Add/remove IP address to firewall

Posted: Sun Sep 29, 2019 10:24 pm
by bobmeetin
Either through the control panel or command line (cli?) or both, what are the procedures to add or remove an IP address in the firewall? Also to review what's currently there (as root).

The default behavior seems to be to block an IP after several attempts then you have to wait an hour or so for it to release.

Re: Add/remove IP address to firewall

Posted: Sun Sep 29, 2019 10:45 pm
by NordicSnowman
bobmeetin wrote:
Sun Sep 29, 2019 10:24 pm
Either through the control panel or command line (cli?) or both, what are the procedures to add or remove an IP address in the firewall? Also to review what's currently there (as root).

The default behavior seems to be to block an IP after several attempts then you have to wait an hour or so for it to release.

Fail2ban is the function blocking after failed attempts or bad behaviour, depending on your F2B rules.
You can list them (the banned ones) with the v-list-firewall-ban CLI command.
For more details about the jails, use:

Code:

fail2ban-client status

For adding, removing or changing rules through CLI commands:

Example for FTP, port 21 (allowing anyone)
# options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]

Code:

v-add-firewall-rule allow 0.0.0.0/0 21 TCP FTP

Example for blocking 123.123.123.123 to FTP
# options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]

Code:

v-add-firewall-rule drop 123.123.123.123 21 TCP FTP-ban-123

Similar for removing rules, deleting and changing rules or bans.
Check out the CLI-commands: https://vestacp.com/docs/cli/

Re: Add/remove IP address to firewall

Posted: Mon Sep 30, 2019 6:51 am
by plutocrat
bobmeetin wrote:
Sun Sep 29, 2019 10:24 pm
The default behavior seems to be to block an IP after several attempts then you have to wait an hour or so for it to release.

Seems you're talking about fail2ban. Try this approach:

Code:

root@server~ $ fail2ban-client status
Status
|- Number of jail:	5
`- Jail list:	dovecot-iptables, exim-iptables, ssh-iptables, sshd, vesta-iptables
root@server~ $ fail2ban-client status exim-iptables 
Status for the jail: exim-iptables
|- Filter
|  |- Currently failed:	8
|  |- Total failed:	158047
|  `- File list:	/var/log/exim4/mainlog
`- Actions
   |- Currently banned:	3
   |- Total banned:	20034
   `- Banned IP list:	46.38.144.179 45.82.153.37 92.118.38.36
root@server~ $ fail2ban-client set exim-iptables unbanip 92.118.38.36
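
Added example, not part of any post in this thread: a shell script that automates the lookup shown above by parsing `fail2ban-client status` output, finding every jail that currently bans a given IP, and printing the matching `unbanip` commands without running them. The function names, the `F2B` override variable and the `sample_f2b` stub with its addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which fail2ban jails currently ban an IP and print the
# unban command for each. Parses the status output format shown in the thread.

F2B=${F2B:-fail2ban-client}   # command to query; swapped for a stub in the demo

# Read `fail2ban-client status` on stdin; print one jail name per line.
list_jails() {
    sed -n 's/.*Jail list:[[:space:]]*//p' | tr -d ' \t' | tr ',' '\n' | sed '/^$/d'
}

# Read `fail2ban-client status <jail>` on stdin; print one banned IP per line.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n' | sed '/^$/d'
}

# jails_banning IP: print each jail whose ban list contains exactly this IP.
jails_banning() {
    for jail in $("$F2B" status | list_jails); do
        # -F fixed string, -x whole line: 1.2.3.4 must not match 11.2.3.45
        if "$F2B" status "$jail" | banned_ips | grep -Fxq -- "$1"; then
            echo "$jail"
        fi
    done
}

# unban_commands IP: print (do not run) the unban command for each such jail.
unban_commands() {
    for jail in $(jails_banning "$1"); do
        echo "fail2ban-client set $jail unbanip $1"
    done
}

# Constructed stub replaying status output in the thread's format (hypothetical data).
sample_f2b() {
    case "$*" in
        status) printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tsshd, exim-iptables\n' ;;
        'status sshd') printf '   |- Currently banned:\t1\n   `- Banned IP list:\t192.0.2.10\n' ;;
        'status exim-iptables') printf '   |- Currently banned:\t2\n   `- Banned IP list:\t192.0.2.10 198.51.100.7\n' ;;
    esac
}

# With an IP argument, query the real fail2ban-client; otherwise run the stub demo.
if [ -n "${1:-}" ]; then
    unban_commands "$1"
else
    F2B=sample_f2b
    unban_commands 192.0.2.10
fi
```

Run as root with an IP argument on a host where fail2ban is installed; review the printed commands before executing them, since an address banned in several jails needs one `unbanip` per jail.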