PSAD / removed iptables block

Question

I'm pretty new to PSAD but eagerly getting into it to have a safer installation. But some understanding is missing

I've had yesterday the following notification :

[psad-status] removed iptables block against xxx.xxx.xxx.xx

It was an automatic notification, my problem right here is that there is no particular reason that I understand so far that would white-list automatically an IP

This is quite a problem as I'd like to rely on a strict behaviour, but without understanding well what happened, can't be sure about it. Nothing accurate found googling about this specific one

Thanks a lot for your help

score 0 · Answer 1 · answered Aug 14 '15 at 02:10

It didn't whitelist that IP, it merely unblacklisted it. Presumably it did so because a previous time-based block expired. The documentation, or more detailed logging, may provide you with more information about exactly what happened in this particular instance.

score 0 · Answer 2 · edited Jun 11 '20 at 10:02

0

That message is caused by an address being removed from the blacklist because it has reached the timeout limit.

AUTO_BLOCK_TIMEOUT

Defines the length of time that an auto-generated block rule will remain in effect (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default is "3600" seconds (one hour).

edited Jun 11 '20 at 10:02

Community

1

answered Aug 14 '15 at 06:14

user9517

114,104
20
206
289

PSAD / removed iptables block

2 Answers2