(a current version is always available within the apnscp documentation)

apnscp Firewall

apnscp utilizes firewalld for its firewall. Rampart is a module that serves as a wrapper for fail2ban, a brute-force deterrent that blocks threats through firewalld. These two components act in tandem to keep your server secure while exercising some intelligence. Rampart is for ephemeral blocks that automatically expire after a fixed duration (see network/setup-firewall) whereas a separate firewalld permanent whitelist/blacklist is provided.

During installation, apnscp will detect the connected IP address and whitelist it to avoid triggering a block by fail2ban, for example if you forget your password multiple times. If your IP address changes or you setup apnscp from behind a proxy, then you can easily update the whitelist with cpcmd

cpcmd config_set rampart.whitelist

To view active whitelists use config_get:

cpcmd config_get rampart.whitelist

Whitelists may be IP address ( or CIDR hosts ( rampart.whitelist is an append-only operations. Edit /etc/fail2ban/jail.conf by hand to remove old IP addresses.

Whitelisting access

apnscp restricts access to all ports except for well-known services (HTTP, FTP, mail, SSH) and optional services (CP, user daemons). A second whitelist, which allows access to blocked ports as well as overrides Rampart can be set using firewall-cmd:

firewall-cmd --ipset=whitelist --add-entry=

These entries are permanent.


Likewise a blacklist exists to block addresses that are not blocked by Rampart's adaptive firewall.

firewall-cmd --ipset=blacklist --add-entry=

Blacklists are lower priority than whitelist and Rampart blocks.

Unbanning IP addresses

All IP addresses automatically unban from Rampart after a fixed duration. To manually unban an address from Rampart use cpcmd:

# Ban in recidive, which is a long-term ban > 1 week
cpcmd rampart_ban recidive
# Validate which jails is present in
cpcmd rampart_is_banned
# Unban from all jails
cpcmd rampart_unban

Permanent blacklist and whitelist entries can be removed with firewall-cmd

# Add to the permanent whitelist
firewall-cmd --ipset=whitelist --add-entry=
# Show all whitelist entries
ipset list whitelist
# Remove from whitelist
firewall-cmd --ipset=whitelist --remove-entry=