IP blocker (apparent) failure

Bans are temporary; indeed, every time you restart iptables, fail2ban or your entire server, those rules disappear. The strange thing is that the manually added entries in banlist.conf remain; that file must be emptied every time fail2ban restarts.

If you want to make permanent rules, you could add them directly to the firewall rules, not using v-add-firewall-ban but v-add-firewall-rule.

To do this, instead of adding every rule one by one (which is tedious and, if there are a lot of rules, will affect the server's performance), the recommended way is to add an ipset containing all the ips/networks you want to block.

Doc

We will create an ipset named permaban. To do so, first we will create the directory and the file containing the list of networks and ips.

mkdir -p /var/lib/permaban/bin/

To save all the current ips you have manually added to banlist.conf, we will parse the file, extract the ips and networks, and save them to the new ipset file that we will use.

awk -F "'" '/IP=/ {print $2}' /usr/local/hestia/data/firewall/banlist.conf | awk '!a[$0]++' > /var/lib/permaban/permaban.list

Empty the banlist.conf file:

:> /usr/local/hestia/data/firewall/banlist.conf

Add the ipset named permaban and create a rule to DROP all ips/networks listed on that ipset.

v-add-firewall-ipset permaban "file:/var/lib/permaban/permaban.list" v4 yes
v-add-firewall-rule DROP ipset:permaban 0 TCP "PERMABAN"

And that's all; from now on, all the ips listed on /var/lib/permaban/permaban.list will be blocked. Hestia will read and update the list every 24 hours, but if you want to add ips/networks easily and update the firewall immediately, I've created a script to do so.

The script will check the ips/networks, remove duplicated ones, update the iptables ipset, etc.

Create the script file named permaban.sh and also a symlink in /usr/local/bin/ named permaban:

touch /var/lib/permaban/bin/permaban.sh && chmod +x /var/lib/permaban/bin/permaban.sh
ln -s /var/lib/permaban/bin/permaban.sh /usr/local/bin/permaban

Now edit the file /var/lib/permaban/bin/permaban.sh and add this script:

#!/usr/bin/env bash
# Hestia keeps its install path in /etc/hestiacp/hestia.conf (HESTIA=/usr/local/hestia)
source /etc/hestiacp/hestia.conf
BIN="$HESTIA/bin"
ipset="permaban"
ip="$1"
list=""

# At least one ip or network must be given on the command line
if [[ -z $ip ]]; then
        echo "Error: you must add at least one ip or ip/mask in CIDR format"
        echo
        echo "Usage:"
        echo "       permaban 203.0.113.1"
        echo "       permaban 203.0.113.0/24"
        echo "       permaban 192.0.2.1 203.0.113.1/24"
        echo "       permaban 203.0.113.1 192.0.2.1 203.0.113.1/24"
        exit 1
fi

# The ipset must exist in Hestia and must be loaded from a file, otherwise there is nothing to append to.
# The trailing [[:space:]] avoids matching another ipset whose name only starts with "$ipset".
if ! "$BIN"/v-list-firewall-ipset plain | grep -Eq "^$ipset[[:space:]]"; then
        echo "Error: ipset $ipset doesn't exist"
        exit 1
else
        if ! "$BIN"/v-list-firewall-ipset plain | grep -Eq "^$ipset[[:space:]].*file:"; then
                echo "Error: ipset $ipset is not using a file to load the ips"
                exit 1
        fi
fi

# Keep only the arguments that are an IPv4 address or an IPv4 network in CIDR notation
# (every octet 0-255, prefix length /1 to /32); anything else is skipped with a warning
for i in "$@"; do
        if ! grep -Pq '^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)(/([1-9]|[12]\d|3[0-2]))?$' <<<"$i"; then
                echo "Warning: $i is not a valid ip/network so I don't include it"
                continue
        fi
        list+="$i\n"
done

if [[ -z $list ]]; then
        echo "There isn't ips/networks to add to ipset $ipset"
        exit
fi

# The list file path is the "file:" source shown in the plain listing of the ipset
ipset_file="$("$BIN"/v-list-firewall-ipset plain | grep "^$ipset[[:space:]]" | awk '{print $5}' | sed 's/^file://')"
ipset_log="${ipset_file}.log"

ipset_dir="$(dirname "$ipset_file")"
if [[ ! -d "$ipset_dir" ]]; then
        echo "Error: dir $ipset_dir doesn't exist"
        exit 1
fi

# Append the new entries to the list file, then remove duplicates and blank lines and keep it sorted
echo
echo "Adding list of ips/networks to ${ipset_file}"
echo -e "$list" | tee -a "$ipset_file"

awk -i inplace -v INPLACE_SUFFIX=.bak '!a[$0]++' "$ipset_file"   # gawk extension, keeps a .bak copy
sort -Vu "$ipset_file" -o "$ipset_file"
sed -i '/^$/d' "$ipset_file"

# Hestia refuses to load an ipset with too few entries: read the minimum from v-add-firewall-ipset
# and fall back to 5 if it can't be found there
size="$(wc -l <"$ipset_file")"
min_size="$(awk -F '=' '/^IPSET_MINi_SIZE=/ {print $2}' "$BIN"/v-add-firewall-ipset)"
if ! grep -q -E '^[0-9]{1,}$' <<<"$min_size"; then
        min_size="5"
fi
if [[ $size -le $min_size ]]; then
        echo "Error: the minimum number of allowed ips/networks is $min_size and you are using $size"
        exit 1
fi

# Reload the ipset into iptables and record what was added and when
echo -n "Adding ips/networks to ipset and updating iptables..."
if "$BIN"/v-update-firewall-ipset yes | grep -i error; then
        exit 1
fi
echo " OK"
echo "# Added $(date +'%Y-%m-%d %T')" >>"$ipset_log"
echo -e "$list" >>"$ipset_log"

Once saved, you can add more ips/networks to the ipset permaban.

Example: trying to add ips and networks, including invalid ips and networks.

$ permaban 203.0.113.1 192.0.2.2 whatever 1.332.3.46 198.51.100.0/24 198.51.100.0/43
Warning: whatever is not a valid ip/network so I don't include it
Warning: 1.332.3.46 is not a valid ip/network so I don't include it
Warning: 198.51.100.0/43 is not a valid ip/network so I don't include it

Adding list of ips/networks to /var/lib/permaban/permaban.list
203.0.113.1
192.0.2.2
198.51.100.0/24

Adding ips/networks to ipset and updating iptables... OK

I hope it helps.
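As an added example (not the script from the post above, and not Hestia's own code), here are the three steps the post relies on as stand-alone POSIX sh functions that run offline: the IPv4/CIDR check, the banlist.conf parse, and the append/dedupe/sort of the list file. The banlist.conf lines are constructed sample data in the IP='...' shape the awk in the post assumes, the list file is a temporary file, and no Hestia command is called; the CIDR check limits the prefix length to /1-/32.

```shell
#!/bin/sh
# Added example, not the script from the post: the building blocks of the
# permaban workflow as POSIX sh functions that can be exercised offline.
#   valid_cidr   - the IPv4 / CIDR check (prefix length limited to /1-/32)
#   extract_ips  - the banlist.conf parse (IP='...' fields), duplicates dropped
#   merge_list   - append entries to a list file, validate, dedupe, sort
# Every input below is constructed sample data; no Hestia command is called.

# valid_cidr ENTRY: succeed when ENTRY is a.b.c.d or a.b.c.d/N with each
# octet in 0-255 and N in 1-32. /0 is rejected on purpose: it matches everything.
valid_cidr() {
    octet='([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet(/([1-9]|[12][0-9]|3[0-2]))?$"
}

# extract_ips: read banlist.conf-style lines on stdin and print the value of
# each IP='...' field once, in first-seen order (same awk idea as the post).
extract_ips() {
    awk -F "'" '/IP=/ {print $2}' | awk '!seen[$0]++'
}

# merge_list FILE ENTRY...: append every valid ENTRY to FILE, warn on stderr
# about invalid ones, then dedupe, sort and drop blank lines in FILE.
# Prints the number of entries that passed validation.
merge_list() {
    file=$1
    shift
    accepted=0
    : >> "$file"            # create the file if it does not exist yet
    for entry in "$@"; do
        if ! valid_cidr "$entry"; then
            echo "Warning: $entry is not a valid ip/network, skipped" >&2
            continue
        fi
        printf '%s\n' "$entry" >> "$file"
        accepted=$((accepted + 1))
    done
    sed '/^$/d' "$file" | sort -u > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$accepted"
}

# Demo with constructed data: seed a list from three banlist.conf-style lines
# (one duplicate), then merge a mixed batch of valid and invalid entries.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        "IP='203.0.113.1' CHAIN='HESTIA' TIME='10:00:00' DATE='2024-01-01'" \
        "IP='192.0.2.2' CHAIN='HESTIA' TIME='10:05:00' DATE='2024-01-01'" \
        "IP='203.0.113.1' CHAIN='HESTIA' TIME='11:00:00' DATE='2024-01-02'" \
        | extract_ips > "$tmp"
    added=$(merge_list "$tmp" 192.0.2.9 whatever 1.332.3.46 198.51.100.0/24 198.51.100.0/43)
    echo "accepted $added new entries; list is now:"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

Running it prints two warnings (whatever and 198.51.100.0/43 are rejected), reports 2 accepted entries, and shows a four-line list with 203.0.113.1 present only once. The sort is plain `sort -u` rather than the post's `sort -Vu` so that it also works on systems without GNU coreutils; the post's version additionally orders the addresses numerically.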
