    Unblocking an IP Address

    How to remove a "Blocked" IP address from the Linux firewall

    Reviewed by Murray Anderegg 02/27/2013

    The department blocks the IP addresses of systems from which multiple bad passwords are entered within a certain amount of time.  Blocks are temporary and should automatically clear after a period of time. The period of time starts at no less than 10 minutes and increases by 50% for every set of failed attempts afterwards, e.g. no less than 15 minutes, followed by no less than 22 minutes, followed by no less than 33 minutes, etc. Eventually a block can become permanent for an extremely persistent system. If you think this has happened to you, send email to help@cs.unc.edu to get the block removed.

    The rest of this document describes what an administrator needs to do to remove a "block" on an IP address from a machine.

    When an address is blocked, it should be placed into a chain in the firewall called 'sshguard'. On an older ssh installation, the addresses were placed into a chain in the firewall called 'STASIS'.

    Required information

    To remove the block on an IP number, you will need the following information:

    • the machine that the user is trying to access
    • the userid for the user
    • the IP address from which the user has been trying to access the machine

    If the user does not know this, then use 'sudo' on the machine to look for failed logins by the userid.  This is done with:

    • /bin/egrep 'ailed.*userid' /var/log/secure

    For example:

    • /bin/egrep 'ailed.*anderegg' /var/log/secure

    To remove a block:

    ssh to the machine that has blocked the user.

    Search for the IP address in the firewall with:

    sudo /sbin/iptables --list sshguard --numeric --verbose --line-numbers

    sudo /sbin/iptables --list STASIS --numeric --verbose --line-numbers

    If you need to, you can search the firewall for just that IP address with:

    • sudo /sbin/iptables --list --numeric --verbose --line-numbers | /bin/grep ipaddr

    For example:

    • sudo /sbin/iptables --list --numeric --verbose --line-numbers | /bin/grep 152.2.129.83

    Removing an address in the sshguard chain

    If the address has been placed into the sshguard chain in the firewall, then the way to get the user out is to restart the sshguard service:

    On Red Hat systems, sudo /sbin/service sshguard restart

    On Ubuntu systems, sudo /usr/sbin/invoke-rc.d sshguard restart

    Then recheck that the IP address is no longer in the firewall.

    Removing an address in the STASIS chain

    When you have decided that the address is indeed blocked by the firewall, run the following command:

    • sudo /sbin/iptables --delete STASIS -s ipaddr/32 -d 0/0 -j DROP

    For example:

    • sudo /sbin/iptables --delete STASIS -s 152.2.129.83/32 -d 0/0 -j DROP

    Now search for the IP address again in STASIS, in case the user ended up in the firewall more than once.  All instances of the IP address must be removed from the STASIS firewall chain.
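Because a plain grep for an address also matches longer addresses that contain it, the following added example (not part of the department's procedure) matches the source column exactly and prints the delete command above once per instance found. It assumes the source address is the ninth column of the `--numeric --verbose --line-numbers` listing; the function names and the sample listing, which uses documentation-range addresses, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the output of
#   iptables --list STASIS --numeric --verbose --line-numbers
# Addresses are from documentation ranges, not real blocked hosts.
sample_listing() {
    cat <<'EOF'
Chain STASIS (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       all  --  *      *       192.0.2.83           0.0.0.0/0
2        0     0 DROP       all  --  *      *       192.0.2.8            0.0.0.0/0
3        4   240 DROP       all  --  *      *       192.0.2.83           0.0.0.0/0
4        9   540 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
EOF
}

# matching_rules IP
# Reads a chain listing on stdin and prints the rule numbers whose source
# column (field 9 in this layout, an assumption) is exactly IP.
matching_rules() {
    awk -v ip="$1" '$1 ~ /^[0-9]+$/ && ($9 == ip || $9 == ip "/32") { print $1 }'
}

# delete_commands CHAIN IP
# Reads a chain listing on stdin and prints the delete command once per
# matching rule, because each run of it removes a single instance.
delete_commands() {
    chain=$1
    ip=$2
    matching_rules "$ip" | while read -r _num; do
        printf 'sudo /sbin/iptables --delete %s -s %s/32 -d 0/0 -j DROP\n' "$chain" "$ip"
    done
}

# Demo on the constructed listing: exact match versus substring match.
echo "exact match rule numbers for 192.0.2.8:"
sample_listing | matching_rules 192.0.2.8
echo "lines a plain grep for 192.0.2.8 would return:"
sample_listing | grep -c '192.0.2.8'
echo "commands needed to clear 192.0.2.83:"
sample_listing | delete_commands STASIS 192.0.2.83
```

On a live system, pipe the real listing into `matching_rules` instead of `sample_listing`, and rerun it after the deletes to confirm it prints nothing.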

    You can also flush all of the blocked IP addresses from the firewall by running:  sudo /sbin/iptables --flush STASIS
