thank you Michael

I don't have Fail2ban enabled because I can't restart it (version 0.9.6-4 on 
5209R), but Dfix2 says this in /etc/apf/deny_hosts.rules:

# added 84.226.70.22 on 12/02/20 09:39:32 with comment: dFixblock2
84.226.70.22

maybe Dfix2 messed around with the Whitelist...

anyway, the user confessed he's running an NT machine (remember?:-) which is 
known not to be patched anymore, so I told him to disconnect it from his network.

the log files weren't revealing, just that 84.226.70.22 was whitelisted: 
apf(23931): {trust IPv4} allow all to/from 84.226.70.22

best regards

Meaulnes Legler
Zurich, Switzerland
+41 (0)44 260-1660

On 04.12.20 17:01, Michael Stauber wrote:
Hi Meaulnes,

• how come an entry in Allow Host Rules isn't permanent and can get
ignored?

• how can I find out which device behind this router using that
offending IP is abusing the output flow rating? E-mail clients usually
list in their outgoing mails the app name and the platform, can I read
such data in some APF log?

Entries in the APF Allow Host Rules are permanent and I don't know how
these could get lost.

However, there is a rare race-time issue where Fail2ban might order an
IP to be blocked and APF will erroneously block it even if the IP has
been whitelisted. Like I said: This is rare, but I have seen it happen. :-/

If you have Fail2ban, then you might want to go to "Server Management" /
"Security" / "Fail2ban" and add the whitelisted IP(s) to "Ignore IP's".
That will make sure Fail2ban doesn't blacklist them at all.

As for logfiles: /var/log/messages and /var/log/fail2ban.log might shed
some light on what happened. Just grep these for the IP in question to
see how, why and when this happened.
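Michael's advice above boils down to two checks: see whether the trusted IP also ended up in a deny rule, and grep the logs for that IP. As an added example (not code from either poster, nor from BlueOnyx, APF, Fail2ban or dFix2), here is a small POSIX sh script that does both against copies of the files, so it can be run without touching the live firewall. The allow-file name /etc/apf/allow_hosts.rules, the sample rule files and the second "deny" log line are assumptions constructed for the demo; only the "{trust IPv4} allow" line mirrors what the thread shows.

```sh
#!/bin/sh
# Added example: detect an IP that is both whitelisted and blacklisted in APF,
# and pull the apf/fail2ban log lines that mention it.
# Assumes APF's file names allow_hosts.rules / deny_hosts.rules; paths are
# passed as arguments so the check can run against copies of the files.

# ip_in_rules FILE IP -> exit 0 if IP appears as an uncommented rule in FILE
ip_in_rules() {
    file=$1; ip=$2
    [ -f "$file" ] || return 1
    # escape dots so 84.226.70.22 is matched literally, not as "any char"
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    # drop comment lines, then match the IP as a whole field (optional /CIDR)
    grep -v '^[[:space:]]*#' "$file" | grep -qE "^[[:space:]]*${esc}([[:space:]]|/|\$)"
}

# apf_conflict ALLOW_FILE DENY_FILE IP -> prints conflict|allowed|denied|unlisted
apf_conflict() {
    allow=$1; deny=$2; ip=$3
    a=0; d=0
    ip_in_rules "$allow" "$ip" && a=1
    ip_in_rules "$deny" "$ip" && d=1
    if [ "$a" = 1 ] && [ "$d" = 1 ]; then echo conflict
    elif [ "$a" = 1 ]; then echo allowed
    elif [ "$d" = 1 ]; then echo denied
    else echo unlisted
    fi
}

# ip_log_events LOGFILE IP -> prints only the apf(...)/fail2ban lines mentioning IP
ip_log_events() {
    grep -F "$2" "$1" | grep -E 'apf\(|fail2ban'
}

# demo_setup -> creates constructed sample files in a temp dir and prints its path
demo_setup() {
    dir=$(mktemp -d)
    # constructed: the office router is trusted in allow_hosts.rules ...
    cat > "$dir/allow_hosts.rules" <<'EOF'
# trusted office router
84.226.70.22
EOF
    # ... and was also written to deny_hosts.rules by dFix2 (as in the thread)
    cat > "$dir/deny_hosts.rules" <<'EOF'
# added 84.226.70.22 on 12/02/20 09:39:32 with comment: dFixblock2
84.226.70.22
# added 198.51.100.7 on 12/02/20 10:00:00 with comment: dFixblock2
198.51.100.7
EOF
    # constructed log excerpt; the first apf line mirrors the one from the thread,
    # the deny line is an assumed format for illustration only
    cat > "$dir/messages" <<'EOF'
Dec  2 09:39:32 host apf(23931): {trust IPv4} allow all to/from 84.226.70.22
Dec  2 09:39:33 host apf(23935): {trust IPv4} deny all to/from 84.226.70.22
Dec  2 09:40:00 host sshd[1]: Accepted publickey for admin from 203.0.113.5
EOF
    echo "$dir"
}

# Usage on the constructed data (on a real box, point the paths at /etc/apf
# and /var/log/messages or /var/log/fail2ban.log instead):
d=$(demo_setup)
echo "84.226.70.22: $(apf_conflict "$d/allow_hosts.rules" "$d/deny_hosts.rules" 84.226.70.22)"
ip_log_events "$d/messages" 84.226.70.22
```

The "conflict" result is exactly the state this thread describes: the IP is in the allow list and a deny rule was written for it anyway, so the next step is to check who wrote the deny entry (the comment line in deny_hosts.rules says dFix2 here) and, as Michael suggests, add the IP to Fail2ban's ignore list so the blocker never asks for it in the first place.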
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx