How would you script the temporary IP banning on Linux?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
time
This matches if the packet arrival time/date is within a given range. All options are optional, but are ANDed when specified. All times are interpreted as UTC by default.
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
If --datestart or --datestop are not specified, it will default to 1970-01-01 and 2038-01-19, respectively.
$ date --iso-8601=hours
2021-06-20T16+05:00
It seems to be showing timezone. I can do: "$ date --iso-8601=minutes|head -c 16"
after wasting some more time, my idea on command is:
Quote:
sudo iptables -I INPUT -s 1.2.3.4 -m time --datestop "$(date --date='+'24' hours' --iso-8601=minutes|head -c 16)" -j DROP
(hours can be replaced by minutes etc.)
it bans the IP. The iptables -S output:
Quote:
-A INPUT -s 1.2.3.4/32 -m time --datestop 2021-06-20T16:11:00 -j DROP
But after the time expire, the entry remains in iptables and i think that it prevent connections even after defined time because after i removed the rule (by replacing -I by -D), connection from that IP appeared.
UPDATE/SOLUTIONS:
A) try following command instead:
sudo iptables -I INPUT -s 1.2.3.4 -m time --datestop "$(date --date='+24 hours' --utc '+%FT%R')" -j DROP
B) use ipset instead of iptables:
Install "ipset" package
sudo ipset create badips iphash maxelem 1000111222 timeout 0
sudo ipset add badips 1.2.3.4 timeout 86400
iptables -I INPUT -m set --match-set badips src -j DROP
save iptables (various distros, various command - yes stupid) maybe: iptables-save > /etc/sysconfig/iptables;service iptables save
(not tried yet)
How you would you iptables block the ip for 24hrs. better?
I'd make a separate chain for the time-based rules and then also put a time-date stamp in a comment for the rule. Then you can filter based on that periodically in a cron job.
However, I'd really recomnend looking at nftables nowadays instead of iptables. It will be a lot easier to work with, among othe advantages.
It seems to be showing timezone. I can do: "$ date --iso-8601=minutes|head -c 16"
after wasting some more time, my idea on command is:
Code:
sudo iptables -I INPUT -s 1.2.3.4 -m time --datestop "$(date --date='+'24' hours' --iso-8601=minutes|head -c 16)" -j DROP
(hours can be replaced by minutes etc.) it bans the IP. The iptables -S output:
Code:
-A INPUT -s 1.2.3.4/32 -m time --datestop 2021-06-20T16:11:00 -j DROP
But after the time expire, the entry remains in iptables and i think that it prevent connections even after defined time because after i removed the rule (by replacing -I by -D), connection from that IP appeared.
How you would you iptables block the ip for 24hrs. better?
...and instead of doing it for 15 minutes, do it for 24 hours. You were also told that fail2ban would be a much better method; we don't know what to suggest, since you (again) don't tell us what version/distro of Linux you're running this on, or what other tools you have available to you. Fail2ban uses iptables, and if you only need one block interval, you set it to be 24 hours or whatever time you want. Then it's two commands one to block:
Code:
fail2ban-client set <JAIL NAME> banip <IP You want to block
...and one to unblock
Code:
fail2ban-client set <JAIL NAME> unbanip <IP you want to unblock.
...which could be easily scripted into an "at" job. That's why fail2ban was suggested to you seven years ago.
No i can not use that solution, possibly i would not be asking if i could. Offtopic:
Linux details are highlighted in the signature. When not specified the version, assume latest or general Linux. If you can not answer general Linux, keep silent or ask for version number if you must have it.
Thanks @Turbocapitalist
No i can not use that solution, possibly i would not be asking if i could. Offtopic:
Linux details are highlighted in the signature. When not specified the version, assume latest or general Linux. If you can not answer general Linux, keep silent or ask for version number if you must have it.
Thanks @Turbocapitalist
Clearly there are things about this situation that you have not explained.
Can you tell us why the suggested solutions will not work or cannot be implemented?
No i can not use that solution, possibly i would not be asking if i could.
Again, you asked this same question *SEVEN YEARS AGO*, with only a slight variation (minutes vs. hours). And fail2ban USES IPTABLES...which you say you have. And again, unless you actually provide details (such as what you CAN use or why you can't use something else), we don't know. As you've been told many, MANY times unless you provide details we don't have them, do we?
And in your first post, you asked, "How you would you iptables block the ip for 24hrs. better?" You were given two suggestions: fail2ban and nftables. That's the 'better' way. And editing your post to include:
Quote:
Originally Posted by postcd
Method B may be to use ipset instead of iptables:
Install "ipset" package
sudo ipset create badips iphash maxelem 1000111222 timeout 0
sudo ipset add badips 1.2.3.4 timeout 86400
iptables -I INPUT -m set --match-set badips src -j DROP
save iptables (various distros, various command - yes stupid) maybe: iptables-save > /etc/sysconfig/iptables;service iptables save
(not tried yet)
...also seems odd, since you could have just tried that to see if it worked, since ipset is apparently on the list of software you can install. And you've had several threads in the past dealing with how to save/restore both iptables and ipset rules upon reboot as well. https://wiki.archlinux.org/title/Iptables https://wiki.archlinux.org/title/Ipset
Quote:
Offtopic:
Linux details are highlighted in the signature. When not specified the version, assume latest or general Linux. If you can not answer general Linux, keep silent or ask for version number if you must have it.
