ip_blacklist

floyd (Verified User; joined Mar 29, 2005; 6,334 messages)
I am thinking that the ip_blacklist feature should also put the ip in the firewall. If somebody is trying to hack into the control panel I probably want to firewall them as well. And then maybe have it clear every hour.

What do you guys think?

By the way I already know how to do this myself. I am just thinking of other users who don't know how to make it work.
 
I am thinking that the ip_blacklist feature should also put the ip in the firewall. If somebody is trying to hack into the control panel I probably want to firewall them as well. And then maybe have it clear every hour.

Makes sense to me... but I would need to put my own IP in a whitelist... with my luck, I'd be the first person to get locked out.
 
At the top of the firewall could be certain IPs to allow from, and then even if your IP gets listed after that it would not matter, since the firewall takes action based on the first match.

Also clearing every hour guarantees one would only be blocked for an hour at most.

It seems to me that almost all failed logins of any type should at least be temporarily firewalled. Maybe only after x number of tries. Maybe there is already something that does this.

I brought it up so we could have a discussion about it and see what other people think.
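To make the ordering point above concrete (whitelist rules first, so the first match wins; a failure threshold before anything is blocked; and an hourly expiry), here is an added example that is not part of the original post and not DirectAdmin's own code. It assumes a constructed login-log format of "<epoch> <ip> <login-ok|login-fail>", a threshold of 5 failures, a 3600-second block lifetime, and DirectAdmin's default port 2222; the log lines, whitelist and chain name are all made up for the example.

```python
"""Added example: turn repeated failed control-panel logins into temporary
firewall blocks, with a whitelist that is always matched first.

Assumptions (not from the thread): log lines look like
"<epoch> <ip> <login-ok|login-fail>", the threshold is 5 failures, blocks
expire after 3600 s, and the panel listens on TCP 2222.  SAMPLE_LOG and the
whitelist below are constructed for the example."""
import ipaddress
from collections import defaultdict

SAMPLE_LOG = """\
1000 203.0.113.7 login-fail
1001 203.0.113.7 login-fail
1002 198.51.100.9 login-ok
1003 203.0.113.7 login-fail
1004 203.0.113.7 login-fail
1005 203.0.113.7 login-fail
1006 192.0.2.44 login-fail
1007 192.0.2.44 login-fail
1008 192.0.2.44 login-fail
1009 192.0.2.44 login-fail
1010 192.0.2.44 login-fail
"""

# Addresses the admin logs in from (assumed); these must never be locked out.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]


def failed_logins(log_text, threshold=5):
    """Return {ip: time_of_last_failure} for every IP with >= threshold failures."""
    counts = defaultdict(int)
    last_seen = {}
    for line in log_text.splitlines():
        ts, ip, result = line.split()
        if result == "login-fail":
            counts[ip] += 1
            last_seen[ip] = int(ts)
    return {ip: last_seen[ip] for ip, n in counts.items() if n >= threshold}


def is_whitelisted(ip, whitelist=WHITELIST):
    """True if ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)


def expire(blocked, now, ttl=3600):
    """Keep only blocks younger than ttl: a per-IP expiry rather than a blanket
    hourly flush, so nobody is blocked for more than ttl seconds."""
    return {ip: t for ip, t in blocked.items() if now - t < ttl}


def iptables_rules(blocked, whitelist=WHITELIST, chain="DA_BLOCK", port=2222):
    """Render the chain as a list of iptables commands.  Whitelisted networks
    get a RETURN rule *before* any DROP, so even if a whitelisted address is
    also in `blocked`, first-match wins and it is never dropped."""
    rules = [f"iptables -N {chain}", f"iptables -F {chain}"]
    for net in whitelist:
        rules.append(f"iptables -A {chain} -s {net} -j RETURN")
    for ip in sorted(blocked):
        rules.append(f"iptables -A {chain} -s {ip} -p tcp --dport {port} -j DROP")
    return rules


def plan(log_text, now, whitelist=WHITELIST):
    """Full pipeline: count failures, expire old blocks, render the chain."""
    blocked = expire(failed_logins(log_text), now)
    return iptables_rules(blocked, whitelist)


if __name__ == "__main__":
    for rule in plan(SAMPLE_LOG, now=1011):
        print(rule)
```

The chain is flushed and rebuilt on every run (for example from an hourly cron job); the one-time `iptables -I INPUT 1 -j DA_BLOCK` jump is deliberately not part of the rebuilt rule set so that repeated runs do not stack duplicate jumps. The whitelist RETURN rules come first precisely because of the first-match behaviour the post describes.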
 
I don't like it. I think it's too dangerous (what if I don't have a static IP#? I can't log in for an hour?).

Jeff
 
I can't log in for an hour?

If that is what you choose for a time limit. And of course you would not get blocked at all unless you had x number of failed logins.

And of course there are other ways to get your ip freed from the firewall. You just have to be a little creative. You can always create a back door for yourself.
 
And of course there are other ways to get your ip freed from the firewall. You just have to be a little creative. You can always create a back door for yourself.
As I well know: I once knew the backdoor code for the DEC PDP-10, a long time ago. (It worked on the old CompuServe servers :).)

But now you're writing about stuff that gets even more complex and easier to make mistakes.

Jeff
 
Thom (and others who aren't quite sure how firewalls work),

The firewalling is done at the kernel level. To allow a login from a system not allowed through the firewall becomes a bit complex. Look up port knocking. And if you decide to try it, be very careful.

Jeff
 
I was actually speaking of something a lot simpler, like sending an email to the system from an address that is not blocked (like Yahoo or Hotmail) that would then trigger clearing the IP that is located in the body of the email. Of course this would be a very special email address that you would use.

There are other methods too.
 
I was actually speaking of something a lot simpler, like sending an email to the system from an address that is not blocked (like Yahoo or Hotmail) that would then trigger clearing the IP that is located in the body of the email. Of course this would be a very special email address that you would use.

There are other methods too.

Rather than have learned and august folks hint that I don't understand firewalls... I'd be more interested in a discussion of the various methods to "get back into the box"... I have several IPs from which I can get in... but if all of them got auto-blocked I'd be real unhappy.

Maybe one way would be to have a list of IPs that are automatically removed from the block list at a pre-determined interval?

Tell us more about the methods.
 
If you'd remove a predetermined list at a predetermined interval, why not just whitelist them in the first place? But this would only be required if DirectAdmin were changed to use the firewall to block the IP#s instead of the way it does it now.

What user floyd is writing about is having a special address on your system, forwarded to a program that would remove your IP# (as listed in the body of your email) from the blocklist.

What I was writing about is described here. However this requires rather massive changes to how the firewall is defined; for example blocking an IP# isn't really blocking if you're going to use portknocking; it's just closing all ports based on the IP#. So yes, as he writes, his method is a lot simpler.

But you'd have to guarantee that your system never blocks mail from hotmail, gmail, or whatever email account you'd use to send the special email to the special address. This will be easier with the final release of SpamBlocker3, which will (optionally) whitelist known public email vendors.

You could of course simply flush all iptables blocks every hour with a simple cronjob; then you'd only have to wait an hour.

But I still prefer blocking DirectAdmin port access the way we do now.

Jeff
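The "special address forwarded to a program" idea from the two posts above, as an added example that is not part of the thread and not DirectAdmin's code. One caveat the posts do not spell out: the From: header of an email is trivially forged, so a sender check alone does not authenticate the request; the example therefore also requires a shared secret token in the body. The alias name, allowed sender, token and sample message are all constructed; a real deployment would also want a timestamp or nonce so a captured message cannot be replayed.

```python
"""Added example: handler for the "unblock me" mailbox.  A mail alias pipes
the raw message to this program; it removes the IP named in the body from
the blocklist, but only if the message comes from an allowed sender AND
carries the shared secret (the sender check alone is not authentication,
because From: is easily forged).

Assumptions (not from the thread): the allowed sender, the token and the
message format ("token <secret>" and "ip <address>" lines) are made up."""
import email
import email.utils
import hmac
import ipaddress
from email import policy

ALLOWED_SENDERS = {"admin@example.com"}   # assumed: the mailbox you send from
SECRET = "correct-horse-battery"          # assumed shared secret; keep out of logs

# Constructed sample message, as the alias would hand it over on stdin.
SAMPLE_MESSAGE = """\
From: admin@example.com
To: unblock@example.net
Subject: unblock

token correct-horse-battery
ip 198.51.100.23
"""


def parse_unblock_request(raw, allowed=ALLOWED_SENDERS, secret=SECRET):
    """Return the IP to unblock, or None if the message is not acceptable."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender not in allowed:
        return None
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            fields[parts[0].lower()] = parts[1].strip()
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(fields.get("token", ""), secret):
        return None
    try:
        return str(ipaddress.ip_address(fields.get("ip", "")))
    except ValueError:
        return None


def unblock(blocklist, raw):
    """Apply a request to a blocklist (a list of IP strings).
    Returns (new_blocklist, removed_ip_or_None)."""
    ip = parse_unblock_request(raw)
    if ip is None:
        return list(blocklist), None
    return [b for b in blocklist if b != ip], ip


if __name__ == "__main__":
    import sys
    current = ["198.51.100.23", "203.0.113.7"]   # constructed current blocks
    new_list, removed = unblock(current, sys.stdin.read() or SAMPLE_MESSAGE)
    print("removed:", removed, "remaining:", new_list)
```

In a real setup the alias would run this with enough privilege to edit the blocklist (or to call iptables), which is exactly the "more complex and easier to make mistakes" territory Jeff warns about; the allowed-sender check, the secret and the strict IP parsing are the minimum that keeps a stranger from mailing your server a request to unblock themselves.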
 