How to Fix Fail2Ban Blocking Your Own SSH Connection
DodaTech
In this tutorial, you'll learn how to fix Fail2Ban blocking your own SSH connection. We cover key concepts, practical examples, and best practices.
The Problem
You're locked out of your own server via SSH. After repeated failed login attempts (maybe you mistyped your password, or an automated script triggered the ban), Fail2Ban added your IP to its ban list. Every SSH connection attempt is immediately rejected, even with the correct credentials.
Quick Fix
1. Check if you're banned (via console or alternate network)
```bash
# If you can still access the server via console or VPN
sudo fail2ban-client status sshd
```
Expected output:
```
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 15
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 5
   `- Banned IP list: 203.0.113.45
```
2. Unban your IP
```bash
sudo fail2ban-client set sshd unbanip 203.0.113.45
```
3. Unban from all jails
```bash
sudo fail2ban-client status | grep "Jail list" | cut -d: -f2 | tr ',' '\n' | xargs -I {} sudo fail2ban-client set {} unbanip 203.0.113.45
```
4. Add your IP to the permanent ignore list
Edit /etc/fail2ban/jail.local:
```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 203.0.113.45
```
Reload Fail2Ban:
```bash
sudo fail2ban-client reload
```
5. Check all active jails
```bash
sudo fail2ban-client status
```
6. Adjust ban parameters
Edit /etc/fail2ban/jail.local:
```ini
[DEFAULT]
# 1 hour (default is 10 minutes)
bantime = 3600
# Count failures over 10 minutes
findtime = 600
# Ban after 5 failures
maxretry = 5

[sshd]
enabled = true
# Lower threshold for SSH specifically
maxretry = 3
```
7. Create a self-unban script (if you have out-of-band console access)
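```bash
#!/bin/bash
# Run from console: sudo ./unban.sh [IP]
# Uses the IP passed as an argument, otherwise the most recent session that is still logged in
MY_IP=${1:-$(last -i | grep "still logged in" | head -1 | awk '{print $3}')}
# Stop if nothing was found or only a local console session (0.0.0.0) matched
if [ -z "$MY_IP" ] || [ "$MY_IP" = "0.0.0.0" ]; then echo "No remote IP found" >&2; exit 1; fi
sudo fail2ban-client set sshd unbanip "$MY_IP"
```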
Common Causes
| Cause | Why You Got Banned | Fix |
|---|---|---|
| Mistyped password | Multiple failed attempts while typing | Add your IP to ignoreip |
| Automated script | Cron job or monitoring with wrong password | Fix the script or whitelist its source IP |
| Brute force targeting your IP | Attacker spoofed your IP or you're on shared NAT | Add your IP range to ignoreip |
| Too strict fail2ban config | maxretry is too low (e.g., 2) | Increase to 3-5 |
| Permanent ban setting | bantime = -1 (forever) | Change to bantime = 3600 |
| Multiple services banning | SSH + Apache + Postfix all banning same IP | Unban from all jails at once |
Prevention
- Always add your office/home IP range to ignoreip in /etc/fail2ban/jail.local
- Use a VPN to access your servers, and whitelist the VPN IP
- Keep maxretry at 3-5 to avoid locking yourself out from a few typos
- Set bantime to 1 hour instead of permanent for SSH jails
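
One way to check a jail.local against the causes in the table and the prevention list above before reloading, as an added example that is not part of the original page or of Fail2Ban itself. The function names and the sample config are constructed, and the parser treats only `;` as an inline comment marker, which is assumed to match how Fail2Ban reads its configuration.

```python
import configparser
import ipaddress

# Constructed sample jail.local (not from the page) with the risky settings the table lists
SAMPLE = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime = -1
maxretry = 5

[sshd]
enabled = true
maxretry = 2
"""

def ip_ignored(ignoreip, ip):
    """True if ip falls inside any address or CIDR entry of an ignoreip value."""
    addr = ipaddress.ip_address(ip)
    for entry in ignoreip.replace(",", " ").split():
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # DNS names are also allowed in ignoreip; not resolved here
    return False

def audit(text, my_ip, jail="sshd"):
    """Return findings for one jail; [DEFAULT] values are inherited by the jail."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(text)
    if not cp.has_section(jail):
        return [f"no [{jail}] section"]
    sec, findings = cp[jail], []
    if not ip_ignored(sec.get("ignoreip", ""), my_ip):
        findings.append(f"{my_ip} is not covered by ignoreip")
    if sec.get("bantime", "").strip().startswith("-"):
        findings.append("bantime is negative (permanent ban)")
    retry = sec.get("maxretry", "").strip()
    if retry and not retry.isdigit():
        findings.append(f"maxretry is not an integer: {retry!r}")
    elif retry and int(retry) < 3:
        findings.append(f"maxretry = {retry} is below 3")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "203.0.113.45"):
        print("WARN:", finding)
```

To audit a real file, pass its contents as the first argument, for example `audit(open("/etc/fail2ban/jail.local").read(), "203.0.113.45")`.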