Symbiosis firewall blacklist auto entries not updated


#1

For a while now I’ve noticed Symbiosis blacklist entries are not being automatically added to the /etc/symbiosis/firewall/blacklist.d directory.

My IP is still whitelisted automatically.

Any suggestions where I can start looking to work out why this may not be happening any more? It’s been ‘down’ for months (though still presumably works with manually added entries).


#2

Which version of Symbiosis? Entries are being added to /etc/symbiosis/firewall/blacklist.d on the vm I have running SymStretch.


#3

I’m on Stretch, however it wasn’t working well under Jessie either.


#4

I’m using Jessie for production but I’m currently testing Stretch. Spookily I received this output on Jessie this pm:

/usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:84:in `rescue in block (2 levels) in apply': undefined method `verbose' for #<Symbiosis::Firewall::Pattern:0x000000024b9d10> (NoMethodError)
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:81:in `block (2 levels) in apply'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:77:in `each'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:77:in `block in apply'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:76:in `each'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/pattern.rb:76:in `apply'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:119:in `block in do_read'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:87:in `each'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:87:in `do_read'
from /usr/lib/ruby/vendor_ruby/symbiosis/firewall/blacklist.rb:59:in `generate'
from /usr/sbin/symbiosis-firewall-blacklist:221:in

Unsure what it means though!?!


#5

I’ve just looked up on a client’s VM, still running Jessie but at least on the surface an identical machine, and it’s happily pushing auto entries to the blacklist directory. So what can I ‘diff’ or equivalent to find out why it’s working there and not on mine?


#6

Late response (holiday taking) but if you’re still looking…

I believe the stock patterns are largely out-of-date so it may just be that machine_1 is getting hit on one of the pattern/rules that works (e.g. ssh login) while machine_2 isn’t. So, I’d start by looking at the logs and patterns, then the SQLite databases, then the code.

This post looks vaguely accurate on how to dig around.
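The failure mode described in the reply above (a stale pattern that simply never matches current log lines, so the blacklist directory silently stays empty) can be reproduced in a few lines. The following is an added illustration, not Symbiosis code: the log lines are constructed, the two patterns are hypothetical stand-ins for an out-of-date and an updated rule, and the one-file-per-IP output layout is an assumption about the blacklist.d convention.

```ruby
# Added example (not Symbiosis code): shows why an out-of-date log pattern
# produces zero blacklist entries while an updated one still does.
require 'tmpdir'

# Constructed sshd log lines, assumed to mimic a current Debian auth.log.
SAMPLE_LOG = <<~LOG
  Jun  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
  Jun  3 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 4023 ssh2
  Jun  3 10:01:09 host sshd[1240]: Failed password for invalid user test from 198.51.100.7 port 5110 ssh2
  Jun  3 10:02:00 host sshd[1250]: Accepted publickey for deploy from 192.0.2.10 port 6000 ssh2
  Jun  3 10:02:30 host sshd[1260]: Failed password for root from 203.0.113.5 port 4030 ssh2
LOG

# Hypothetical "stale" pattern: matches wording that sshd no longer emits.
STALE_PATTERN   = /Illegal user \S+ from (?<ip>\d+\.\d+\.\d+\.\d+)/
# Hypothetical "current" pattern: matches the failed-password lines above.
CURRENT_PATTERN = /Failed password for .* from (?<ip>\d+\.\d+\.\d+\.\d+) port \d+/

# Count matching lines per source IP for one pattern.
def count_hits(log_text, pattern)
  counts = Hash.new(0)
  log_text.each_line do |line|
    m = pattern.match(line)
    counts[m[:ip]] += 1 if m
  end
  counts
end

# IPs at or above the threshold: the candidates for a blacklist entry.
def offenders(log_text, pattern, threshold)
  count_hits(log_text, pattern).select { |_ip, n| n >= threshold }.keys.sort
end

# Write one empty file per offending IP, mirroring a one-file-per-address
# blacklist.d-style directory (assumption: the file name is the IP).
def write_blacklist(dir, ips)
  ips.each { |ip| File.write(File.join(dir, ip), "") }
  Dir.children(dir).sort
end

if __FILE__ == $0
  puts "stale pattern offenders:   #{offenders(SAMPLE_LOG, STALE_PATTERN, 2).inspect}"
  puts "current pattern offenders: #{offenders(SAMPLE_LOG, CURRENT_PATTERN, 2).inspect}"
  Dir.mktmpdir do |dir|
    puts "files written: #{write_blacklist(dir, offenders(SAMPLE_LOG, CURRENT_PATTERN, 2)).inspect}"
  end
end
```

Running it shows the stale pattern yielding no offenders at all while the current one flags the repeat offender, which is the quickest way to tell "the rule is broken" apart from "nothing is attacking this machine" when comparing two otherwise identical hosts.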


#7

After much searching and some experimentation, I look to have got fail2ban working with iptables and it is now blocking brute-force attacks. Thanks for the input. Think I can now safely ignore the blacklist folder, although I think it still has use for very quick manual additions when I can’t remember the commands to add to iptables! :slight_smile: