stamparm / maltrail

Malicious traffic detection system
MIT License
6.42k stars 1.07k forks

Howto remove my IP from the local blocklist #19053

Open hksolutions opened 2 years ago

hksolutions commented 2 years ago

Hi, I'm using the maltrail plugin on my OPNsense appliance. Everything is working like a charm.

But after a few tests I saw that my local computer IP was also on the blocklist.

When I enable the 'block firewall rule', it blocks all IP addresses on the blocklist, so also my IP. I can bypass it with the whitelist function, but can I remove my IP from the blocklist, so it can detect new IDS problems in the future? (And put it back on the list when there is a new security problem.)

Is there a file that I can edit?

Thank you!

MikhailKasimov commented 2 years ago

Hello!

Whitelist is placed in /misc/whitelist.txt path.

> but can I remove my ip from the blocklist

Just move your IP from your local blocklist to whitelist and restart MT's sensor.

hksolutions commented 2 years ago

> Hello!
>
> Whitelist is placed in /misc/whitelist.txt path.
>
> > but can I remove my ip from the blocklist
>
> Just move your IP from your local blocklist to whitelist and restart MT's sensor.

I've found the file in /usr/local/share/maltrail/misc/whitelist.txt, edited the file, saved it and then restarted the maltrail service.

After that, still no internet connection when I enable the firewall rule 'block source: BlocklistMaltrail' alias fail2ban.

When I disable the firewall rule, there is internet, so my IP is not whitelisted :D Is the fail2ban list not a single file with IPs?

MikhailKasimov commented 2 years ago

@mimugmail Need your assistance a little bit. How does this work in OPNsense?

mimugmail commented 2 years ago

It would be best to just put a firewall rule above this alias rule which accepts your IP.

hksolutions commented 2 years ago

This is indeed (temporarily) a possibility to whitelist, but then you also have no filtering in the future because you bypass everything, I think?

Suppose you get a virus and the IDS is triggered. You remove the virus, but your IP is still blocked. Or the IDS is not triggered because your IP is whitelisted/bypassed :)

mimugmail commented 2 years ago

Yes, but a whitelist option in MT would also eliminate this. You have to find out the reason why you are on this list.

hksolutions commented 2 years ago

Dear, I did a few security tests (pentests) to test the filter. It worked, because it blocked my IP :) So this is the reason.

I understand the whitelist function, but when I whitelist my IP and have a real security problem in the future, it will let everything from my IP through.

When I can remove the 'custom fail2ban IPs', it can block my IP again in the future when there is a real problem.

mimugmail commented 2 years ago

So you need to know how to remove yourself from the dynamically learned blacklist.

hksolutions commented 2 years ago

> So you need to know how to remove yourself from dynamically learned blacklist

Yes indeed 🌝

xkpx64 commented 2 years ago

OPNsense user here too, recently started using this plugin and I can tell it's awesome! Great work! I got myself in this situation, with it banning me because I scanned the network or someone on my network got a virus. So in OPNsense I checked only Maltrail -> WAN. Sometimes when I get banned I just delete the logs from /var/log/maltrail/x.log, but this is a mad approach.

mimugmail commented 2 years ago

1.8 is the version of the plugin, inside it's 0.47 (with 22.1.10). Just add an accept rule for your IP before the drop.

NeoLizzard commented 2 years ago

I had a similar problem on OPNsense. My way of fixing it was removing all lines with the IP in question from the logs on a "per line" basis via shell on the OPNsense firewall.

The command I used to do this was (XXX.XXX.XXX.XXX was the IP in question; the dots are escaped so they match literally):

sed -i '' '/XXX\.XXX\.XXX\.XXX/d' /var/log/maltrail/*

With this, the IP was immediately gone from the maltrail GUI AND the /fail2ban BlocklistMaltrail URL table.

Explanation: I was searching for a place where the list is being stored, to remove the IP from the blacklist, but then I figured out that it's being created at runtime by reading the logs, and the IPs found in there are used to build the /fail2ban IP table. So the only way I saw to remove an IP after it was detected was to search all logs for it and remove the lines there.

Hope it helps. Worked for me at least.

And for those not using OPNsense: keep in mind that the sed string is different for other systems!

To remove the line and print the output to standard out: sed '/pattern to match/d' ./infile

To directly modify the file (does not work with BSD sed): sed -i '/pattern to match/d' ./infile

Same, but for BSD sed (Mac OS X and FreeBSD; does not work with GNU sed): sed -i '' '/pattern to match/d' ./infile

To directly modify the file and create a backup (works with BSD and GNU sed): sed -i.bak '/pattern to match/d' ./infile

Quote from: https://stackoverflow.com/questions/5410757/how-to-delete-from-a-text-file-all-lines-that-contain-a-specific-string
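The approach above (the blocklist is rebuilt from the log lines, so deleting the lines that mention an IP drops it from the list) can be scripted so that it behaves the same on OPNsense/FreeBSD and on GNU userlands, and so that it removes only the exact address. The following is an added example, not code from the maltrail project or from this thread: it matches the IP with escaped dots and digit boundaries (so removing 10.0.0.1 leaves 10.0.0.10 and 110.0.0.1 alone), keeps a `.bak` copy of each file, and truncates the log in place rather than renaming a temp file over it, because a running sensor that holds the file open would otherwise keep writing to the old inode. The log directory is passed as an argument; the sample log lines in `make_sample_logs` are constructed for the demo and only loosely shaped like sensor output.

```shell
#!/bin/sh
# Added example (not maltrail's own code): remove every log line that
# references one exact IPv4 address from the per-day log files in a
# directory. Uses grep -Ev instead of sed -i, so the same script works
# with BSD and GNU tools.

# Build an extended regex that matches the address only as a whole token.
# 10.0.0.1 must not match inside 10.0.0.10 or 110.0.0.1.
ip_pattern() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # make the dots literal
    printf '(^|[^0-9.])%s([^0-9.]|$)' "$esc"
}

# Count lines across all *.log files that mention the address (dry run).
count_ip_lines() {
    ip=$1; dir=$2
    grep -Eh "$(ip_pattern "$ip")" "$dir"/*.log | wc -l | tr -d ' '
}

# Total number of lines left in the directory's logs.
total_log_lines() {
    cat "$1"/*.log | wc -l | tr -d ' '
}

# Remove the lines and keep a .bak copy of every file before changing it.
remove_ip_from_logs() {
    ip=$1; dir=$2
    pat=$(ip_pattern "$ip")
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        tmp="$f.tmp.$$"
        # grep -v exits 1 when no line survives; that is not an error here.
        if grep -Ev "$pat" "$f" > "$tmp"; then :; elif [ $? -ne 1 ]; then
            rm -f "$tmp"; return 1
        fi
        cp -p "$f" "$f.bak"
        cat "$tmp" > "$f"      # truncate in place: same inode, same permissions
        rm -f "$tmp"
    done
}

# Constructed sample data for the demo; the field layout is illustrative,
# not real maltrail output. Addresses are documentation/private ranges.
make_sample_logs() {
    dir=$1
    cat > "$dir/2023-01-01.log" <<'EOF'
"2023-01-01 10:00:00.000000" sensor1 10.0.0.1 51234 203.0.113.9 80 TCP IP 203.0.113.9 (example-list) potential scan
"2023-01-01 10:01:00.000000" sensor1 10.0.0.10 51235 203.0.113.9 80 TCP IP 203.0.113.9 (example-list) potential scan
"2023-01-01 10:02:00.000000" sensor1 110.0.0.1 51236 203.0.113.9 443 TCP IP 203.0.113.9 (example-list) potential scan
EOF
    cat > "$dir/2023-01-02.log" <<'EOF'
"2023-01-02 09:00:00.000000" sensor1 198.51.100.7 40000 10.0.0.1 22 TCP IP 198.51.100.7 (example-list) bruteforce
"2023-01-02 09:05:00.000000" sensor1 192.168.1.5 40001 203.0.113.9 80 TCP IP 203.0.113.9 (example-list) potential scan
EOF
}

# Usage on a real box (paths are maltrail's default log location as named
# in this thread): count_ip_lines 10.0.0.1 /var/log/maltrail
#                  remove_ip_from_logs 10.0.0.1 /var/log/maltrail
```

Run `count_ip_lines` first to see how many lines would go, then `remove_ip_from_logs`, and restart the sensor afterwards as suggested earlier in the thread so the blocklist is rebuilt from the cleaned logs. Note that this only removes the evidence of past detections; if the address is still generating hits, it will be relisted on the next one.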

stamparm commented 2 years ago

@NeoLizzard you can try to use https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L121-L122

NeoLizzard commented 2 years ago

@stamparm I use the whitelist myself as well, but when you put the IP in the whitelist on OPNsense after it was already listed, it does not get removed from the /fail2ban list. That's why I used the other approach, removing the IP at runtime.

After being put on the whitelist it just stops being parsed and added to the /fail2ban list, but it didn't get removed (at least in my case).

atlanticfirst commented 1 year ago

> @stamparm I use the whitelist myself aswell - but when you put the IP in whitelist on opnsense, after it was already listed, it got not removed from the /fail2ban list. That's why I used the other approache - to remove the IP in runtime.
>
> After beeing put on whitelist it just stop it from beeing parsed and added to the /fail2ban list - but it didn't got removed (at least in my case)

Try the following steps:
1. clean out the logs in /var/log/maltrail/xxxx-xx-xx.log
2. disable "Add Blocklist Alias"
3. re-enable it

It works on my OPNsense firewall. Maybe you can try cleaning out "FAIL2BAN_REGEX" in maltrail.conf; it looks like the same thing.