- 09 Feb, 2017 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 20 Jan, 2017 1 commit
-
-
Michal 'vorner' Vaner authored
Since we use our own CA, we need wget to verify it against that. Include the certificate and link to it.
-
- 01 Dec, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
The Mirai botnet uses some more interesting ports.
-
- 28 Nov, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 20 Nov, 2016 2 commits
-
-
Michal 'vorner' Vaner authored
-
Michal 'vorner' Vaner authored
Add definitions so the events from http proxies may be inserted into the DB.
-
- 29 Sep, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 07 Sep, 2016 2 commits
-
-
Michal 'vorner' Vaner authored
-
Michal 'vorner' Vaner authored
• Add the new type of server.
• Add some more columns to the DB, for new information types.
• Fix order in the initdb script, so it actually works.
-
- 17 Aug, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 09 Aug, 2016 2 commits
-
-
Michal 'vorner' Vaner authored
The new updater won't have pre-processed packages. Use the original OpenWRT repositories.
-
Michal 'vorner' Vaner authored
-
- 14 Jul, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 08 Jul, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 21 Jun, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
It produced no usable output, took a bunch of resources and was otherwise annoying.
-
- 19 May, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 18 May, 2016 2 commits
-
-
Michal 'vorner' Vaner authored
So we can cache and reuse the result of an expensive query for the fake blacklist.
-
Michal 'vorner' Vaner authored
-
- 17 May, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 12 May, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
To allow repack to work.
-
- 10 May, 2016 3 commits
-
-
Michal 'vorner' Vaner authored
As it is needed by pg_repack and this is one of the large tables where it makes sense to repack.
-
Michal 'vorner' Vaner authored
And avoid the cost of their updates.
-
Michal 'vorner' Vaner authored
Then we can drop the other index, as it is not used.
-
- 27 Apr, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 16 Mar, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
• Update the scripts to be more up to date.
• Import the remaining script to the repository.
• Not reviewed ‒ single-purpose scripts run manually.
-
- 10 Mar, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 24 Feb, 2016 2 commits
-
-
Michal 'vorner' Vaner authored
That way we are sure we have the current state still in the table. Also, when deleting several days old events, we still have recent history. This is to prevent the last event of a too long active client from dropping out.
-
Michal 'vorner' Vaner authored
Create the table for the plugin history storage. Update the clean up script, so the history is cleaned up accordingly.
-
- 28 Jan, 2016 2 commits
-
-
Michal 'vorner' Vaner authored
With SELECT *, it is impossible to drop columns (needed during migration to new data types).
-
Michal 'vorner' Vaner authored
-
- 25 Jan, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
The ssh honeypot now provides local IP addresses. Use them in the export.
-
- 22 Jan, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
Some data come from the attacker. And not all attackers know that passwords should be in UTF8, so accept everything simply as raw data.
-
- 20 Jan, 2016 3 commits
-
-
Michal 'vorner' Vaner authored
Allow changing the size of an IPset. The infrastructure should be able to handle it now.
-
Michal 'vorner' Vaner authored
Don't include the addresses excluded from analysis into the export. Also, reuse some code from the builders of address lists.
-
Michal 'vorner' Vaner authored
• Simplify the rules for inclusion in the blacklist. Count score for each client, leave out the low-score clients (hardcoded for 100 now, adjusting the scores for events to match that) and sum them together across each attacker IP. These are compared to limits.
• Split the computation of this into several views, to improve readability and understandability (this way it looks more procedural, as the views can be understood to be done one by one).
• Include the ssh honeypot as one of the sources.
-
- 18 Jan, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
Ensure the inet→text conversion in build_fwup_sets.pl doesn't produce /32 at the end, as ucollect master doesn't handle that.
-
- 15 Jan, 2016 1 commit
-
-
Michal 'vorner' Vaner authored
-
- 18 Dec, 2015 1 commit
-
-
Michal 'vorner' Vaner authored
Keep the attackers that drop out of the fake logs still blocked if they get caught on the firewall. Do so by scanning the firewall logs for addresses we would like to delete from the filter.
-
- 03 Dec, 2015 2 commits
-
-
Michal 'vorner' Vaner authored
When the set size needs to be updated, warn about it, as the firewall definitions need to be updated.
-
Michal 'vorner' Vaner authored
The firewall rules use names ending with _X; the plain ones are the temporary sets.
-