underpost 2.90.4 → 2.92.0

package/src/cli/ssh.js

@@ -4,7 +4,13 @@
  * @namespace UnderpostSSH
  */
 
+import { generateRandomPasswordSelection } from '../client/components/core/CommonJs.js';
+import Dns from '../server/dns.js';
 import { shellExec } from '../server/process.js';
+import { loggerFactory } from '../server/logger.js';
+import fs from 'fs-extra';
+
+const logger = loggerFactory(import.meta);
 
 /**
  * @class UnderpostSSH
@@ -14,30 +20,435 @@ import { shellExec } from '../server/process.js';
 class UnderpostSSH {
   static API = {
     /**
-     * @method callback
-     * @description Manages SSH key generation and connection setup based on the default deployment ID.
-     * This function will either generate a new SSH key pair or import an existing one,
-     * then initiate the SSH connection process.
-     * @param {object} [options={ generate: false }] - Options for the SSH callback.
-     * @param {boolean} [options.generate=false] - If true, generates a new SSH key pair. Otherwise, it imports the existing one.
+     * Main callback function for SSH operations including user management, key import/export, and SSH service configuration.
+     * @async
+     * @function callback
      * @memberof UnderpostSSH
+     * @param {Object} options - Configuration options for SSH operations
+     * @param {string} [options.deployId=''] - Deployment ID context for SSH operations
+     * @param {boolean} [options.generate=false] - Generate new SSH credentials
+     * @param {string} [options.user=''] - SSH user name (defaults to 'root')
+     * @param {string} [options.password=''] - SSH user password (auto-generated if not provided, overridden by saved config if user exists)
+     * @param {string} [options.host=''] - SSH host address (defaults to public IP, overridden by saved config if user exists)
+     * @param {string} [options.filter=''] - Filter for user/group listings
+     * @param {string} [options.groups=''] - Comma-separated list of groups for the user (defaults to 'wheel')
+     * @param {number} [options.port=22] - SSH port number
+     * @param {boolean} [options.start=false] - Start SSH service with hardened configuration
+     * @param {boolean} [options.userAdd=false] - Add a new SSH user and generate keys
+     * @param {boolean} [options.userRemove=false] - Remove an SSH user and cleanup keys
+     * @param {boolean} [options.userLs=false] - List all SSH users and groups
+     * @param {boolean} [options.reset=false] - Reset SSH configuration (clear authorized_keys and known_hosts)
+     * @param {boolean} [options.keysList=false] - List authorized SSH keys
+     * @param {boolean} [options.hostsList=false] - List known SSH hosts
+     * @param {boolean} [options.importKeys=false] - Import keys from private backup to user's SSH directory
+     * @param {boolean} [options.exportKeys=false] - Export keys from user's SSH directory to private backup
+     * @param {boolean} [options.disablePassword=false] - If true, do not set a password for the user
      * @returns {Promise<void>}
+     * @description
+     * Handles various SSH operations:
+     * - User creation with automatic key generation and backup
+     * - User removal with key cleanup
+     * - Key import/export between SSH directory and private backup location
+     * - SSH service initialization and hardening
+     * - User and group listing with optional filtering
      */
     callback: async (
       options = {
+        deployId: '',
         generate: false,
+        user: '',
+        password: '',
+        host: '',
+        filter: '',
+        groups: '',
+        port: 22,
+        start: false,
+        userAdd: false,
+        userRemove: false,
+        userLs: false,
+        reset: false,
+        keysList: false,
+        hostsList: false,
+        disablePassword: false,
       },
     ) => {
-      // Example usage for importing an existing key:
-      // node bin/deploy ssh root@<host> <password> import
+      let confNode, confNodePath;
+      if (!options.user) options.user = 'root';
+      if (!options.host) options.host = await Dns.getPublicIp();
+      if (!options.password) options.password = options.disablePassword ? '' : generateRandomPasswordSelection(16);
+      if (!options.groups) options.groups = 'wheel';
+      if (!options.port) options.port = 22;
+
+      // Load config and override password and host if user exists in config
+      if (options.deployId) {
+        confNodePath = `./engine-private/conf/${options.deployId}/conf.node.json`;
+        confNode = fs.existsSync(confNodePath) ? JSON.parse(fs.readFileSync(confNodePath, 'utf8')) : { users: {} };
+
+        if (confNode.users && confNode.users[options.user]) {
+          if (confNode.users[options.user].password) {
+            options.password = confNode.users[options.user].password;
+            logger.info(`Using saved password for user ${options.user}`);
+          }
+          if (confNode.users[options.user].host) {
+            options.host = confNode.users[options.user].host;
+            logger.info(`Using saved host for user ${options.user}: ${options.host}`);
+          }
+        }
+      }
+
+      let userHome = shellExec(`getent passwd ${options.user} | cut -d: -f6`, { silent: true, stdout: true }).trim();
+      options.userHome = userHome;
+
+      logger.info('options', options);
+
+      if (options.reset) {
+        shellExec(`> ${userHome}/.ssh/authorized_keys`);
+        shellExec(`> ${userHome}/.ssh/known_hosts`);
+        return;
+      }
+
+      if (options.keysList) shellExec(`cat ${userHome}/.ssh/authorized_keys`);
+      if (options.hostsList) shellExec(`cat ${userHome}/.ssh/known_hosts`);
+
+      if (options.userLs) {
+        const filter = options.filter ? `${options.filter}` : '';
+        const groupsOut = shellExec(`getent group${filter ? ` | grep '${filter}'` : ''}`, {
+          silent: true,
+          stdout: true,
+        });
+        const usersOut = shellExec(`getent passwd${filter ? ` | grep '${filter}'` : ''}`, {
+          silent: true,
+          stdout: true,
+        });
+        console.log('Groups'.bold.blue);
+        console.log(`group_name : password_x : GID(Internal Group ID) : user_list`.blue);
+        console.log(filter ? groupsOut.replaceAll(filter, filter.red) : groupsOut);
+        console.log('Users'.bold.blue);
+        console.log(`usuario : x : UID : GID : GECOS : home_dir : shell`.blue);
+        console.log(filter ? usersOut.replaceAll(filter, filter.red) : usersOut);
+      }
+
+      if (options.deployId) {
+        // Config already loaded above, just use it
+        if (!confNode) {
+          confNodePath = `./engine-private/conf/${options.deployId}/conf.node.json`;
+          confNode = fs.existsSync(confNodePath) ? JSON.parse(fs.readFileSync(confNodePath, 'utf8')) : { users: {} };
+        }
+
+        if (options.userAdd) {
+          // Check if user already exists in config
+          const userExistsInConfig = confNode.users && confNode.users[options.user];
+          const privateCopyDir = `./engine-private/conf/${options.deployId}/users/${options.user}`;
+          const privateKeyPath = `${privateCopyDir}/id_rsa`;
+          const publicKeyPath = `${privateCopyDir}/id_rsa.pub`;
+          const keysExistInBackup = fs.existsSync(privateKeyPath) && fs.existsSync(publicKeyPath);
+
+          if (userExistsInConfig && keysExistInBackup) {
+            logger.info(`User ${options.user} already exists in config. Importing existing keys...`);
+
+            // Check if system user exists
+            const userExists =
+              shellExec(`id -u ${options.user} 2>/dev/null || echo "not_found"`, {
+                silent: true,
+                stdout: true,
+              }).trim() !== 'not_found';
+
+            if (!userExists) {
+              shellExec(`useradd -m -s /bin/bash ${options.user}`);
+              shellExec(`echo "${options.user}:${options.password}" | chpasswd`);
+              if (options.groups)
+                for (const group of options.groups.split(',').map((g) => g.trim())) {
+                  shellExec(`usermod -aG "${group}" "${options.user}"`);
+                }
+            }
+
+            const userHome = shellExec(`getent passwd ${options.user} | cut -d: -f6`, {
+              silent: true,
+              stdout: true,
+            }).trim();
+            const sshDir = `${userHome}/.ssh`;
+
+            if (!fs.existsSync(sshDir)) {
+              shellExec(`mkdir -p ${sshDir}`);
+              shellExec(`chmod 700 ${sshDir}`);
