Where do the malicious IP blocklists come from? In the last 24 hours or so my Hestia servers have been having problems with random 521 error codes through Cloudflare. I’m 99% sure the blocklist has some of the Cloudflare IP addresses blocked.
It would be nice if we could easily just create our own whitelists…
The files you want to investigate are in /usr/local/hestia/data/firewall/ipset/
From the blacklist.sh script you can see that it’s getting its blocked IPs from here:

```bash
"https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=22.214.171.124" # TOR Exit Nodes
"https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
"https://blocklist.greensnow.co/greensnow.txt" # GreenSnow
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol
```

The actual list of IPs you’ll need to grep through, as it’s about 1 MB in size, approx 70k addresses:

```
-rw-rw---- 1 root root 1.1M Feb 10 00:10 blacklist-script.v4.iplist
```
I’m not sure that’s your issue though. Cloudflare has been doing weird things for one of my clients today, but then it clears up without changing any firewall settings.
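To check whether any entry in that iplist actually covers a Cloudflare range, here is a small Python script added for this reply; it is not part of Hestia or of blacklist.sh. It assumes the .iplist file holds one IPv4 address or CIDR per line (adjust parse_networks if your export differs) and that you have saved Cloudflare's published ranges from https://www.cloudflare.com/ips-v4 into a second file. The embedded inputs are constructed samples, and the two Cloudflare-shaped ranges are placeholders to replace with the live list.

```python
import ipaddress
import sys

# Constructed sample in the assumed format of
# /usr/local/hestia/data/firewall/ipset/blacklist-script.v4.iplist:
# one IPv4 address or CIDR per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real export
203.0.113.7
198.51.100.0/24
172.64.9.55
104.16.0.0/13
192.0.2.1
"""

# Constructed placeholder ranges in the shape of Cloudflare's published list.
# For a real check, save https://www.cloudflare.com/ips-v4 to a file and use that.
SAMPLE_CLOUDFLARE_RANGES = """\
104.16.0.0/13
172.64.0.0/13
"""


def parse_networks(text):
    """Parse one address or CIDR per line into ip_network objects.

    Blank lines and comments are skipped, bare addresses become /32 (or /128)
    networks, and malformed entries are ignored rather than aborting the scan.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def find_overlaps(blocklist_text, protected_text):
    """Return (blocklist_entry, protected_range) pairs whose address space overlaps.

    Overlap rather than equality is what matters: a single /32 inside a
    Cloudflare /13 is enough to make that edge node's requests fail, and a
    blocklist /24 that contains part of a protected range is just as bad.
    """
    blocked = parse_networks(blocklist_text)
    protected = parse_networks(protected_text)
    hits = []
    for b in blocked:
        for p in protected:
            if b.version == p.version and b.overlaps(p):
                hits.append((str(b), str(p)))
    return hits


if __name__ == "__main__":
    # Usage: check_blocklist.py <iplist file> <cloudflare ranges file>
    # With no arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            blocklist = f.read()
        with open(sys.argv[2]) as f:
            protected = f.read()
    else:
        blocklist, protected = SAMPLE_BLOCKLIST, SAMPLE_CLOUDFLARE_RANGES
    for entry, cf_range in find_overlaps(blocklist, protected):
        print(f"blocklist entry {entry} overlaps Cloudflare range {cf_range}")
```

A hit means an edge node that Cloudflare uses to reach your origin is being dropped by the firewall, which is exactly what Cloudflare reports as a 521 (origin unreachable); an empty result means the blocklist is not the cause and you should look elsewhere, as the reply above suggests.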
Pretty sure you could use ipset for exactly this.
In order to “whitelist” you can:

- Less than 10 IPs: Create a firewall rule for each IP
- 10 and more IPs: Create an ipset and create a firewall rule

BUT this won’t work since fail2ban will still ban your IP. You need to edit fail2ban jail.local:

```
ignoreip = 195.114.211.xxx 5.56.63.xxx 5.56.62.xxx 185.37.226.xxx 5.56.60.xxx
```
You may even try something like this
I have been thinking about clients being banned from the mail server because of a misconfigured device in a small office of 10 users.
The idea is to add the successful login IPs to ignoreip so they don’t get banned for 14400 seconds.
I successfully implemented the solution. I hope this helps.
I have followed this manual:
Using a Fail2Ban Jail to Whitelist a User < System | The Art of Web
Edit /etc/fail2ban/jail.local and add:

```
enabled = true
filter = dovecot-whitel…
```
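As an illustration of the idea in the quoted post (exempt addresses that have authenticated successfully) and of the ignoreip line shown in the reply above, here is a Python script written for this thread. It is my own approach, not the Art of Web jail the quoted post links to and not Hestia code. It assumes standard Dovecot imap-login/pop3-login syslog lines with rip= fields and a jail.local whose ignoreip lives under [DEFAULT]; the log lines, the jail name and the jail.local excerpt are constructed.

```python
import ipaddress
import re
import sys

# Constructed Dovecot log lines in syslog format; not taken from any real server.
SAMPLE_LOG = """\
Feb 10 00:10:01 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, mpid=4101, TLS, session=<aaaa>
Feb 10 00:10:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2, TLS, session=<bbbb>
Feb 10 00:11:22 mail dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, mpid=4120, TLS, session=<cccc>
Feb 10 00:12:30 mail dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=2001:db8::17, lip=2001:db8::2, mpid=4133, TLS, session=<dddd>
Feb 10 00:13:00 mail dovecot: imap-login: Login: user=<dave@example.com>, method=PLAIN, rip=not-an-ip, lip=198.51.100.2, mpid=4140, TLS, session=<eeee>
"""

# Constructed jail.local excerpt; the jail name is a placeholder.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 14400
ignoreip = 127.0.0.1/8 195.114.211.0/24

[dovecot-iptables]
enabled = true
"""

# Only "Login:" lines count; "Disconnected (auth failed ...)" lines never match.
LOGIN_RE = re.compile(r"\b(?:imap|pop3)-login: Login: .*?\brip=([^,\s]+)")


def successful_login_ips(log_text):
    """Return the set of client addresses (rip=) seen on successful Dovecot logins."""
    ips = set()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        try:
            ips.add(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # never write an unparsed token into jail.local
    return ips


def merged_ignoreip(existing, new_ips):
    """Merge existing ignoreip tokens with new addresses: keep order, drop duplicates."""
    tokens = []
    for tok in existing.split():
        if tok not in tokens:
            tokens.append(tok)
    # IPv4 first, then IPv6, each numerically sorted so diffs of jail.local stay readable
    ordered = sorted(new_ips, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))
    for ip in ordered:
        if ip not in tokens:
            tokens.append(ip)
    return " ".join(tokens)


def update_jail_local(config_text, new_ips):
    """Rewrite the [DEFAULT] ignoreip line to include new_ips; other lines are untouched.

    If [DEFAULT] has no ignoreip, one is inserted right after the header; if there
    is no [DEFAULT] section at all, one is prepended. Loopback is always kept.
    """
    lines = config_text.splitlines()
    section = None
    default_header = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
            if section == "DEFAULT":
                default_header = i
        elif section == "DEFAULT" and re.match(r"ignoreip\s*=", s):
            existing = s.split("=", 1)[1]
            lines[i] = "ignoreip = " + merged_ignoreip(existing, new_ips)
            return "\n".join(lines) + "\n"
    new_line = "ignoreip = " + merged_ignoreip("127.0.0.1/8", new_ips)
    if default_header is None:
        lines = ["[DEFAULT]", new_line, ""] + lines
    else:
        lines.insert(default_header + 1, new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: whitelist_logins.py <mail log> <jail.local>  (prints the rewritten jail.local)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            log_text = f.read()
        with open(sys.argv[2]) as f:
            config = f.read()
    else:
        log_text, config = SAMPLE_LOG, SAMPLE_JAIL_LOCAL
    sys.stdout.write(update_jail_local(config, successful_login_ips(log_text)))
```

Write the output back over jail.local and run `fail2ban-client reload` for it to take effect. The obvious caveat with this idea: any address that has ever authenticated is exempted from banning, so a leaked mailbox password also exempts the attacker's source; restrict the log window you feed in, or keep the list to the office's known egress addresses, rather than whitelisting everything forever.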
I think you’re right. While I did remove the malicious IP list from my main server, after leaving everything overnight responses everywhere stopped throwing the random 521 errors. Guess I was just thinking the only thing that changed everywhere could have been that IP list and that Cloudflare could do no wrong… who knows, maybe it could have been just a general internet routing problem.