Unblock IP address from connecting via SSH

I manage a small cluster at work and occasionally students get their IP address banned by entering the wrong password when logging into the cluster. I don’t fix the problem often enough to remember how to do it, so I thought I’d jot it down here for future reference.

The blocking of IPs is controlled by Fail2ban, which scans log files for IPs which look malicious (e.g. too many password failures, looking for exploits, etc.) and bans them. It does this by updating firewall rules to reject the specific IP.

To see the list of what is being blocked run (in a terminal):

sudo iptables -L --line-numbers

That will give you something like:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp xxx:xxxxxx
2    ACCEPT     tcp  --  anywhere             anywhere             tcp xxx:xxxxxx
3    ACCEPT     udp  --  anywhere             anywhere             udp xxx:xxxxxx
4    ACCEPT     tcp  --  anywhere             anywhere             tcp xxx:xxxxxx
5    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
6    REJECT     tcp  --  anywhere             anywhere             tcp spts:xxxxxx:xxxxxx dpt:ulistproc reject-with icmp-port-unreachable
7    REJECT     udp  --  anywhere             anywhere             udp spts:xxxxxx:xxxxxx dpt:ulistproc reject-with icmp-port-unreachable
8    ACCEPT     all  --  anywhere             anywhere            
9    ACCEPT     all  --  anywhere             anywhere            
10   ACCEPT     tcp  --  anywhere             anywhere             tcp xxx:xxxxxx state NEW
11   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
12   ACCEPT     tcp  --  xxx.xxx.xxx.xxx/24   anywhere             tcp xxx:xxxxxx state NEW
13   ACCEPT     tcp  --  xxx.xxx.xxx.xxx/24   anywhere             tcp xxx:xxxxxx state NEW
14   REJECT     udp  --  anywhere             anywhere             udp xxx:xxxxxx reject-with icmp-port-unreachable
15   REJECT     tcp  --  anywhere             anywhere             tcp xxx:xxxxxx reject-with icmp-port-unreachable
16   REJECT     tcp  --  anywhere             anywhere             tcp xxx:xxxxxx reject-with icmp-port-unreachable
17   REJECT     tcp  --  anywhere             anywhere             tcp xxx:xxxxxx:0:1023 reject-with icmp-port-unreachable
18   REJECT     udp  --  anywhere             anywhere             udp xxx:xxxxxx:0:1023 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             xxx.xxx.xxx.xxx/24     ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  xxx.xxx.xxx.xxx/24   anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
6    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
7    ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain f2b-sshd (1 references)
num  target     prot opt source               destination         
1    REJECT     all  --  xxx.xxx.xxx.xxx      anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  199.188.177.166      anywhere             reject-with icmp-port-unreachable
3    RETURN     all  --  anywhere             anywhere     

What we are interested in is the ‘Chain f2b-sshd’ part at the bottom of the list. Here we can see the (made up) IP address 199.188.177.166 is being banned (“REJECT”). That means that any user trying to SSH into the machine from that IP address will fail. If you have verified that that is the IP address you are expecting and know it is safe to unblock then we can delete the rule using the Chain name (f2b-sshd) and line number (2) using “iptables -D CHAIN LINE_NUMBER” so in this specific case:

sudo iptables -D f2b-sshd 2

To make the change permanent you must save your changes:

sudo iptables-save

 

This entry was posted in Linux and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.