OPNsense Forum

English Forums => General Discussion => Topic started by: siga75 on November 12, 2019, 12:32:27 pm

Title: nginx banned IP timer
Post by: siga75 on November 12, 2019, 12:32:27 pm
Is there an option to auto-remove entries in the nginx ban table after a defined period? Should I define a cron job with the "expiretable" command or something similar?
Title: Re: nginx banned IP timer
Post by: fabian on November 12, 2019, 06:19:50 pm
No, there is no automatic removal. Expiring the table will not work as it will be filled again.

You have to delete the entries manually or via the API.
Title: Re: nginx banned IP timer
Post by: siga75 on November 12, 2019, 07:57:22 pm
THX Fabian,

I guess it is handled here for the manual removal

/usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_opnsense_nginx_ban.volt.php

<script>
$(function () {
    $("#grid-ban").UIBootgrid(
        { 'search':'/api/nginx/bans/searchban',
            'del':'/api/nginx/bans/delban/',
            'options': {
                selection:false,
                multiSelect:false,
                formatters: {
                    "delbtn": function (column, row) {
                        return `<button type="button" class="btn btn-xs btn-default command-delete" data-row-id="${row.uuid}"
><span class=\"fa fa-unlock-alt\"></span></button>`;
                    }
                },
            }
        }
    );

});

But since I don't know how to use it, could I simply do a sed on this file? I also have the timestamp information. Or is there another place where you store those IPs?

# grep -B 1 -A 2 71.6.146.186 /conf/config.xml
      <ban uuid="62507f77-b0c4-494d-a328-06aa2d7f7573">
        <ip>71.6.146.186</ip>
        <time>1570404540</time>
      </ban>
Title: Re: nginx banned IP timer
Post by: fabian on November 12, 2019, 10:21:08 pm
You can just use curl for the API. Just have the dev tools (network tab) open while deleting an entry. You can then right-click the request, choose "Copy as cURL", and adjust it to look like in the docs.

If you work directly on the firewall, you may also delete the ban entries manually and then flush the table. The cron job will refill it after 1 minute again. You can also delete IP addresses one by one from the table.

Another alternative would be that you implement that feature and create a PR. The file you would have to change would be:

https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
Title: Re: nginx banned IP timer
Post by: siga75 on November 13, 2019, 11:25:25 am
Thank you so much

Not so elegant, but does the job, I will eventually improve it

# /bin/sh
# key="/xxxxxxxxxWEy"
# secret="ippfxxxxxxxxxxxxdN"
# sed -n -e '/<Nginx/,/<\/Nginx>/p' /conf/config.xml | sed -n -e '/<ban uuid/,/<\/ban>/p' | awk -F'\"|<|>' -v TSTAMP=`date +%s` '/ban uuid/ {uuid=$3; getline; getline; if($3<TSTAMP-7*24*60*60) print uuid }' | while read UUID; do curl --ssl --insecure -X POST --data "{}" -H "Content-Type: application/json" --user "$key":"$secret" https://127.0.0.1:8443/api/nginx/bans/delban/$UUID; done
{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}{"result":"deleted"}#


# sed -n -e '/<Nginx/,/<\/Nginx>/p' /conf/config.xml | sed -n -e '/<ban uuid/,/<\/ban>/p'
      <ban uuid="da166ce2-f84f-4ae5-b23b-def173b2ca20">
        <ip>185.153.197.5</ip>
        <time>1573176421</time>
      </ban>
      <ban uuid="fc929064-aafb-4755-9a03-17464125103b">
        <ip>156.211.210.249</ip>
        <time>1573225981</time>
      </ban>
      <ban uuid="f8659144-cc18-4e1e-bf17-2633dfd24973">
        <ip>156.210.54.2</ip>
        <time>1573235581</time>
      </ban>
      <ban uuid="f7afc41c-d58f-42bb-9ef0-f0e2c55418b6">
        <ip>156.211.162.22</ip>
        <time>1573236961</time>
      </ban>
      <ban uuid="09a861c3-a5a9-4a2c-ac7b-3d87437371e4">
        <ip>207.241.229.160</ip>
        <time>1573516321</time>
      </ban>
      <ban uuid="211584f3-c055-47ed-b85a-d58b1610f768">
        <ip>198.108.66.176</ip>
        <time>1573532041</time>
      </ban>
      <ban uuid="ef17f478-9879-47a5-ae85-c923e06fd7e1">
        <ip>144.91.95.116</ip>
        <time>1573551841</time>
      </ban>
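
The expiry approach from this thread, restated as an added example (not code from any poster or from the OPNsense project): it selects bans older than seven days from the `<Nginx>` section and deletes them through the `delban` endpoint shown above, verifying the certificate instead of using `--insecure` and keeping the key and secret off curl's command line. The function names, `/root/nginx_unban.conf`, the `API_URL`, `API_KEY`, `API_SECRET` and `CA_FILE` variables, and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not the plugin's code. Ban layout and delban endpoint are from
# the thread; function names, file paths and the sample are assumptions.
# Print the uuid of each <ban> inside <Nginx> older than MAX_AGE seconds.
expired_ban_uuids() {   # usage: expired_ban_uuids NOW MAX_AGE < config.xml
    awk -v cutoff="$(($1 - $2))" '
        /<Nginx[ >]/  { in_nginx = 1 }
        /<\/Nginx>/   { in_nginx = 0 }
        !in_nginx     { next }
        /<ban uuid="/ { split($0, p, "\""); uuid = p[2]; next }
        /<\/ban>/     { uuid = "" }
        /<time>/ && uuid != "" {
            t = $0; gsub(/[^0-9]/, "", t)
            # The uuid ends up in a URL path, so accept only the UUID shape.
            if (t != "" && t + 0 < cutoff && length(uuid) == 36 &&
                uuid ~ /^[0-9a-f-]+$/) print uuid
        }'
}

# POST to delban for one uuid. Key and secret reach curl as a config on stdin,
# not on its command line; the host in API_URL must match the certificate.
delete_ban() {
    printf 'user = "%s:%s"\n' "$API_KEY" "$API_SECRET" |
        curl --silent --show-error --fail --config - --cacert "$CA_FILE" \
             -X POST --data '{}' -H 'Content-Type: application/json' \
             "$API_URL/api/nginx/bans/delban/$1"
}
# Constructed sample: at NOW=1573640000 only the first ban is older than 7 days.
sample_config() {
    cat <<'EOF'
<Nginx version="1.0">
  <ban uuid="62507f77-b0c4-494d-a328-06aa2d7f7573">
    <ip>192.0.2.1</ip>
    <time>1570404540</time>
  </ban>
  <ban uuid="da166ce2-f84f-4ae5-b23b-def173b2ca20">
    <ip>192.0.2.2</ip>
    <time>1573176421</time>
  </ban>
</Nginx>
EOF
}

if [ "${1:-}" = "--run" ]; then  # real run (e.g. cron); otherwise offline demo
    . /root/nginx_unban.conf     # assumed 0600 file: API_URL, API_KEY, API_SECRET, CA_FILE
    expired_ban_uuids "$(date +%s)" 604800 < /conf/config.xml |
        while read -r uuid; do delete_ban "$uuid" || echo "failed: $uuid" >&2; done
else sample_config | expired_ban_uuids 1573640000 604800
fi
```

Run without arguments it only prints the UUIDs it would delete from the constructed sample; `--run` reads `/conf/config.xml` and calls the API.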