How to Fix Fail2Ban Blocking Your Own SSH Connection

DodaTech 2 min read

This tutorial shows how to regain SSH access after Fail2Ban has banned your own IP address, and how to adjust its configuration so it does not happen again.

The Problem

You're locked out of your own server via SSH. After repeated failed login attempts (maybe you mistyped your password, or an automated script triggered the ban), Fail2Ban added your IP to its ban list. Every SSH connection attempt is immediately rejected, even with the correct credentials.

Quick Fix

1. Check if you're banned (via console or alternate network)

# If you can still access the server via console or VPN
sudo fail2ban-client status sshd

Expected output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     15
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     5
   `- Banned IP list:   203.0.113.45

2. Unban your IP

sudo fail2ban-client set sshd unbanip 203.0.113.45

3. Unban from all jails

sudo fail2ban-client status | grep "Jail list" | cut -d: -f2 | tr ',' '\n' | xargs -I {} sudo fail2ban-client set {} unbanip 203.0.113.45

4. Add your IP to the permanent ignore list

Edit /etc/fail2ban/jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 203.0.113.45

Reload Fail2Ban:

sudo fail2ban-client reload

5. Check all active jails

sudo fail2ban-client status

6. Adjust ban parameters

Edit /etc/fail2ban/jail.local:

# Keep comments on their own lines: Fail2Ban does not strip an inline "#" from a value.
[DEFAULT]
# 1 hour (default is 10 minutes)
bantime = 3600
# Count failures over 10 minutes
findtime = 600
# Ban after 5 failures
maxretry = 5

[sshd]
enabled = true
# Lower threshold for SSH specifically
maxretry = 3

7. Create a self-unban script (if you have out-of-band console access)

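#!/bin/bash
# Run from console: sudo ./unban.sh [IP]
# Uses the IP passed as an argument, otherwise the source address of the
# most recent active remote login (console logins show up as 0.0.0.0).
MY_IP=${1:-$(last -i | grep "still logged in" | awk '$3 != "0.0.0.0" {print $3; exit}')}
# Stop if no address was found instead of calling unbanip with an empty value.
[ -n "$MY_IP" ] || { echo "No IP found; pass it as an argument" >&2; exit 1; }
sudo fail2ban-client set sshd unbanip "$MY_IP"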
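
The following is an added example, not part of the original tutorial: it combines steps 1, 3 and 5 into functions that report which jails currently ban an address and unban it only there. The function names and the `fake_f2b` stand-in with its sample output are constructed for this example; set `F2B=fake_f2b` to try it without a running Fail2Ban.

```bash
#!/bin/bash
# Added example (not from the tutorial): find the jails banning an IP, unban it there.
# F2B is the command that gets queried; the default is the real client.
F2B=${F2B:-fail2ban-client}

# Constructed stand-in for fail2ban-client; the output below is sample data.
fake_f2b() {
  case "$*" in
    status) printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tsshd, apache-auth\n' ;;
    'status sshd') printf '   `- Banned IP list:\t203.0.113.45 198.51.100.7\n' ;;
    'status apache-auth') printf '   `- Banned IP list:\t203.0.113.4\n' ;;
    'set '*) : ;;   # pretend the unban succeeded
  esac
}

# Read `status` output on stdin, print one jail name per line.
parse_jails() {
  sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Read `status <jail>` output on stdin; succeed if IP ($1) is in the banned list.
# -F -x compares whole addresses, so 203.0.113.4 does not match 203.0.113.45.
is_banned() {
  [ -n "$1" ] || return 2
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' | grep -Fxq -- "$1"
}

# Print every jail that currently bans IP ($1).
jails_banning() {
  $F2B status | parse_jails | while read -r jail; do
    if $F2B status "$jail" </dev/null | is_banned "$1"; then echo "$jail"; fi
  done
}

# Unban IP ($1) only from the jails that ban it, reporting each one.
unban_everywhere() {
  jails_banning "$1" | while read -r jail; do
    $F2B set "$jail" unbanip "$1" </dev/null >/dev/null && echo "unbanned $1 from $jail"
  done
}
```

Source the file in a root shell on the console and call `jails_banning 203.0.113.45` to see where the ban is before running `unban_everywhere 203.0.113.45`.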

Common Causes

Cause | Why You Got Banned | Fix
Mistyped password | Multiple failed attempts while typing | Add your IP to ignoreip
Automated script | Cron job or monitoring with wrong password | Fix the script or whitelist its source IP
Brute force targeting your IP | Attacker spoofed your IP or you're on shared NAT | Add your IP range to ignoreip
Too strict fail2ban config | maxretry is too low (e.g., 2) | Increase to 3-5
Permanent ban setting | bantime = -1 (forever) | Change to bantime = 3600
Multiple services banning | SSH + Apache + Postfix all banning same IP | Unban from all jails at once

Prevention

  • Always add your office/home IP range to ignoreip in /etc/fail2ban/jail.local
  • Use a VPN to access your servers, and whitelist the VPN IP
  • Keep maxretry at 3-5 to avoid locking yourself out from a few typos
  • Set bantime to 1 hour instead of permanent for SSH jails
