Remove old banned IP addresses

**thisisit3** · 08-06-2007, 03:58 AM

On VPS systems with QoS limits you frequently hit the iptables rules limit. Especially if you run portsentry and BFD, the limit is reached rather quickly. The first thing to do is ask support to raise the default limit because its too low (i've asked to set it to 1000, which fills up within a week or so).

STEP 1 - the script
Copy the following code into a text file, name it something like "ipbanreset" and place it in your "/root/bin" directory.

Code:

#!/bin/bash

# Make sure we are running under a VPS system with QoS
if [ ! -f "/proc/user_beancounters" ]
then
  echo "File \"/proc/user_beancounters\" does not exist. Make sure this script runs on a VPS system with QoS enabled."
  exit $E_NOFILE
fi

# Get the iptables hard limit
iplimit=` tail /proc/user_beancounters | grep numiptent | awk '{print$5}' `

# Get the 90% of the limit, convert to integer via scale
iplimit_soft=` echo "scale=0; $iplimit * 0.90 / 1" | bc -l `

# Get the iptables current count
ipcurrent=` tail /proc/user_beancounters | grep numiptent | awk '{print$2}' `

# If the current count not greater or equal (less than) to the soft limit, exit
if [ "$ipcurrent" -lt "$iplimit_soft" ]
then
	exit 0
fi

hostname=`hostname`
echo "Warning: iptables rule limit has been reached (over 90% full) on $hostname"
echo "Hard limit: $iplimit"
echo "Soft limit (90%): $iplimit_soft"
echo "Current number of rules: $ipcurrent"

# Get all currently banned IP addresses from iptables
declare -a bannedips
bannedips=( `/sbin/iptables --list -n | grep "DROP" | grep "all" | awk '{print$4}'` )

# Exit if no banned IP addresses are found
if [ "${#bannedips[*]}" -eq "0" ]
then
	echo "No banned IP addresses found, other types of rules have filled the rule limit."
	exit 0
fi

echo "Removing old banned IP addresses..."

# Count them and get half of them (the oldest half)
bannedips_count=`expr ${#bannedips[*]} / 2`

# Remove them from iptables
for element in $(seq $bannedips_count $((${#bannedips[@]} - 1)))
do
	`/sbin/iptables -D INPUT -s ${bannedips[$element]} -j DROP`
done

echo "Removed $bannedips_count banned IP addresses"

ipcurrent=` tail /proc/user_beancounters | grep numiptent | awk '{print$2}' `
echo "New current number of rules: $ipcurrent"

STEP 2 - the cron job
Now create a cron job so that the above script runs once a day, for example, run "crontab -e" as root and add (runs once a day, at midnight):

Code:

0 0 * * * /root/bin/ipbanreset

**homoludens** · 08-08-2007, 09:47 AM

Thanks for another great script, thisisit3. You've saved me hours of noob induced swearing.

**thisisit3** · 08-08-2007, 01:04 PM

No problem, i'm glad its helpful to you.

I've tried to add it as another link in my signature, unfortunately i've reached the character-limit, so i may need to open a special thread with all my tips & tricks....

hmmm

**Ron** · 08-08-2007, 01:18 PM

Temporary solution(s) to save signature characters...
instead of fancy urls,
[url=http://www.jaguarpc.com/forums/showthread.php?t=17391]Exim Customization[/url] 83 chars
you could do something like
Exim customization: www.jaguarpc.com/forums/showthread.php?t=17391 66 chars
or even better (worse?)
Exim customization: www.tinyurl.com/yo9h9a 42 chars

That last being about 1/2 the chars, but it's a short description.
Or you could PM Jag and ask for more sig space for everyone if it is definable.

I was just bored.

**thisisit3** · 08-08-2007, 03:09 PM

hehe

i may use your suggestion for tinyurl.com

**dayo** · 10-11-2007, 11:23 AM

You are the man!

**thisisit3** · 10-12-2007, 12:53 AM

thank you :P

**counterpoint** · 08-14-2008, 05:03 AM

This stuff is very helpful - thanks. Unfortunately, I'm getting some kind of error each time the cron job runs:
iptables: Bad rule (does a matching rule exist in that chain?)
which repeats a good number of times.

At the end of the report, it says that 115 rules have been removed, but the number of rules is only one less than it was at the start - presumably the other 114 refer to the error messages.

I'm not sure how I can clear this?

