Manual removal from blacklists
Currently, if an IP address gets onto a blacklist (because it attacked over telnet, or something), it gets out some 10 days after it stops attacking. However, there might be times when we want to remove an IP address from the list manually sooner than that. On the other hand, we can't simply whitelist the address, since it could start attacking again and we would be unprotected.
The idea is to:
- Identify what tables the blacklist is generated from (currently it is likely `biflows` and `router_loggedpacket`).
- Add a new column tentatively named `active`, which is true by default.
- When computing the blacklist, consider only the rows that are active.
This way we could simply ignore all the attacks that happened until today, but still consider any future ones.
If this is considered/implemented after we switch the blacklist computation to some more streaming way (e.g. keeping the current scores in RAM and updating them as new things arrive), we'll need to signal the thing keeping the score to drop the given IP address at the same time as we set the `active` flags to false, otherwise the in-memory score would keep the address blacklisted even though the database rows no longer count.