How to add more than one IP to the whitelist (Firewall)

Hi!
I have: a clean install of HestiaCP.
I can: add my own whitelisted IP address and work with the CP (and SSH) only from this IP.
My question: I have 3 whitelisted IPs. How can I add more IPs to the firewall whitelist?

What I have done: created a new list with Russian IPs, added it to the firewall, and it works well (it doesn't work from other countries' IPs). But I want to create my own list with my IPs and work with HCP only from my IPs.

I understand that I need to create my own IP list file. I tried, but I can't find the right syntax.
I also tried writing two IPs in one field, but it doesn't accept that.

P.S.: The panel is wonderful!!! I have gotten great pleasure from a few days of working with it.

You have to whitelist with 3 rules.

You cannot have an ipset of fewer than 10 in Hestia. I don't understand why, but I have to live with it.

Alternatively, you may set very strict rules for fail2ban over SSH and edit the fail2ban config instead.

Go to: https://xxx.yourdomain.com:8083/edit/server/fail2ban/
or edit: /etc/fail2ban/jail.local

Add these two lines:

[DEFAULT]
ignoreip = 195.114.211.xxx 5.56.63.xxx 5.56.62.xxx 185.37.226.xxx 5.56.60.xxx

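As an added example (not code from this thread or from HestiaCP), a small Python helper that parses a whitespace-separated ignoreip value like the one above, checks whether a client address would be exempt from banning (including CIDR prefixes such as a /22), and renders a merged line back for jail.local. The IP values in it are constructed placeholders.

```python
import ipaddress

# Constructed example of a fail2ban [DEFAULT] ignoreip value: entries are
# whitespace-separated and may be single addresses or CIDR prefixes.
# (Placeholder values, not real whitelist entries.)
IGNOREIP_VALUE = "195.114.211.10 5.56.63.20 203.0.113.0/22 2001:db8::/32"


def parse_ignoreip(value):
    """Parse an ignoreip value into ip_network objects.

    Raises ValueError on any entry that is not a valid address or prefix,
    so a typo is caught before the jail is reloaded.
    """
    networks = []
    for token in value.split():
        # strict=False tolerates host bits set inside a prefix
        # (203.0.113.0/22 becomes 203.0.112.0/22); a bare address
        # becomes a /32 or /128 network.
        networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def is_ignored(client_ip, networks):
    """True if fail2ban would skip banning client_ip under this list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def render_ignoreip(networks):
    """Return a deduplicated, merged ignoreip line for jail.local."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    # collapse_addresses merges overlapping/adjacent prefixes and sorts them;
    # it only accepts one address family at a time.
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    parts = []
    for net in merged:
        # Write single hosts without the /32 or /128 suffix, as in jail.local.
        if net.prefixlen == net.max_prefixlen:
            parts.append(str(net.network_address))
        else:
            parts.append(str(net))
    return "ignoreip = " + " ".join(parts)


if __name__ == "__main__":
    nets = parse_ignoreip(IGNOREIP_VALUE)
    print(render_ignoreip(nets))
    print(is_ignored("203.0.115.7", nets))
```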

We have set the limit due to the risk of locking yourself out when a remote ipset updates and doesn't have any values.

Also, for fewer than 10 IP addresses the burden of doing it manually isn't that big. And don't forget you are free to fork the project, as we did with VestaCP, and make any changes you like.


Also keep in mind that ipset is meant to handle a large number of prefixes; for one-off rules you are better off using plain iptables and adding a simple firewall rule in the web UI/CLI.

10k iptables rules would affect networking pretty seriously, and reloading the firewall would be a pain too, but 10k prefixes in ipset are nothing. Currently the blocklist in Hestia has ~70k prefixes :grin:

Thank you very much for offering your reasons.

The threshold of 10 is an arbitrary number but:

  • It could be lowered to 1 or 2 to avoid the risk of being locked out.
  • For fewer than 2 IPs the burden is even lower, at no real cost.
  • The burden is not to set the rules X times. The burden is to figure out how for someone who doesn’t know as much as you do.
  • That might be true, but a single 5-IP set rule will not hurt my server or its performance and is a natural way of using the panel.

Why force the users to make an exception for fewer than X IPs? If there is a natural way with the panel, let's allow the users to use as many IPs as they want.

I understand that “it’s my way or the highway” and that is why I said that I will have to live with that limit.

The reasonable use cases are as follows:

  • I want to whitelist my other servers (I do not own 10 today, but maybe tomorrow that won't be the case).
  • I want to whitelist my office or my clients' offices (there are fewer than 10 today, but maybe tomorrow that won't be the case).
  • I want to ban a couple of IPs today but maybe tomorrow I’ll keep adding more.

Personally, I don't whitelist any of my IPs and haven't gotten locked out. A whitelist for specific IPs would not prevent you from getting locked out by fail2ban; there you already pointed him to the right way via ignoreip in fail2ban. Also the questions would be: Why do you need to whitelist? Why do you get banned? Why do you need to whitelist over xx IPs? Personally, if I needed to whitelist a static IP, I would either whitelist our own /22 IP subnet, or a "jump-in" gateway/VPS if you don't have any static IPs available.

Hestia is and will always be a solution for sysadmins. The main reason to start the fork was that we all used Vesta for our own infra. Then, as we all know, Vesta got insecure, and communication about exploits and hacked infra was practically non-existent, so Hestia was born :slight_smile:.

If you aren't happy with the way it is handled, @eris already pointed you to the way: you can fork Hestia and adjust it to your own needs. @Lupu wrote to you in detail why it is like it is, and we will not change this behaviour.


Thank you @eris, @Lupu and @Raphael for your comments.

I think that the debate is sterile since you have very strong convictions that the limit should be 10.

As you know, I am not going to fork a good project over a small disagreement of criteria. I want Hestia to be better, and that's why I sometimes insist on the path I think is best. But that's only my opinion.
