fail2ban status check commands

2026-03-28 — fail2ban, security

Quick reference for the commands I need when something is happening. These are the things I want to find fast, not dig through man pages for. Setup and configuration are in the SSH hardening notes.

Checking status

# Overall status — lists active jails
fail2ban-client status

# Status for a specific jail (replace sshd with jail name)
fail2ban-client status sshd

The jail status shows currently banned IPs, total bans since startup, and filter stats (how many failures it's tracking).

# Confirm active settings for a jail
fail2ban-client get sshd bantime
fail2ban-client get sshd findtime
fail2ban-client get sshd maxretry

Viewing banned IPs

# From fail2ban itself
fail2ban-client status sshd

# Directly from nftables (when using nftables banaction)
nft list set inet f2b-table addr-set-sshd

# More compact view of just IPs
nft list set inet f2b-table addr-set-sshd \
  | grep elements -A 9999 \
  | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

If you're using iptables as the banaction instead of nftables, use iptables -L f2b-sshd -n instead of the nft commands.

Banning and unbanning manually

# Manually ban an IP (useful for testing or preemptive blocks)
fail2ban-client set sshd banip 192.0.2.1

# Unban an IP (e.g. if you locked out a legitimate user or yourself)
fail2ban-client set sshd unbanip 192.0.2.1

If you lock yourself out: the ban will expire after the configured bantime. If you have console/VNC access, you can unban immediately from there. Alternatively, if you have a second IP that isn't banned, use that to connect and unban.

Logs

# Live fail2ban log (most useful during an incident)
journalctl -fu fail2ban

# Recent bans and unbans
journalctl -u fail2ban --since "1 hour ago" | grep -E "Ban|Unban"

# All log entries (bans included) for a specific IP; -wF matches the address literally
journalctl -u fail2ban | grep -wF 192.0.2.1
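
The Ban/Unban grep above gets noisy during a busy incident, so here is an added example (not part of the original notes) that condenses those lines into one row per jail and IP, with counts and whether the IP is still banned at the end of the window. It assumes fail2ban's usual "[jail] Ban IP", "[jail] Unban IP" and "[jail] Restore Ban IP" messages; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes "[jail] Ban IP", "[jail] Unban IP", "[jail] Restore Ban IP" messages.

# Read log lines on stdin; print one line per jail+IP: ban/unban counts and final state.
f2b_ban_summary() {
  awk '
    {
      for (i = 2; i < NF; i++) {
        if ($i != "Ban" && $i != "Unban") continue
        # The jail is the nearest preceding token of the form [name].
        jail = ""
        for (j = i - 1; j >= 1; j--)
          if (substr($j, 1, 1) == "[" && substr($j, length($j), 1) == "]") {
            jail = substr($j, 2, length($j) - 2); break
          }
        if (jail == "") break
        key = jail " " $(i + 1)
        seen[key] = 1
        if ($i == "Unban") { unbans[key]++; active[key] = 0 }
        else {
          # "Restore Ban" re-applies a stored ban after a restart: not a new ban.
          if ($(i - 1) != "Restore") bans[key]++
          active[key] = 1
        }
        break
      }
    }
    END {
      for (k in seen)
        printf "%s bans=%d unbans=%d %s\n", k, bans[k], unbans[k], (active[k] ? "BANNED" : "released")
    }
  ' | LC_ALL=C sort
}

# Constructed sample lines (documentation IP ranges), shaped like journalctl -u fail2ban output.
f2b_sample_log() {
  cat <<'EOF'
Mar 28 10:01:12 host fail2ban-server[812]: fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
Mar 28 10:11:12 host fail2ban-server[812]: fail2ban.actions [812]: NOTICE [sshd] Unban 198.51.100.7
Mar 28 10:20:40 host fail2ban-server[812]: fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
Mar 28 10:22:03 host fail2ban-server[812]: fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.9
Mar 28 10:25:00 host fail2ban-server[812]: fail2ban.actions [812]: NOTICE [sshd] Restore Ban 203.0.113.9
Mar 28 10:26:30 host fail2ban-server[812]: fail2ban.actions [812]: NOTICE [recidive] Ban 192.0.2.200
Mar 28 10:27:30 host fail2ban-server[812]: fail2ban.actions [812]: NOTICE [recidive] Unban 192.0.2.200
Mar 28 10:30:00 host fail2ban-server[812]: fail2ban.filter [812]: INFO [sshd] Found 192.0.2.44 - 2026-03-28 10:30:00
EOF
}

f2b_sample_log | f2b_ban_summary
```

For live data, replace the last line with journalctl -u fail2ban --since "1 hour ago" | f2b_ban_summary. An IP showing several bans inside a short window is one to compare against the ban history database.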

Reloading configuration

# Reload all jails (picks up changes to jail.local)
fail2ban-client reload

# Reload a specific jail only
fail2ban-client reload sshd

# Test config for errors before reloading
fail2ban-client -t

Testing filters

When writing or debugging a filter, you can test it against a log file without actually banning anything:

# Test the sshd filter against the journal
fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf

# Test against a log file
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

This is useful when fail2ban isn't detecting failures you think it should — run the filter test and see how many lines it matches before blaming the jail config.

Database of prior bans

fail2ban keeps a SQLite database of ban history. This is how escalating ban times work — it looks up whether an IP has been banned before and adjusts the ban duration accordingly.

# Path to the database
ls -lh /var/lib/fail2ban/fail2ban.sqlite3

# Crude query to see ban history (requires sqlite3 installed)
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 \
  "SELECT ip, jail, timeofban, bantime FROM bans ORDER BY timeofban DESC LIMIT 20;"