Silently ban OpenVAS BSC scanner from apex

It is spamming our logs with refused connection lines: apex% sudo journalctl -b0 | grep 'refused connection.*SRC=192.168.8.16' | wc -l 13945 Reviewed-by: Aleix Boné <abonerib@bsc.es>
2025-07-15 17:30:20 +02:00 · 2025-07-15 17:30:20 +02:00 · a6698e6a6b
commit a6698e6a6b
parent b394c5a8f4
1 changed files with 8 additions and 0 deletions
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@ -65,6 +65,14 @@
      ProxyJump raccoon
  '';

+  networking.firewall = {
+    extraCommands = ''
+      # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
+      # logs. Insert as first position so we also protect SSH.
+      iptables -I nixos-fw 1 -p tcp -s 192.168.8.16 -j nixos-fw-refuse
+    '';
+  };
+
  # Use tent for cache
  nix.settings = {
    extra-substituters = [ "https://jungle.bsc.es/cache" ];