From 7379e84e79f955ba5776e9ca147558adfc9767d0 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Tue, 15 Jul 2025 17:30:20 +0200
Subject: [PATCH] Silently ban OpenVAS BSC scanner from apex
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is spamming our logs with refused connection lines:

apex% sudo journalctl -b0 | grep 'refused connection.*SRC=192.168.8.16' | wc -l
13945

Reviewed-by: Aleix Boné
---
 m/apex/configuration.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix
index 0f59f8f..59f21d7 100644
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -65,6 +65,14 @@
 ProxyJump raccoon
 '';
 
+ networking.firewall = {
+ extraCommands = ''
+ # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
+ # logs. Insert as first position so we also protect SSH.
+ iptables -I nixos-fw 1 -p tcp -s 192.168.8.16 -j nixos-fw-refuse
+ '';
+ };
+
 # Use tent for cache
 nix.settings = {
 extra-substituters = [ "https://jungle.bsc.es/cache" ];
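Review bot: The new rule matches only TCP (`-p tcp`), so UDP and ICMP probes from 192.168.8.16 — which a vulnerability scanner typically also sends — would, as far as I can tell, still fall through to the default logging path and keep producing the refused-connection lines the commit sets out to silence; dropping the protocol match, `iptables -I nixos-fw 1 -s 192.168.8.16 -j nixos-fw-refuse`, covers all protocols from that host. Separately, blackholing the institutional scanner means apex disappears from BSC's scan results, so any real exposure on this host goes unreported; if the concern is only log noise, skipping the log step for this source (a rule ahead of the logging jump rather than ahead of the whole chain) or agreeing an exception with the scanner operators would preserve coverage, and the decision taken should be recorded in the comment. The comment should also state why the jump target is `nixos-fw-refuse` rather than the default path, since that appears to be what makes the ban "silent": `# Jump straight to nixos-fw-refuse (not nixos-fw-log-refuse) so the drop is not logged.` Note that `iptables` in `extraCommands` is IPv4-only, which is fine for this literal address but would need an `ip6tables` counterpart if the scanner ever probes over IPv6. The enclosing module attribute set starts and ends outside the hunk.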