+            }
+
+            const userKeyPath = `${sshDir}/id_rsa`;
+            const userPubKeyPath = `${sshDir}/id_rsa.pub`;
+
+            // Import keys from backup
+            fs.copyFileSync(privateKeyPath, userKeyPath);
+            fs.copyFileSync(publicKeyPath, userPubKeyPath);
+            if (options.disablePassword) {
+              shellExec(`cat >> ${sshDir}/authorized_keys <<EOF
+no-port-forwarding,no-X11-forwarding,no-agent-forwarding ${fs.readFileSync(userPubKeyPath, 'utf8')}
+EOF`);
+              shellExec(`echo '${options.user} ALL=(ALL) NOPASSWD: ALL' | sudo tee /etc/sudoers.d/90_${options.user}`);
+            } else {
+              shellExec(`cat ${userPubKeyPath} >> ${sshDir}/authorized_keys`);
+              shellExec(`echo "${options.user}:${options.password}" | sudo chpasswd`);
+            }
+            shellExec(`ssh-keyscan -p ${options.port} -H localhost >> ${sshDir}/known_hosts`);
+            shellExec(`ssh-keyscan -p ${options.port} -H 127.0.0.1 >> ${sshDir}/known_hosts`);
+            if (options.host) shellExec(`ssh-keyscan -p ${options.port} -H ${options.host} >> ${sshDir}/known_hosts`);
+
+            shellExec(`chmod 600 ${sshDir}/authorized_keys`);
+            shellExec(`chmod 644 ${sshDir}/known_hosts`);
+            shellExec(`chmod 600 ${userKeyPath}`);
+            shellExec(`chmod 644 ${userPubKeyPath}`);
+            shellExec(`chown -R ${options.user}:${options.user} ${sshDir}`);
+
+            logger.info(`Keys imported from ${privateCopyDir} to ${sshDir}`);
+            logger.info(`User added with existing keys`);
+            return;
+          }
+
+          // New user or no existing keys - create new user and generate keys
+          shellExec(`useradd -m -s /bin/bash ${options.user}`);
+          shellExec(`echo "${options.user}:${options.password}" | chpasswd`);
+          if (options.groups)
+            for (const group of options.groups.split(',').map((g) => g.trim())) {
+              shellExec(`usermod -aG "${group}" "${options.user}"`);
+            }
+
+          const userHome = shellExec(`getent passwd ${options.user} | cut -d: -f6`, {
+            silent: true,
+            stdout: true,
+          }).trim();
+          const sshDir = `${userHome}/.ssh`;
+
+          if (!fs.existsSync(sshDir)) {
+            shellExec(`mkdir -p ${sshDir}`);
+            shellExec(`chmod 700 ${sshDir}`);
+          }
+
+          const keyPath = `${sshDir}/id_rsa`;
+          const pubKeyPath = `${sshDir}/id_rsa.pub`;
+
+          if (!fs.existsSync(keyPath)) {
+            shellExec(
+              `ssh-keygen -t ed25519 -f ${keyPath} -N "${options.password}" -q -C "${options.user}@${options.host}"`,
+            );
+          }
+
+          if (options.disablePassword) {
+            shellExec(`cat >> ${sshDir}/authorized_keys <<EOF
+no-port-forwarding,no-X11-forwarding,no-agent-forwarding ${fs.readFileSync(pubKeyPath, 'utf8')}
+EOF`);
+            shellExec(`echo '${options.user} ALL=(ALL) NOPASSWD: ALL' | sudo tee /etc/sudoers.d/90_${options.user}`);
+          } else {
+            shellExec(`cat ${pubKeyPath} >> ${sshDir}/authorized_keys`);
+            shellExec(`echo "${options.user}:${options.password}" | sudo chpasswd`);
+          }
+          shellExec(`ssh-keyscan -p ${options.port} -H localhost >> ${sshDir}/known_hosts`);
+          shellExec(`ssh-keyscan -p ${options.port} -H 127.0.0.1 >> ${sshDir}/known_hosts`);
+          if (options.host) shellExec(`ssh-keyscan -p ${options.port} -H ${options.host} >> ${sshDir}/known_hosts`);
+
+          shellExec(`chmod 600 ${sshDir}/authorized_keys`);
+          shellExec(`chmod 644 ${sshDir}/known_hosts`);
+          shellExec(`chmod 600 ${keyPath}`);
+          shellExec(`chmod 644 ${pubKeyPath}`);
+          shellExec(`chown -R ${options.user}:${options.user} ${sshDir}`);
+
+          // Save a copy of the keys to the private folder
+          fs.ensureDirSync(privateCopyDir);
+
+          const privateKeyCopyPath = `${privateCopyDir}/id_rsa`;
+          const publicKeyCopyPath = `${privateCopyDir}/id_rsa.pub`;
+
+          fs.copyFileSync(keyPath, privateKeyCopyPath);
+          fs.copyFileSync(pubKeyPath, publicKeyCopyPath);
+
+          logger.info(`Keys backed up to ${privateCopyDir}`);
 
-      // Example usage for generating a new key:
-      // node bin/deploy ssh root@<host> <password>
+          confNode.users[options.user] = {
+            ...confNode.users[options.user],
+            ...options,
+            keyPath,
+            pubKeyPath,
+            privateKeyCopyPath,
+            publicKeyCopyPath,
+          };
+          fs.outputFileSync(confNodePath, JSON.stringify(confNode, null, 4), 'utf8');
+          logger.info(`User added`);
+          return;
+        }
+        if (options.userRemove) {
+          const groups = shellExec(`id -Gn ${options.user}`, { silent: true, stdout: true }).trim().replace(/ /g, ', ');
+          shellExec(`userdel -r ${options.user}`);
 
+          // Remove the private key copy folder
+          const privateCopyDir = `./engine-private/conf/${options.deployId}/users/${options.user}`;
+          if (fs.existsSync(privateCopyDir)) {
+            fs.removeSync(privateCopyDir);
+            logger.info(`Private key copy removed from ${privateCopyDir}`);
+          }
+
+          delete confNode.users[options.user];
+          fs.outputFileSync(confNodePath, JSON.stringify(confNode, null, 4), 'utf8');
+          logger.info(`User removed`);
+          if (groups) logger.info(`User removed from groups: ${groups}`);
+          return;
+        }
+        if (options.userLs) {
+          logger.info(`Users:`);
+          Object.keys(confNode.users).forEach((user) => {
+            logger.info(`- ${user}`);
+          });
+          return;
+        }
+      }
+
+      if (options.generate)
+        UnderpostSSH.API.generateKeys({ user: options.user, password: options.password, host: options.host });
+      if (options.start) {
+        UnderpostSSH.API.chmod({ user: options.user });
+        UnderpostSSH.API.initService({ port: options.port });
+      }
+    },
+    /**
+     * Generates new SSH ED25519 key pair and stores copies in multiple locations.
+     * @function generateKeys
+     * @memberof UnderpostSSH
+     * @param {Object} params - Key generation parameters
+     * @param {string} params.user - Username for the SSH key comment
+     * @param {string} params.password - Password to encrypt the private key
+     * @param {string} params.host - Host address for the SSH key comment
+     * @returns {void}
+     * @description
+     * Creates a new SSH ED25519 key pair and distributes it to:
+     * - User's ~/.ssh/ directory
+     * - ./engine-private/deploy/ directory
+     * Cleans up temporary key files after copying.
+     */
+    generateKeys: ({ user, password, host }) => {
+      shellExec(`sudo rm -rf ./id_rsa`);
+      shellExec(`sudo rm -rf ./id_rsa.pub`);
+
+      shellExec(`ssh-keygen -t ed25519 -f id_rsa -N "${password}" -q -C "${user}@${host}"`);
+
+      shellExec(`sudo cp ./id_rsa ~/.ssh/id_rsa`);
+      shellExec(`sudo cp ./id_rsa.pub ~/.ssh/id_rsa.pub`);
+
+      shellExec(`sudo cp ./id_rsa ./engine-private/deploy/id_rsa`);
+      shellExec(`sudo cp ./id_rsa.pub ./engine-private/deploy/id_rsa.pub`);
+
+      shellExec(`sudo rm -rf ./id_rsa`);
+      shellExec(`sudo rm -rf ./id_rsa.pub`);
+    },
+    /**
+     * Sets proper permissions and ownership for SSH directories and files.
+     * @function chmod
+     * @memberof UnderpostSSH
+     * @param {Object} params - Permission configuration parameters
+     * @param {string} params.user - Username for setting ownership
+     * @returns {void}
+     * @description
+     * Applies secure permissions to SSH files:
+     * - ~/.ssh/ directory: 700
+     * - ~/.ssh/authorized_keys: 600
+     * - ~/.ssh/known_hosts: 644
+     * - ~/.ssh/id_rsa: 600
+     * - /etc/ssh/ssh_host_ed25519_key: 600
+     * Sets ownership to specified user for ~/.ssh/ and contents.
+     */
+    chmod: ({ user }) => {
+      shellExec(`sudo chmod 700 ~/.ssh/`);
+      shellExec(`sudo chmod 600 ~/.ssh/authorized_keys`);
+      shellExec(`sudo chmod 644 ~/.ssh/known_hosts`);
+      shellExec(`sudo chmod 600 ~/.ssh/id_rsa`);
+      shellExec(`sudo chmod 600 /etc/ssh/ssh_host_ed25519_key`);
+      shellExec(`chown -R ${user}:${user} ~/.ssh`);
+    },
+    /**
+     * Initializes and hardens SSH service configuration for RHEL-based systems.
+     * @function initService
+     * @memberof UnderpostSSH
+     * @param {Object} params - Service configuration parameters
+     * @param {number} params.port - Port number for SSH service
+     * @returns {void}
+     * @description
+     * Configures SSH daemon with hardened security settings:
+     * - Disables password authentication (key-only)
+     * - Disables root login
+     * - Enables ED25519 host key
+     * - Disables X11 forwarding and TCP forwarding
+     * - Sets client alive intervals to prevent ghost connections
+     * - Configures PAM for RHEL/SELinux compatibility
+     *
+     * After configuration:
+     * - Enables sshd service for auto-start on boot
+     * - Restarts sshd service to apply changes
+     * - Displays service status with colored output
+     */
+    initService: ({ port }) => {
       shellExec(
-        `node bin/deploy ssh root@${process.env.DEFAULT_DEPLOY_HOST} ${process.env.DEFAULT_DEPLOY_PASSWORD ?? `''`}${
-          options.generate === true ? '' : ' import'
-        }`,
+        `sudo tee /etc/ssh/sshd_config <<EOF
+# ==============================================================
+# RHEL Hardened SSHD Configuration
+# ==============================================================
+
+# --- Network Settings ---
+Port ${port ? port : '22'}
+# Explicitly listen on all interfaces (IPv4 and IPv6)
+
+# --- Host Keys ---
+# ED25519 is the modern standard (Fast & Secure)
+HostKey /etc/ssh/ssh_host_ed25519_key
+# RSA is kept for compatibility with older clients (Optional)
+# HostKey /etc/ssh/ssh_host_rsa_key
+
+# --- Logging ---
+SyslogFacility AUTHPRIV
+# VERBOSE logs the key fingerprint used for login (Audit trail)
+LogLevel VERBOSE
+
+# --- Authentication & Security ---
+# STRICTLY KEY-BASED AUTHENTICATION
+PubkeyAuthentication yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+
+# PREVENT ROOT LOGIN
+# Administrators should log in as a standard user and use 'sudo'
+PermitRootLogin no
+
+# Security checks on ownership of ~/.ssh/ files
+StrictModes yes
+MaxAuthTries 3
+LoginGraceTime 60
+
+# --- PAM (Pluggable Authentication Modules) ---
+# REQUIRED: Must be 'yes' on RHEL for proper session/SELinux handling.
+# Since PasswordAuthentication is 'no', PAM will not ask for passwords.
+UsePAM yes
+
+# --- Session & Network Health ---
+# Disconnect idle sessions after 5 minutes (300s * 0) to prevent ghost connections
+ClientAliveInterval 300
+ClientAliveCountMax 0
+
+# --- Feature Restrictions ---
+# Disable GUI forwarding unless explicitly needed
+X11Forwarding no
+# Disable DNS checks for faster logins (unless you use Host based auth)
+UseDNS no
+# Disable tunneling unless needed
+PermitTunnel no
+AllowTcpForwarding no
+
+# --- Subsystem ---
+Subsystem sftp /usr/libexec/openssh/sftp-server
+EOF`,
+        { disableLog: true },
+      );
+      shellExec(`sudo systemctl enable sshd`);
+      shellExec(`sudo systemctl restart sshd`);
+
+      const status = shellExec(`sudo systemctl status sshd`, { silent: true, stdout: true });
+      console.log(
+        status.match('running') ? status.replaceAll(`running`, `running`.green) : `ssh service not running`.red,
       );
     },
   };

package/src/client/components/core/CommonJs.js

@@ -798,7 +798,6 @@ const generateRandomPasswordSelection = (length) => {
     ',',
     '.',
     '|',
-    '\\',
   ];
   const numbers = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
 

package/src/db/mongo/MongooseDB.js

@@ -31,7 +31,11 @@ class MongooseDBService {
     logger.info('MongooseDB connect', { host, name, uri });
     return await mongoose
       .createConnection(uri, {
-        // Options like useNewUrlParser and useUnifiedTopology are often set here.
+        serverSelectionTimeoutMS: 5000,
+        // readPreference: 'primary',
+        // directConnection: true,
+        // useNewUrlParser: true,
+        // useUnifiedTopology: true,
       })
       .asPromise();
   }

package/src/index.js

@@ -36,7 +36,7 @@ class Underpost {
    * @type {String}
    * @memberof Underpost
    */
-  static version = 'v2.90.4';
+  static version = 'v2.92.0';
   /**
    * Repository cli API
    * @static

package/src/server/dns.js

@@ -100,6 +100,160 @@ class Dns {
     return ipv4.address;
   }
 
+  /**
+   * Setup nftables tables and chains if they don't exist.
+   * @static
+   * @memberof DnsManager
+   */
+  static setupNftables() {
+    shellExec(`sudo nft add table inet filter 2>/dev/null || true`, { silent: true });
+    shellExec(
+      `sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }' 2>/dev/null || true`,
+      { silent: true },
+    );
+    shellExec(
+      `sudo nft add chain inet filter output '{ type filter hook output priority 0; policy accept; }' 2>/dev/null || true`,
+      { silent: true },
+    );
+    shellExec(
+      `sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' 2>/dev/null || true`,
+      { silent: true },
+    );
+  }
+
+  /**
+   * Bans an IP address from ingress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to ban.
+   */
+  static banIngress(ip) {
+    Dns.setupNftables();
+    if (!validator.isIP(ip)) {
+      logger.error(`Invalid IP address: ${ip}`);
+      return;
+    }
+    shellExec(`sudo nft add rule inet filter input ip saddr ${ip} counter drop`, { silent: true });
+    logger.info(`Banned ingress for IP: ${ip}`);
+  }
+
+  /**
+   * Bans an IP address from egress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to ban.
+   */
+  static banEgress(ip) {
+    Dns.setupNftables();
+    if (!validator.isIP(ip)) {
+      logger.error(`Invalid IP address: ${ip}`);
+      return;
+    }
+    shellExec(`sudo nft add rule inet filter output ip daddr ${ip} counter drop`, { silent: true });
+    shellExec(`sudo nft add rule inet filter forward ip daddr ${ip} counter drop`, { silent: true });
+    logger.info(`Banned egress for IP: ${ip}`);
+  }
+
+  /**
+   * Helper to get nftables rule handles for a specific IP and chain.
+   * @static
+   * @memberof DnsManager
+   * @param {string} chain - The chain name (input, output, forward).
+   * @param {string} ip - The IP address.
+   * @param {string} type - The type (saddr or daddr).
+   * @returns {string[]} Array of handles.
+   */
+  static getNftHandles(chain, ip, type) {
+    const output = shellExec(`sudo nft -a list chain inet filter ${chain}`, { stdout: true, silent: true });
+    const lines = output.split('\n');
+    const handles = [];
+    // Regex to match IP and handle. Note: output format depends on nft version but usually contains "handle <id>" at end.
