I've been doing lots of tests while trying to host two email domains on clearOS. The Attack Detector app (based on fail2ban) did not like that and decided to lock me out of the box.
I'd referred to the app's documentation and had found the following:
If this application is installed and the 'sshd' rule is enabled, repeated failed log-in attempts will block access with your public IP address. You will need to log in using a different public IP address and White List your blocked public IP address on the Intrusion Prevention app.
I did what the document says and whitelisted the IP on the Intrusion Prevention app, but that didn't lift the ban! I had to log in to SSH and issue the following command to unban the IP:
fail2ban-client set sshd unbanip 192.168.0.10
It seems the documentation is wrong in this part or I might be missing something here!
Responses (5)
-
Great! I checked the documentation and the misleading part is gone.
As for whitelisting private IP's by default, I strongly stand against it, especially when clearOS is used in business or educational environments. I've witnessed many hacking attempts from within in schools and companies. So, better to be safe than sorry.
-
I have not yet filed a report, but I did raise the subject with the Devs on Tuesday under the guise of should all private IP's be whitelisted. This led on to a bigger discussion but may not cover what you want. Whitelisting private IP's becomes a philosophical discussion because the attacker could also be inside your LAN.
I've recently got access to the documentation Wiki to write howto's. I'll see if it will let me correct app documentation as well.
.... Big pause. I do have access and have corrected the documentation.
-
Looks like you're right. There is no webconfig option to whitelist IP's in fail2ban/app-attack-detector. It can be done by editing the ignoreip in /etc/fail2ban/jail.local (or /etc/fail2ban/jail.conf if you insist), but I'd still expect you to have to manually unban as you did. I'll file a bug when I get the energy.
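The point made in this thread, that adding an address to ignoreip does not lift a ban that is already in place, can be checked with a short script. This is an added example, not part of the original posts or of ClearOS/fail2ban; the jail.local contents, the second jail and the banned lists are constructed, and the function names are hypothetical.

```python
import configparser
import ipaddress
import re

# Constructed sample jail.local (not taken from a real system).
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.10

[sshd]
enabled = true

[postfix-sasl]
enabled = true
ignoreip = 127.0.0.1/8, 10.0.0.0/24
"""

def ignore_networks(jail_conf, jail):
    """Return the jail's effective ignoreip entries as ip_network objects.
    A per-jail ignoreip overrides the [DEFAULT] value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_conf)
    raw = cp.get(jail, "ignoreip", fallback="")
    nets = []
    # ignoreip entries are separated by spaces and/or commas.
    for entry in re.split(r"[\s,]+", raw.strip()):
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # DNS host names are allowed in ignoreip; skipped here
    return nets

def stale_bans(jail_conf, jail, banned):
    """IPs that are whitelisted for the jail but still in its ban list."""
    nets = ignore_networks(jail_conf, jail)
    return [ip for ip in banned
            if any(ipaddress.ip_address(ip) in net for net in nets)]

def unban_commands(jail_conf, jail, banned):
    """One manual unban command per whitelisted-but-still-banned IP."""
    return [f"fail2ban-client set {jail} unbanip {ip}"
            for ip in stale_bans(jail_conf, jail, banned)]

if __name__ == "__main__":
    # Constructed ban list; on a live box it comes from
    # `fail2ban-client status sshd`.
    for cmd in unban_commands(SAMPLE_JAIL_LOCAL, "sshd",
                              ["192.168.0.10", "203.0.113.7"]):
        print(cmd)
```

The script only prints the commands, so the list can be reviewed before anything is unbanned.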