[BlueOnyx:26299] Re: Saving APF Blacklist opens firewall

Michael Stauber mstauber at blueonyx.it
Thu Jun 15 11:52:08 -05 2023


Hi John,

> Possibly fail2ban is what I want ... I am not sure.

Yeah, it's the best option for detecting and blocking illicit access to 
the server. I'm currently rolling up the latest version of Fail2ban for 
5209R/5210R/5211R and it should be out tomorrow.

> But the settings page in BlueOnyx is just a long list of checkboxes.  No 
> explanation of how each setting works.

Hover over any option with the mouse-pointer for a second or two and a 
helptext will appear.

> And the wiki link from the settings page says: "This topic does not 
> exist yet: You've followed a link to a topic that doesn't exist yet. If 
> permissions allow, you may create it by clicking on “Create this page”."

Which GUI page is that? We do have Wiki-pages for most of them, so if 
there is something missing, I'd like to address it one of these days.

> There is also a settings page for Dfix2 that looks very appropriate.

I would advise against using Dfix2. Yeah, sure: It's a free package, but 
it's pretty ancient and works less well on more modern BlueOnyx versions.

> What I expected to see on the Dfix2 (or possibly fail2ban) settings page 
> was the ability to choose an input source, enter in the regex(s), and be 
> done.

Fail2ban is a very mature solution and it has regexps that cover pretty 
much all the eventualities that we usually want to block - and then 
some. But it also doesn't allow you to modify regexps via the GUI. We 
simply can't validate user-supplied regexps via the GUI, and an incorrect 
regexp will usually cause issues.

But the Fail2ban configs are pretty straightforward and can easily be 
adapted. And it has such widespread proliferation that probably 
someone already has the perfect rule and regexp for exactly the case 
you're looking for.

As I said: the latest version will be available as a PKG tomorrow and I 
would recommend giving it a try then. Fail2ban works nicely with APF 
and Firewalld and (if present) will use them to block offending IPs. In 
the absence of APF and Firewalld it'll use null-routes or (on 5209R) 
hosts.deny instead.

-- 
With best regards

Michael Stauber
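Added illustration, not part of the post above and not code from the Fail2ban project: a small Python model of what a Fail2ban jail does with a filter's failregex, run over a few constructed sshd log lines. It shows the two points made in the reply: a failregex that does not compile (or has no <HOST> tag) must be rejected before it is used, and a working filter plus the jail's maxretry/findtime window is all it takes to decide which IP to hand to APF or Firewalld. The <HOST> expansion below is a simplified stand-in for Fail2ban's own pattern, the log lines are constructed, and the year 2023 is assumed because syslog timestamps carry none; the ban decision is modelled on Fail2ban's documented behaviour, not copied from its source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fail2ban replaces the <HOST> tag of a failregex with a pattern that captures
# an address into a named group "host". This simplified stand-in is an
# assumption of this example, not Fail2ban's actual expansion.
HOST_TAG = r"(?P<host>[\w\-.:]+)"

# Constructed sample sshd log lines (not real server output).
SAMPLE_LOG = """\
Jun 15 11:40:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 15 11:40:04 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 15 11:40:08 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 15 11:40:09 web1 sshd[2106]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jun 15 11:41:30 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51140 ssh2
Jun 15 11:42:00 web1 sshd[2112]: Invalid user test from 192.0.2.33 port 60000
Jun 15 11:55:00 web1 sshd[2130]: Failed password for root from 192.0.2.33 port 60010 ssh2
"""

# Two failregex lines in the style of Fail2ban's sshd filter (written for this
# example; the real filter is larger).
SSHD_FAILREGEX = [
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+",
    r"sshd\[\d+\]: Invalid user \S+ from <HOST> port \d+",
]

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and compile; raise ValueError for a regex that would
    break a running jail. This is the validation a GUI cannot do for you."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex must contain <HOST>")
    try:
        return re.compile(failregex.replace("<HOST>", HOST_TAG))
    except re.error as exc:
        raise ValueError(f"invalid failregex: {exc}") from exc


def failregex_is_valid(failregex: str) -> bool:
    """True if the failregex would compile as a filter line, else False."""
    try:
        compile_failregex(failregex)
        return True
    except ValueError:
        return False


def parse_ts(line: str) -> datetime:
    """Parse the syslog timestamp; the year is assumed to be 2023."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp in line: {line!r}")
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2023)


def find_bans(log_text: str, failregexes: list, maxretry: int = 3,
              findtime_s: int = 600) -> dict:
    """Return {host: failures_in_window} for every host that reaches
    maxretry matches within findtime_s seconds, the jail's ban condition."""
    patterns = [compile_failregex(r) for r in failregexes]
    failures = defaultdict(list)   # host -> timestamps of recent matches
    banned = {}
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if not m:
                continue
            host, ts = m.group("host"), parse_ts(line)
            # keep only matches inside the findtime window, as the jail does
            window = [t for t in failures[host] if (ts - t).total_seconds() <= findtime_s]
            window.append(ts)
            failures[host] = window
            if len(window) >= maxretry and host not in banned:
                banned[host] = len(window)
            break   # one match per line is enough
    return banned


if __name__ == "__main__":
    for bad in ("Failed password from <HOST>(", "no host tag here"):
        print(f"{bad!r:45} valid={failregex_is_valid(bad)}")
    for host, n in find_bans(SAMPLE_LOG, SSHD_FAILREGEX).items():
        print(f"would ban {host} after {n} failures")
```

With the defaults (maxretry 3, findtime 600 s) only 203.0.113.7 crosses the threshold; 192.0.2.33 has two failures 13 minutes apart, so the first one has aged out of the window by the time the second arrives. On a real BlueOnyx box the same knobs live in the jail definition (maxretry, findtime, bantime) and the failregex in the filter file, and `fail2ban-regex <logfile> <filter>` is the tool to check a filter against a log before enabling the jail.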


