Honestly… Yes. Bolding the first hit i received reading the messages.
So… You have a Threat shield module installed. And at least a list is willing to be downloaded.
Please, consider to share a bit more about your current setup, otherwise trying to help would be like fishing during the night. Blindfolded
You can do a little log scrubbing using the time of your email message, for find if there’s reported any kind of error about fetching the rules.
Moreover, IDK if the retrieve of the rules can be scheduled and how often.
Doing that more than twice a week seems to me… Excessive, because before put an IP in that kind of list should be done if “enough” data is collected that that connection is doing something wrong.
I could try to login as a lot of asian and russian IP addresses try to do on a lot of system. But before classify my connection as evil, i mean… At least 10.000 tries should be raised in a short amount of time (1 day). Don’t quote me on that, please, it’s only my opinion and i am not figuring myself as a security expert.
Behavior could be dependent not only from the module, the lists chosen, but also on the availability of the servers providing lists.
Therefore, maybe for months something outside your setup did not change and yesterday did.
Obviously this not help easing the situation o make go away the undesired message, but maybe on this NethServer theres not much you can do.
How to figure it out if something can be done or not? Via the logs. Lists are downloaded via http, which has got a lot of errorcodes telling why you can’t have the file the installation asked for.
(adding TLS don’t change the protocol answers)
For telling about a possible comparable scenario…
This installation was not able to retrieve updates. Other three installations on the same site were able. At first glance, I considered as cause of issue the mirrors system, blocking connections to my setup “suddenly”.
That was not the real cause of the issue: the firewall appliance in front of all the installation was limiting the number of connection for that installation (via IPsec monitor quite different devices on other 5 sites) so…
Then if I read you correctly, there is a new bug.
If the threat filter has a few preset lists to use and those change download location or are removed altogether, it is a matter of the people maintaining this “app” (as NS calls them), to update those lists and kill the dead links.
In that case I wonder how nobody else reported this. People don’t use threat filter app?