Get the Fail2Ban jail which banned an IP address

There are a lot of reasons why someone wants to know the jail that banned an IP address, but I do not find a fail2ban-client command to tell me this. There should be a get command that doesn't require <JAIL>, but instead outputs it.

I am aware that starting with version v0.10.2 I can unban an IP with:

fail2ban-client unban 192.0.2.138

My question is not how to unban the IP. I am asking how I can find out the jail that banned the IP.


Solution 1:

Newer versions (0.10.6/0.11.2) of fail2ban can handle this using fail2ban-client banned <IP>, see RFE 2725.
This would return a list of jails where the given IP is currently banned.

Solution 2:

The fail2ban-client status JAIL command shows a list of IP addresses currently banned by that jail, but it's a bit laborious to go through every jail like that, and it also won't show you IP addresses that are already released from the jail.

The best way to gather the knowledge you need is to search for the IP address from the Fail2Ban logs:

# grep "192.0.2.138" /var/log/fail2ban.log
fail2ban.actions  [388]: NOTICE  [sshd] Ban 192.0.2.138
fail2ban.actions  [388]: NOTICE  [sshd] Unban 192.0.2.138
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.138 - 2020-12-24 10:52:42
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.138 - 2020-12-24 10:52:43
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.138 - 2020-12-24 10:52:47
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.138 - 2020-12-24 10:52:51
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.138 - 2020-12-24 10:52:56
fail2ban.actions  [388]: NOTICE  [sshd] Ban 192.0.2.138

This will not only show which jail banned the IP but also why – with all the timestamps you can use to find the corresponding events from the logs Fail2Ban is monitoring.
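
The log search from Solution 2 can be turned into a per-jail summary. The following is an added example, not part of the original answers: the function name jail_history, the sample log and the jails in it are constructed for illustration, and the parser assumes the "[jail] Ban/Unban/Found IP" line layout shown above.

```shell
#!/bin/sh
# Constructed sample log (not from a real host), in the layout shown above.
sample_log() {
cat <<'EOF'
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.138 - 2020-12-24 10:52:42
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.138 - 2020-12-24 10:52:43
fail2ban.actions  [388]: NOTICE  [sshd] Ban 192.0.2.138
fail2ban.actions  [388]: NOTICE  [sshd] Unban 192.0.2.138
fail2ban.filter   [388]: INFO    [postfix] Found 192.0.2.138 - 2020-12-24 11:02:10
fail2ban.actions  [388]: NOTICE  [postfix] Ban 192.0.2.138
fail2ban.actions  [388]: NOTICE  [recidive] Ban 192.0.2.13
fail2ban.filter   [388]: INFO    [sshd] Found 192.0.2.13 - 2020-12-24 11:05:00
EOF
}

# jail_history IP [LOGFILE|-]
# Prints one line per jail that saw IP: "<jail> <state> bans=N found=M".
# The IP is compared as a whole field, so 192.0.2.13 does not match
# 192.0.2.138 the way an unanchored grep pattern would.
jail_history() {
  awk -v ip="$1" '
  {
    for (i = 2; i < NF; i++) {
      if ($(i + 1) != ip) continue
      if ($i != "Ban" && $i != "Unban" && $i != "Found") continue
      # Walk back to the nearest "[jail]" tag; "[388]:" ends in ":" and is skipped.
      jail = ""
      for (k = i - 1; k >= 1 && jail == ""; k--)
        if (substr($k, 1, 1) == "[" && substr($k, length($k)) == "]")
          jail = substr($k, 2, length($k) - 2)
      if (jail == "") next
      if (!(jail in state)) state[jail] = "not-banned"
      if ($i == "Ban")   { state[jail] = "banned"; bans[jail]++ }
      if ($i == "Unban") { state[jail] = "released" }
      if ($i == "Found") { found[jail]++ }
      next
    }
  }
  END {
    for (name in state)
      printf "%s %s bans=%d found=%d\n", name, state[name], bans[name], found[name]
  }' "${2:-/var/log/fail2ban.log}" | sort
}

# Demo on the constructed log; "-" makes awk read standard input.
sample_log | jail_history 192.0.2.138 -
```

The state column reflects only the last Ban or Unban line in the file that was read, so rotated logs are not covered; fail2ban-client status JAIL confirms the live state for a jail the summary names.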