Brute force ban list disappearing

FbxSteve
Posts: 5
Joined: Tue Sep 15, 2015 8:16 pm


Post by FbxSteve » Sun Nov 29, 2015 4:02 pm

I had been running Murus 1.3 since September and it had accumulated an extensive brute force ban list. Yesterday, I updated to 1.3.5. In the process, all addresses in the brute force ban list disappeared from Tools>Proactivity>Adaptive Services. Using the very welcome addition of the ability to block all connections from a particular country, I blocked all connections from China (where the vast majority of the addresses on the brute force ban list originated). Shortly after the update, an IP address within the U.S. appeared in the ban list. This morning, I added two more countries (Russia and Ukraine) to the ban list, stopped and restarted the PF firewall, and in the process this U.S. address disappeared. What's going on with these banned addresses? Am I losing them each time I stop and restart?

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: Brute force ban list disappearing

Post by hany » Tue Dec 01, 2015 3:49 pm

Yes, the brute force ban list is not persistent. It is stored in a runtime PF table, and if PF is reset, the table itself is emptied. This cannot be changed, but there's room for improvement.
Look, Murus offers a persistent blacklist which can contain groups, and a special hardcoded and blacklisted group named "blocked-hosts" that can contain addresses. These 2 are the places to put persistent bans for groups and addresses. Unfortunately, there is no fast way to "move" adaptive services' blocked IPs (from the proactivity window) to the "blocked-hosts" persistent group. So, with the current version of Murus, you must do it by hand.
That's a Murus functionality flaw.

The next Murus minor update will *for sure* introduce a way to do what you need.
For example, there may be a button in the proactivity window to "synch" these adaptive blocks with the ban list (actually with the "blocked-hosts" blacklisted group).
If you have a better idea, let me know; I'll start implementing it right now.

And, by the way, thank you for submitting this issue to us.
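
An added example, not part of the original posts and not Murus code: because the runtime PF table is emptied when PF is reset, the sketch below snapshots a table with `pfctl -t <table> -T show` before a restart and merges the addresses into a de-duplicated text file, which can then be used as the source for entries in the persistent "blocked-hosts" group. The table name, the file path and the function names are assumptions; the real table names on a system are listed by `pfctl -s Tables`.

```shell
#!/bin/sh
# Added example (not Murus code). TABLE and PERSIST are placeholders:
# list the real table names with `pfctl -s Tables`.
TABLE="${TABLE:-bruteforce_placeholder}"
PERSIST="${PERSIST:-$HOME/pf-persistent-bans.txt}"

# merge_bans SNAPSHOT PERSIST
# SNAPSHOT holds `pfctl -t <table> -T show` output (one indented address
# per line). Valid-looking entries are merged into PERSIST, sorted and
# de-duplicated. Prints how many addresses were new.
merge_bans() {
    snapshot=$1
    persist=$2
    [ -f "$persist" ] || : > "$persist"
    tmp=$(mktemp) || return 1
    before=$(sort -u "$persist" | wc -l | tr -d ' ')
    # Loose shape check only (IPv4 or IPv6, optional /prefix); anything
    # else, such as stray text, is dropped rather than saved.
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$snapshot" |
        grep -E '^(([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?|[0-9A-Fa-f]*:[0-9A-Fa-f:]+(/[0-9]{1,3})?)$' |
        sort -u - "$persist" > "$tmp"
    after=$(wc -l < "$tmp" | tr -d ' ')
    mv "$tmp" "$persist"
    echo $((after - before))
}

# snapshot_bans: run as root before stopping or restarting PF.
snapshot_bans() {
    snap=$(mktemp) || return 1
    pfctl -t "$TABLE" -T show > "$snap" || { rm -f "$snap"; return 1; }
    merge_bans "$snap" "$PERSIST"
    rm -f "$snap"
}

# Constructed sample run (documentation addresses): sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf '   203.0.113.7\n   2001:db8::1\nnot-an-address\n' > "$d/snap"
    printf '203.0.113.7\n' > "$d/persist"
    echo "new addresses: $(merge_bans "$d/snap" "$d/persist")"
    cat "$d/persist"
    rm -rf "$d"
fi
```

Running `snapshot_bans` again after later bans only appends addresses that are not already in the file, so it is safe to call before every PF restart.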

FbxSteve
Posts: 5
Joined: Tue Sep 15, 2015 8:16 pm

Re: Brute force ban list disappearing

Post by FbxSteve » Wed Dec 02, 2015 1:25 am

Hi,

Thanks for the response. I think a button in the Proactivity window to copy the brute-force banned IP addresses to the "blocked-hosts" blacklisted group would be a great way to resolve this issue.

And thanks for developing Murus - it is a great product that has solved so many problems for me!
