
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
283 views 2 comments
by anonymous
Hello,

I'm working on a TRB245 and have seen that there are DROPs for a specific IP in the iptables commented with ipb.

I guess it means 'automatic IP Block'

I couldn't find anything describing that comment, and I cannot see this address anywhere in the configuration.

I then found a log entry stating that a blocking rule has been applied. But I don't see a way to unblock it over the WebUI. Per CLI, it's obvious, but what is the common user expected to do?

1 Answer

0 votes
by anonymous
Hello,

Could you provide more details regarding the rules, for example, are those default rules, are they created by specific configurations/actions or what IPs are blocked?

Best regards,

Žygimantas
by anonymous

Hi Žygimantas

There's nothing special about it. It is the out-of-the-box firewall config and the ip blocking has happened upon 10 ssh logon failures:

2022-05-10 02:33:02 IP Block IP (10.253.102.1) attempt 10/10. Firewall rule created.
2022-05-10 02:33:02 SSH Bad password attempt for root from 10.253.102.1:50800
2022-05-10 02:33:01 IP Block IP (10.253.102.1) attempt 9/10.

I do not say that this should not happen. It is in principle correct but should it really block forever? And why the whole IP without a port?

And there's no attack prevention active by default, except SYN flood protection. So, why did it block that IP anyway?

And why is it not listed anywhere?

I can send the config but there is no config apart from defaults.

by anonymous

Hello,

There is a limit of consecutive failed login attempts a single IP can make. Once that limit is reached, it is permanently blocked until manually removed. Now, as you have mentioned, the block can be removed via CLI/SSH; however, it can be done in the WebUI as well. Log in to the web interface, navigate to System -> Access control and switch to the Security tab. The number of login attempts can be set there and blocked users can be allowed to access the device.

Best regards,

Žygimantas
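
An added example, not from the thread or from Teltonika: a Python sketch that reads event-log text in the format quoted above and reports which source IPs reached the attempt limit and had a firewall rule created. The line format is assumed from the three lines in the thread; the fourth sample line and all function names are constructed.

```python
import re

# Constructed sample: the three lines quoted in the thread, plus one
# made-up line for an address that has not reached the limit.
SAMPLE_LOG = """\
2022-05-10 02:33:02 IP Block IP (10.253.102.1) attempt 10/10. Firewall rule created.
2022-05-10 02:33:02 SSH Bad password attempt for root from 10.253.102.1:50800
2022-05-10 02:33:01 IP Block IP (10.253.102.1) attempt 9/10.
2022-05-10 02:40:15 IP Block IP (192.0.2.44) attempt 3/10.
"""

# Matches only the "IP Block" events; other lines (e.g. "SSH Bad password") are skipped.
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IP Block IP "
    r"\((?P<ip>[0-9a-fA-F.:]+)\) attempt (?P<n>\d+)/(?P<limit>\d+)\."
    r"(?P<blocked> Firewall rule created\.)?\s*$"
)


def summarize_blocks(log_text):
    """Return {ip: {"attempts", "limit", "blocked_at"}} for every IP Block event."""
    state = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if not m:
            continue
        entry = state.setdefault(
            m["ip"], {"attempts": 0, "limit": int(m["limit"]), "blocked_at": None}
        )
        # The log may be newest-first, so keep the highest counter seen.
        entry["attempts"] = max(entry["attempts"], int(m["n"]))
        if m["blocked"]:
            entry["blocked_at"] = m["ts"]
    return state


def blocked_ips(log_text):
    """IPs for which the log says a firewall rule was created."""
    return sorted(ip for ip, e in summarize_blocks(log_text).items() if e["blocked_at"])


if __name__ == "__main__":
    for ip, e in summarize_blocks(SAMPLE_LOG).items():
        status = f"BLOCKED at {e['blocked_at']}" if e["blocked_at"] else "not blocked"
        print(f"{ip}: {e['attempts']}/{e['limit']} failed attempts, {status}")
```

The resulting list can be compared against the blocked entries shown under System -> Access control -> Security.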