You blacklisted YOURSELF !

Alle Fragen, die rund um Fail2Ban (Konfiguration, Fehler, Filter...) sind.
Antworten
ktsaou
Beiträge: 18
Registriert: 12. Mai 2015, 08:41

You blacklisted YOURSELF !

Beitrag von ktsaou » 26. Mär 2016, 16:03

Hi,

On Mar 23 2016, you blacklisted yourself !

The downloaded files include IP 185.21.103.31, which is your IP.

Code: Alles auswählen

# host http://www.blocklist.de
http://www.blocklist.de has address 185.21.103.31

 # host lists.blocklist.de
lists.blocklist.de has address 185.21.103.31
The downloaded source files really include this IP:

Code: Alles auswählen

# grep 185.21.103.31 /etc/firehol/ipsets/blocklist_de*.source
/etc/firehol/ipsets/blocklist_de.source:185.21.103.31
/etc/firehol/ipsets/blocklist_de_ssh.source:185.21.103.31
As you can see it is found in ssh and the default (all.txt).

These are the timestamps (GMT+2) of the files (the timestamps are copied from your web server):

Code: Alles auswählen

# ls -l /etc/firehol/ipsets/blocklist_de.source
-rw------- 1 root root 568381 Mar 23 17:28 /etc/firehol/ipsets/blocklist_de.source
# ls -l /etc/firehol/ipsets/blocklist_de_ssh.source
-rw------- 1 root root 20254 Mar 23 17:42 /etc/firehol/ipsets/blocklist_de_ssh.source
As a result, all users that downloaded that blacklists and actually use them on their firewalls, cannot update them anymore!

My guess is that your only solution in order to allow these users download them again, is to swap this blacklisted IP with another one that is not listed.

Also, I see that currently all your IP lists are empty (probably because you have blacklisted yourself) !

Regards,

Costa

ktsaou
Beiträge: 18
Registriert: 12. Mai 2015, 08:41

Re: You blacklisted YOURSELF !

Beitrag von ktsaou » 26. Mär 2016, 16:57

A screenshot for the zero sized IP lists
Dateianhänge
blocklist_de_zero_ips.PNG
Zero sized IP lists

vbs
Beiträge: 5
Registriert: 25. Mär 2016, 02:18

Re: You blacklisted YOURSELF !

Beitrag von vbs » 26. Mär 2016, 17:14

I can confirm that, my ipset lists are empty also. But that means that blocklist itself is not banned and I should be able to get further updates, right?

ktsaou
Beiträge: 18
Registriert: 12. Mai 2015, 08:41

Re: You blacklisted YOURSELF !

Beitrag von ktsaou » 26. Mär 2016, 17:38

It depends. I guess the machine that receives threat intel is using the same blacklist. So the probes cannot send their findings to the concentration point.

michelpy
Beiträge: 5
Registriert: 4. Mär 2016, 07:18

Re: You blacklisted YOURSELF !

Beitrag von michelpy » 26. Mär 2016, 19:09

I can see the same, all lists empty.

Benutzeravatar
Martin
Beiträge: 397
Registriert: 14. Sep 2010, 11:54
Kontaktdaten:

Re: You blacklisted YOURSELF !

Beitrag von Martin » 26. Mär 2016, 19:44

Hello,

i found the reason, why the site and lists was empty.
I fix it now, i think in a few minutes, it works again.

The IP from the new backup-Webserver is now whitelisted too and on the Reporting-Server, the SSH-Login is fixed too.

Thank you for the report.
Mfg Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

ktsaou
Beiträge: 18
Registriert: 12. Mai 2015, 08:41

Re: You blacklisted YOURSELF !

Beitrag von ktsaou » 26. Mär 2016, 23:31

Good!
Thanks Martin.

However, if you don't change lists.blocklist.de to a different IP (other than the blacklisted one), several of your users will not be able to download the updated list.

This happens in my case too. Since 185.21.103.31 is now blacklisted on my systems, I cannot talk to lists.blocklist.de to download the fixed IP list and the whole process is locked.

So, my opinion is that you have to point lists.blocklist.de to a new IP, to let your users update.

Benutzeravatar
Martin
Beiträge: 397
Registriert: 14. Sep 2010, 11:54
Kontaktdaten:

Re: You blacklisted YOURSELF !

Beitrag von Martin » 27. Mär 2016, 07:43

Hi,
at our old Server which needs a big upgrade, we have more IPs, but on our Backup-System, we have only one IP :-(
The most Upgrade of the Main-Files are done, but we need more Time, to update the config and Settings, because there was many changes and currently, the Websites does not work on the upgraded system.
But i work on it :-)
Mfg Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

vbs
Beiträge: 5
Registriert: 25. Mär 2016, 02:18

Re: You blacklisted YOURSELF !

Beitrag von vbs » 27. Mär 2016, 11:05

For met the lists are filled again, ~24k lines right now. Thanks!

ktsaou
Beiträge: 18
Registriert: 12. Mai 2015, 08:41

Re: You blacklisted YOURSELF !

Beitrag von ktsaou » 27. Mär 2016, 11:40

For anyone having issues to update after using all.txt as a firewall blacklist using ipset, you can do this:

Code: Alles auswählen

ipset del blocklist_de 185.21.103.31
blocklist_de is the name of the ipset you use.

Using the above, you will be able to update again.

Antworten