2023-03-23 21:14:53 +01:00
|
|
|
---
|
2023-04-11 13:14:46 +02:00
|
|
|
# TODO heavily comment this file
|
2023-03-23 21:14:53 +01:00
|
|
|
definitions:
|
2023-04-11 13:01:02 +02:00
|
|
|
- &iptablesban [ "iptables" "-w" "-I" "reaction" "1" "-s" "<ip>" "-j" "block" ]
|
|
|
|
|
- &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "block" ]
|
2023-03-23 21:14:53 +01:00
|
|
|
|
2023-03-24 17:36:41 +01:00
|
|
|
patterns:
|
|
|
|
|
ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'
|
2023-03-23 21:14:53 +01:00
|
|
|
|
|
|
|
|
streams:
|
2023-04-11 13:01:02 +02:00
|
|
|
ssh:
|
2023-04-11 13:14:46 +02:00
|
|
|
# note that if the command is not in environment's `PATH`
|
|
|
|
|
# its full path must be given.
|
2023-04-11 13:01:02 +02:00
|
|
|
cmd: [ "journalctl" "-fu" "sshd.service" ]
|
2023-03-23 21:14:53 +01:00
|
|
|
filters:
|
2023-04-11 13:01:02 +02:00
|
|
|
failedlogin:
|
2023-03-24 00:27:51 +01:00
|
|
|
regex:
|
2023-04-11 13:01:02 +02:00
|
|
|
- authentication failure;.*rhost=<ip>
|
|
|
|
|
retry: 3
|
|
|
|
|
retry-period: 6h
|
2023-03-23 21:14:53 +01:00
|
|
|
actions:
|
2023-04-11 13:01:02 +02:00
|
|
|
ban:
|
|
|
|
|
cmd: *iptablesban
|
|
|
|
|
unban:
|
|
|
|
|
cmd: *iptablesunban
|
|
|
|
|
after: 2d
|
