In cPGuard, we have multiple modules that work at different layers to stop various attacks. The IPDB firewall module is a system-level firewall that can block many of the attacks before it reaches your application servers.
The main components of the IPDB firewall are
1. The Cloud Advisor:- is a server cluster containing multiple servers dedicated to collecting, building, and distributing a list of unsafe IPs. We have a huge list of bad IPs built on data collected from attacks we have blocked (WAF, Bruteforce, CSF, and access logs), our partners like Malware.Expert and other 3rd party sources. Our algorithms, after whitelisting major providers like Cloudflare, Google, etc to avoid false positives, dynamically score IPs based on various parameters to build a refined list containing only the latest and relevant threats
2. The Server Agent: cPGuard server application downloads the list of bad IPs from the cloud advisor and creates a blocklist using IPSET and IPTABLES to effectively block requests from these IPs. The block list is periodically reloaded to fetch the latest IPs and drop old IPs from the list
How to enable the IPDB Firewall?
You can enable IPDB Firewall from cPGuard >> Settings >> Security Tools >> IPDB Firewall or using the following command
cpgcli ipdb --enable
You can optionally enable or disable the IPDB logging when when you enable/disable IPDB module. Given below is the complete CLI tool options for IPDB
--enable | --disable --log-enable| --log-disable --restart | --reload | --check-ip IP --country-whitelist --add Country-Code | --country-whitelist --remove Country-Code
How can I ensure that IPDB Firewall is working?
To confirm that the IPDB firewall is functioning good once it is enabled, you can check the log file /var/log/messages where you can see the log like following
Nov 10 13:02:13 server kernel: IPDB Blocked: IN=eth0 OUT= MAC=e:00:00:00:01:01:08:00 SRC=x.x.x.x DST=y.y.y.y LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=59669 DF PROTO=TCP SPT=31310 DPT=465 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 10 13:02:15 server3kernel: IPDB Blocked: IN=eth0 OUT= MAC=e:00:00:00:01:01:08:00 SRC=x.x.x.x DST=y.y.y.y LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=59670 DF PROTO=TCP SPT=31310 DPT=465 WINDOW=29200 RES=0x00 SYN URGP=0
How to check whether an IP is blocked in IPDB Firewall?
You can check it through the IPDB page in the UI or use the cpgcli CLI tool to check an IP address against the IPDB Firewall from the command line.
cpgcli ipdb --check-ip <IP Adress>
How to whitelist an IP address from IPDB Firewall?
You can use the cpgcli CLI tool to whitelist an IP address against the IPDB Firewall from the command line.
cpgcli ip --allow <IP Address>
Supported format for IP Range whitelist are given below
- CIDR format: 1.2.3/24
- Single IP address: 126.96.36.199
How to disable IPDB Firewall?
You can disable IPDB Firewall from cPGuard >> Settings >> Security Tools >> IPDB Firewall or using the following command
cpgcli ipdb --disable
I need more details or I have a suggestion to enhance this module
Feel free to reach our support team with your query and we will be happy to assist you regarding it.
PS : In case of Virtuozzo/OpenVZ based virtual servers, IPDB will not work if “ipset” is not enabled from the host server.