reaction/app/example.yml

109 lines
5.6 KiB
YAML
Raw Permalink Normal View History

---
# This example configuration file is a good starting point, but you're
# strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
#
# This file is using the well-established YAML configuration language.
# Note that the more powerful JSONnet configuration language is also supported
# and that the documentation uses JSONnet
# definitions are just a place to put chunks of conf you want to reuse in another place
2023-10-01 12:00:00 +02:00
# using YAML anchors `&name` and pointers `*name`
# definitions are not readed by reaction
definitions:
2023-11-05 12:00:00 +01:00
- &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP' ]
- &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP' ]
# ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
# it permits to handle both ipv4/iptables and ipv6/ip6tables commands
# if set to a positive number → max number of concurrent actions
# if set to a negative number → no limit
# if not specified or set to 0 → defaults to the number of CPUs on the system
concurrency: 0
# patterns are substitued in regexes.
# when a filter performs an action, it replaces the found pattern
patterns:
ip:
# reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
# simple version: regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
ignore:
- 127.0.0.1
- ::1
# Patterns can be ignored based on regexes, it will try to match the whole string detected by the pattern
# ignoreregex:
# - '10\.0\.[0-9]{1,3}\.[0-9]{1,3}'
# Those commands will be executed in order at start, before everything else
start:
2023-10-22 12:00:00 +02:00
- [ 'ip46tables', '-w', '-N', 'reaction' ]
- [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
- [ 'ip46tables', '-w', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction' ]
# Those commands will be executed in order at stop, after everything else
stop:
2023-10-22 12:00:00 +02:00
- [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
- [ 'ip46tables', '-w,', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction' ]
2023-10-22 12:00:00 +02:00
- [ 'ip46tables', '-w', '-F', 'reaction' ]
- [ 'ip46tables', '-w', '-X', 'reaction' ]
2023-09-03 13:26:27 +02:00
# streams are commands
2023-10-22 12:00:00 +02:00
# they are run and their ouptut is captured
2023-09-03 13:26:27 +02:00
# *example:* `tail -f /var/log/nginx/access.log`
# their output will be used by one or more filters
streams:
# streams have a user-defined name
ssh:
# note that if the command is not in environment's `PATH`
# its full path must be given.
2023-10-22 12:00:00 +02:00
cmd: [ 'journalctl', '-n0', '-fu', 'sshd.service' ]
2023-09-03 13:26:27 +02:00
# filters run actions when they match regexes on a stream
filters:
# filters have a user-defined name
failedlogin:
2023-09-03 13:26:27 +02:00
# reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
regex:
2023-09-03 13:26:27 +02:00
# <ip> is predefined in the patterns section
# ip's regex is inserted in the following regex
2023-11-05 12:00:00 +01:00
- 'authentication failure;.*rhost=<ip>'
- 'Failed password for .* from <ip>'
2024-01-06 12:00:00 +01:00
- 'Connection (reset|closed) by (authenticating|invalid) user .* <ip>'
# if retry and retryperiod are defined,
# the actions will only take place if a same pattern is
# found `retry` times in a `retryperiod` interval
retry: 3
# format is defined here: https://pkg.go.dev/time#ParseDuration
retryperiod: 6h
2023-09-03 13:26:27 +02:00
# actions are run by the filter when regexes are matched
actions:
# actions have a user-defined name
ban:
2023-10-01 12:00:00 +02:00
# YAML substitutes *reference by the value anchored at &reference
cmd: *iptablesban
unban:
cmd: *iptablesunban
2023-09-03 13:26:27 +02:00
# if after is defined, the action will not take place immediately, but after a specified duration
# same format as retryperiod
after: 48h
# let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
# if you want reaction to run those pending commands before exiting, you can set this:
# onexit: true
# (defaults to false)
2023-11-05 12:00:00 +01:00
# here it is not useful because we will flush and delete the chain containing the bans anyway
2023-10-22 12:00:00 +02:00
# (with the stop commands)
2023-10-01 12:00:00 +02:00
# persistence
# tldr; when an `after` action is set in a filter, such filter acts as a 'jail',
# which is persisted after reboots.
#
# when a filter is triggered, there are 2 flows:
#
# if none of its actions have an `after` directive set:
# no action will be replayed.
#
# else (if at least one action has an `after` directive set):
# if reaction stops while `after` actions are pending:
# and reaction starts again while those actions would still be pending:
# reaction executes the past actions (actions without after or with then+after < now)
# and plans the execution of future actions (actions with then+after > now)