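#!/bin/bash
# Kolmisoft, 2015-2021
# Script check the database and unblock/whitelist selected blocked_ips
# v. 1.3
#
# Processes pending rows of the blocked_ips table for this server:
#   unblock=1 -> remove a DROP rule (GUI chain, fail2ban jail, or a plain
#                INPUT / legacy fail2ban-* chain rule)
#   unblock=4 -> remove an ACCEPT rule from the GUI whitelist chain
# Every processed request row is deleted afterwards, whether or not the
# iptables change succeeded, so a broken request is not retried forever;
# failures are logged.
#
# Depends on /usr/src/m2/framework/bash_functions.sh for:
#   k_detect_os              (sets centos_version / ROCKY9)
#   k_iptables_locking_option (sets l_opt, e.g. the iptables wait option)
#   set_database_variables   (sets DB_HOST, DB_USERNAME, DB_PASSWORD,
#                             DB_NAME, P_OPT)

# Refuse to run a second copy concurrently: overlapping runs would race on
# the same iptables rules and database rows.
script_name=$(basename "$0")
if [[ "$(/sbin/pidof -x "$script_name" -o %PPID)" ]]; then
    echo "$script_name script is already running with PID $(/sbin/pidof -x "$script_name" -o %PPID)"
    exit
fi

source /usr/src/m2/framework/bash_functions.sh
k_detect_os
k_iptables_locking_option

server_config_file="/etc/m2/system.conf"
log_file="/var/log/m2/m2_unblock_ip_from_gui.log"
unblock_command=""
unblock_command_output=""
gui_chain="M2-BLOCKED-IP-FROM-GUI"
whitelist_chain_gui="M2-WHITELIST-GUI"

# Snapshot of iptables-save used to look up rules below.  A private mktemp
# file is used instead of a fixed name under the world-writable /tmp: with a
# fixed path a local user could pre-create a symlink (this script runs as
# root and would clobber the target) or plant a forged rule list that is later
# turned into iptables arguments.
iptables_list=$(mktemp /tmp/gui_iptables_list.XXXXXX) || {
    echo "$(date '+%Y-%m-%d %H:%M:%S') [ERROR] Cannot create temporary file for iptables rules"
    exit 1
}
trap 'rm -f -- "$iptables_list"' EXIT

# Accepted shape of a blocked_ip value before it is interpolated into SQL and
# handed to iptables / fail2ban-client: IPv4/IPv6 characters with an optional
# /prefix.  Anything else (quotes, spaces, shell metacharacters) is rejected.
ip_re='^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$'

format_date() {
    date "+%Y-%m-%d %H:%M:%S"
}

# log_msg LEVEL MESSAGE...
# Timestamped log line on stdout in the "<date> [LEVEL] text" format.
log_msg() {
    local level="$1"
    shift
    echo "$(format_date) [$level] $*"
}

# run_mysql ARGS...
# Run the mysql client against the M2 database using the credentials set by
# set_database_variables; all arguments are passed through to mysql.
run_mysql() {
    # shellcheck disable=SC2086  # P_OPT intentionally holds zero or more options
    MYSQL_PWD="$DB_PASSWORD" /usr/bin/mysql -h "$DB_HOST" -u "$DB_USERNAME" $P_OPT "$DB_NAME" "$@"
}

set_database_variables

# server_id is interpolated unquoted into SQL below, so it must be a plain
# integer.  Only the first "server_id=" line of the config file is used.
server_id=$(awk -F'=' '/^[[:space:]]*server_id[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$server_config_file")
if [[ ! "$server_id" =~ ^[0-9]+$ ]]; then
    log_msg ERROR "Invalid or missing server_id in $server_config_file: '$server_id'"
    exit 1
fi

action_count=$(run_mysql -sNe "select count(*) from blocked_ips where unblock in (1,4) and server_id=$server_id")
if [[ -z "$action_count" ]]; then
    # Empty output means the query itself failed (mysql already reported why);
    # nothing below can work without the database.
    log_msg ERROR "Could not read pending actions from the database"
    exit 1
fi
if (( action_count == 0 )); then
    log_msg NOTICE "No IPs to unblock or unwhitelist"
    exit 0
fi

if ! /sbin/iptables-save > "$iptables_list"; then
    log_msg ERROR "iptables-save failed, cannot look up current rules"
    exit 1
fi

# ip_blocked_from_gui IP
# Returns 0 when IP has no rule in the GUI block chain, 1 when it has a rule
# there and nowhere in fail2ban/f2b rules, 2 when it is in the GUI chain and
# also in a fail2ban/f2b rule.  -w keeps 10.0.0.1 from matching 10.0.0.10
# (iptables-save prints addresses as 10.0.0.1/32, and "/" is a non-word char).
ip_blocked_from_gui() {
    local ip="$1"
    if ! grep -F -- "$gui_chain" "$iptables_list" | grep -Fwq -- "$ip"; then
        return 0
    fi
    if grep -Ei 'fail2ban|f2b' "$iptables_list" | grep -Fwq -- "$ip"; then
        return 2
    fi
    return 1
}

# unblock_function REASON
# Delete the GUI DROP rule for $ip_address whose comment equals REASON.
unblock_function() {
    local string="$1"
    # shellcheck disable=SC2086  # l_opt may be empty or hold several options
    /sbin/iptables $l_opt -D "$gui_chain" -s "$ip_address" -m comment --comment "$string" -j DROP
}

# unwhitelist_function REASON
# Delete the GUI whitelist ACCEPT rule for $ip_address whose comment equals REASON.
unwhitelist_function() {
    local string="$1"
    # shellcheck disable=SC2086
    /sbin/iptables $l_opt -D "$whitelist_chain_gui" -s "$ip_address" -m comment --comment "$string" -j ACCEPT
}

# Pending unblocks (unblock=1).  Row columns: id, blocked_ip, chain.
# - If the IP sits in the GUI chain (and chain is not a fail2ban name), the
#   chain column is either the GUI chain itself (rule has no comment) or the
#   reason stored as the rule comment: delete that GUI DROP rule.
# - chain "f2b-<jail>" on CentOS 7+/Rocky 9: ask fail2ban-client to unban so
#   fail2ban's own state stays consistent with iptables.
# - Otherwise (INPUT / legacy fail2ban-* chains): find the rule in the
#   iptables-save snapshot and replay it as a delete.
# unblock_error is reset per row so one failure does not mark every later
# IP as failed.
while read -r table_id ip_address ip_chain; do
    if [[ ! "$table_id" =~ ^[0-9]+$ ]]; then
        log_msg ERROR "Skipping blocked_ips row with non-numeric id '$table_id'"
        continue
    fi
    if [[ ! "$ip_address" =~ $ip_re ]]; then
        log_msg ERROR "Skipping blocked_ips row id $table_id: '$ip_address' is not a valid IP/network"
        run_mysql -e "delete from blocked_ips where id=$table_id"
        continue
    fi

    unblock_error=0
    ip_blocked_from_gui "$ip_address"
    result=$?

    if [[ "$result" == "1" || ( "$result" == 2 && ! ( "$ip_chain" == "fail2ban"* || "$ip_chain" == "f2b"* ) ) ]]; then
        if [[ "$ip_chain" == "$gui_chain" ]]; then
            # no reason stored -> the rule carries no comment
            log_msg NOTICE "Trying to unblock ip $ip_address from $gui_chain (no reason given from GUI)"
            # shellcheck disable=SC2086
            if unblock_command_output=$(/sbin/iptables $l_opt -D "$gui_chain" -s "$ip_address" -j DROP 2>&1); then
                log_msg NOTICE "$ip_address from $ip_chain successfully unblocked!"
            else
                unblock_error=1
            fi
        else
            log_msg NOTICE "Trying to unblock ip $ip_address from $gui_chain (reason: $ip_chain)"
            if unblock_command_output=$(unblock_function "$ip_chain" 2>&1); then
                log_msg NOTICE "$ip_address with reason $ip_chain successfully unblocked!"
            else
                unblock_error=1
            fi
        fi
        if (( unblock_error )); then
            log_msg ERROR "failed to unblock $ip_address with/from $ip_chain"
            log_msg ERROR "Iptables error was:"
            log_msg ERROR "$unblock_command_output"
        fi
        # drop the "blocked from GUI" record (unblock=2) kept for this IP
        run_mysql -e "delete from blocked_ips where unblock=2 and blocked_ip='$ip_address' and server_id=$server_id"
    elif [[ ( "${centos_version:-0}" -ge 7 || "${ROCKY9:-0}" == 1 ) && "$ip_chain" == f2b-* ]]; then
        f2b_jail_name=${ip_chain#f2b-}
        log_msg NOTICE "Trying to unblock $ip_address from f2b jail $f2b_jail_name: /bin/fail2ban-client set $f2b_jail_name unbanip $ip_address"
        if ! /bin/fail2ban-client set "$f2b_jail_name" unbanip "$ip_address"; then
            log_msg ERROR "fail2ban-client could not unban $ip_address from jail $f2b_jail_name"
        fi
    else
        log_msg NOTICE "Trying to unblock ip $ip_address from $ip_chain [id: $table_id, server_id: $server_id]"
        # First saved rule of that chain mentioning the IP as a whole word,
        # rewritten from append (-A) to delete (-D).
        unblock_command=$(grep -Fi -- "$ip_chain" "$iptables_list" | grep -Fw -- "$ip_address" | sed 's/^-A/-D/' | head -n 1)
        if [[ -z "$unblock_command" ]]; then
            log_msg WARNING "Cannot find $ip_address in $ip_chain in iptables rules."
        else
            log_msg NOTICE "Executing command /sbin/iptables $unblock_command"
            # Word-splitting the saved rule is intentional; rules carrying a
            # quoted comment would need a real parser and are not expected here.
            # shellcheck disable=SC2086
            if unblock_command_output=$(/sbin/iptables $l_opt $unblock_command 2>&1); then
                log_msg NOTICE "$ip_address from $ip_chain successfully unblocked!"
            else
                log_msg ERROR "failed to unblock $ip_address from $ip_chain with command /sbin/iptables $l_opt $unblock_command"
                log_msg ERROR "iptables error was:"
                log_msg ERROR "$unblock_command_output"
            fi
        fi
    fi
    # the request row is done, successfully or not
    run_mysql -e "delete from blocked_ips where id=$table_id"
done < <(run_mysql -sNe "select id, blocked_ip, chain from blocked_ips where unblock=1 and server_id=$server_id")

# Pending unwhitelists (unblock=4).  Same row layout; the chain column is
# either the whitelist chain itself (rule has no comment) or the reason
# stored as the rule comment.
while read -r table_id ip_address ip_chain; do
    if [[ ! "$table_id" =~ ^[0-9]+$ ]]; then
        log_msg ERROR "Skipping blocked_ips row with non-numeric id '$table_id'"
        continue
    fi
    if [[ ! "$ip_address" =~ $ip_re ]]; then
        log_msg ERROR "Skipping blocked_ips row id $table_id: '$ip_address' is not a valid IP/network"
        run_mysql -e "delete from blocked_ips where id=$table_id"
        continue
    fi

    unwhitelist_error=0
    if [[ "$ip_chain" == "$whitelist_chain_gui" ]]; then
        # no reason stored -> the rule carries no comment
        log_msg NOTICE "Trying to unwhitelist ip $ip_address from $whitelist_chain_gui (no reason given from GUI)"
        # shellcheck disable=SC2086
        if unwhitelist_command_output=$(/sbin/iptables $l_opt -D "$whitelist_chain_gui" -s "$ip_address" -j ACCEPT 2>&1); then
            log_msg NOTICE "$ip_address from $ip_chain successfully unwhitelisted!"
        else
            unwhitelist_error=1
        fi
    else
        log_msg NOTICE "Trying to unwhitelist ip $ip_address from $whitelist_chain_gui (reason: $ip_chain)"
        if unwhitelist_command_output=$(unwhitelist_function "$ip_chain" 2>&1); then
            log_msg NOTICE "$ip_address with reason $ip_chain successfully unwhitelisted!"
        else
            unwhitelist_error=1
        fi
    fi
    if (( unwhitelist_error )); then
        log_msg ERROR "failed to unwhitelist $ip_address with/from $ip_chain"
        log_msg ERROR "Iptables error was:"
        log_msg ERROR "$unwhitelist_command_output"
    fi
    # drop the "whitelisted from GUI" record (unblock=5) and the request itself
    run_mysql -e "delete from blocked_ips where unblock=5 and blocked_ip='$ip_address' and server_id=$server_id"
    run_mysql -e "delete from blocked_ips where id=$table_id"
done < <(run_mysql -sNe "select id, blocked_ip, chain from blocked_ips where unblock=4 and server_id=$server_id")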