3. PfblockerNG problems

PfblockerNG problems

  • S

    I setup pfblockerng with my own custom list in txt formart.
    Every fail2ban entry on my server gets add it to my deny.txt file. For the initial ipv4 setup list it downloads the file just fine and list all the ips as normal.
    The problem comes when I try to force update or when the cron runs the pfblcokerng db does not update. I am not sure why?!?

    ===[  Aliastables / Rules  ]================================

    No Changes to Firewall Rules, Skipping Filter Reload
    No Changes to Aliases, Skipping pfctl Update

    UPDATE PROCESS ENDED

    There is more ips in the file… How come is not adding them?

    0
  • Moderator

    Hi serialdie,

    I posted a patch in the pfBNG thread… I will be submitting a PR to get this fixed soon..

    Please patch the file  /usr/local/www/pfblockerng/pfblockerng.php  as indicated in the following thread below:
    https://forum.pfsense.org/index.php?topic=86212.msg526272#msg526272

    Following that, goto the Log browser, "Deny" and find the List in question (fail2ban) and delete that file by clicking the "x" on the right side… Follow that with a "Force Update"

    Thanks!

    0
  • S

    BBcan177,

    Thank you so much!

    0
  • S

    @BBcan177,

    Do you take donations?

    0
  • H

    I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.
    But [Status: System logs: Firewall] has several entries reported.

    What settings are needed for "append-mode" reporting ?

    0
  • D
    Banned

    @hda:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.

    Eh? Perhaps you could post some screenshots of the issue…

    0
  • S

    @doktornotor:

    @hda:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.

    Eh? Perhaps you could post some screenshots of the issue…

    Its fixed. I hit a few bugs that I worked out with the developer. Thanks! :)

    0
  • D
    Banned

    Oh, OK… I'm using the -dev stuff, so usually things are updated before I notice anything.

    0
  • H

    @doktornotor:

    Eh? Perhaps you could post some screenshots of the issue…

    Fixed what ? or I wait for pfBng > 1.09 ?




    0
  • S

    @hda:

    @doktornotor:

    Eh? Perhaps you could post some screenshots of the issue…

    Fixed what ? or I wait for pfBng > 1.09 ?

    Look here https://forum.pfsense.org/index.php?topic=86212.855

    0
  • Moderator

    @hda:

    I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.
    But [Status: System logs: Firewall] has several entries reported.

    What settings are needed for "append-mode" reporting ?

    Hi hda,

    If i understand your question, you are asking to see duplicate alerts in the Alerts Tab? Is that correct? You can put a

    //  in front of  continue;

    in the code below to have it display duplicate entries…

    Edit file :  /usr/local/www/pfblockerng/pfblockerng_alerts.php  Line: 455

    
                        // Skip Repeated Alerts 
			if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
				//continue;
			}

    Its best to open a new thread as the other issues in this thread are related to something else…

    0
  • Moderator

    OK I took a look at the screen shot and see what you mean… Could you change the following line and let me know if that fixes your issue please?

    Edit file :   /usr/local/www/pfblockerng/pfblockerng_alerts.php   Line: 454
                           ```

    // Skip repeated alerts
                            if (($pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_ip) {
                                    continue;
                            }

    
and also change line:  492

    $previous_ip = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];

    
Let me know if you need any help with that?

Thanks!
    0
  • H

    @BBcan177:

    … Could you change the following line and let me know if that fixes your issue please?
    ...

    Thank you for pointing me at the code spot(s). I have made the changes as per your last writing here above, BUT with commented out "continue".

    I found out that one have to Update Reload pfBlockerNG AND also to reload (by picking anyone rule and do Save & apply changes) the pfSense Firewall, in order to activate the renewed php-file. What is the proper protocol for restarting all ?

    Yes this works as I see now every attempt time-registered, except when the first attempt after reload is on a valid-port (listen "xyz22") i.s.o. the dummy-port (22).
    So, restated, if the first attempt is on the dummy-port (nothing listening on 22), then the entry (in Firewall-log & Alerts) is made, otherwise on an listening port no entry made at first attempt after reload/restart.

    Results in attach.

    Thank You !

    Edit: I see entry-2 should be from rule 112 i.s.o.107.


    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy