emond (Event Monitor Daemon) is just a "proxy" here. Based on several rules the daemon initiates several actions like logging events, sending emails or blocking hosts or users with the help of afctl activating the pf-anchor here:
/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall.
The rule for the adaptive firewall is located at
/Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
and is named AdaptiveFirewall.plist.
To modify the rule afctl is the mean of choice.
To run afctl enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl
The following list contains all avaible commands:
-a ip_address [-t ttl] adds the given IPv4 or IPv6 address to the blacklist for ttl minutes
-r ip_address removes the given ip address from the blacklist
-w ip_address adds the given ip address to the whitelist
-x ip_address removes the given ip address from the whitelist
-d disables all firewall rules managed by afctl
-e enables all firewall rules disabled by -d
-c self configure, populates the whitelist
-T failure_threshold sets the threshold of bad auth attempts for a single host
-H default_ttl sets the default block time
-X disables the adaptive firewall
-f enables the adaptive firewall and forces it into an active state
To change the block time enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -H time
To change the failure threshold enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -T number
To whitelist an ip enter:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w ip-address
To check if your whitelist is properly populated open /var/db/af/whitelist.
It should contain all IPv4/v6-addresses - 127.0.0.1 included - of your server as well as your DNS-server and all other IP which have to be white-listed.
You probably have to re-configure and activate it afterwards with:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f
All entered values don't seem to give precise results.
E.g. after entering
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -T 3
I experienced blocks after 1-4 failed password attempts and the real block time may vary widely.
Best Answer
Something to try, add an ampersand to the end of your commands.
The idea here is that the ampersand will cause the command to run in the background allowing the loop to continue to the next step.
As an example, if you were to run the following in Terminal you'll see that the second sleep reports out before the first one.
I hope this helps