Ticket #49 (closed defect: fixed)

Opened 6 months ago

Last modified 6 months ago

Using vuurmuur_script to (un-) block IP addresses doesn't work

Reported by: eveith@wwweb-library.net Assigned to: victor
Priority: blocker Milestone: 0.6
Component: vuurmuur Version: 0.5.73
Keywords: Cc:

Description

I'm trying to use a custom fail2ban jail with Vuurmuur, namely vuurmuur_script, to block certain IP addresses. However, even though vuurmuur_script --block 1.2.3.4 returns 0 and creates an entry in the blocklist.conf file, it doesn't show up: neither when using vuurmuur_script --list-blocked, nor in vuurmuur_conf. Iptables rules aren't created, either. However, IP addresses pile up in /etc/vuurmuur/textdir/rules/blocklist.conf and never get removed.

Change History

(in reply to: description; follow-up: comment 3) 07/02/08 10:03:05 changed by adi

Replying to eveith@wwweb-library.net:

However, IP addresses pile up in /etc/vuurmuur/textdir/rules/blocklist.conf and never get removed.

Would you mind posting that file? (or sending it in private to Victor or me?)

thanks! Adi

07/02/08 10:24:13 changed by victor

A few other things to check: in the audit.log file (normally in /var/log/vuurmuur) you should see the block/unblock mentioned. Also in the vuurmuur.log you should see mention of it... can you check that?

(in reply to: comment 1) 07/05/08 04:04:46 changed by eveith

The blocklist.conf file looks like this:

# cat /etc/vuurmuur/textdir/rules/blocklist.conf
RULE=""
RULE="block 58.242.42.214"
RULE="block 74.8.152.35"
RULE="block 74.8.152.35"
RULE="block 74.8.152.35"
RULE="block 74.8.152.35"
RULE="block 59.127.136.36"
RULE="block 60.215.8.6"
RULE="block 72.44.51.116"

With more than those, but that should suffice. In fact, the first two lines are about four months old by now. Without the first empty RULE="" line, vuurmuur doesn't make any changes to blocklist.conf.

I do get log entries, for example:

01/25/2008 00:56:50 : PID 11096 : vuurmuur_scrp : root : for ruleset 'blocklist' variable 'RULE' appended 'block 219.153.43.149'.

Blocklist is empty, though:

# iptables -L
Chain BLOCK (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 2 LOG level debug tcp-options prefix `vrmr: DROP BLOCKED '
DROP       all  --  anywhere             anywhere

Chain BLOCKLIST (3 references)
target     prot opt source               destination

(I just picked random entries. I can, if you want, post related entries once fail2ban adds a new block. But only the IP address values and dates change, not the fact that the blocklist is empty. :-)

07/05/08 17:49:28 changed by victor

Could you try to remove the RULE="" and the double entries from the file using a text editor and see if the program behaves again then?

07/06/08 00:20:10 changed by eveith

Ok, I removed the first empty line and used uniq to sort out duplicates. Vuurmuur_conf shows all IP addresses now, vuurmuur_script --list-blocked also works, and rules get applied. vuurmuur_script --unblock 1.2.3.4 --apply also works. :-)

I'll check that blocking using fail2ban also works, and report back as soon as somebody tries to hammer my SSH port.

07/09/08 19:10:30 changed by eveith

I just had another ban, but the blocklist remained unchanged. Here's what happened:

When the attacker hammers the SSH port often enough, actionban = /usr/bin/vuurmuur_script --block <ip> --apply is run with <ip> replaced with the actual IP. However, the IP address shows up neither in vuurmuur_conf nor with a simple grep 83.19.x.x /etc/vuurmuur/textdir/rules/blocklist.conf.

How can I be of further assistance?

07/09/08 19:12:27 changed by eveith

  • status changed from new to closed.
  • resolution set to worksforme.

Gee, I just re-checked the logs and saw that fail2ban already unblocked the IP address mentioned above. I assume everything works ok, and the problem was indeed the empty RULE="" line and/or the duplicates.

Sorry for the inconvenience.

07/14/08 12:58:43 changed by victor

It still sounds to me like something could be wrong with vuurmuur too. Maybe fail2ban can call multiple vuurmuur_script instances in parallel when being hammered? Just speculating here. In any case, let us know if it misbehaves again!

07/16/08 18:25:42 changed by eveith

  • status changed from closed to reopened.
  • resolution deleted.

Sorry, I guess I have to re-open the ticket, but the premises are slightly different now.

I just decided to clean up all the old entries from the blocklist. I used solely vuurmuur_conf to make sure the file has the right syntax, so that vuurmuur_script keeps working. Afterwards, I inspected blocklist.conf and found only this single line:

RULE=""

I became curious and ran sudo vuurmuur_script --block 1.2.3.4 --apply, which led to an additional entry:

RULE=""
RULE="block 1.2.3.4"

Again, this IP address doesn't show up in vuurmuur_conf, and there's no iptables rule. This looks like the real bug to me. :-)
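A small checker for the blocklist.conf format shown in this thread, added here as an example and not part of vuurmuur or fail2ban: it parses the RULE="..." lines, flags the empty RULE="" entry and the duplicate entries that were removed by hand earlier in the ticket, rejects rules whose address is not a valid IP, and rebuilds a clean file body. The sample file contents are constructed from the entries quoted above.

```python
import ipaddress
import re
# Constructed sample in the format this ticket shows for blocklist.conf,
# including the empty RULE="" entry and the duplicates from the thread.
SAMPLE_BLOCKLIST = '''RULE=""
RULE="block 58.242.42.214"
RULE="block 74.8.152.35"
RULE="block 74.8.152.35"
RULE="block 59.127.136.36"
RULE="block not.an.ip.addr"
'''

RULE_RE = re.compile(r'^RULE="(.*)"$')


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_blocklist(text):
    # Returns (clean rule values in file order, [(line_no, problem), ...]).
    rules, findings = [], []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((no, 'not a RULE="..." line'))
            continue
        value = m.group(1).strip()
        parts = value.split()
        if value == "":
            findings.append((no, "empty RULE entry"))
        elif len(parts) != 2 or parts[0] != "block":
            findings.append((no, "unexpected rule syntax"))
        elif not _is_ip(parts[1]):
            findings.append((no, "invalid IP address"))
        elif value in rules:
            findings.append((no, "duplicate entry"))
        else:
            rules.append(value)
    return rules, findings


def render_blocklist(rules):
    # Rebuild the file body with one RULE="block <ip>" line per entry.
    return "".join('RULE="%s"\n' % r for r in rules)
```

Running parse_blocklist over the real file before applying a ban would show the stray RULE="" line that vuurmuur_conf left behind, which is the condition the remaining comments confirm as the bug.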

07/16/08 18:36:45 changed by victor

  • priority changed from major to blocker.
  • milestone changed from undecided to 0.5.74.

I can reproduce this and confirm it is a bug. I'll look into it asap. Thanks for the report!

07/17/08 13:02:47 changed by victor

  • status changed from reopened to closed.
  • resolution set to fixed.

Fixed by changeset:174. Please test!