How It Works

This page explains the core workflows in Bloqd.

Server Registration

When you add a new server, Bloqd:

Generates an install token containing:
- API key for the agent
- Selected jail configurations
- Server name and settings

User runs the installer on the target server:

curl -sSL https://bloqd.example.com/api/v1/installer/script/inst_xxx | sudo bash

Installer performs setup:
- Installs dependencies (Python, fail2ban, jq)
- Downloads and configures the agent
- Sets up fail2ban with selected jails
- Creates systemd service
- Starts the agent
Agent registers with server:
- Sends hostname, OS info, fail2ban version
- Server marks install token as used
- Server creates server record in database

Whitelist Synchronization

Bloqd maintains a central whitelist that syncs to all servers.

Adding an Entry

User adds IP/CIDR in dashboard
Entry stored in whitelist table
WebSocket notifies connected clients

Sync Process

Every 5 minutes (configurable), each agent:

Fetches whitelist: GET /api/v1/whitelist/plain
Compares with local file
If different, writes new whitelist
Reloads fail2ban: fail2ban-client reload

Whitelist Format

The whitelist is stored as plain text for fail2ban compatibility:

# Bloqd whitelist - do not edit manually
168.1.100
0.0.0/8
db8::/32

Ban Reporting

When fail2ban bans an IP, Bloqd captures it immediately.

fail2ban Action

Each jail includes the Bloqd action:

[sshd]
enabled = true
action = %(action_)s
         bloqd-report

The action script (/usr/local/bin/bloqd-report) writes to a Unix socket:

echo "$IP|$JAIL|$LOGLINES" | nc -U /var/run/bloqd-agent/report.sock

Agent Processing

The Reporter module:

Reads from Unix socket
Parses IP, jail name, and log excerpt
Adds metadata (hostname, timestamp)
Sends to server: POST /api/v1/report

Server Processing

Validates the report
Checks for duplicates (15-min window)
Performs GeoIP lookup
Stores in ban_reports table
Broadcasts via WebSocket
Sends Discord notification (if enabled)
Reports to AbuseIPDB (if enabled)

Remote Commands

Bloqd can execute commands on managed servers.

Supported Commands

Command	Description
`jail_enable`	Enable a fail2ban jail
`jail_disable`	Disable a fail2ban jail
`fail2ban_reload`	Reload fail2ban configuration
`ip_ban`	Manually ban an IP
`ip_unban`	Unban an IP
`ip_unban_all`	Unban all IPs in a jail
`whitelist_sync`	Force whitelist sync
`agent_update`	Update the agent

Execution Flow

User initiates command in dashboard
Server queues command in database with "pending" status
Agent polls for commands every 30 seconds
Agent acknowledges command (status: "acknowledged")
Agent executes the command
Agent reports result (status: "completed" or "failed")
Server broadcasts result via WebSocket

Security

Commands are restricted to a predefined list. The agent never executes arbitrary shell commands unless explicitly allowed in configuration.

Health Monitoring

Agents report server health metrics.

Collected Metrics

Metric	Description
`cpu_percent`	CPU usage percentage
`memory_percent`	RAM usage percentage
`disk_percent`	Disk usage percentage
`load_average`	1, 5, 15 minute load averages
`uptime`	Server uptime in seconds
`fail2ban_status`	Running/stopped
`enabled_jails`	List of active jails

Reporting Interval

Heartbeat: Every 60 seconds
Full metrics: Every 5 minutes
Health report: Every 15 minutes

Server Status

The dashboard shows server status based on last heartbeat:

Status	Condition
Online	Seen within 90 minutes
Offline	Not seen for 90+ minutes

Real-Time Updates

Bloqd uses WebSocket for instant updates.

Events

Event	Triggered When
`ban`	New ban reported
`server_status`	Server comes online/offline
`server_jails_updated`	Jail list changes
`sync_complete`	Whitelist sync completes
`command_result`	Command finishes

Connection

Dashboard connects on page load:

const ws = new WebSocket('wss://bloqd.example.com/ws');
ws.onmessage = (event) => {
  const { type, data } = JSON.parse(event.data);
  // Handle event
};

Integrations

AbuseIPDB

When enabled, Bloqd automatically reports malicious IPs:

Ban received from agent
Map jail to AbuseIPDB category (e.g., sshd → category 22)
Check rate limit (1000/day default)
Submit report with IP, category, and comment
Store report record to prevent duplicates

Discord

Real-time notifications via webhook:

Event occurs (ban, sync, error)
Format embed with appropriate color
POST to Discord webhook URL
Handle rate limits gracefully

Email/SMTP

Daily summary reports and alerts:

Scheduler triggers at configured hour
Aggregate bans from last 24 hours
Generate HTML email
Send via configured SMTP server

Server Registration​

Whitelist Synchronization​

Adding an Entry​

Sync Process​

Whitelist Format​

Ban Reporting​

fail2ban Action​

Agent Processing​

Server Processing​

Remote Commands​

Supported Commands​

Execution Flow​

Security​

Health Monitoring​

Collected Metrics​

Reporting Interval​

Server Status​

Real-Time Updates​

Events​

Connection​

Integrations​

AbuseIPDB​

Discord​

Email/SMTP​