How to avoid being banned by fail2ban forever

This week it happened: I, as an admin, was banned by fail2ban and I did not even know why. So I was thinking about how I could avoid this once and for all.

Always allow ssh from another fixed ip address

The first thing I did was to add one of my VPS, which has a fixed IP address, to the addresses ignored by fail2ban, like this: add a file /etc/fail2ban/jail.d/ignoremyip.conf with the content:

[DEFAULT]
ignoreip = 188.68.45.245

So now at least I can reach my YunoHost via the VPS if I'm banned. But I was not happy, because I want to reach it from home without any problems, and at home I have a dynamic IP address. :thinking:

Concept

So I developed the following concept: at home I already have a DynDNS account for my Pleroma server (on a Raspberry Pi). So the following script can get my current dynamic IP from DNS resolution and put it in the fail2ban config, but only if it has changed (normally during the night). :+1:t2:

Bash Script

This is the script I developed; call it from cron:

#!/bin/bash

# Script to always unban the admin's own dynamic IP address
# Put this in /usr/local/bin/unban
# Change the SERVERNAME down below to your DYNDNS host
# Make it executable: chmod 700 /usr/local/bin/unban
# Put it in root's cron like: */10 * * * * /usr/local/bin/unban

# Author: Martin Doering
# Email: devel@datenbrei.de
# License: public domain

# set this to the DYNDNS server name of your home
# Its IP will always be ignored and never banned
SERVERNAME='dyndnsname.fr'
CONF=/etc/fail2ban/jail.d/ignoreip.conf

# the IP written last time (empty if the drop-in does not exist yet)
OLDIP=$(grep 'ignoreip' "$CONF" 2>/dev/null | awk '{ print $NF }')

# take only the A record: plain `host` also prints AAAA and MX lines,
# which would turn NEWIP into several lines
NEWIP=$(host -t A "$SERVERNAME" | awk '/has address/ { print $NF; exit }')

if [[ "$NEWIP" == "$OLDIP" ]]; then
  exit 0
fi

# only rewrite the config and restart fail2ban for a plausible IPv4 address,
# so a failed lookup never empties the ignore list or restarts the service
if [[ $NEWIP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "[DEFAULT]"         > "$CONF"
  echo "ignoreip = $NEWIP" >> "$CONF"
  systemctl restart fail2ban
fi

Since I started running this script I have never been locked out again. Maybe it is of use for you YunoHost admins. And: thanks for all your work, YunoHost is great! :rocket:

2 Likes
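The following is an added example illustrating the concept and the script above; it is not the original poster's script and not part of YunoHost. It keeps the fixed VPS address and the dynamic DynDNS address together in one drop-in, because fail2ban reads jail.d/*.conf in sorted order and a later file's `ignoreip` replaces an earlier one's instead of extending it, so two separate files would silently drop one of the addresses. The resolver logic is split into small functions so it can be checked offline with constructed `host` output: only an A record is accepted, every octet is range-checked, and fail2ban is only reloaded when the list actually changed. The hostname `dyndnsname.fr`, the drop-in path and the `run` argument are assumptions chosen for this example.

```shell
#!/bin/bash
# Added example (not the thread author's script): maintain a fail2ban ignoreip
# list made of fixed addresses plus one dynamic DNS hostname.
# Assumed layout: a single drop-in /etc/fail2ban/jail.d/ignoreip.conf carrying
# both the static and the dynamic address. Invoke as `unban run` from cron
# (assumed entry: */10 * * * * /usr/local/bin/unban run); without `run` the
# file only defines functions, so it can be sourced and tested offline.

STATIC_IPS="${STATIC_IPS:-188.68.45.245}"     # fixed addresses from the thread
DYNDNS_HOST="${DYNDNS_HOST:-dyndnsname.fr}"   # placeholder dynamic DNS name
CONF="${CONF:-/etc/fail2ban/jail.d/ignoreip.conf}"

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all in 0..255.
is_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr            # split the validated quad into its four octets
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# first_a_record HOST_OUTPUT: print the address of the first "has address"
# line of `host` output, skipping AAAA ("has IPv6 address"), MX and error lines.
first_a_record() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $NF; exit }'
}

# resolve_dynamic HOST: look the name up and print a validated IPv4, or fail.
resolve_dynamic() {
    out=$(host -t A "$1" 2>/dev/null) || return 1
    ip=$(first_a_record "$out")
    is_ipv4 "$ip" && printf '%s\n' "$ip"
}

# render_conf STATIC_IPS DYNAMIC_IP: the drop-in text; ignoreip is space-separated.
render_conf() {
    printf '[DEFAULT]\nignoreip = %s %s\n' "$1" "$2"
}

# current_ignoreip FILE: the ignoreip value currently on disk (empty if absent).
current_ignoreip() {
    [ -r "$1" ] || return 0
    sed -n 's/^ignoreip *= *//p' "$1"
}

main() {
    if ! newip=$(resolve_dynamic "$DYNDNS_HOST"); then
        # keep the previous list rather than writing an empty or bogus one
        echo "unban: could not resolve an IPv4 for $DYNDNS_HOST, leaving $CONF untouched" >&2
        return 1
    fi
    wanted="$STATIC_IPS $newip"
    if [ "$(current_ignoreip "$CONF")" = "$wanted" ]; then
        return 0            # unchanged: no rewrite, no reload
    fi
    render_conf "$STATIC_IPS" "$newip" > "$CONF.tmp" && mv "$CONF.tmp" "$CONF"
    # reload re-reads jail.d without a full service restart
    fail2ban-client reload
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

`fail2ban-client reload` is used instead of `systemctl restart fail2ban` so a cron run does not bounce the whole service; with the `wanted` comparison the reload only happens on the nights the address really changed. A failed lookup (NXDOMAIN, only an AAAA record, DNS outage) returns before anything is written, which is the failure mode the original `host | awk '{ print $NF }'` pipeline does not guard against.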

I've banned myself twice already. I think it was because I was using the admin panel, then used SSH without logging out of the admin panel.

If you don't mind, I would like to share this script on an upcoming episode of my podcast.

Is it a problem to use the admin panel and SSH at the same time? I was just blocked and I was astonished, because I had done nothing for 6 hours before. So maybe it was browser polling or some such. No idea.

Yes, do whatever you want with the script. I’ve put it in public domain.

BUT: you need a DynDNS account to find out your current IP.

1 Like

I now found out why I was banned: I have an app (Joplin) that syncs with Nextcloud. I moved my Nextcloud account to YunoHost and created the account, but with a different password.

Joplin then kept trying the wrong password and I was banned. :smiley:

Note that in 3.7 we're gonna increase maxretry to 10, because the current value is really too crazy and leads to many bad experiences: https://github.com/YunoHost/yunohost/pull/802

(Could even make it 15 and that should still be okay)

2 Likes