tomMoulard / fail2ban

Traefik plugin on fail2ban middleware
MIT License

Manually ban/unban IP #41

Open ADeeeee opened 2 years ago

ADeeeee commented 2 years ago

Hi all,

I've searched for a while and it seems there's no description on the Internet or in the README about how people ban or unban IP addresses manually once they get banned via this middleware. I used this function sometimes when some allies got banned by accident or the filter was just too strict.

My plan is to use this middleware in my Kubernetes cluster with Traefik Ingress. Is there any way to do it? It'd be so much more helpful than only waiting for it to time out.

e.g. the way I use it on standalone Ubuntu: `fail2ban-client set [RULE-NAME] banip/unbanip [IP]`

tomMoulard commented 2 years ago

Hello @ADeeeee,

Thanks for your interest in this Traefik plugin!

That's because there is currently no way to do that once Traefik has started.

But you can manually whitelist or blacklist IPs prior to starting the reverse proxy by doing something like:

```yaml
whitelist:
    ip:
      - "::1"
```

ADeeeee commented 2 years ago

Hi Tom,

Thanks for the reply. I do have the whitelist already. Does it work if I edit the middleware by adding a banned IP to the whitelist after the IP got banned? This would be a nice workaround if it does.

--edited-- BTW, do these formats also work? Multiple single ports checking:

```yaml
ports:
  - "80"
  - "443"
```

IP subnet range:

```yaml
whitelist:
  ip:
    - "192.168.0.0/16"
```

tomMoulard commented 2 years ago

When you update the plugin configuration, Traefik reloads the plugin entirely, so there are no more banned IPs. Thus, if you whitelist an IP, it should work right in your case.

> BTW, do these formats also work? Multiple single ports checking

No

> IP subnet range

Yes

ADeeeee commented 2 years ago

Hello Tom,

I've tried it on Kubernetes recently and found a few issues and situations:

  1. **Blacklist has priority.** It should be reversed because it's so dangerous if any accident happens. It's confirmed that when an IP address is in both the blacklist and the whitelist, it's still blocked with 403 Forbidden.

  2. **Unable to unblock IP addresses.** Once an IP address got blocked via the urlregex filter, you can't unblock it even by restarting the pod, editing and saving the middleware, or even whitelisting the IP address (according to the above). There's no way to restart Traefik at all, which could make the whole set of services on the Kubernetes cluster disconnected for a while. Any solutions for this? This is kind of crucially important for avoiding accidents.

Just FYI, and I guess I will wait for the features and also a stable plugin environment in Traefik. This is very cool. I hope I will be back one day when it matches my requirements.

tomMoulard commented 2 years ago

Hi @ADeeeee,

> It should be reversed because it's so dangerous if any accident happens

For now, we expect our users to know the risks and implications of a harsh f2b rule.

> Unable to unblock IP addresses

As I said, there is currently no way to unblock IP addresses dynamically. Restarting Traefik should be enough to clear the blacklisted IP pool. If you see a log line like `Plugin: FailToBan is up and running`, it means that this plugin was loaded (or reloaded), so both pools are emptied and the configuration is fresh.
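The precedence discussed in this thread (a static denylist entry wins even over a whitelist entry, the whitelist bypasses the dynamic ban pool, and the whitelist accepts CIDR ranges) as a small Python model added here for illustration; it is not the plugin's own code, and the `decide` and `uncovered` helpers, the sample lists and the ban pool are all constructed. The `uncovered` check is the pre-deployment sanity test a practitioner would run before trusting a whitelist to keep allies out of the ban pool.

```python
"""Added example: a model of the allow/deny precedence described in the
thread, not code from the tomMoulard/fail2ban plugin.
Assumption: the static blacklist is consulted before the static whitelist,
so an address present in both is still refused (the 403 reported above)."""
import ipaddress
from typing import Iterable


def _matches(ip: str, entries: Iterable[str]) -> bool:
    """True if ip falls inside any entry; entries may be single IPs or CIDRs."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def decide(ip: str, blacklist: Iterable[str], whitelist: Iterable[str],
           banned: set) -> str:
    """Return 'deny' or 'allow' for one request from ip.

    Order modelled from the thread: static blacklist first, then the static
    whitelist (which bypasses dynamic bans), then the dynamic ban pool that
    the urlregex / retry rules fill at runtime.
    """
    if _matches(ip, blacklist):
        return "deny"          # 403 even if the same IP is whitelisted
    if _matches(ip, whitelist):
        return "allow"         # whitelist entry, never consults the ban pool
    if ip in banned:
        return "deny"          # dynamically banned, cleared only on reload
    return "allow"


def uncovered(ips: Iterable[str], whitelist: Iterable[str]) -> list:
    """Pre-deployment check: which of these addresses the whitelist misses."""
    return [ip for ip in ips if not _matches(ip, whitelist)]


# Constructed sample configuration and ban pool (hypothetical values).
WHITELIST = ["::1", "192.168.0.0/16"]
BLACKLIST = ["192.168.10.5"]
BANNED = {"203.0.113.7", "192.168.20.9"}

if __name__ == "__main__":
    for ip in ["192.168.20.9", "192.168.10.5", "203.0.113.7", "198.51.100.1"]:
        print(ip, decide(ip, BLACKLIST, WHITELIST, BANNED))
    print("not covered:", uncovered(["10.0.0.1", "192.168.1.1"], WHITELIST))
```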