**counterpoint** · 08-14-2008, 11:01 AM

Adding to my query above, the actual command being executed in the loop is always:
/sbin/iptables -D INPUT -s 0.0.0.0/0 -j DROP

**thisisit3** · 08-21-2008, 06:59 PM

Run the following command, it should report all the banned IP addresses currently in your iptables:

Code:

/sbin/iptables --list -n | grep "DROP" | grep "all" | awk '{print$4}'

look at the output and see if there are any mistakes, like for example empty addresses, strings, non-numeric stuff etc.

for some reason, your system returns output with wrong IP addresses...

**counterpoint** · 08-22-2008, 02:22 AM

I get a list of IP addresses, and then a list of null IP addresses (that probably cause the trouble). But I'm not clear how to get rid of them without damaging the iptables setup.

Code:

222.184.178.15
87.118.120.202
89.149.241.229
59.126.46.141
77.48.10.14
80.68.203.22
85.92.68.124
220.69.22.75
67.228.115.242
222.255.9.248
91.196.61.118
216.168.253.198
89.106.8.242
216.168.253.199
216.168.253.197
216.168.253.196
122.139.47.87
85.88.28.5
83.149.102.130
220.249.213.184
123.64.176.199
82.133.112.213
202.4.48.210
65.57.245.11
203.22.204.187
205.234.215.99
116.231.42.118
58.65.232.113
213.6.177.64
86.134.176.242
81.169.139.117
202.60.70.84
86.102.99.101
208.179.186.104
82.132.136.193
194.117.157.72
82.152.223.216
123.4.116.205
79.127.26.192
59.40.231.74
116.204.200.73
82.132.136.219
82.132.136.197
116.2.175.8
83.137.98.245
61.87.232.80
125.65.165.139
121.41.6.240
211.94.162.151
88.214.192.29
85.236.225.37
117.44.10.245
194.72.238.62
61.19.242.44
75.14.245.201
116.232.251.18
82.132.136.213
82.152.223.52
76.65.80.5
85.183.21.6
89.42.133.2
91.98.84.106
72.232.207.234
213.203.223.115
69.60.122.6
220.167.186.24
221.206.60.30
58.41.32.239
213.6.155.119
125.65.112.135
69.73.160.29
212.113.24.150
78.39.6.200
85.185.172.23
117.92.136.45
85.185.41.188
189.105.16.245
88.235.245.217
89.34.211.70
202.145.97.59
213.6.181.238
66.45.227.82
66.11.228.246
66.45.246.210
201.235.176.120
65.75.242.167
88.243.159.170
210.51.11.239
122.4.185.46
217.72.220.70
84.244.147.70
207.44.246.69
77.245.144.141
217.199.191.194
121.102.62.107
202.181.99.47
219.94.155.28
202.69.234.125
219.94.162.56
219.94.128.213
82.66.25.99
150.162.34.200
116.227.185.64
220.248.45.69
125.66.207.127
121.229.74.198
189.12.231.50
69.64.50.59
189.24.244.153
69.64.49.15
190.210.9.213
213.189.154.226
87.230.89.19
222.187.221.3
216.31.146.19
58.19.238.205
217.219.227.165
98.223.147.16
200.150.40.223
58.214.181.22
78.38.128.4
69.222.217.225
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0

**thisisit3** · 08-28-2008, 06:04 AM

Something is messing up the IP chain. What kind of scripts have you got installed on your server? one of those is probably adding these bogus lines, i don't think that its related to my script.

Do you use APF or BFD or some other script like that?

**counterpoint** · 08-28-2008, 06:43 AM

I'm using BFD with the settings you kindly suggested for use with JaguarPC VPS.

**thisisit3** · 08-28-2008, 07:10 AM

Enable the email feature of BFD and see which rule generates the bogus IP addresses.

**counterpoint** · 08-28-2008, 11:14 AM

I get an email for each BFD action, as below. They all look ok. Or is there another email option?

The remote system 80.191.247.3 was found to have exceeded acceptable login failures on vps.aliroguru.net; there was 1 events to the service apache-exploits. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 80.191.247.3 {bfd.apache-exploits}

The following are event logs from 80.191.247.3 on service apache-exploits (all time stamps are GMT +0100):

[Wed Aug 27 15:41:14 2008] [error] [client 80.191.247.3] Invalid method in request \x16\x03
[Wed Aug 27 15:41:14 2008] [error] [client 80.191.247.3] File does not exist: /usr/local/apache/htdocs/501.shtml
----
- Thank you;
root@vps.aliroguru.net

LinkBack

Thread Tools

Display

Remove old banned IP addresses

Bookmarks

Bookmarks

Posting Permissions