I did answer; however, you still aren't providing details. Even if people assume your signature contains what you're using on one machine, we can't assume it for every other machine, can we?? And I did answer 'general Linux'...did you understand the answer?? Unless *YOU* write a script to do things, iptables isn't the tool...fail2ban is, and that hasn't changed in seven years. And since it escaped you, I asked what version/distro...you did not answer.
Again; this can be scripted using an "at" job, a shell script called through cron, or several other methods. Since you've got many years scripting (see your other numerous threads about that), and many years using iptables, you should be able to put both together easily. Again, after seven years working with iptables, you should know how to refresh a ruleset, or why that rule will remain there.
Quote:
Thanks @Turbocapitalist
So you apparently can use nftables, but somehow not use fail2ban? Even though the two are pretty familiar in scope?? Have you actually read the nftables docs? From their own site, first on the list under "Supporting nftables" https://wiki.nftables.org/wiki-nftab...is_nftables%3F
Quote:
Originally Posted by NFTables Documentation
Supporting nftables
The following projects are known to either directly support nftables or have authors actively working on nftables integration.
So any idea about the method using just IPtables (it would be good if someone address commands i have mentioned in first post)?
I think that the ipset method i have described in the first post is working.
No i can not use that solution, possibly i would not be asking if i could. Offtopic:
would be nice to explain your special limitations. Would be nice to know why did you ask that question at all.
Quote:
Originally Posted by postcd
Linux details are highlighted in the signature. When not specified the version, assume latest or general Linux. If you can not answer general Linux, keep silent or ask for version number if you must have it.
Exactly 1 line before you explained the general answer is not acceptable for you.
Quote:
Originally Posted by postcd
So any idea about the method using just IPtables (it would be good if someone address commands i have mentioned in first post)?
I think that the ipset method i have described in the first post is working.
Why don't you answer to those questions? Why can't you use failban? Why do you think reinventing/reimplementing it is a good idea?
If ipset is working for you what [else] do you need?
]No i can not use that solution, possibly i would not be asking if i could. Offtopic:
would be nice to explain your special limitations. Would be nice to know why did you ask that question at all.
Code:
Linux details are highlighted in the signature. When not specified the version, assume latest or general Linux.
If you can not answer general Linux, keep silent or ask for version number if you must have it.
Exactly 1 line before you explained the general answer is not acceptable for you.
Code:
So any idea about the method using just IPtables (it would be good if someone address commands i have mentioned in first post)?
I think that the ipset method i have described in the first post is working.
Why don't you answer to those questions? Why can't you use failban? Why do you think reinventing/reimplementing it is a good idea? If ipset is working for you what [else] do you need?
Agreed to all, especially since the OP has seven years experience working with iptables/ipset, and they've asked the same question previously. And they were told that yes, this could be scripted in several ways (and they similarly have years of experience scripting). You're exactly right, in that reinventing things isn't the best way to go. Also, the ipset suggestion was added to the original post after the first reply.
postcd, you asked for 'better' ways to do this and were given fail2ban years ago (and now), and were also given nftables. So since you refuse advice from others, and also refuse to answer questions or provide details (as pan64 said), why did you ask this question at all?? Again, you asked:
Quote:
Originally Posted by postcd
So any idea about the method using just IPtables (it would be good if someone address commands i have mentioned in first post)? I think that the ipset method i have described in the first post is working.
Yes; again, you were told that yes, you COULD script things, and it was also mentioned that there is a reason iptables isn't removing the rule as you desire, and you were even given a hint as to what to look at. And you were also told (again) that this isn't the best way to do things.
So any idea about the method using just IPtables (it would be good if someone address commands i have mentioned in first post)?
You chopped off the timezone, but iptables assumes UTC, so you should pass --utc to the date call. Also, you could avoid generating the timezone instead of chopping it off:
Code:
sudo iptables -I INPUT -s 1.2.3.4 -m time --datestop "$(date --date='+24 hours' --utc '+%FT%R')" -j DROP
Offtopic:
@ntubski Thanks for the rare ontopic useful and solicited input
I will use ipset rule (mentioned in my first post) and if i have any issue with it, i will try Your iptables rule, because if working, it is the best way to deal with the issue (no need to install additional things, setup crons etc).
Offtopic:
@ntubski Thanks for the rare ontopic useful and solicited input
I will use ipset rule (mentioned in my first post) and if i have any issue with it, i will try Your iptables rule, because if working, it is the best way to deal with the issue (no need to install additional things, setup crons etc).
ntubski is 100% correct with the command; however, the rule most likely *WILL NOT* be removed at that time. Good luck; you'll need it.
And there's nothing in any response you've received here that wasn't on topic, useful, or solicited; when you ask a question you are soliciting answers.
I've got a private mail from OP, wanted explanation (and deletion of my previous mail).
Dear OP, you missed a very important thing: the help you are waiting for is to deliver a working solution for, you without you. We would like to help you, but without knowing the details we can only guess. That's why was fail2ban suggested. You refused (forgotten?) to say some important details (especially what's wrong with fail2ban).
ntubski tried a different approach, but again without details who knows if you will accept it or not?
From my side asking (and requesting more info) is a way to give better help, ignoring these questions is just making more trouble for yourself.
PM was obviously sent to prevent wasting the time of others (like you and others in this topic like to do) and it is my choice i do not want to use f2b, not sure why you kids does not understand, but i do not care why, i just hope you stop wasting time of all the people by your unsolicited content instead of replying strictly ontopic or keep silent.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.