Symbiosis firewall blacklist auto entries not updated


For a while now I’ve noticed Symbiosis blacklist entries are not being automatically added to the /etc/symbiosis/firewall/blacklist.d directory.

My IP is still whitelisted automatically.

Any suggestions where I can start looking to work out why this may not be happening any more? It’s been ‘down’ for months (though still presumably works with manually added entries).


Which version of Symbiosis? Entries are being added to /etc/symbiosis/firewall/blacklist.d on the vm I have running SymStretch.


I’m on Stretch, however it wasn’t working well under Jessie either.


I’m using Jessie for production but I’m currently testing Stretch. Spookily I received this output on Jessie this pm:

/usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:84:in `rescue in block (2 levels) in apply': undefined method `verbose' for #<Symbiosis::Firewall::Pattern:0x000000024b9d10> (NoMethodError)
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:81:in `block (2 levels) in apply'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:77:in `each'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:77:in `block in apply'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:76:in `each'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:76:in `apply'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:119:in `block in do_read'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:87:in `each'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:87:in `do_read'
    from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:59:in `generate'
    from /usr/sbin/symbiosis-firewall-blacklist:221:in

Unsure what it means though!?!


I’ve just looked up on a client’s VM, still running Jessie but at least on the surface an identical machine, and it’s happily pushing auto entries to the blacklist directory. So what can I ‘diff’ or equivalent to find out why it’s working there and not on mine?


Late response (holiday taking) but if you’re still looking…

I believe the stock patterns are largely out-of-date so it may just be that machine_1 is getting hit on one of the pattern/rules that works (e.g. ssh login) while machine_2 isn’t. So, I’d start by looking at the logs and patterns, then the SQLite databases, then the code.

This post looks vaguely accurate on how to dig around.
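A quick way to do the first step of that advice (check whether a pattern still matches what the log actually says) is to run the pattern over a slice of the log by hand. The Ruby below is an added illustration, not Symbiosis code: the regexes, the threshold, the constructed log lines and the ".auto" file-name suffix are all assumptions, so compare them against the real pattern files and blacklist.d on your VM.

```ruby
#!/usr/bin/env ruby
# Added example (not from Symbiosis): apply a log pattern to sample log
# lines and report which IPs would earn an automatic blacklist entry.
require 'ipaddr'

# Constructed auth.log sample; not taken from the original post.
SAMPLE_LOG = <<~LOG
  Jan 10 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
  Jan 10 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 4445 ssh2
  Jan 10 10:01:09 host sshd[1236]: Failed password for root from 203.0.113.5 port 4446 ssh2
  Jan 10 10:02:00 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
  Jan 10 10:03:00 host sshd[1241]: Failed password for invalid user test from 198.51.100.9 port 1111 ssh2
LOG

# Assumed "ssh login" style pattern; the named capture "ip" is what gets listed.
SSH_FAILED = /sshd\[\d+\]: Failed password for .* from (?<ip>[0-9a-fA-F.:]+) port \d+/
# An out-of-date variant (old IPv4-mapped "::ffff:" phrasing): matches nothing
# in a current log, which is the "stock patterns are stale" failure mode.
SSH_FAILED_STALE = /sshd\[\d+\]: Failed password for .* from ::ffff:(?<ip>[0-9.]+)/

# Count pattern hits per IP, skipping anything covered by the whitelist.
def count_hits(log, pattern, whitelist: [])
  counts = Hash.new(0)
  log.each_line do |line|
    m = pattern.match(line) or next
    begin
      ip = IPAddr.new(m[:ip])
    rescue IPAddr::InvalidAddressError
      next # malformed capture: never blacklist on garbage
    end
    next if whitelist.any? { |w| IPAddr.new(w).include?(ip) }
    counts[ip.to_s] += 1
  end
  counts
end

# IPs at/above the threshold, as the file names that would land in
# blacklist.d (".auto" suffix for automatic entries is an assumption).
def candidate_entries(log, pattern, threshold: 3, whitelist: [])
  count_hits(log, pattern, whitelist: whitelist)
    .select { |_ip, n| n >= threshold }
    .keys.sort.map { |ip| "#{ip}.auto" }
end

if $PROGRAM_NAME == __FILE__
  puts "current pattern hits: #{count_hits(SAMPLE_LOG, SSH_FAILED)}"
  puts "stale pattern hits:   #{count_hits(SAMPLE_LOG, SSH_FAILED_STALE)}"
  puts "would write to /etc/symbiosis/firewall/blacklist.d/: #{candidate_entries(SAMPLE_LOG, SSH_FAILED).inspect}"
end
```

If the stale-style pattern is the one your machine ships with, an empty hit list is exactly what you would see: nothing is broken in the firewall code, the rule simply never fires.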


After much searching and some experimentation, I look to have got fail2ban working with iptables and it is now blocking brute-force attacks. Thanks for the input. Think I can now safely ignore the blacklist folder, although I think it still has use for very quick manual additions when I can’t remember the commands to add to iptables! :)