How to a “Blocked” IP address from the Linux firewall
Reviewed by Murray Anderegg 02/27/2013
The department blocks the IP addresses of systems from which multiple bad passwords are entered within a certain amount of time. Blocks are temporary and should automatically clear after a period of time. The period of time starts at no less than 10 minutes and increases by 50% for every set of failed attempts afterwards, e.g. no less than 15 minutes, followed by no less than 22 minutes, followed by no less than 33 minutes, etc. Eventually a block can become permanent for an extremely persistent system. If you think this has happened to you, send email to email@example.com to get the block removed.
The rest of this document describes what an administrator needs to do to remove a “block” on an IP address from a machine.
When an address is blocked, it should be placed into a chain in the firewall called ‘sshguard’. On an older ssh installation, the addresses were placed into a chain in the firewall called ‘STASIS’.
To remove the block on an IP number, you will need the following information:
- the machine that the user is trying to access
the userid for the user
the IP address from which the user has been trying to access the machine
If the user does not know this, then use ‘sudo’ on the machine to look for failed logins by the userid. This is done with:
- /bin/egrep ‘ailed.*userid‘ /var/log/secure
- For example:
- /bin/egrep ‘ailed.*anderegg’ /var/log/secure
To remove a block:
ssh to the machine that has blocked the user.
Search for the IP address in the firewall with:
sudo /sbin/iptables –list sshguard –numeric –verbose –line-numbers
sudo /sbin/iptables –list STASIS –numeric –verbose –line-numbers
If you need to, you can search the firewall for just that IP address with:
- sudo /sbin/iptables –list –numeric –verbose –line-numbers | /bin/grep ipaddr
- For example,
- sudo /sbin/iptables –list –numeric –verbose –line-numbers | /bin/grep 22.214.171.124
Removing an address in the sshguard chain
If the address has been placed into the sshguard chain in the firewall, then the way to get the user out is to restart the sshguard service:
On Red Hat systems, sudo /sbin/service sshguard restart
On Ubuntu systems, sudo /usr/sbin/invoke-rc.d sshguard restart
Then recheck that the IP address is no longer in the firewall.
Removing an address in the STASIS chain
When you have decided that the address is indeed blocked by the firewall, run the following command:
- sudo /sbin/iptables –delete rule -s ipaddr/32 -d 0/0 -j DROP
- For example,
- sudo /sbin/iptables –delete STASIS -s 126.96.36.199/32 -d 0/0 -j DROP
Now search for the IP address again in STASIS, in case the user ended up in the firewall more than once. All instances of the IP address must be removed from the STASIS firewall chain.
You can also flush all of the blocked IP addresses from the firewall by running: sudo /sbin/iptables –flush STASIS