(a current version is always available within the apnscp documentation)
apnscp utilizes firewalld for its firewall. Rampart is a module that serves as a wrapper for fail2ban, a brute-force deterrent that blocks threats through firewalld. These two components act in tandem to keep your server secure while exercising some intelligence. Rampart is for ephemeral blocks that automatically expire after a fixed duration (see network/setup-firewall) whereas a separate firewalld permanent whitelist/blacklist is provided.
During installation, apnscp will detect the connected IP address and whitelist it to avoid triggering a block by fail2ban, for example if you forget your password multiple times. If your IP address changes or you set up apnscp from behind a proxy, you can update the whitelist with
cpcmd config_set rampart.whitelist
To view active whitelists use config_get:
cpcmd config_get rampart.whitelist
Whitelist entries may be a single IP address (126.96.36.199) or a CIDR range (188.8.131.52/24). rampart.whitelist is an append-only operation. Edit /etc/fail2ban/jail.conf by hand to remove old IP addresses.
apnscp restricts access to all ports except for well-known services (HTTP, FTP, mail, SSH) and optional services (CP, user daemons). A second whitelist, which allows access to blocked ports and also overrides Rampart, can be set using
firewall-cmd --ipset=whitelist --add-entry=192.168.0.1/24
These entries are permanent.
Likewise, a blacklist exists to block addresses that Rampart's adaptive firewall has not blocked.
firewall-cmd --ipset=blacklist --add-entry=192.168.0.10
Blacklist entries are lower priority than whitelist entries and Rampart blocks.
Unbanning IP addresses
All Rampart bans expire automatically after a fixed duration. To unban an address from Rampart manually, use cpcmd:
# Ban 192.168.0.4 in recidive, which is a long-term ban > 1 week
cpcmd rampart_ban 192.168.0.4 recidive
# Validate which jails 192.168.0.4 is present in
cpcmd rampart_is_banned 192.168.0.4
# Unban 192.168.0.4 from all jails
cpcmd rampart_unban 192.168.0.4
Permanent blacklist and whitelist entries can be removed with firewall-cmd:
# Add 192.168.0.4 to the permanent whitelist
firewall-cmd --ipset=whitelist --add-entry=192.168.0.4
# Show all whitelist entries
ipset list whitelist
# Remove 192.168.0.4 from whitelist
firewall-cmd --ipset=whitelist --remove-entry=192.168.0.4
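Before adding or removing entries it helps to know which rule currently wins for a given client. The following is an added Python example, not apnscp's or Rampart's own code: it parses the Members section of ipset list output (the header layout and all addresses are constructed samples) and applies the precedence described above (whitelist overrides Rampart, Rampart outranks the blacklist, everything else falls to the default port policy).

```python
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of `ipset list whitelist` output. The header lines and
# the "Members:" layout are an assumption about ipset's text format.
SAMPLE_IPSET_OUTPUT = """\
Name: whitelist
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Number of entries: 2
Members:
203.0.113.7
198.51.100.0/24
"""


def parse_ipset_members(output: str) -> List[Net]:
    """Return the entries listed after 'Members:' as network objects.

    A bare host address becomes a /32 (or /128) network so every entry
    is compared the same way, whether it was added as a host or a CIDR.
    """
    nets: List[Net] = []
    in_members = False
    for line in output.splitlines():
        line = line.strip()
        if line == "Members:":
            in_members = True
            continue
        if in_members and line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def covered(addr: str, nets: List[Net]) -> bool:
    """True if addr falls inside any entry (exact host or CIDR range)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(addr: str, whitelist: List[Net], blacklist: List[Net],
             rampart_bans: List[Net]) -> str:
    """Resolve which rule applies: permanent whitelist first, then Rampart's
    ephemeral ban, then the permanent blacklist, else the default policy."""
    if covered(addr, whitelist):
        return "whitelist"
    if covered(addr, rampart_bans):
        return "rampart"
    if covered(addr, blacklist):
        return "blacklist"
    return "default"
```

On a live host the same functions can be fed the real output of ipset list whitelist and ipset list blacklist, with Rampart's current bans taken from cpcmd rampart_is_banned.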