emond keeps me locked out of my server via SSH
I've been grappling with emond (and maybe afctl) all afternoon, and I'm trying to figure out how to fix this. Basically, I'm trying to SSH into my Mac Mini server (10.9.5 with Server 3.2.2) but I keep getting blocked by emond after 2 failed password attempts for 300 minutes. All I'm trying to do is clone a repository of mine.
My questions are:
1) Where can I change the time of this setting? I've looked at the files that the Apple man pages for emond refer to for their default settings and I don't see anything in there for the 300 minute block. The only other time I find is in DHABlockList.plist and it's only set for 60 (minutes, I presume).
2) Where can I change the number of failed login attempts before the user gets blocked by emond?
3) Even after removing my local IP address from the adaptive firewall's block list, and then explicitly adding it to the white list, I'm still unable to connect over SSH without the server rejecting the login attempt because I'm blocked. Is there another setting for emond that I can change to allow my local IP address in?
Edit: Here's an example of the log I see. I should note that this message is emond blocking the IP address of the server (which is confusing since this is the IP it's running on). The machine I'm using is at 192.168.1.154. This message was created after I logged in over SSH, logged out, then tried to log back in from my machine.
emond (Event Monitor Daemon) is just a "proxy" here. Based on several rules the daemon initiates several actions like logging events, sending emails or blocking hosts or users with the help of afctl activating the pf-anchor here: /Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall.
The rule for the adaptive firewall is located at
/Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
and is named AdaptiveFirewall.plist.
To modify the rule, afctl is the means of choice.
To run afctl enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl
The following list contains all available commands:
-a ip_address [-t ttl] adds the given IPv4 or IPv6 address to the blacklist for ttl minutes
-r ip_address removes the given ip address from the blacklist
-w ip_address adds the given ip address to the whitelist
-x ip_address removes the given ip address from the whitelist
-d disables all firewall rules managed by afctl
-e enables all firewall rules disabled by -d
-c self configure, populates the whitelist
-T failure_threshold sets the threshold of bad auth attempts for a single host
-H default_ttl sets the default block time
-X disables the adaptive firewall
-f enables the adaptive firewall and forces it into an active state
To change the block time enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -H time
To change the failure threshold enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -T number
To whitelist an ip enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w ip-address
To check if your whitelist is properly populated, open /var/db/af/whitelist. It should contain all IPv4/v6 addresses of your server (127.0.0.1 included) as well as your DNS server and all other IPs that have to be whitelisted.
You probably have to re-configure and activate it afterwards with:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f
The entered values don't seem to give precise results. E.g. after entering
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -T 3
I experienced blocks after 1-4 failed password attempts and the real block time may vary widely.
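The steps in the answer above (set the threshold and block time, whitelist the client, re-run self-configuration, force the firewall active, then inspect /var/db/af/whitelist) as one script. This is an added example, not code from the original answer or from Apple: the afctl and whitelist paths are the ones quoted in the answer, while the function names, the REQUIRED list (::1 is my addition for the IPv6 loopback), the apply/check argument convention and the decision to run without sudo (run it from a root shell instead) are my own assumptions. The whitelist checks run offline against any file, so you can test them without touching the server.

```sh
#!/bin/sh
# Added example (not the original answer's code). Wraps the afctl steps from the
# answer and adds two offline checks on the whitelist file. Run as root:
#   sh af-setup.sh apply 5 10 192.168.1.154     (threshold 5, block 10 min)
#   sh af-setup.sh check 192.168.1.154           (is the client whitelisted?)
set -u

# Paths quoted in the answer; override via the environment if Server.app moved.
AFCTL="${AFCTL:-/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl}"
WHITELIST="${WHITELIST:-/var/db/af/whitelist}"
# Addresses the answer says must always be present (loopback). ::1 is an
# assumption for the IPv6 loopback; add your server's own IPs and DNS server.
REQUIRED="127.0.0.1 ::1"

# af_whitelisted ADDR [FILE]: exit 0 if ADDR is a whole line in FILE (default
# $WHITELIST), 1 if absent, 2 if FILE cannot be read. Lines starting with # are
# ignored; a prefix match like 192.168.1.1 vs 192.168.1.154 does NOT count.
af_whitelisted() {
    addr="$1"; file="${2:-$WHITELIST}"
    [ -r "$file" ] || return 2
    grep -v '^[[:space:]]*#' -- "$file" | grep -qxF -- "$addr"
}

# af_missing FILE [ADDR...]: print, one per line, every address from REQUIRED
# and the arguments that is not in FILE. Exit 0 only if nothing is missing.
af_missing() {
    file="$1"; shift
    missing=""
    for a in $REQUIRED "$@"; do
        af_whitelisted "$a" "$file" || missing="$missing $a"
    done
    for a in $missing; do echo "$a"; done
    [ -z "$missing" ]
}

# af_apply THRESHOLD TTL [ADDR...]: set the failure threshold (-T) and default
# block time in minutes (-H), whitelist each ADDR (-w), then re-run self
# configuration (-c) and force the firewall active (-f), in the order the
# answer gives. Afterwards verify that every expected address really landed
# in the whitelist, since the answer notes the results are not always precise.
af_apply() {
    threshold="$1"; ttl="$2"; shift 2
    "$AFCTL" -T "$threshold" || return 1
    "$AFCTL" -H "$ttl" || return 1
    for a in "$@"; do
        "$AFCTL" -w "$a" || return 1
    done
    "$AFCTL" -c || return 1
    "$AFCTL" -f || return 1
    af_missing "$WHITELIST" "$@"
}

case "${1:-}" in
    apply) shift; af_apply "$@" ;;
    check) shift; af_missing "$WHITELIST" "$@" ;;
esac
```

If `check` reports your client address as missing even after `-w`, that matches the symptom in the question: the whitelist file is the ground truth the pf anchor is built from, so re-run `-c` and `-f` and check again before assuming a second emond setting is involved.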