rarias/bscpkgs
rarias/bscpkgs
Archived
2
0
Fork 3
Code Issues 2 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

Silently ban OpenVAS BSC scanner from apex

Browse Source 
It is spamming our logs with refused connection lines:

apex% sudo journalctl -b0 | grep 'refused connection.*SRC=192.168.8.16' | wc -l
13945

Reviewed-by: Aleix Boné <abonerib@bsc.es>
This commit is contained in:
Rodrigo Arias 2025-07-15 17:30:20 +02:00
parent b802f88df9
commit 7379e84e79
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
m/apex/configuration.nix
View File

@ -65,6 +65,14 @@
ProxyJump raccoon ProxyJump raccoon
''; '';
networking.firewall = {
extraCommands = ''
# Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
# logs. Insert as first position so we also protect SSH.
iptables -I nixos-fw 1 -p tcp -s 192.168.8.16 -j nixos-fw-refuse
'';
};
# Use tent for cache # Use tent for cache
nix.settings = { nix.settings = {
extra-substituters = [ "https://jungle.bsc.es/cache" ]; extra-substituters = [ "https://jungle.bsc.es/cache" ];