Topic: Never ban IP

Trond
Never ban IP
« on: May 10, 2017, 01:14:28 pm »
Hi
I have a server with the config parameter BanOnEvent set like this:
BanOnEvent ClientConnectRate 5/00:01:00 01:00:00 "Stop connecting frequently"

I have added this to my config to avoid banning special IP addresses:

<Class special-client>
        From 1.2.3.4
</Class>

<IfModule mod_ban.c>
        <IfClass special-client>
           BanEngine off
        </IfClass>

        <IfClass !special-client>
           BanEngine on
        </IfClass>
</IfModule>

This did not help. Special IP addresses are still banned.


Here are some settings:
proftpd -V

Compile-time Settings:
  Version: 1.3.3g (maint)
  Platform: LINUX [Linux 2.6.32-642.13.1.el6.x86_64 x86_64]
  Built: Sat Jun 11 2016 10:16:46 UTC
  Built With:
    configure  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '--localstatedir=/var/run/proftpd' '--disable-strip' '--enable-ctrls' '--enable-dso' '--enable-facl' '--enable-ipv6' '--enable-nls' '--enable-openssl' '--enable-shadow' '--with-libraries=/usr/lib64/mysql' '--with-includes=/usr/include/mysql' '--with-modules=mod_readme:mod_auth_pam:mod_tls:mod_vroot' '--with-shared=mod_sql:mod_sql_passwd:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_radius:mod_quotatab_sql:mod_ldap:mod_ban:mod_wrap:mod_ctrls_admin:mod_facl:mod_load:mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper:mod_geoip:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache:mod_ifsession' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

  CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall
  LDFLAGS: -L$(top_srcdir)/lib  -L/usr/lib64/mysql
  LIBS: -lacl  -lssl -lcrypto -lssl -lcrypto -lcap  -lssl -lcrypto  -lpam -lsupp -lcrypt -ldl  -ldl -lz

  Files:
    Configuration File:
      /etc/proftpd.conf
    Pid File:
      /var/run/proftpd/proftpd.pid
    Scoreboard File:
      /var/run/proftpd/proftpd.scoreboard
    Header Directory:
      /usr/include/proftpd
    Shared Module Directory:
      /usr/libexec/proftpd

  Features:
    - Autoshadow support
    + Controls support
    + curses support
    - Developer support
    + DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    + ncursesw support
    + NLS support
    + OpenSSL support
    + POSIX ACL support
    + Shadow file support
    + Sendfile support
    + Trace support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 30
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10


DEBUG LEVEL 10:
- using TCP receive buffer size of 87380 bytes
 - using TCP send buffer size of 16384 bytes
 - testing Unix domain socket using S_ISFIFO
 - testing Unix domain socket using S_ISSOCK
 - using S_ISSOCK macro for Unix domain socket detection
 - mod_tls/2.4.2: using OpenSSL 1.0.1e-fips 11 Feb 2013
 - disabling runtime support for IPv6 connections
 - retrieved UID 99 for user 'nobody'
 - retrieved GID 99 for group 'nobody'
 - loading 'mod_ctrls_admin.c'
 - loading 'mod_sftp.c'
 - mod_sftp/0.9.7: using OpenSSL 1.0.1e-fips 11 Feb 2013
 - loading 'mod_wrap2.c'
 - loading 'mod_wrap2_file.c'
 - loading 'mod_ifsession.c'
 - ROOT PRIVS at mod_ctrls.c:110
 - RELINQUISH PRIVS at mod_ctrls.c:112
 - <IfModule>: using 'mod_ctrls_admin.c' section at line 294
 - <IfModule>: using 'mod_vroot.c' section at line 301
 - <IfDefine>: skipping 'TLS' section at line 306
 - loading 'mod_ban.c'
 - <IfDefine>: skipping 'QOS' section at line 346
 - <IfDefine>: skipping 'ANONYMOUS_FTP' section at line 372
 - <IfModule>: using 'mod_sftp.c' section at line 428
 - <IfModule>: using 'mod_wrap2.c' section at line 452
 - <IfModule>: using 'mod_ban.c' section at line 466
 - UseReverseDNS off, returning IP address instead of DNS name
10.27.77.10 -
10.27.77.10 - Config for sftp.test.infotorg.no:
10.27.77.10 - <IfClass>
10.27.77.10 -  BanEngine
10.27.77.10 - <IfClass>
10.27.77.10 -  BanEngine
10.27.77.10 - ServerIdent
10.27.77.10 - DefaultServer
10.27.77.10 - DefaultRoot
10.27.77.10 - AuthPAMConfig
10.27.77.10 - AuthOrder
10.27.77.10 - AuthUserFile
10.27.77.10 - AuthGroupFile
10.27.77.10 - IdentLookups
10.27.77.10 - UserID
10.27.77.10 - UserName
10.27.77.10 - GroupID
10.27.77.10 - GroupName
10.27.77.10 - UseSendfile
10.27.77.10 - TransferLog
10.27.77.10 - VRootEngine
10.27.77.10 - HiddenStores
10.27.77.10 - SFTPEngine
10.27.77.10 - SFTPLog
10.27.77.10 - SFTPHostKey
10.27.77.10 - SFTPHostKey
10.27.77.10 - SFTPAuthorizedUserKeys
10.27.77.10 - SFTPOptions
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - SFTPClientMatch
10.27.77.10 - WrapEngine
10.27.77.10 - WrapTables
10.27.77.10 - WrapDenyMsg
10.27.77.10 - WrapLog
10.27.77.10 - Limit
10.27.77.10 -  AllowAll
10.27.77.10 - Umask
10.27.77.10 - AllowOverwrite
10.27.77.10 - ROOT PRIVS at mod_delay.c:354
10.27.77.10 - RELINQUISH PRIVS at mod_delay.c:359
10.27.77.10 - ROOT PRIVS at mod_ctrls.c:1139
10.27.77.10 - RELINQUISH PRIVS at mod_ctrls.c:1141
10.27.77.10 - mod_lang/0.9: binding to text domain 'proftpd' using locale path '/usr/share/locale'
10.27.77.10 - mod_lang/0.9: using locale files in '/usr/share/locale'
10.27.77.10 - mod_lang/0.9: added the following supported languages: ja_JP, zh_TW, fr_FR, bg_BG, zh_CN, it_IT, ko_KR, ru_RU, en_US
10.27.77.10 - ROOT PRIVS at keys.c:552
10.27.77.10 - RELINQUISH PRIVS at keys.c:554
10.27.77.10 - ROOT PRIVS at keys.c:552
10.27.77.10 - RELINQUISH PRIVS at keys.c:554
10.27.77.10 - ROOT PRIVS at mod_ban.c:2057
10.27.77.10 - RELINQUISH PRIVS at mod_ban.c:2059
10.27.77.10 - ROOT PRIVS at mod_ban.c:2089
10.27.77.10 - RELINQUISH PRIVS at mod_ban.c:2091
10.27.77.10 - retrieved group ID: 99
10.27.77.10 - setting group ID: 99
10.27.77.10 - SETUP PRIVS at main.c:3133
10.27.77.10 - ROOT PRIVS at main.c:2155
10.27.77.10 - RELINQUISH PRIVS at main.c:2162
10.27.77.10 - ROOT PRIVS at main.c:2490
10.27.77.10 - deleting existing scoreboard '/var/run/proftpd/proftpd.scoreboard'
10.27.77.10 - opening scoreboard '/var/run/proftpd/proftpd.scoreboard'
10.27.77.10 - RELINQUISH PRIVS at main.c:2516
10.27.77.10 - ROOT PRIVS at mod_ctrls_admin.c:1180
10.27.77.10 - opening scoreboard '/var/run/proftpd/proftpd.scoreboard'
10.27.77.10 - RELINQUISH PRIVS at mod_ctrls_admin.c:1182
10.27.77.10 - Failed binding to 0.0.0.0, port 2222: Address already in use
10.27.77.10 - Check the ServerType directive to ensure you are configured correctly.
10.27.77.10 - ROOT PRIVS at mod_delay.c:1346
10.27.77.10 - RELINQUISH PRIVS at mod_delay.c:1351
10.27.77.10 - mod_sftp/0.9.7: scrubbing 2 passphrases from memory
10.27.77.10 - ROOT PRIVS at mod_ban.c:1758
10.27.77.10 - RELINQUISH PRIVS at mod_ban.c:1760


proftpd -v
ProFTPD Version 1.3.3g

castaglia (Administrator)
Re: Never ban IP
« Reply #1 on: May 10, 2017, 06:57:13 pm »
Do you have any <VirtualHost> sections in your ProFTPD configuration?  It could be that that <IfModule mod_ban.c> section needs to be enclosed in a <Global> section, so that it is applied to any/all vhosts...

Trond
Re: Never ban IP
« Reply #2 on: May 12, 2017, 12:30:04 pm »
No success. I have this in my config now:

<Class special-client>
        FROM 212.18.129.200
</Class>


<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask                         007

  # Allow users to overwrite files and change permissions
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

<IfModule mod_ban.c>
        <IfClass special-client>
           BanEngine off
        </IfClass>

        <IfClass !special-client>
           BanEngine on
        </IfClass>
</IfModule>

</Global>

But now it never blocks any IP.

castaglia (Administrator)
Re: Never ban IP
« Reply #3 on: May 12, 2017, 06:10:03 pm »
When you connect from that special client, what does the proftpd debug logging show?  Specifically does the debug logging show the IP address of that connected client that you expect?  Does it match with that "From" address, or is it different, due to e.g. some NAT/firewall/router?

Trond
Re: Never ban IP
« Reply #4 on: May 23, 2017, 09:23:42 am »
The IP address in wrap.log shows that the IP address matches the special IP address in the config file. So no NAT or firewall problems.


castaglia (Administrator)
Re: Never ban IP
« Reply #5 on: May 23, 2017, 04:55:11 pm »
That's not what I was hoping for; I was hoping to see the requested logging information.

Trond
Re: Never ban IP
« Reply #6 on: June 07, 2017, 06:26:12 am »
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: unable to resolve GID for 'trond'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: using 'file:~/.sftp/hosts.allow' for allow table
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: using 'file:~/.sftp/hosts.deny' for deny table
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: looking under service name 'proftpd'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: checking access rules for connection
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: checking allow table rules
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: table daemon list:
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   ALL
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: table client list:
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   108.156.110.1
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   88.95.19.89
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   212.18.129.200
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: daemon matches 'ALL'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: client matches '212.18.129.200'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: allowed connection from trond@212.18.129.200
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: unable to resolve GID for 'trond'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: using 'file:~/.sftp/hosts.allow' for allow table
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: using 'file:~/.sftp/hosts.deny' for deny table
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: looking under service name 'proftpd'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: checking access rules for connection
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: checking allow table rules
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: table daemon list:
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   ALL
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: table client list:
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   108.156.110.1
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   88.95.19.89
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]:   212.18.129.200
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: daemon matches 'ALL'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: client matches '212.18.129.200'
Jun 07 08:25:05 mod_wrap2/2.0.6[122457]: allowed connection from trond@212.18.129.200

Trond
Re: Never ban IP
« Reply #7 on: June 07, 2017, 06:41:37 am »
Here is the ban.log output when changing the allowed IP:

Jun 07 08:39:55 mod_ban/0.5.5[123443]: added ClientConnectRate-triggered autoban for host '212.18.129.200'
Jun 07 08:39:55 mod_ban/0.5.5[123443]: ClientConnectRate autoban threshold reached, ending session
Jun 07 08:40:00 mod_ban/0.5.5[123476]: login from host '212.18.129.200' denied due to host ban


Trond
Re: Never ban IP
« Reply #8 on: June 07, 2017, 07:27:03 am »
Is it possible to take further discussion of this topic to email? I am a little uncomfortable showing all this information on an open forum.
My email address is trond.tandberg@evry.com.

Trond
Re: Never ban IP
« Reply #9 on: June 07, 2017, 01:47:31 pm »
I did finally find the solution for this:

LoadModule mod_ban.c
must be before
LoadModule mod_ifsession.c
in config-file
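The load-order gotcha above is easy to reintroduce on the next config edit, so here is an added lint check (example code written for this thread, not part of ProFTPD or the poster's setup) that flags it. It also covers the earlier reply's point about wrapping the mod_ban section in <Global> when <VirtualHost> sections exist, and warns on an <IfClass> that names an undefined <Class>. The sample configs and the 203.0.113.x addresses are constructed.

```python
"""Lint a proftpd.conf for the mod_ban / mod_ifsession ordering gotcha."""
import re

# Constructed sample (not the poster's real file): mod_ifsession.c is loaded
# before mod_ban.c, the ordering that made the <IfClass> override a no-op.
BROKEN_CONF = """\
LoadModule mod_ifsession.c
LoadModule mod_ban.c
<Class special-client>
  From 203.0.113.10
</Class>
<Global>
  <IfModule mod_ban.c>
    <IfClass special-client>
      BanEngine off
    </IfClass>
    <IfClass !special-client>
      BanEngine on
    </IfClass>
  </IfModule>
</Global>
"""
# Same config with the load order corrected, as the final reply describes.
FIXED_CONF = BROKEN_CONF.replace(
    "LoadModule mod_ifsession.c\nLoadModule mod_ban.c",
    "LoadModule mod_ban.c\nLoadModule mod_ifsession.c")


def lint_ban_config(conf: str) -> list:
    """Return a list of findings; an empty list means no known gotcha found."""
    findings = []
    order = re.findall(r"^\s*LoadModule\s+(\S+)", conf, re.M)
    ban_block = re.search(r"<IfModule\s+mod_ban\.c>(.*?)</IfModule>", conf, re.S | re.I)
    if not ban_block:
        return findings
    # Class names used inside the mod_ban section (leading '!' stripped).
    classes = re.findall(r"<IfClass\s+!?([^>\s]+)>", ban_block.group(1), re.I)
    if classes and "mod_ban.c" in order and "mod_ifsession.c" in order \
            and order.index("mod_ifsession.c") < order.index("mod_ban.c"):
        findings.append("LoadModule mod_ifsession.c precedes LoadModule mod_ban.c; "
                        "<IfClass> BanEngine overrides are ignored, load mod_ban.c first")
    defined = set(re.findall(r"<Class\s+(\S+)>", conf, re.I))
    for name in classes:
        if name not in defined:
            findings.append(f"<IfClass {name}> references a <Class> that is never defined")
    if re.search(r"<VirtualHost\b", conf, re.I):
        glob = re.search(r"<Global>(.*?)</Global>", conf, re.S | re.I)
        if not glob or not (glob.start() < ban_block.start() < glob.end()):
            findings.append("<VirtualHost> present but <IfModule mod_ban.c> is outside <Global>")
    return findings
```

Run it against /etc/proftpd.conf (the path shown in the proftpd -V output above) before a restart; an empty result means the three checks passed, not that the whole config is sound.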

castaglia (Administrator)
Re: Never ban IP
« Reply #10 on: June 07, 2017, 03:52:56 pm »
Hmm.  Good catch, and subtle.  I'll try to capture this in the mod_ban docs more clearly as a FAQ/gotcha.  I'm glad you were able to get it working!