+    // Example: ip saddr 1.2.3.4 counter packets 0 bytes 0 drop # handle 5
+    const regex = new RegExp(`ip ${type} ${ip} .* handle (\\d+)`);
+    for (const line of lines) {
+      const match = line.match(regex);
+      if (match) {
+        handles.push(match[1]);
+      }
+    }
+    return handles;
+  }
+
+  /**
+   * Unbans an IP address from ingress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to unban.
+   */
+  static unbanIngress(ip) {
+    const handles = Dns.getNftHandles('input', ip, 'saddr');
+    for (const handle of handles) {
+      shellExec(`sudo nft delete rule inet filter input handle ${handle}`, { silent: true });
+    }
+    logger.info(`Unbanned ingress for IP: ${ip}`);
+  }
+
+  /**
+   * Unbans an IP address from egress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to unban.
+   */
+  static unbanEgress(ip) {
+    const outputHandles = Dns.getNftHandles('output', ip, 'daddr');
+    for (const handle of outputHandles) {
+      shellExec(`sudo nft delete rule inet filter output handle ${handle}`, { silent: true });
+    }
+    const forwardHandles = Dns.getNftHandles('forward', ip, 'daddr');
+    for (const handle of forwardHandles) {
+      shellExec(`sudo nft delete rule inet filter forward handle ${handle}`, { silent: true });
+    }
+    logger.info(`Unbanned egress for IP: ${ip}`);
+  }
+
+  /**
+   * Lists all banned ingress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static listBannedIngress() {
+    const output = shellExec(`sudo nft list chain inet filter input`, { stdout: true, silent: true });
+    console.log(output);
+  }
+
+  /**
+   * Lists all banned egress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static listBannedEgress() {
+    console.log('--- Output Chain ---');
+    console.log(shellExec(`sudo nft list chain inet filter output`, { stdout: true, silent: true }));
+    console.log('--- Forward Chain ---');
+    console.log(shellExec(`sudo nft list chain inet filter forward`, { stdout: true, silent: true }));
+  }
+
+  /**
+   * Clears all banned ingress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static clearBannedIngress() {
+    shellExec(`sudo nft flush chain inet filter input`, { silent: true });
+    logger.info('Cleared all ingress bans.');
+  }
+
+  /**
+   * Clears all banned egress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static clearBannedEgress() {
+    shellExec(`sudo nft flush chain inet filter output`, { silent: true });
+    shellExec(`sudo nft flush chain inet filter forward`, { silent: true });
+    logger.info('Cleared all egress bans.');
+  }
+
   /**
    * Performs the dynamic DNS update logic.
    * It checks if the public IP has changed and, if so, updates the configured DNS records.

package/src/server/start.js

@@ -119,7 +119,9 @@ class UnderpostStartUp {
      * @param {boolean} options.run - Whether to run the deployment.
      */
     async callback(deployId = 'dd-default', env = 'development', options = { build: false, run: false }) {
+      UnderpostRootEnv.API.set('container-status', `${deployId}-${env}-build-deployment`);
       if (options.build === true) await UnderpostStartUp.API.build(deployId, env);
+      UnderpostRootEnv.API.set('container-status', `${deployId}-${env}-initializing-deployment`);
       if (options.run === true) await UnderpostStartUp.API.run(deployId, env);
     },
     /**