Client banned based on IP?

Hi,

my erpnext hosted on ubuntu 16 was working fine till this morning. Then suddenly I started to get "Refused to connect" responses.

After a while I realised I'm getting this error if I use my home internet connection with a fixed IP address. As soon as I change to any other network (so another public IP too) everything works in order.

Is there any IP blocking mechanism in the standard ErpNext system?
Or what can the issue be?

Thanks for the ideas in advance


In your installation, go to the User List, click on your user, and go check Security Settings. Is “Restrict IP” filled?

sample link location: https://demo.erpnext.com/desk#Form/User/demo%40erpnext.com

Hi Felix,

Thanks for the idea.

I have checked, the Restrict IP field is empty.

I have checked with other users too. Any user using my home network is refused; on other networks it works in order.
Worth mentioning: I can reach my server over ssh while I'm getting the connection refused message in the browser (on my home network).

Can you show a screenshot? If the message shows in your browser, it might be your home or server firewall.

Hi,

just a simple timeout in the browser:

  • there is no proxy on the network
  • firewall on the router completely switched off - does not help
  • I have tested with more PCs/Macs - same behaviour - not a client or browser issue
  • from the router I can ping and traceroute the erpnext server
  • I have called my network provider (UPC), their helpdesk guy was able to reach the site

I have no more ideas what to check :(

Likely then a closed port?

It does respond to ssh

frappe@erpnext:~/frappe-bench$ nc -vv erp.systemfox.com 22
Connection to erp.systemfox.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2

You may want to check all normal services running under supervisor are working

i.e.

sudo systemctl supervisor status

Shows nginx, redis etc. all functioning fine

Maybe your router is to blame?

For example NAT does port-based redirects, so external WAN clients can connect but not local LAN network clients…

just found my IP address in /var/log/fail2ban.log:

2017-11-01 11:29:59,243 fail2ban.filter [1666]: INFO [nginx-proxy] Found 80.98.155.154
2017-11-01 11:30:28,953 fail2ban.filter [1666]: INFO [nginx-proxy] Found 80.98.155.154
2017-11-01 11:30:29,309 fail2ban.actions [1666]: NOTICE [nginx-proxy] Ban 80.98.155.154

no idea yet why it was banned, how it works, or how to unban…

Sounds like you're on the right track now.

Can you whitelist an IP with fail2ban?

Yes, I'm now looking for how to whitelist or unban, but it is also a question for me what the reason for the ban was…
I have done nothing special, I was just using the system as a regular user.

Solved now using the fail2ban-client as described here

thanks to all for taking care!

Thank you @Rokasan

Your question prompted me to check my /var/log/nginx/error.log

All the connection attempt activity there gives me cause for concern.

I need to do a security audit review and investigate my need for a proxy

Hi All,

I have the same problem; it's for a client, it occurs about every 2-3 days, and the client's IP is blocked for about 10 mins.

I can solve it with iptables -F to flush all the -A rules to get the system working again. But it will definitely occur again.

I checked web.error.log, I noticed the worker keeps exiting and booting, I don't know if this is normal?

I can flush the rules to remove the ban or just wait a while and the ban will be released (sometimes I didn't do anything and it recovered).

But it is a bit annoying. I need to know what has caused the problem. How to avoid a valid user's IP being banned by f2b-NoNginxProxy?

Hi All,

Just now I tried to add my client's IP and my IP into the whitelist with the command fail2ban-client set JAIL_NAME addignoreip IP; to find your jail name, you can use the command fail2ban-client status.

To get the whitelist you can use the command: fail2ban-client get JAIL_NAME ignoreip

Please let me know if I'm doing the right thing, many thanks!

If it helps you, I will be very happy!

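To make the two posts above concrete (the fail2ban.log excerpt showing Found/Ban for one address, and the addignoreip whitelist), here is an added example that is not part of the thread and not fail2ban's or Frappe's own code. It replays fail2ban's per-jail counting over nginx access-log lines and reads fail2ban.log lines, so you can see why an address gets banned and what an ignoreip entry changes. The filter regex and the jail thresholds (maxretry, findtime) are assumptions to compare against your own /etc/fail2ban; the access-log lines are constructed samples, and the fail2ban.log lines are the three quoted earlier in the thread.

```python
# Added example, not fail2ban's or Frappe's own code: replays fail2ban's
# per-jail counting over nginx access-log lines and reads fail2ban.log, so
# you can see why an address was banned and what an ignoreip entry changes.
# Filter regex and thresholds are assumptions; access-log lines are constructed.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: bench's nginx-proxy filter fires on requests that ask nginx to
# fetch a full URL (open-proxy probing), roughly "<HOST>.*GET http://.*".
# Compare with /etc/fail2ban/filter.d/nginx-proxy.conf on your server.
FAILREGEX = re.compile(r'^(?P<host>\S+) .*"(?:GET|POST|CONNECT) http://')
NGINX_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ")

# ASSUMPTION: jail thresholds. A bantime of 600 s would match the "about 10
# mins" in the thread; raising maxretry or shortening findtime is the
# "less strict" knob, at the cost of letting probes run longer.
MAXRETRY = 4
FINDTIME = timedelta(seconds=600)


def parse_access_line(line):
    """(ip, timestamp) if the access-log line matches the filter, else None."""
    m = FAILREGEX.match(line)
    ts = NGINX_TS.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")


def in_ignoreip(ip, ignoreip):
    """ignoreip entries may be single addresses or CIDR masks, as in jail.conf."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)


def replay(lines, ignoreip=()):
    """Simplified fail2ban: an IP is banned once it has MAXRETRY filter matches
    inside FINDTIME, unless it is in ignoreip.  Returns {ip: ban time}."""
    recent = defaultdict(list)
    bans = {}
    for line in lines:  # log lines are assumed to be in time order
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        ip, when = parsed
        if ip in bans or in_ignoreip(ip, ignoreip):
            continue
        recent[ip] = [t for t in recent[ip] if when - t <= FINDTIME] + [when]
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = when
    return bans


F2B_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.\w+\s+\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Found|Ban|Unban) (?P<ip>\S+)")


def found_before_ban(f2b_lines, ip):
    """From fail2ban.log: how many 'Found' events for ip fell inside FINDTIME
    before its 'Ban'.  Returns (count, ban timestamp), or None if never banned."""
    founds = []
    for line in f2b_lines:
        m = F2B_LINE.match(line)
        if not m or m.group("ip") != ip:
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        if m.group("action") == "Found":
            founds.append(when)
        elif m.group("action") == "Ban":
            return sum(1 for t in founds if when - t <= FINDTIME), when
    return None


# Constructed nginx access-log samples (RFC 5737 addresses, not real clients).
SAMPLE_ACCESS_LOG = [
    # ordinary ERPNext traffic: relative URLs never match the filter
    '203.0.113.10 - - [01/Nov/2017:11:29:00 +0000] "GET /desk HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Nov/2017:11:29:05 +0000] "POST /api/method/frappe.desk.form.load.getdoc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # open-proxy probing: four absolute-URL requests inside findtime -> ban
    '198.51.100.7 - - [01/Nov/2017:11:29:59 +0000] "GET http://example.com/ HTTP/1.1" 400 166 "-" "-"',
    '198.51.100.7 - - [01/Nov/2017:11:30:10 +0000] "GET http://example.com/ HTTP/1.1" 400 166 "-" "-"',
    '198.51.100.7 - - [01/Nov/2017:11:30:20 +0000] "GET http://example.com/ HTTP/1.1" 400 166 "-" "-"',
    '198.51.100.7 - - [01/Nov/2017:11:30:29 +0000] "GET http://example.com/ HTTP/1.1" 400 166 "-" "-"',
    # a client you would put in ignoreip producing the same matches
    '192.0.2.5 - - [01/Nov/2017:11:30:40 +0000] "GET http://example.org/ HTTP/1.1" 400 166 "-" "-"',
    '192.0.2.5 - - [01/Nov/2017:11:30:50 +0000] "GET http://example.org/ HTTP/1.1" 400 166 "-" "-"',
    '192.0.2.5 - - [01/Nov/2017:11:31:00 +0000] "GET http://example.org/ HTTP/1.1" 400 166 "-" "-"',
    '192.0.2.5 - - [01/Nov/2017:11:31:05 +0000] "GET http://example.org/ HTTP/1.1" 400 166 "-" "-"',
]

# The three fail2ban.log lines quoted earlier in the thread.
F2B_SAMPLE = [
    "2017-11-01 11:29:59,243 fail2ban.filter [1666]: INFO [nginx-proxy] Found 80.98.155.154",
    "2017-11-01 11:30:28,953 fail2ban.filter [1666]: INFO [nginx-proxy] Found 80.98.155.154",
    "2017-11-01 11:30:29,309 fail2ban.actions [1666]: NOTICE [nginx-proxy] Ban 80.98.155.154",
]

if __name__ == "__main__":
    print("no whitelist:", replay(SAMPLE_ACCESS_LOG))
    print("with 192.0.2.0/24 ignored:", replay(SAMPLE_ACCESS_LOG, ["192.0.2.0/24"]))
    print("Found before Ban:", found_before_ban(F2B_SAMPLE, "80.98.155.154"))
```

Against the quoted log lines found_before_ban reports only two Found events in the window before the Ban; if that is fewer than your jail's maxretry, the earlier matches simply fall outside the excerpt, so pull the full fail2ban.log plus the matching nginx access.log lines for that address to see which requests the filter actually hit. Note that fail2ban-client set JAIL addignoreip (as in the post above) changes the running jail only; to survive a restart put the same addresses, CIDR masks or DNS hosts in ignoreip in jail.local, and use fail2ban-client set JAIL unbanip IP rather than iptables -F, which also drops every other rule on the host.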

Looks like fail2ban still bans POS terminals connected to the server in offline mode.

One of my clients' IPs was getting banned for some time; this was occurring every day.
I have added the static IP to the ignore list, will test it for a few days and get back to this thread.

Thanks for the guide.

This is helpful.

I added the static IPs to the whitelist, but now one of the outlets doesn't have a static IP anymore, so I had to stop the fail2ban service.

Is there any way to make it less strict?

You could tweak the config of fail2ban yourself, as this is just a standard install. Frappe haven't done anything specific with this. But obviously if you reduce the IP checks you run the risk of security problems with possible attacks.

Otherwise you could use a DNS service like the free noip.com on your POS terminal, so that you have a standard DNS hostname instead of an IP to base fail2ban rules on, even with the IP changing at times.

Yes, I was thinking the same, to put DDNS in place, as I read about it in some other thread, but I will have to set it up everywhere. Will try this method also, as I am not comfortable disabling the fail2ban service.

Tweaking will not help, as it again makes the server vulnerable, just like disabling the service.

I will try the DDNS and check how it goes.

Yes, using DDNS isn't perfect, as it can take, say, up to 30s for the hostname to update.

But it can work and may be your best solution.

Julian