Manually ban/unban IP #41

Open
ADeeeee opened this issue Aug 31, 2021 · 5 comments

ADeeeee commented Aug 31, 2021

Hi all,

I've searched for a while and it seems there's no description on the Internet or in the README about how people ban or unban IP addresses manually once they got banned via this middleware. I used this function sometimes when some allies got banned by accident or the filter is just too strict.

My plan is to use this middleware in my Kubernetes cluster with Traefik Ingress. Is there any way to do it? It'd be so helpful rather than only waiting for it to time out.

e.g.
The way I use it via Ubuntu standalone:
fail2ban-client set [RULE-NAME] banip/unbanip [IP]

@tomMoulard
Owner

Hello @ADeeeee,

Thanks for your interest in this Traefik plugin!

That's because there is currently no way to do that once Traefik has started.

But you can manually whitelist or blacklist IPs prior to starting the reverse proxy by doing something like:

whitelist:
    ip:
      - "::1"

@ADeeeee
Author

ADeeeee commented Aug 31, 2021

Hi Tom,

Thanks for the reply. I do have the whitelist already. Does it work if I edit the middleware by adding a banned IP to the whitelist after the IP got banned? This would be a nice workaround if it does.

--edited--
BTW, do these formats also work?
Multiple single ports checking:

ports: 
  - "80"
  - "443"

IP subnet range:

whitelist:
  ip:
    - "192.168.0.0/16"

@tomMoulard
Owner

When you update the plugin configuration, Traefik reloads the plugin entirely. So no more banned IPs. Thus, if you whitelist an IP, it should work right in your case.

BTW, do these formats also work?
Multiple single ports checking

No

IP subnet range

Yes

@ADeeeee
Author

ADeeeee commented Oct 13, 2021

Hello Tom,

I've tried it on Kubernetes recently and found a few issues and situations:

  1. Blacklist has priority
    It should be reversed because it's so dangerous if any accident happens. It's confirmed that when an IP address is in both the blacklist and the whitelist, it's still blocked with 403 Forbidden.

  2. Unable to unblock IP addresses
    Once an IP address gets blocked via the urlregex filter, you can't unblock it even by restarting the pod, editing and saving the middleware, or even whitelisting the IP address (according to above). There's no way to restart Traefik at all, which could make all the services on the Kubernetes cluster disconnected for a while.
    Any solutions for this? This is kinda crucially important for avoiding accidents.

Just FYI, and I guess I will wait for the features and also a stable plugin environment in Traefik. This is very cool. I hope I will be back one day when it matches my requirements.

@tomMoulard
Owner

Hi @ADeeeee,

It should be reversed because it's so dangerous if any accident happens

For now, we expect our users to know the risks and implications of a harsh f2b rule.

Unable to unblock IP addresses

As I said, there is no current way to unblock IP addresses dynamically. Restarting Traefik should be enough to clear the blacklisted IP pool.
If you see a log like Plugin: FailToBan is up and running, it means that this plugin was loaded (or reloaded), so both pools are emptied, and the configuration is fresh.
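
An added illustration for readers of this thread (not code from the plugin or from either participant): a small Go model of the list precedence discussed above, showing why an IP present in both lists gets 403 when the blacklist is checked first, next to the reversed order the reporter asks for. The `Lists` type, `Decide` function and sample addresses are hypothetical, and unparsable addresses are assumed to be rejected.

```go
package main

import (
	"fmt"
	"net"
)

// Lists is a hypothetical stand-in for the static whitelist/blacklist config
// shown in the thread; it is not the plugin's own type.
type Lists struct {
	Whitelist, Blacklist []string // single IPs or CIDR ranges
}

// matches reports whether ip equals an entry or falls inside a CIDR entry.
func matches(ip net.IP, entries []string) bool {
	for _, e := range entries {
		if _, cidr, err := net.ParseCIDR(e); err == nil {
			if cidr.Contains(ip) {
				return true
			}
		} else if single := net.ParseIP(e); single != nil && single.Equal(ip) {
			return true
		}
	}
	return false
}

// Decide returns the HTTP status for addr. blacklistFirst=true models the
// order reported in the thread (an IP in both lists gets 403); false models
// the reversed order the reporter asks for.
func Decide(l Lists, addr string, blacklistFirst bool) int {
	ip := net.ParseIP(addr)
	if ip == nil {
		return 403 // assumption: fail closed on an unparsable address
	}
	black, white := matches(ip, l.Blacklist), matches(ip, l.Whitelist)
	if black && (blacklistFirst || !white) {
		return 403
	}
	return 200 // whitelisted or unlisted; dynamic ban rules are not modelled
}

func main() {
	// Constructed sample lists, using the entry formats shown in the thread.
	l := Lists{Whitelist: []string{"192.168.0.0/16", "::1"}, Blacklist: []string{"192.168.1.10"}}
	fmt.Println(Decide(l, "192.168.1.10", true), Decide(l, "192.168.1.10", false)) // 403 200
}
```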
