First commit

.gitignore

@@ -0,0 +1 @@
+work

Makefile

@@ -0,0 +1,25 @@
+# Created by: johan <johan@nosd.in>
+# security/reaction/Makefile 2024-06-22 09:00:42Z
+
+PORTNAME=	reaction
+PORTVERSION=	1.4.1
+DISTVERSIONPREFIX=v
+CATEGORIES=	security
+
+MAINTAINER=	johan@nosd.in
+COMMENT=	A daemon that scans program outputs for repeated patterns, and takes action.
+WWW=		https://blog.ppom.me/en-reaction/
+
+LICENSE=	AGPLv3
+
+USES=		go:1.21,modules
+GO_MODULE=	framagit.org/ppom/reaction
+EXTRA_PATCHES+=	${FILESDIR}/socket.patch
+
+USE_RC_SUBR=	reaction
+
+post-install:
+		${MKDIR} ${STAGEDIR}${ETCDIR}
+		${INSTALL_DATA} ${FILESDIR}/reaction.yml ${STAGEDIR}${ETCDIR}/reaction.yml.sample
+
+.include <bsd.port.mk>

distinfo

@@ -0,0 +1,5 @@
+TIMESTAMP = 1719048554
+SHA256 (go/security_reaction/reaction-v1.4.1/v1.4.1.mod) = d0a20ffdac66b5293db4bfe7fa4da341c19a38f07190fb22031abce52caaf344
+SIZE (go/security_reaction/reaction-v1.4.1/v1.4.1.mod) = 164
+SHA256 (go/security_reaction/reaction-v1.4.1/v1.4.1.zip) = 894c88e7277765b9932e4fb0ac3da0b7f2102d026f557c60bdc2bb831085f99c
+SIZE (go/security_reaction/reaction-v1.4.1/v1.4.1.zip) = 69078

files/reaction.in

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# PROVIDE: reaction
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# reaction_enable (bool):          Set to NO by default.
+#               Set it to YES to enable reaction.
+# reaction_args (string):          Set extra arguments to pass to reaction
+#               Default is "".
+# reaction_config (string):        Set reaction configuration file
+#               Default is "/usr/local/etc/reaction.yml".
+
+. /etc/rc.subr
+
+name=reaction
+rcvar=reaction_enable
+
+load_rc_config $name
+
+: ${reaction_enable:="NO"}
+: ${reaction_args:=""}
+: ${reaction_config:="/usr/local/etc/reaction/reaction.yml"}
+: ${reaction_restart_delay:=3}
+
+pidfile=/var/run/reaction.pid
+command="/usr/sbin/daemon"
+reaction_command="%%PREFIX%%/bin/reaction start"
+command_args="-rP ${pidfile} -S -R ${reaction_restart_delay} \
+    -T ${name} ${reaction_command} \
+    -c ${reaction_config}"
+required_files="${reaction_config}"
+
+start_precmd=reaction_prestart
+
+# put db in /var/run/reaction/
+reaction_prestart()
+{
+    if [ ! -e /var/run/reaction ]; then
+        mkdir -p /var/run/reaction
+    fi
+    cd /var/run/reaction/
+}
+
+
+load_rc_config $name
+run_rc_command "$1"

