Should there be more API calls for firewall?

I have run into a fault with /nodeworx/firewall/allowDenyIps. After realizing this scenario, I’ve decided to instead use apf -u $IP. Should there be API calls for adding/removing individual IPs from deny/allow_hosts.rules?

My script is intended to remove an IP address from the firewall’s block list X amount of time after it’s been added.
While we’re at it, let’s say that N is the amount of IPs in deny_hosts.rules.
The way to do that with the IW API is to:

  1. sed out the $IP in question from /etc/apf/deny_hosts.rules
  2. output that into another file
  3. find the latest "{trust} deny all to/from $IP" entry in /var/log/apf_log
  4. collect the time from that entry, let's call it T
  5. add X amount of time to T
  6. write a shell script that has all the parameters to run a perl script with the API call that uploads the list, from which $IP is sedded out
  7. make an atd job that will run that script at time T
What you get in the logs is evidence that each IP in that list has been added into what seems to be an empty list. There are no "{trust} removed $IP from trust system" entries in the log resulting from that API call.

The real fallout of doing this on a regular basis is that if you have a script that does this for all IPs in deny_hosts.rules:

  • you need to write logic that seds out IPs that expire after the last IP you ever removed this way
  • because of steps 3-5, the expiry date for remaining IPs will be refreshed and they will be scheduled for removal at time T+X, where T is when a previous IP was removed
  • this will create a cascade of N-1 atd jobs that will each unblock their own IP, but also block the rest
  • and to prevent this you need to write a job script that seds deny_hosts.rules only when the job is being run
  • it's also nontrivial to implement removal of many IPs at the same time if they got blocked the same second
I really think the lack of other API calls is only adding complexity to efficiently using this one. What do you think?
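As an added example (not the poster's own script, and not part of the InterWorx API), here is the expiry computation from steps 3 to 5 done for the whole of deny_hosts.rules in one pass, which is the shape that avoids the cascade of N-1 atd jobs described above: each IP is judged against its own latest "{trust} deny all to/from" entry, so removing one IP never refreshes the expiry of the others, and IPs blocked in the same second fall out together. It is written in Python rather than the shell/perl mix from the post; the syslog-style apf_log line format, the year (syslog timestamps carry none), and all sample data are constructed assumptions and are labelled as such in the code. The resulting list still has to be written back by whatever means you trust, per IP with apf -u or by uploading the file.

```python
import re
from datetime import datetime, timedelta

# Matches the syslog-style apf_log line format assumed here (constructed):
#   "Mar 10 12:00:00 web1 apf(2210): {trust} deny all to/from 203.0.113.5"
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*"
    r"\{trust\} deny all to/from (?P<ip>\S+)\s*$"
)


def latest_deny_times(log_lines, year):
    """Return {ip: datetime} of the most recent deny entry per IP (steps 3 and 4).

    Syslog timestamps have no year, so the caller supplies it.
    """
    latest = {}
    for line in log_lines:
        m = DENY_RE.match(line)
        if not m:
            continue  # "removed ... from trust system" and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip not in latest or ts > latest[ip]:
            latest[ip] = ts
    return latest


def expire_deny_list(deny_lines, log_lines, max_age, now, year):
    """Split a deny_hosts.rules listing into (keep, drop) in a single pass.

    An address is dropped only when its own latest deny time plus max_age has
    passed at `now` (step 5 per IP), so the expiry of every other entry is
    untouched. Comments, blank lines and addresses with no log entry are kept
    rather than guessed at.
    """
    latest = latest_deny_times(log_lines, year)
    keep, drop = [], []
    for raw in deny_lines:
        line = raw.rstrip("\n")
        addr = line.split("#", 1)[0].strip()  # drop trailing comments
        blocked_at = latest.get(addr) if addr else None
        if blocked_at is not None and now - blocked_at >= max_age:
            drop.append(addr)
        else:
            keep.append(line)
    return keep, drop


# Constructed sample data (documentation ranges), not from any real server.
SAMPLE_LOG = [
    "Mar 10 10:00:00 web1 apf(2101): {trust} deny all to/from 203.0.113.5",
    "Mar 10 10:00:00 web1 apf(2101): {trust} deny all to/from 203.0.113.6",  # same second
    "Mar 10 11:30:00 web1 apf(2188): {trust} deny all to/from 198.51.100.9",
    "Mar 10 12:00:00 web1 apf(2210): {trust} deny all to/from 203.0.113.5",  # re-blocked later
    "Mar 10 12:05:00 web1 apf(2214): {trust} removed 192.0.2.77 from trust system",
]
SAMPLE_DENY = [
    "# apf deny list",
    "203.0.113.5",
    "203.0.113.6",
    "198.51.100.9",
    "192.0.2.44  # no matching log entry",
]


def demo():
    """Run the sample with X = 2 hours at a fixed 'now' so the result is reproducible."""
    now = datetime(2024, 3, 10, 13, 0, 0)
    return expire_deny_list(SAMPLE_DENY, SAMPLE_LOG, timedelta(hours=2), now, 2024)


if __name__ == "__main__":
    keep, drop = demo()
    print("expired, to remove:", drop)
    print("new deny_hosts.rules:")
    print("\n".join(keep))
```

With the sample data only 203.0.113.6 expires: 203.0.113.5 was re-blocked at 12:00 so its most recent entry counts, 198.51.100.9 is only 90 minutes old, and 192.0.2.44 has no log entry and is left alone. Running this from one cron job replaces the per-IP atd scheduling, and because the comparison is always against the current list, two IPs blocked in the same second are simply both in `drop`.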

Hi grep

It sounds as though you're building a nice GUI

You might want to add this to the ideas page, interworx.com/ideas I think, but it’s linked from the menus above.

If it helps, you can install fail2ban, which does exactly what you're posting, but I do not use it, sorry.

I hope that helps

Many thanks

John

Hi John. It’s not a GUI really, but a script intended for cron jobs.
Thank you for letting me know about fail2ban, but that won’t cut it. I looked at fail2ban and it does the exact opposite of what I want to do: I want to accept rejected IPs after a certain time passes. To be fair to them, count the time right from the time when they got rejected. My justification for this is that maybe the offending IP belongs to a user that is unknowingly a part of a botnet (or behind a NAT with a bot in it) and still wants to access the site.
Here’s what I have come up with to work around the InterWorx API.
There’s also this perl script which helped me realize the cascading scenario.

Hi grep

I hope you don’t mind, but I’ve been thinking about your post and what I think you're trying to achieve, and I had a few questions which I’m sure you have thought about.

How will you tell the truly bad IPs from those you want to let through?

After thinking about this question, an easy way to do what you want came to me, but only if the answer to the question is that you could not differentiate the bad from the should-not-be-bad IPs, as follows:

Why not install bfd and set it to block as per your needs, say default 3 mins cron

Set a cron to run hourly to delete the blacklisted IPs from apf

This then gives you a blank IP block list every hour, whilst bfd would add offending IP addresses every 3 minutes. In this scenario, an attacker would only have a window of 3 minutes or less before being blocked for 60 minutes or less, depending upon when they were added; if added at, say, 57 minutes, it blocks for 3 minutes and resets, but if the attack is continuing, it would be added back within the next 3 minutes.

It’s just a thought, I hope it makes sense and when I’m back at office, I’ll have a look at your links, but if above would help, just set times and cron to your figures.

Many thanks, and I’m sorry if I have misunderstood exactly what you're trying to achieve

John

Hi John.

I haven’t thought about that. This brings up another sort of issue: what offense would warrant no forgiveness for an IP address? I wouldn’t cast judgement too quickly. Especially since short DHCP leases are popular with some ISPs, a permanent ban would completely miss the point.

> Why not install bfd and set it to block as per your needs, say default 3 mins cron
>
> Set a cron to run hourly to delete the blacklisted IPs from apf
>
> This then gives you a blank IP block list every hour, whilst bfd would add offending IP addresses every 3 minutes. In this scenario, an attacker would only have a window of 3 minutes or less before being blocked for 60 minutes or less, depending upon when they were added; if added at, say, 57 minutes, it blocks for 3 minutes and resets, but if the attack is continuing, it would be added back within the next 3 minutes.
>
> It’s just a thought, I hope it makes sense and when I’m back at office, I’ll have a look at your links, but if above would help, just set times and cron to your figures.

Thank you, that sounds alright. I’ll keep this in mind for when my X day block will need to be changed.

> Many thanks, and I’m sorry if I have misunderstood exactly what you're trying to achieve
>
> John

No worries. You were spot on :)

grep

Hi grep

Many thanks

I would think bad vs good definitions are up to each sysadmin to decide, based upon factors like usage, attempted hacks etc., but there are known CIDR blocks which have been shown to be continually abusive. I personally think it’s a mixture, but we do block permanently some CIDR ranges, which is unfair on some good users, but for the benefit of our clients, and you can see CIDR ranges generating abuse, which the provider should stop, I think.

These are just my thoughts though and I understand your point of view

Many thanks

John