Opened 12 years ago
Closed 12 years ago
#49 closed defect (fixed)
Using vuurmuur_script to (un-) block IP addresses doesn't work
| Reported by: | Owned by: | Victor Julien | |
|---|---|---|---|
| Priority: | blocker | Milestone: | 0.6 |
| Component: | vuurmuur | Version: | 0.5.73 |
| Keywords: | Cc: |
Description
I'm trying to use a custom fail2ban jail with Vuurmuur, namely vuurmuur_script, to block certain IP addresses. However, even though vuurmuur_script --block 1.2.3.4 returns 0 and creates an entry in the blocklist.conf file, it doesn't show up: Neither when using vuurmuur_script --list-blocked , nor in vuurmuur_conf. Iptables rules aren't created, either. However, IP addresses pile up in /etc/vuurmuur/textdir/rules/blocklist.conf and never get removed.
Change History (11)
comment:1 follow-up: 3 Changed 12 years ago by
comment:2 Changed 12 years ago by
A few other things to check: in the audit.log file (normally in /var/log/vuurmuur) you should see the block/unblock mentioned. Also in the vuurmuur.log you should see mention of it... can you check that?
comment:3 Changed 12 years ago by
The blocklist.conf file looks like this:
# cat /etc/vuurmuur/textdir/rules/blocklist.conf RULE="" RULE="block 58.242.42.214" RULE="block 74.8.152.35" RULE="block 74.8.152.35" RULE="block 74.8.152.35" RULE="block 74.8.152.35" RULE="block 59.127.136.36" RULE="block 60.215.8.6" RULE="block 72.44.51.116"
With more than those, but that should suffice. In fact, the first two lines are about four months old by now. Without the first empty RULE="" line, vuurmuur doesn't make any changes to blocklist.conf.
I do get log entries, for example:
01/25/2008 00:56:50 : PID 11096 : vuurmuur_scrp : root : for ruleset 'blocklist' variable 'RULE' appended 'block 219.153.43.149'.
Blocklist is empty, though:
# iptables -L Chain BLOCK (0 references) target prot opt source destination LOG all -- anywhere anywhere limit: avg 1/sec burst 2 LOG level debug tcp-options prefix `vrmr: DROP BLOCKED ' DROP all -- anywhere anywhere Chain BLOCKLIST (3 references) target prot opt source destination
(I just picked random entries. I can, if you want, post related entries once fail2ban adds a new block. But just the IP address values and dates change, but not the fact that the blocklist is empty. :-)
comment:4 Changed 12 years ago by
Could you try to remove the RULE="" and the double entries from the file using a text editor and see if the program behaves again then?
comment:5 Changed 12 years ago by
Ok, I removed the first empty line and used uniq to sort out doublettes. Vuurmuur_conf shows all IP addresses now, vuurmuur_script --list-blocked also works, and rules get applied. vuurmuur_script --unblock 1.2.3.4 --appy also works. :-)
I'll check that blocking using fail2ban also works, and report back as soon as somebody tries to hammer my SSH port.
comment:6 Changed 12 years ago by
I just had another ban, but the blocklist remained unchanged. Here's what happened:
When the attacker hammers the SSH port often enough, actionban = /usr/bin/vuurmuur_script --block <ip> --apply is run with <ip> replaced with the actual IP. However, neither with vuurmuur_conf nor with a simple grep 83.19.x.x /etc/vuurmuur/textdir/rules/blocklist.conf the IP address shows up.
How can I be of further assistance?
comment:7 Changed 12 years ago by
| Resolution: | → worksforme |
|---|---|
| Status: | new → closed |
Gee, I just re-checked the logs and saw that fail2ban already unblocked the IP address mentioned above. I assume everything works ok, and the problem was indeed the empty RULE="" line and/or the duplicates.
Sorry for the inconvenience.
comment:8 Changed 12 years ago by
It still sounds to me something could be wrong with vuurmuur too. Maybe fail2ban can call multiple vuurmuur_script instances in parallel when being hammered? Just speculating here. In any case, let us know if it misbehaves again!
comment:9 Changed 12 years ago by
| Resolution: | worksforme |
|---|---|
| Status: | closed → reopened |
Sorry, I guess I have to re-open the ticket, but premisses are slightly different now.
I just decided to clean up all the old entries from the blocklist. I used solely vuurmuur_conf to make sure the file has the right syntax, so that vuurmuur_script keeps working. Afterwards, I inspected blocklist.conf and found only this single line:
RULE=""
I became curious and ran sudo vuurmuur_script --block 1.2.3.4 --apply, which led to an additional entry:
{{{RULE="" RULE="block 1.2.3.4"}}}
Again, this IP address doesn't show up in vuurmuur_conf, and there's no iptables rule. This looks like the real bug to me. :-)
comment:10 Changed 12 years ago by
| Milestone: | undecided → 0.5.74 |
|---|---|
| Priority: | major → blocker |
I can reproduce this and confirm it is a bug. I'll look into it asap. Thanks for the report!
comment:11 Changed 12 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Fixed by changeset:174. Please test!
Replying to eveith@wwweb-library.net:
Would you mind to post that file? (or send it in private to Victor or me?)
thanks! Adi