files/reaction.yml

@@ -0,0 +1,110 @@
+---
+# This example configuration file is a good starting point, but you're
+# strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
+#
+# This file is using the well-established YAML configuration language.
+# Note that the more powerful JSONnet configuration language is also supported
+# and that the documentation uses JSONnet
+
+# definitions are just a place to put chunks of conf you want to reuse in another place
+# using YAML anchors `&name` and pointers `*name`
+# definitions are not readed by reaction
+definitions:
+  - &pfban [ 'pfctl', '-t', 'banned', '-T', 'add', '<ip>' ]
+  - &pfunban [ 'pfctl', '-t', 'banned', '-T', 'delete', '<ip>' ]
+
+# set/remove ip in 'banned' table. reaction table could be declared in pf.conf with :
+# block drop in quick from <banned> to any label "ssh bruteforce"
+
+# if set to a positive number → max number of concurrent actions
+# if set to a negative number → no limit
+# if not specified or set to 0 → defaults to the number of CPUs on the system
+concurrency: 0
+
+# patterns are substitued in regexes.
+# when a filter performs an action, it replaces the found pattern
+patterns:
+  ip:
+    # reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
+    # simple version: regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
+    regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
+    ignore:
+      - 127.0.0.1
+      - ::1
+    # Patterns can be ignored based on regexes, it will try to match the whole string detected by the pattern
+    # ignoreregex:
+    #   - '10\.0\.[0-9]{1,3}\.[0-9]{1,3}'
+  #user:
+  #  regex: '[a-zA-Z0-9\_\-\.]+'
+
+# Those commands will be executed in order at start, before everything else
+#start:
+#  # Optionnaly flush table banned
+#  - [ 'pfctl', '-t', 'banned', '-T', 'flush' ]
+
+# Those commands will be executed in order at stop, after everything else
+#stop:
+#  # Optionnaly flush table banned
+#  - [ 'pfctl', '-t', 'banned', '-T', 'flush' ]
+
+# streams are commands
+# they are run and their ouptut is captured
+# *example:* `tail -f /var/log/nginx/access.log`
+# their output will be used by one or more filters
+streams:
+  # streams have a user-defined name
+  ssh:
+    # note that if the command is not in environment's `PATH`
+    # its full path must be given.
+    cmd: [ 'tail', '-F', '/var/log/auth.log' ]
+    # filters run actions when they match regexes on a stream
+    filters:
+      # filters have a user-defined name
+      failedlogin:
+        # reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
+        regex:
+          # <ip> is predefined in the patterns section
+          # ip's regex is inserted in the following regex
+          - 'authentication failure;.*rhost=<ip>'
+          - 'Failed password for .* from <ip>'
+          - 'Connection (reset|closed) by (authenticating|invalid) user .* <ip>'
+          #- 'Connection (reset|closed) by (authenticating|invalid) user <user> <ip>'
+        # if retry and retryperiod are defined,
+        # the actions will only take place if a same pattern is
+        # found `retry` times in a `retryperiod` interval
+        retry: 3
+        # format is defined here: https://pkg.go.dev/time#ParseDuration
+        retryperiod: 6h
+        # actions are run by the filter when regexes are matched
+        actions:
+          # actions have a user-defined name
+          ban:
+            # YAML substitutes *reference by the value anchored at &reference
+            cmd: *pfban
+          unban:
+            cmd:  *pfunban
+            # if after is defined, the action will not take place immediately, but after a specified duration
+            # same format as retryperiod
+            after: 48h
+            # let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
+            # if you want reaction to run those pending commands before exiting, you can set this:
+            # onexit: true
+            # (defaults to false)
+            # here it is not useful because we will flush and delete the chain containing the bans anyway
+            # (with the stop commands)
+
+# persistence
+# tldr; when an `after` action is set in a filter, such filter acts as a 'jail',
+# which is persisted after reboots.
+#
+# when a filter is triggered, there are 2 flows:
+#
+# if none of its actions have an `after` directive set:
+# no action will be replayed.
+#
+# else (if at least one action has an `after` directive set):
+# if reaction stops while `after` actions are pending:
+# and reaction starts again while those actions would still be pending:
+# reaction executes the past actions (actions without after or with then+after < now)
+# and plans the execution of future actions (actions with then+after > now)
+

files/socket.patch

@@ -0,0 +1,11 @@
+--- app/main.go
++++ app/main.go
+@@ -29,7 +29,7 @@ func addBoolFlag(names []string, f *flag.FlagSet) *bool {
+ var SocketPath *string
+ 
+ func addSocketFlag(f *flag.FlagSet) *string {
+-	return addStringFlag([]string{"s", "socket"}, "/run/reaction/reaction.sock", f)
++	return addStringFlag([]string{"s", "socket"}, "/var/run/reaction/reaction.sock", f)
+ }
+ 
+ func addConfFlag(f *flag.FlagSet) *string {

pkg-descr

@@ -0,0 +1,3 @@
+A daemon that scans program outputs for repeated patterns, and takes action.
+
+WWW: https://blog.ppom.me/en-reaction/

pkg-plist

@@ -0,0 +1,2 @@
+bin/reaction
+@sample %%ETCDIR%%/reaction.yml.sample