Fail2ban: Reset Fail2Ban Log and Database (Purge / Refresh Fail2Ban)

Created on 3 Jul 2016  ·  6 Comments  ·  Source: fail2ban/fail2ban

Environment:

  • Fail2Ban version: 0.91
  • OS: Ubuntu 16.04
  • [X] Fail2Ban installed via OS/distribution mechanisms (apt-get)
  • [X] You have not applied any additional foreign patches to the codebase
  • [] Some customizations were done to the configuration (provide details below if so)

The issue:

After thorough testing of my jails from a testing server with dedicated IP address, that IP is now blocked by recidive as I want it to be. But now with all my testing done I have no way to reset all of Fail2Ban's log files and database.

I manually opened fail2ban.log and deleted all its contents but after restarting Fail2Ban the file is re-populated with all my old testing data so I assume it's pulling that from the SQLite database.

Is there a simple flush database and flush logs command line to run after one is finished testing?

Steps to reproduce

None

Expected behavior

fail2ban.log file repopulated after being manually cleared.

Observed behavior

Unable to reset logs and database

All 6 comments

I have resolved this from some help on the Google+ Page for Fail2Ban from Yaroslav Halchenko

I have now a simple set of commands to flush Fail2Ban

sudo service fail2ban stop
sudo truncate -s 0 /var/log/fail2ban.log
sudo rm /var/lib/fail2ban/fail2ban.sqlite3
sudo service fail2ban restart

Hope this helps someone one day.

@mitchellkrogza

> Hope this helps someone one day.

...today, is that day.

> I have resolved this from some help on the Google+ Page for Fail2Ban from Yaroslav Halchenko
>
> I have now a simple set of commands to flush Fail2Ban
>
> sudo service fail2ban stop
> sudo truncate -s 0 /var/log/fail2ban.log
> sudo rm /var/lib/fail2ban/fail2ban.sqlite3
> sudo service fail2ban restart
>
> Hope this helps someone one day.

Thanks

If you don't want to purge all entries:
Put the IP you used for testing in jail.local into the array of IPs to ignore:

ignoreip = 127.0.0.1/8 ::1 add.your.testip.here

Restart fail2ban, it will not reban your IP.

Iodok

You can use the sqlite3 command to do some statistics by querying the bips table of the /var/lib/fail2ban/fail2ban.sqlite3 database (if your fail2ban version < v0.11.1, change bips to bans).

Show all IP addresses and their jails:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select ip,jail from bips"

Show all unique IP addresses:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips"

I did this on CENTOS 7.x

sudo service fail2ban stop
sudo truncate -s 0 /var/log/fail2ban.log
sudo rm /var/lib/fail2ban/fail2ban.sqlite3
sudo service fail2ban start
sudo fail2ban-client reload

Just for the record...

> sudo truncate -s 0 /var/log/fail2ban.log

You don't need to stop fail2ban to rotate the log (but better would be to use the logrotate service, see fail2ban-logrotate).

> sudo rm /var/lib/fail2ban/fail2ban.sqlite3

Well, in 0.11 the issue with purge was solved... also another option, dbmaxmatches, gets implemented in #2402, which can help to keep the database slimmer.
Complete removal of the database is not recommended for several reasons.
Anyway, the "fix" for that would be either to switch to 0.11 or, as a workaround (until you upgrade), to periodically purge it manually (in cron or a timer), see https://github.com/fail2ban/fail2ban/issues/1316#issuecomment-178815912.
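
An alternative to deleting the whole database, as an added example that is not part of the thread or of fail2ban itself: it removes only one test IP's rows from the `bips`/`bans` tables named above. It assumes fail2ban is stopped while the file is edited and that both tables have the `ip` and `jail` columns used in the queries above; the in-memory database and the addresses are constructed samples.

```python
import sqlite3

BAN_TABLES = ("bips", "bans")  # table names taken from the thread above

def ban_tables(conn):
    """Return whichever of the known ban tables exist in this database."""
    names = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    found = [t for t in BAN_TABLES if t in names]
    if not found:
        raise RuntimeError("no bips/bans table: not a fail2ban database?")
    return found

def bans_by_jail(conn, ip):
    """Count stored ban rows for one IP, grouped by jail."""
    counts = {}
    for table in ban_tables(conn):  # names come from a fixed allow-list
        query = f"SELECT jail, COUNT(*) FROM {table} WHERE ip = ? GROUP BY jail"
        for jail, n in conn.execute(query, (ip,)):
            counts[jail] = counts.get(jail, 0) + n
    return counts

def forget_ip(conn, ip):
    """Delete only this IP's rows; return rows removed per table."""
    removed = {}
    with conn:  # one transaction: commit on success, roll back on error
        for table in ban_tables(conn):
            cur = conn.execute(f"DELETE FROM {table} WHERE ip = ?", (ip,))
            removed[table] = cur.rowcount
    return removed

def demo_db(table="bips"):
    """Constructed stand-in with only the two columns the thread queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {table} (ip TEXT, jail TEXT)")
    conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", [
        ("203.0.113.7", "sshd"), ("203.0.113.7", "recidive"),
        ("198.51.100.23", "sshd")])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = demo_db()  # for a real run: sqlite3.connect(path to fail2ban.sqlite3)
    print("before:", bans_by_jail(db, "203.0.113.7"))
    print("removed:", forget_ip(db, "203.0.113.7"))
    print("other IP kept:", bans_by_jail(db, "198.51.100.23"))
```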
