On 23-09-22 08:15, Brook Milligan wrote:
| It seems that enabling blocklistd on any internet-facing host is
| best practice, no? If so, it seems relevant that an admin might
| want to keep tabs on what is being blocked.

This proposal seems more than reasonable to me. I have used similar
functionality on other systems, such as fail2ban. (While fail2ban has
finer-grained per-service reporting, I'm not advocating for scope creep
in your proposal.)

| I propose adding a bit to /etc/daily to run "blocklistctl dump" as
| part of the daily tasks. Of course, it would be controlled by a
| variable, default off, in /etc/daily.conf, so current behavior would
| not change unless opted in. See the attached patch.

Looks ok.

Bikeshed request - rename the variables. You currently have:

    report_blocklist=NO
    blocklistctl_flags=""

and for consistency it might be better as

    report_blocklist=NO
    report_blocklist_flags=""

?

| Bikeshed topic: should this be in /etc/security instead?

I have no preference either way.

cheers,
Luke.
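A sketch of the /etc/daily fragment the proposal describes, using the renamed variables from the reply. This is an added example, not the attached patch: the blocklistctl_cmd indirection and the default handling are assumptions so the fragment can be exercised without a running blocklistd.

```shell
#!/bin/sh
# Added example of an opt-in daily report for blocklistd.
# Defaults mirror what /etc/daily.conf would carry: off unless set to YES.
report_blocklist=${report_blocklist:-NO}
report_blocklist_flags=${report_blocklist_flags:-""}
# Assumption: indirection so the command can be swapped for a stub in tests.
blocklistctl_cmd=${blocklistctl_cmd:-blocklistctl}

# Emit the report section only when the admin has opted in.
# Returns 0 when a report was produced and 1 when the section was skipped,
# so a caller (or the daily script's own status handling) can tell them apart.
run_blocklist_report() {
    case "$report_blocklist" in
    [Yy][Ee][Ss])
        echo ""
        echo "Blocked addresses (blocklistctl dump):"
        # Flags are intentionally left unquoted so a multi-word
        # report_blocklist_flags value is split into separate arguments.
        # shellcheck disable=SC2086
        "$blocklistctl_cmd" dump $report_blocklist_flags
        ;;
    *)
        return 1
        ;;
    esac
}
```

With the default NO the function produces nothing and returns 1, so an unchanged /etc/daily.conf keeps today's behaviour.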