wiki:firewall

wiki:firewall [2023/07/24 22:21] guidebeacon
wiki:firewall [2023/10/05 19:29] (current) guidebeacon
Line 29: Line 29:
 To remove an IP from the whitelist, just click delete from the same interface. To remove an IP from the whitelist, just click delete from the same interface.
  
-Additionally, IPs added to the whitelist may be included as administratively allowed IPs in nftables by the ''/etc/cron.daily/update_firewall.sh'' script.+Do not forget to update the firewall by running the script: ''/etc/cron.daily/update_firewall.sh'' 
 + 
 +The script runs daily, but running it now will immediately update the firewall. 
 + 
 +**Do not forget to add the IP to each of the 2 accounts, master on chost and beacontechnology on kingscpw01.** 
 + 
 +[[wiki:firewall#allowing_ips_to_locked_down_cpanel_accounts|Click here to learn more]]
  
 ==== Blacklist Management ==== ==== Blacklist Management ====
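Review bot: the replaced sentence drops the only explanation of what the script does with whitelisted IPs (it loads them into the nftables adminwhitelist set as administratively allowed addresses); keep that explanation next to the instruction to run ''/etc/cron.daily/update_firewall.sh'' rather than replacing it. The bold reminder should also state the order of operations: add the IP in cpHulk on both accounts first, then run the script, because the script only reads what cpHulk already holds. "Click here to learn more" should become descriptive link text, for example the target section's title.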
Line 41: Line 47:
   - Search for the IP in question, if the IP is unknown, ask the user to go to: ipecho.net and read the IP back.   - Search for the IP in question, if the IP is unknown, ask the user to go to: ipecho.net and read the IP back.
   - When the record is located, click "Delete"   - When the record is located, click "Delete"
 +
 +==== Troubleshooting ====
 +
 +It may  be the case that sometimes the script gives an error for various reasons, here are some steps to try to fix it:
 +
 +  - Try rebooting server
 +  - Try making a change in cpHulk like adding/removing an IP and trying again
 +  - Try this command: ''nft flush set inet filter ccblockset'' and try again
 +  - try this command: WARNING, may result in getting locked out, add your IP to ''/etc/sysconfig/nftables.conf'' before proceeding... ''nft flush set inet filter adminwhitelist''
  
 ===== Host Access Control ===== ===== Host Access Control =====
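Review bot: in step 4 the lockout warning should come before the command, not in the middle of the sentence, and step 1 (rebooting the server) is the most disruptive option and belongs last rather than first. Steps 3 and 4 flush the same two sets that the script itself flushes at the start of its nft batch, so the text should say what they actually fix (a stale or partially applied set that makes a rerun fail) instead of presenting them as independent remedies. "It may  be the case that sometimes" has a stray double space and should be shortened to "If the script fails, try these steps in order:", and "try this command" in step 4 should be capitalised like the other steps.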
Line 65: Line 80:
 Also note that rules are dynamically loaded into nftables by ''update_firewall.sh''. Also note that rules are dynamically loaded into nftables by ''update_firewall.sh''.
  
 +===== update_firewall.sh =====
 +
 +This script help managing nftables
 +
 +<code bash update_firewall.sh>
 +#!/bin/bash
 +
 +# this script extends cpHulk to assist managing nftables.
 +
 +# country codes selected in CPhulk will be banned at the IP level
 +# whitelisted ips will be included as administratively allowed
 +
 +set -e
 +trap 'catch $? $LINENO' EXIT
 +
 +catch() {
 +  if [ "$1" != "0" ]; then
 +    echo failed to update firewall rules
 +    echo "Error $1 occurred on $2"
 +  fi
 +}
 +
 +geoipdir='/usr/local/cpanel/3rdparty/share/geoipfree/country-cidrs'
 +
 +whitelist=$(mktemp)
 +blacklist=$(mktemp)
 +
 +# get list of CCs that are blocked
 +cclist=$( whmapi1 --output=json load_cphulk_config |
 +          jq -r '.data.cphulk_config.country_blacklist' )
 +
 +# loop over list and concat all subnets from cpanel free geoip
 +for i in ${cclist//,/ }; do
 +  grep -oP '(\d+\.){3}\d+/\d+' $geoipdir/$i | tr '\n' ',' >> $blacklist
 +done
 +
 +# write list of whitelist ips to temp file
 +whmapi1 --output=json read_cphulk_records list_name='white' |
 +        jq -r '.data.ips_in_list | keys[]' | grep -oP '(\d+\.){3}\d+' > $whitelist
 +
 +# generate new rules for nftables
 +{
 +  echo 'flush set inet filter ccblockset'
 +  echo 'flush set inet filter adminwhitelist'
 +
 +  # create whitelist set
 +  echo -n 'add element inet filter adminwhitelist { '
 +  cat $whitelist | tr '\n' ','
 +  echo ' }'
 +
 +  # create blacklist set
 +  echo -n 'add element inet filter ccblockset { '
 +  cat $blacklist | tr '\n' ','
 +  echo ' }'
 +} | nft -f -
 +
 +echo firewall was successfully updated
 +</code>
 +
 +===== Allowing IPs to locked down cpanel accounts =====
 +
 +On some accounts, there is htaccess that whitelists IPs for extra security.
 +
 +The htaccess is normally at: ''/home/username/public_html/.htaccess''
 +
 +The area you are looking for looks something like this:
 +
 +<code>order allow,deny
 +allow from xxx.xxx.xxx.xxx
 +allow from xxx.xxx.xxx.xxx
 +allow from xxx.xxx.xxx.xxx
 +allow from xxx.xxx.xxx.xxx</code>
 +
 +Just add a similar new entry below the last one in the list
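Review bot: the two mktemp files are never removed, because the EXIT trap only prints a message; add ''rm -f "$whitelist" "$blacklist"'' to ''catch''. The whitelist extraction ''grep -oP '(\d+\.){3}\d+''' keeps only a bare IPv4 address, so a CIDR range or IPv6 entry in the cpHulk whitelist is silently truncated or dropped, and the ''tr '\n' ','' pipelines leave a trailing comma before ''}'' (current nft accepts it, but ''paste -sd,'' avoids relying on that). The script also assumes the sets ''inet filter ccblockset'' and ''inet filter adminwhitelist'' are already defined in the ruleset, and ''nft -f -'' applies the whole batch as a single transaction, so a failed run leaves the previous sets intact; both facts should be stated in the section text since they bear directly on the lockout warning in Troubleshooting. In the htaccess example, ''order allow,deny'' is the Apache 2.2 form, which on Apache 2.4 only works with mod_access_compat loaded; the text should say which Apache version these accounts run.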
wiki/firewall.1690237310.txt.gz · Last modified: 2023/07/24 22:21 by guidebeacon
