Unblocking an IP Address

How to remove a “blocked” IP address from the Linux firewall

Reviewed by Murray Anderegg 02/27/2013

The department blocks the IP addresses of systems from which multiple bad passwords are entered within a certain amount of time.  Blocks are temporary and should automatically clear after a period of time. The period of time starts at no less than 10 minutes and increases by 50% for every set of failed attempts afterwards, e.g. no less than 15 minutes, followed by no less than 22 minutes, followed by no less than 33 minutes, etc. Eventually a block can become permanent for an extremely persistent system. If you think this has happened to you, send email to help@cs.unc.edu to get the block removed.

The rest of this document describes what an administrator needs to do to remove a “block” on an IP address from a machine.

When an address is blocked, it should be placed into a chain in the firewall called ‘sshguard’. On an older ssh installation, the addresses were placed into a chain in the firewall called ‘STASIS’.

Required information

To remove the block on an IP number, you will need the following information:

  • the machine that the user is trying to access
  • the userid for the user
  • the IP address from which the user has been trying to access the machine

If the user does not know this, then use ‘sudo’ on the machine to look for failed logins by the userid (/var/log/secure is readable only by root). This is done with:

  • sudo /bin/egrep 'ailed.*userid' /var/log/secure
  • For example:
  • sudo /bin/egrep 'ailed.*anderegg' /var/log/secure
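The search above returns raw log lines; what the rest of the procedure actually needs is the list of source addresses behind them. The following script is an added example, not part of the original page: it reads sshd log lines on stdin, keeps the failed logins for one userid and tallies the source addresses. It assumes the "Failed password for [invalid user] <userid> from <ip> port <n>" line format that OpenSSH writes to /var/log/secure; the log lines embedded in it are constructed samples, not real log data.

```shell
#!/bin/sh
# Added example (not part of the original page): list the source addresses
# behind failed logins for one userid, which is the information the
# procedure needs before the firewall is searched. Reads log lines on stdin
# and assumes the "Failed password for [invalid user] <userid> from <ip>
# port <n>" format OpenSSH writes to /var/log/secure.

# Print "count ip" pairs, most frequent first, for failed logins by $1.
# The space before the userid stops "anderegg" from also matching
# "manderegg"; "invalid user anderegg" still matches.
failed_login_sources() {
    grep -E "ailed.* $1 from " \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Constructed sample of /var/log/secure lines (not real log data).
SAMPLE_LOG='Feb 27 09:01:12 host sshd[2101]: Failed password for anderegg from 152.2.129.83 port 51022 ssh2
Feb 27 09:01:15 host sshd[2101]: Failed password for anderegg from 152.2.129.83 port 51022 ssh2
Feb 27 09:02:40 host sshd[2130]: Accepted password for anderegg from 152.2.129.83 port 51030 ssh2
Feb 27 09:05:03 host sshd[2188]: Failed password for invalid user anderegg from 10.0.0.7 port 40010 ssh2
Feb 27 09:05:09 host sshd[2190]: Failed password for other from 152.2.129.83 port 51100 ssh2'

# On a real machine: sudo cat /var/log/secure | failed_login_sources anderegg
printf '%s\n' "$SAMPLE_LOG" | failed_login_sources anderegg
# prints:
# 2 152.2.129.83
# 1 10.0.0.7
```

The successful login on the third sample line is ignored, and the address with the most failures is listed first, which is normally the one that tripped the block.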

To remove a block:

ssh to the machine that has blocked the user.

Search for the IP address in the firewall with:

sudo /sbin/iptables --list sshguard --numeric --verbose --line-numbers

sudo /sbin/iptables --list STASIS --numeric --verbose --line-numbers

If you need to, you can search the firewall for just that IP address with:

  • sudo /sbin/iptables --list --numeric --verbose --line-numbers | /bin/grep ipaddr
  • For example,
  • sudo /sbin/iptables --list --numeric --verbose --line-numbers | /bin/grep 152.2.129.83

Removing an address in the sshguard chain

If the address has been placed into the sshguard chain in the firewall, then the way to get the user out is to restart the sshguard service:

On Red Hat systems, sudo /sbin/service sshguard restart

On Ubuntu systems, sudo /usr/sbin/invoke-rc.d sshguard restart

Then recheck that the IP address is no longer in the firewall.

Removing an address in the STASIS chain

When you have decided that the address is indeed blocked by the firewall, run the following command:

  • sudo /sbin/iptables --delete STASIS -s ipaddr/32 -d 0/0 -j DROP
  • For example,
  • sudo /sbin/iptables --delete STASIS -s 152.2.129.83/32 -d 0/0 -j DROP

Now search for the IP address again in STASIS, in case the user ended up in the firewall more than once.  All instances of the IP address must be removed from the STASIS firewall chain.
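Two details of the procedure above are easy to get wrong by hand: a plain grep of the listing also matches longer addresses (grep 152.2.129.8 matches 152.2.129.83, and "." matches any character), and once one rule is deleted the numbers of the rules below it shift. The following script is an added example, not part of the original page: it reads the output of sudo /sbin/iptables --list STASIS --numeric --verbose --line-numbers on stdin, finds every rule whose source column equals the address exactly, and prints the delete commands from the highest rule number down so they can be applied in one pass. The listing embedded in it is a constructed sample, not captured firewall output.

```shell
#!/bin/sh
# Added example (not part of the original page): find every STASIS rule that
# blocks one source address and emit the matching delete commands. Reads the
# output of
#   sudo /sbin/iptables --list STASIS --numeric --verbose --line-numbers
# on stdin.

# Print the rule numbers whose source column equals $1 exactly, highest first.
# Deleting from the highest number down keeps the remaining numbers valid, so
# several instances of the same address can be removed in one pass. Comparing
# the whole column instead of grepping the listing means 152.2.129.8 does not
# match 152.2.129.83 and "." is not treated as a wildcard.
stasis_rule_numbers() {
    awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $9 == ip { print $1 }' | sort -rn
}

# Print one "iptables --delete STASIS <num>" command per matching rule.
# The commands are printed rather than run so the administrator can review
# them; pipe the output to sh to apply them.
stasis_delete_commands() {
    stasis_rule_numbers "$1" | while read -r num; do
        printf 'sudo /sbin/iptables --delete STASIS %s\n' "$num"
    done
}

# Constructed sample listing: 152.2.129.83 appears twice, as the text warns
# can happen, and 152.2.129.8 is a different host that must not be touched.
SAMPLE_LISTING='Chain STASIS (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       all  --  *      *       152.2.129.83         0.0.0.0/0
2        3   180 DROP       all  --  *      *       152.2.129.8          0.0.0.0/0
3        5   300 DROP       all  --  *      *       152.2.129.83         0.0.0.0/0'

# On a real machine:
#   sudo /sbin/iptables --list STASIS --numeric --verbose --line-numbers \
#       | stasis_delete_commands 152.2.129.83
printf '%s\n' "$SAMPLE_LISTING" | stasis_delete_commands 152.2.129.83
# prints:
# sudo /sbin/iptables --delete STASIS 3
# sudo /sbin/iptables --delete STASIS 1
```

After applying the commands, list the chain once more as the text says, which confirms nothing was left behind and that rule 2 (the other host) is still in place.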

You can also flush all of the blocked IP addresses from the firewall by running:  sudo /sbin/iptables --flush STASIS