(a current version is always available within the apnscp documentation)
apnscp Firewall
apnscp utilizes firewalld for its firewall. Rampart is a module that serves as a wrapper for fail2ban, a brute-force deterrent that blocks threats through firewalld. These two components act in tandem to keep your server secure while exercising some intelligence. Rampart is for ephemeral blocks that automatically expire after a fixed duration (see network/setup-firewall) whereas a separate firewalld permanent whitelist/blacklist is provided.
During installation, apnscp will detect the connected IP address and whitelist it to avoid triggering a block by fail2ban, for example if you forget your password multiple times. If your IP address changes or you setup apnscp from behind a proxy, then you can easily update the whitelist with cpcmd
cpcmd config_set rampart.whitelist
To view active whitelists use config_get:
cpcmd config_get rampart.whitelist
Whitelists may be IP address (64.22.68.1) or CIDR hosts (64.22.68.1/24). rampart.whitelist is an append-only operations. Edit /etc/fail2ban/jail.conf by hand to remove old IP addresses.
Whitelisting access
apnscp restricts access to all ports except for well-known services (HTTP, FTP, mail, SSH) and optional services (CP, user daemons). A second whitelist, which allows access to blocked ports as well as overrides Rampart can be set using firewall-cmd
:
firewall-cmd --ipset=whitelist --add-entry=192.168.0.1/24
These entries are permanent.
Blacklisting
Likewise a blacklist exists to block addresses that are not blocked by Rampart's adaptive firewall.
firewall-cmd --ipset=blacklist --add-entry=192.168.0.10
Blacklists are lower priority than whitelist and Rampart blocks.
Unbanning IP addresses
All IP addresses automatically unban from Rampart after a fixed duration. To manually unban an address from Rampart use cpcmd:
# Ban 192.168.0.4 in recidive, which is a long-term ban > 1 week
cpcmd rampart_ban 192.168.0.4 recidive
# Validate which jails 192.168.0.4 is present in
cpcmd rampart_is_banned 192.168.0.4
# Unban 192.168.0.4 from all jails
cpcmd rampart_unban 192.168.0.4
Permanent blacklist and whitelist entries can be removed with firewall-cmd
# Add 192.168.0.4 to the permanent whitelist
firewall-cmd --ipset=whitelist --add-entry=192.168.0.4
# Show all whitelist entries
ipset list whitelist
# Remove 192.168.0.4 from whitelist
firewall-cmd --ipset=whitelist --remove-entry=192.168.0.4