The fastest way to lock yourself out is to fail your own SSH login a few times. ignoreip tells
Fail2ban to never ban the listed addresses.
1. Add ignoreip globally
In /etc/fail2ban/jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.7 192.168.0.0/16 10.0.0.0/8
You can mix single IPs, CIDR ranges, and IPv6. Separate them with spaces.
2. Whitelist a hostname (dynamic IP)
Fail2ban resolves DNS names in ignoreip, so a dynamic-DNS host works too:
ignoreip = 127.0.0.1/8 ::1 home.example.com
DNS is re-resolved periodically, not on every check — fine for home IPs that change a few times a day, not for round-robin CDNs.
3. Per-jail whitelist
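Put ignoreip inside a specific jail section to whitelist addresses for that jail only. A jail-level ignoreip replaces the [DEFAULT] value for that jail rather than adding to it, so repeat any entries you still need: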
[sshd]
enabled = true
ignoreip = 127.0.0.1/8 ::1 203.0.113.7
4. Reload
sudo fail2ban-client reload
Confirm it took effect:
sudo fail2ban-client get sshd ignoreip
Tip: always include 127.0.0.1/8 ::1 so local health checks and the server talking to itself
never get banned. Add your admin IP before enabling aggressive jails.
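To check that your admin IP is covered before you enable a jail, paste the ignoreip value into the script below. This is an added example, not part of Fail2ban. The function names are hypothetical, and entries that do not parse as an IP or CIDR are assumed to be DNS names, which the script lists but does not resolve.

```python
import ipaddress

# Sample value built from the entries shown on this page.
IGNOREIP = "127.0.0.1/8 ::1 203.0.113.7 192.168.0.0/16 10.0.0.0/8 home.example.com"


def classify_ignoreip(value):
    """Split a space-separated ignoreip value into (networks, hostnames)."""
    networks, hostnames = [], []
    for token in value.split():
        try:
            # strict=False accepts entries with host bits set, e.g. 127.0.0.1/8
            networks.append((token, ipaddress.ip_network(token, strict=False)))
        except ValueError:
            # Not an IP or CIDR: assume it is a DNS name (not resolved here).
            hostnames.append(token)
    return networks, hostnames


def covering_entry(value, address):
    """Return the ignoreip entry that covers address, or None if none does."""
    addr = ipaddress.ip_address(address)
    networks, _ = classify_ignoreip(value)
    for token, net in networks:
        # Compare only within the same IP version (IPv4 vs IPv6).
        if addr.version == net.version and addr in net:
            return token
    return None


if __name__ == "__main__":
    for candidate in ("203.0.113.7", "192.168.4.20", "::1", "198.51.100.9"):
        entry = covering_entry(IGNOREIP, candidate)
        status = f"covered by {entry}" if entry else "NOT covered, can be banned"
        print(f"{candidate}: {status}")
    print("DNS entries to verify separately:", classify_ignoreip(IGNOREIP)[1])
```

An address reported as not covered may still match one of the DNS entries, so resolve those names yourself before relying on them.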