP
    - and optional link-local IPv6 scope (`fe80::/10`)

```bash
systemctl restart fail2ban
```

- Restarts Fail2Ban so the updated IP takes effect immediately.

### Example Output

```text
Resolved IP: <your ip>
ignoreip updated in jail.local
Fail2Ban restarted successfully
```
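
A hardened variant of the update step, as an added example (not the page's script): it rejects an empty or malformed `dig` result before it reaches `sed`, leaves `jail.local` untouched when the address has not changed, and restarts Fail2Ban only after a real change. The function names, return codes and the `--apply` switch are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the page's script. Names and return codes are assumptions.

# Succeeds only for a dotted quad whose four octets are each 0-255.
is_valid_ipv4() {
    local old_ifs octet
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# update_ignoreip FILE IP
# Returns: 0 rewritten, 1 invalid IP, 2 no ignoreip line, 3 already current.
update_ignoreip() {
    local file="$1" ip="$2" want
    # Validate first: $ip is spliced into the sed program below.
    is_valid_ipv4 "$ip" || return 1
    grep -Eq '^ignoreip[[:space:]]*=' "$file" || return 2
    want="ignoreip = 127.0.0.1/8 ::1 $ip fe80::/10"
    # Current only if no ignoreip line differs from the wanted one.
    if ! grep -E '^ignoreip[[:space:]]*=' "$file" | grep -Fxvq "$want"; then
        return 3
    fi
    sed -i -E "s|^ignoreip[[:space:]]*=.*|$want|" "$file"
}

refresh_ignoreip() {
    local host="your-ddns.example.com" jail="/etc/fail2ban/jail.local" ip rc=0
    ip=$(dig +short "$host" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
    update_ignoreip "$jail" "$ip" || rc=$?
    case "$rc" in
        0) echo "ignoreip updated to $ip"; systemctl restart fail2ban ;;
        1) echo "skipped: '$ip' is not a valid IPv4 address" >&2 ;;
        2) echo "skipped: no ignoreip line in $jail" >&2 ;;
        3) echo "ignoreip already current, no restart" ;;
    esac
}

# Hypothetical switch: nothing on the system changes unless --apply is given.
if [ "${1:-}" = "--apply" ]; then refresh_ignoreip; fi
```

Return code 2 matters because the `sed` substitution silently does nothing when `jail.local` has no `ignoreip` line yet.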

### Cron Job (Optional)

To schedule it daily or multiple times a day, add an entry to `root`’s crontab (the example below runs every 15 minutes):

```cron
*/15 * * * * /usr/local/bin/update-fail2ban-ignoreip.sh >> /var/log/update-fail2ban-ignoreip.log 2>&1
```

### Notes

- Use `ignoreip` to exempt safe IPs (including local/DDNS).
- Consider rotating logs weekly to avoid bloated logs.
- Fail2Ban can be extended to cover other services (Apache, Postfix, etc.).