The fastest way to lock yourself out is to fail your own SSH login a few times. ignoreip tells Fail2ban to never ban the listed addresses.

1. Add ignoreip globally

In /etc/fail2ban/jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.7 192.168.0.0/16 10.0.0.0/8

You can mix single IPs, CIDR ranges, and IPv6. Separate them with spaces.

2. Whitelist a hostname (dynamic IP)

Fail2ban resolves DNS names in ignoreip, so a dynamic-DNS host works too:

ignoreip = 127.0.0.1/8 ::1 home.example.com

DNS is re-resolved periodically, not on every check — fine for home IPs that change a few times a day, not for round-robin CDNs.

3. Per-jail whitelist

Put ignoreip inside a specific jail to whitelist only there:

[sshd]
enabled  = true
ignoreip = 127.0.0.1/8 ::1 203.0.113.7

4. Reload

sudo fail2ban-client reload

Confirm it took effect:

sudo fail2ban-client get sshd ignoreip

Tip: always include 127.0.0.1/8 ::1 so local health checks and the server talking to itself never get banned. Add your admin IP before enabling aggressive jails.

How to Whitelist Your IP in Fail2ban (ignoreip)

1. Add ignoreip globally

2. Whitelist a hostname (dynamic IP)

3. Per-jail whitelist

4. Reload