Opened 12 years ago

Closed 12 years ago

#49 closed defect (fixed)

Using vuurmuur_script to (un-) block IP addresses doesn't work

Reported by: eveith@… Owned by: Victor Julien
Priority: blocker Milestone: 0.6
Component: vuurmuur Version: 0.5.73
Keywords: Cc:


I'm trying to use a custom fail2ban jail with Vuurmuur, namely vuurmuur_script, to block certain IP addresses. However, even though vuurmuur_script --block returns 0 and creates an entry in the blocklist.conf file, the entry doesn't show up: neither with vuurmuur_script --list-blocked, nor in vuurmuur_conf. Iptables rules aren't created, either. However, IP addresses pile up in /etc/vuurmuur/textdir/rules/blocklist.conf and never get removed.

Change History (11)

comment:1 by Adi Kriegisch, 12 years ago (in reply to: description)

Replying to the description:

> However, IP addresses pile up in /etc/vuurmuur/textdir/rules/blocklist.conf and never get removed.

Would you mind posting that file? (Or send it in private to Victor or me?)

thanks! Adi

comment:2 by Victor Julien, 12 years ago

A few other things to check: in the audit.log file (normally in /var/log/vuurmuur) you should see the block/unblock mentioned. Also in the vuurmuur.log you should see mention of it... can you check that?

comment:3 by eveith, 12 years ago (in reply to: comment:1)

The blocklist.conf file looks like this:

{{{
# cat /etc/vuurmuur/textdir/rules/blocklist.conf
}}}

With more than those, but that should suffice. In fact, the first two lines are about four months old by now. Without the first empty RULE="" line, vuurmuur doesn't make any changes to blocklist.conf.

I do get log entries, for example:

{{{
01/25/2008 00:56:50 : PID 11096 : vuurmuur_scrp : root : for ruleset 'blocklist' variable 'RULE' appended 'block'.
}}}

Blocklist is empty, though:

{{{
# iptables -L
Chain BLOCK (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 2 LOG level debug tcp-options prefix `vrmr: DROP BLOCKED '
DROP       all  --  anywhere             anywhere

Chain BLOCKLIST (3 references)
target     prot opt source               destination
}}}

(I just picked random entries. I can, if you want, post related entries once fail2ban adds a new block. But only the IP address values and dates change, not the fact that the blocklist is empty. :-)

comment:4 by Victor Julien, 12 years ago

Could you try to remove the RULE="" and the double entries from the file using a text editor and see if the program behaves again then?

comment:5 by eveith, 12 years ago

Ok, I removed the first empty line and used uniq to sort out duplicates. Vuurmuur_conf shows all IP addresses now, vuurmuur_script --list-blocked also works, and rules get applied. vuurmuur_script --unblock --apply also works. :-)

I'll check that blocking using fail2ban also works, and report back as soon as somebody tries to hammer my SSH port.

comment:6 by eveith, 12 years ago

I just had another ban, but the blocklist remained unchanged. Here's what happened:

When the attacker hammers the SSH port often enough, actionban = /usr/bin/vuurmuur_script --block <ip> --apply is run with <ip> replaced with the actual IP. However, the IP address shows up neither in vuurmuur_conf nor with a simple grep 83.19.x.x /etc/vuurmuur/textdir/rules/blocklist.conf.

How can I be of further assistance?

comment:7 by eveith, 12 years ago

Resolution: → worksforme
Status: new → closed

Gee, I just re-checked the logs and saw that fail2ban already unblocked the IP address mentioned above. I assume everything works ok, and the problem was indeed the empty RULE="" line and/or the duplicates.

Sorry for the inconvenience.

comment:8 by Victor Julien, 12 years ago

It still sounds to me something could be wrong with vuurmuur too. Maybe fail2ban can call multiple vuurmuur_script instances in parallel when being hammered? Just speculating here. In any case, let us know if it misbehaves again!

comment:9 by eveith, 12 years ago

Resolution: worksforme → (none)
Status: closed → reopened

Sorry, I guess I have to re-open the ticket, but the premises are slightly different now.

I just decided to clean up all the old entries from the blocklist. I used solely vuurmuur_conf to make sure the file has the right syntax, so that vuurmuur_script keeps working. Afterwards, I inspected blocklist.conf and found only this single line:


I became curious and ran sudo vuurmuur_script --block --apply, which led to an additional entry:

{{{
RULE=""
RULE="block"
}}}

Again, this IP address doesn't show up in vuurmuur_conf, and there's no iptables rule. This looks like the real bug to me. :-)
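The two file conditions this thread ties to the failure (a leading empty RULE="" entry, and entries duplicated by repeated --block calls, which comments 3 to 5 cleared by hand with an editor and uniq) can be checked for before vuurmuur reads the file. The following is an added example, not vuurmuur's own code: a small Python linter that assumes the one-entry-per-line RULE="block <ip>" layout shown in this ticket, reports empty, malformed and duplicate entries, and produces a normalised copy with those removed. The function names and the sample file contents are constructed for illustration.

```python
"""Lint and normalise a vuurmuur blocklist.conf (added example, not vuurmuur code).

Assumed format, taken from what is visible in the ticket: one RULE="..."
assignment per line, the value being 'block <ip>'.  An empty RULE="" entry
is what the thread identifies as stopping vuurmuur from processing the file.
Function names and the sample input below are constructed.
"""
import ipaddress
import re
from collections import Counter

# One RULE="..." assignment per line; the quoted value may be empty.
RULE_RE = re.compile(r'^\s*RULE="(?P<value>[^"]*)"\s*$')


def _block_ip(value):
    """Return the IP of a well-formed 'block <ip>' value, else None."""
    parts = value.split()
    if len(parts) != 2 or parts[0] != "block":
        return None
    try:
        return str(ipaddress.ip_address(parts[1]))
    except ValueError:
        return None


def parse_blocklist(text):
    """Return (entries, problems).

    entries  - list of (line_no, value) for every RULE line, in file order
    problems - list of human-readable findings about the file
    """
    entries = []
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        m = RULE_RE.match(raw)
        if not m:
            problems.append(f'line {line_no}: not a RULE="..." assignment: {raw!r}')
            continue
        value = m.group("value").strip()
        entries.append((line_no, value))
        if value == "":
            problems.append(f'line {line_no}: empty RULE="" entry')
        elif _block_ip(value) is None:
            problems.append(f"line {line_no}: malformed rule {value!r}")
    # Duplicate detection is done on the whole value, as uniq would see it.
    counts = Counter(v for _, v in entries if v)
    for value, n in counts.items():
        if n > 1:
            problems.append(f"duplicate entry x{n}: {value!r}")
    return entries, problems


def normalise_blocklist(text):
    """Drop empty, malformed and duplicate entries, keeping first-seen order."""
    entries, _ = parse_blocklist(text)
    seen = set()
    kept = []
    for _, value in entries:
        if _block_ip(value) is None or value in seen:
            continue
        seen.add(value)
        kept.append(value)
    return "".join(f'RULE="{v}"\n' for v in kept)


# Constructed sample in the shape the ticket describes: a leading empty entry
# and duplicates from repeated --block calls, using documentation addresses.
SAMPLE = '''RULE=""
RULE="block 192.0.2.10"
RULE="block 192.0.2.10"
RULE="block 198.51.100.7"
RULE="block 192.0.2.10"
RULE="block not-an-ip"
'''

if __name__ == "__main__":
    _, findings = parse_blocklist(SAMPLE)
    for finding in findings:
        print("WARN", finding)
    print("--- normalised ---")
    print(normalise_blocklist(SAMPLE), end="")
```

Run against the real file (for example with `python3 lint_blocklist.py < /etc/vuurmuur/textdir/rules/blocklist.conf` after swapping SAMPLE for `sys.stdin.read()`) it lists the empty and duplicated entries before they are written back, which is the state comments 3 to 5 had to repair by hand.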

comment:10 by Victor Julien, 12 years ago

Milestone: undecided → 0.5.74
Priority: major → blocker

I can reproduce this and confirm it is a bug. I'll look into it asap. Thanks for the report!

comment:11 by Victor Julien, 12 years ago

Resolution: → fixed
Status: reopened → closed

Fixed by changeset:174. Please test!
