First commit
This commit is contained in:
parent
5aa31c9947
commit
287c5176a3
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
work
|
25
Makefile
Normal file
25
Makefile
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
# Created by: johan <johan@nosd.in>
|
||||||
|
# security/reaction/Makefile 2024-06-22 09:00:42Z
|
||||||
|
|
||||||
|
PORTNAME= reaction
|
||||||
|
PORTVERSION= 1.4.1
|
||||||
|
DISTVERSIONPREFIX=v
|
||||||
|
CATEGORIES= security
|
||||||
|
|
||||||
|
MAINTAINER= johan@nosd.in
|
||||||
|
COMMENT= A daemon that scans program outputs for repeated patterns, and takes action.
|
||||||
|
WWW= https://blog.ppom.me/en-reaction/
|
||||||
|
|
||||||
|
LICENSE= AGPLv3
|
||||||
|
|
||||||
|
USES= go:1.21,modules
|
||||||
|
GO_MODULE= framagit.org/ppom/reaction
|
||||||
|
EXTRA_PATCHES+= ${FILESDIR}/socket.patch
|
||||||
|
|
||||||
|
USE_RC_SUBR= reaction
|
||||||
|
|
||||||
|
post-install:
|
||||||
|
${MKDIR} ${STAGEDIR}${ETCDIR}
|
||||||
|
${INSTALL_DATA} ${FILESDIR}/reaction.yml ${STAGEDIR}${ETCDIR}/reaction.yml.sample
|
||||||
|
|
||||||
|
.include <bsd.port.mk>
|
5
distinfo
Normal file
5
distinfo
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
TIMESTAMP = 1719048554
|
||||||
|
SHA256 (go/security_reaction/reaction-v1.4.1/v1.4.1.mod) = d0a20ffdac66b5293db4bfe7fa4da341c19a38f07190fb22031abce52caaf344
|
||||||
|
SIZE (go/security_reaction/reaction-v1.4.1/v1.4.1.mod) = 164
|
||||||
|
SHA256 (go/security_reaction/reaction-v1.4.1/v1.4.1.zip) = 894c88e7277765b9932e4fb0ac3da0b7f2102d026f557c60bdc2bb831085f99c
|
||||||
|
SIZE (go/security_reaction/reaction-v1.4.1/v1.4.1.zip) = 69078
|
50
files/reaction.in
Normal file
50
files/reaction.in
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# PROVIDE: reaction
|
||||||
|
# REQUIRE: LOGIN
|
||||||
|
# KEYWORD: shutdown
|
||||||
|
#
|
||||||
|
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
|
||||||
|
# to enable this service:
|
||||||
|
#
|
||||||
|
# reaction_enable (bool): Set to NO by default.
|
||||||
|
# Set it to YES to enable reaction.
|
||||||
|
# reaction_args (string): Set extra arguments to pass to reaction
|
||||||
|
# Default is "".
|
||||||
|
# reaction_config (string): Set reaction configuration file
|
||||||
|
# Default is "/usr/local/etc/reaction.yml".
|
||||||
|
|
||||||
|
. /etc/rc.subr
|
||||||
|
|
||||||
|
name=reaction
|
||||||
|
rcvar=reaction_enable
|
||||||
|
|
||||||
|
load_rc_config $name
|
||||||
|
|
||||||
|
: ${reaction_enable:="NO"}
|
||||||
|
: ${reaction_args:=""}
|
||||||
|
: ${reaction_config:="/usr/local/etc/reaction/reaction.yml"}
|
||||||
|
: ${reaction_restart_delay:=3}
|
||||||
|
|
||||||
|
pidfile=/var/run/reaction.pid
|
||||||
|
command="/usr/sbin/daemon"
|
||||||
|
reaction_command="%%PREFIX%%/bin/reaction start"
|
||||||
|
command_args="-rP ${pidfile} -S -R ${reaction_restart_delay} \
|
||||||
|
-T ${name} ${reaction_command} \
|
||||||
|
-c ${reaction_config}"
|
||||||
|
required_files="${reaction_config}"
|
||||||
|
|
||||||
|
start_precmd=reaction_prestart
|
||||||
|
|
||||||
|
# put db in /var/run/reaction/
|
||||||
|
reaction_prestart()
|
||||||
|
{
|
||||||
|
if [ ! -e /var/run/reaction ]; then
|
||||||
|
mkdir -p /var/run/reaction
|
||||||
|
fi
|
||||||
|
cd /var/run/reaction/
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
load_rc_config $name
|
||||||
|
run_rc_command "$1"
|
110
files/reaction.yml
Normal file
110
files/reaction.yml
Normal file
@ -0,0 +1,110 @@
|
|||||||
|
---
|
||||||
|
# This example configuration file is a good starting point, but you're
|
||||||
|
# strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
|
||||||
|
#
|
||||||
|
# This file is using the well-established YAML configuration language.
|
||||||
|
# Note that the more powerful JSONnet configuration language is also supported
|
||||||
|
# and that the documentation uses JSONnet
|
||||||
|
|
||||||
|
# definitions are just a place to put chunks of conf you want to reuse in another place
|
||||||
|
# using YAML anchors `&name` and pointers `*name`
|
||||||
|
# definitions are not readed by reaction
|
||||||
|
definitions:
|
||||||
|
- &pfban [ 'pfctl', '-t', 'banned', '-T', 'add', '<ip>' ]
|
||||||
|
- &pfunban [ 'pfctl', '-t', 'banned', '-T', 'delete', '<ip>' ]
|
||||||
|
|
||||||
|
# set/remove ip in 'banned' table. reaction table could be declared in pf.conf with :
|
||||||
|
# block drop in quick from <banned> to any label "ssh bruteforce"
|
||||||
|
|
||||||
|
# if set to a positive number → max number of concurrent actions
|
||||||
|
# if set to a negative number → no limit
|
||||||
|
# if not specified or set to 0 → defaults to the number of CPUs on the system
|
||||||
|
concurrency: 0
|
||||||
|
|
||||||
|
# patterns are substitued in regexes.
|
||||||
|
# when a filter performs an action, it replaces the found pattern
|
||||||
|
patterns:
|
||||||
|
ip:
|
||||||
|
# reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
|
||||||
|
# simple version: regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
|
||||||
|
regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
|
||||||
|
ignore:
|
||||||
|
- 127.0.0.1
|
||||||
|
- ::1
|
||||||
|
# Patterns can be ignored based on regexes, it will try to match the whole string detected by the pattern
|
||||||
|
# ignoreregex:
|
||||||
|
# - '10\.0\.[0-9]{1,3}\.[0-9]{1,3}'
|
||||||
|
#user:
|
||||||
|
# regex: '[a-zA-Z0-9\_\-\.]+'
|
||||||
|
|
||||||
|
# Those commands will be executed in order at start, before everything else
|
||||||
|
#start:
|
||||||
|
# # Optionnaly flush table banned
|
||||||
|
# - [ 'pfctl', '-t', 'banned', '-T', 'flush' ]
|
||||||
|
|
||||||
|
# Those commands will be executed in order at stop, after everything else
|
||||||
|
#stop:
|
||||||
|
# # Optionnaly flush table banned
|
||||||
|
# - [ 'pfctl', '-t', 'banned', '-T', 'flush' ]
|
||||||
|
|
||||||
|
# streams are commands
|
||||||
|
# they are run and their ouptut is captured
|
||||||
|
# *example:* `tail -f /var/log/nginx/access.log`
|
||||||
|
# their output will be used by one or more filters
|
||||||
|
streams:
|
||||||
|
# streams have a user-defined name
|
||||||
|
ssh:
|
||||||
|
# note that if the command is not in environment's `PATH`
|
||||||
|
# its full path must be given.
|
||||||
|
cmd: [ 'tail', '-F', '/var/log/auth.log' ]
|
||||||
|
# filters run actions when they match regexes on a stream
|
||||||
|
filters:
|
||||||
|
# filters have a user-defined name
|
||||||
|
failedlogin:
|
||||||
|
# reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
|
||||||
|
regex:
|
||||||
|
# <ip> is predefined in the patterns section
|
||||||
|
# ip's regex is inserted in the following regex
|
||||||
|
- 'authentication failure;.*rhost=<ip>'
|
||||||
|
- 'Failed password for .* from <ip>'
|
||||||
|
- 'Connection (reset|closed) by (authenticating|invalid) user .* <ip>'
|
||||||
|
#- 'Connection (reset|closed) by (authenticating|invalid) user <user> <ip>'
|
||||||
|
# if retry and retryperiod are defined,
|
||||||
|
# the actions will only take place if a same pattern is
|
||||||
|
# found `retry` times in a `retryperiod` interval
|
||||||
|
retry: 3
|
||||||
|
# format is defined here: https://pkg.go.dev/time#ParseDuration
|
||||||
|
retryperiod: 6h
|
||||||
|
# actions are run by the filter when regexes are matched
|
||||||
|
actions:
|
||||||
|
# actions have a user-defined name
|
||||||
|
ban:
|
||||||
|
# YAML substitutes *reference by the value anchored at &reference
|
||||||
|
cmd: *pfban
|
||||||
|
unban:
|
||||||
|
cmd: *pfunban
|
||||||
|
# if after is defined, the action will not take place immediately, but after a specified duration
|
||||||
|
# same format as retryperiod
|
||||||
|
after: 48h
|
||||||
|
# let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
|
||||||
|
# if you want reaction to run those pending commands before exiting, you can set this:
|
||||||
|
# onexit: true
|
||||||
|
# (defaults to false)
|
||||||
|
# here it is not useful because we will flush and delete the chain containing the bans anyway
|
||||||
|
# (with the stop commands)
|
||||||
|
|
||||||
|
# persistence
|
||||||
|
# tldr; when an `after` action is set in a filter, such filter acts as a 'jail',
|
||||||
|
# which is persisted after reboots.
|
||||||
|
#
|
||||||
|
# when a filter is triggered, there are 2 flows:
|
||||||
|
#
|
||||||
|
# if none of its actions have an `after` directive set:
|
||||||
|
# no action will be replayed.
|
||||||
|
#
|
||||||
|
# else (if at least one action has an `after` directive set):
|
||||||
|
# if reaction stops while `after` actions are pending:
|
||||||
|
# and reaction starts again while those actions would still be pending:
|
||||||
|
# reaction executes the past actions (actions without after or with then+after < now)
|
||||||
|
# and plans the execution of future actions (actions with then+after > now)
|
||||||
|
|
11
files/socket.patch
Normal file
11
files/socket.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
--- app/main.go
|
||||||
|
+++ app/main.go
|
||||||
|
@@ -29,7 +29,7 @@ func addBoolFlag(names []string, f *flag.FlagSet) *bool {
|
||||||
|
var SocketPath *string
|
||||||
|
|
||||||
|
func addSocketFlag(f *flag.FlagSet) *string {
|
||||||
|
- return addStringFlag([]string{"s", "socket"}, "/run/reaction/reaction.sock", f)
|
||||||
|
+ return addStringFlag([]string{"s", "socket"}, "/var/run/reaction/reaction.sock", f)
|
||||||
|
}
|
||||||
|
|
||||||
|
func addConfFlag(f *flag.FlagSet) *string {
|
3
pkg-descr
Normal file
3
pkg-descr
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
A daemon that scans program outputs for repeated patterns, and takes action.
|
||||||
|
|
||||||
|
WWW: https://blog.ppom.me/en-reaction/
|
Loading…
Reference in New Issue
Block a user