Banned IP in loop

I’ve been dealing with ssh and other port attacks today as well and noticed this problem, logged by emond.

Apple Mac OS X Leopard Server (10.5) has an Adaptive Firewall feature, a very useful function: given an IP address and a time-to-live value in minutes, it instantly bans that IP for about that many minutes.

The symptom shows up in /var/log/system.log: the same host is announced as blocked again and again, and one entry even carries a garbled host value ("by") instead of an address.

Oct 26 10:16:44 server emond[113]: Host at 69.162.110.123 will be blocked for at least 15.00 minutes
Oct 26 10:16:44 server emond[4349]: DoRunAction (child): setting the uid/gid to 0/0
Oct 26 10:16:49 server emond[113]: Host at by will be blocked for at least 15.00 minutes
Oct 26 10:16:49 server emond[4363]: DoRunAction (child): setting the uid/gid to 0/0
Oct 26 10:16:49 server emond[113]: Host at 69.162.110.123 will be blocked for at least 15.00 minutes
Oct 26 10:16:49 server emond[4365]: DoRunAction (child): setting the uid/gid to 0/0
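In a short excerpt the loop is obvious, but on a busy server a small checker over system.log helps. The following is an added example, not code from the original post: it parses the emond block messages, flags hosts whose ban is announced again before the previous TTL has elapsed (meaning the rule was never really applied), and separately reports entries whose "host" is not an IP address, like the "by" above. The sample log and the assumed year are constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample of /var/log/system.log, modelled on the symptom in the post.
SAMPLE_LOG = """\
Oct 26 10:16:44 server emond[113]: Host at 69.162.110.123 will be blocked for at least 15.00 minutes
Oct 26 10:16:44 server emond[4349]: DoRunAction (child): setting the uid/gid to 0/0
Oct 26 10:16:49 server emond[113]: Host at by will be blocked for at least 15.00 minutes
Oct 26 10:16:49 server emond[4363]: DoRunAction (child): setting the uid/gid to 0/0
Oct 26 10:16:49 server emond[113]: Host at 69.162.110.123 will be blocked for at least 15.00 minutes
Oct 26 10:16:49 server emond[4365]: DoRunAction (child): setting the uid/gid to 0/0
Oct 26 10:40:02 server emond[113]: Host at 10.0.0.9 will be blocked for at least 15.00 minutes
"""

BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ emond\[\d+\]: "
    r"Host at (?P<host>\S+) will be blocked for at least (?P<ttl>[\d.]+) minutes$"
)

def parse_block_events(log_text, year=2009):
    """Return (timestamp, host, ttl_minutes) for each emond block message.
    system.log timestamps carry no year, so one is assumed (hypothetical)."""
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], float(m["ttl"])))
    return events

def find_ban_loops(log_text):
    """Return {'looping': {host: repeats}, 'malformed': [host, ...]}.
    'looping': the block for a host is announced again before its previous
    TTL ran out, so the firewall never actually enforced the ban.
    'malformed': the announced host is not an IP address, so no rule can apply."""
    last_block, looping, malformed = {}, {}, []
    for ts, host, ttl in parse_block_events(log_text):
        try:
            ip_address(host)
        except ValueError:
            malformed.append(host)
            continue
        prev = last_block.get(host)
        if prev is not None and (ts - prev[0]).total_seconds() < prev[1] * 60:
            looping[host] = looping.get(host, 0) + 1
        last_block[host] = (ts, ttl)
    return {"looping": looping, "malformed": malformed}

if __name__ == "__main__":
    print(find_ban_loops(SAMPLE_LOG))
```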

As a solution, run the afctl command as the super-user:

sudo /usr/libexec/afctl -f

afctl should set the start_behavior key to enable in /etc/af.plist:

start_behavior
enable

Also verify the firewall_address key (the IP address the firewall binds to) and fix it by hand if it is wrong:

firewall_address
xxx.xxx.xxx.xxx

Finally, restart the firewall module with serveradmin:

sudo serveradmin stop ipfilter
sudo serveradmin start ipfilter