reaction/config/example.jsonnet

// This file is using JSONNET, a complete configuration language based on JSON
// See https://jsonnet.org
// JSONNET is a superset of JSON, so one can write plain JSON files if wanted.
// Note that YAML is also supported, see ./example.yml

// JSONNET functions
local iptables(args) = ['ip46tables', '-w'] + args;
// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo.
// it permits to handle both ipv4/iptables and ipv6/ip6tables commands

{
  // patterns are substitued in regexes.
  // when a filter performs an action, it replaces the found pattern
  patterns: {
    ip: {
      // reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
      // jsonnet's @'string' is for verbatim strings
      regex: @'(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})',
      ignore: ['127.0.0.1', '::1'],
    },
  },

  // Those commands will be executed in order at start, before everything else
  start: [
    // Create an iptables chain for reaction
    iptables(['-N', 'reaction']),
    // Insert this chain as the first item of the INPUT chain (for incoming connections)
    iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']),
  ],

  // Those commands will be executed in order at stop, after everything else
  stop: [
    // Remove the chain from the INPUT chain
    iptables(['-D,', 'INPUT', '-p', 'all', '-j', 'reaction']),
    // Empty the chain
    iptables(['-F,', 'reaction']),
    // Delete the chain
    iptables(['-X,', 'reaction']),
  ],

  // streams are commands
  // they are run and their ouptut is captured
  // *example:* `tail -f /var/log/nginx/access.log`
  // their output will be used by one or more filters
  streams: {
    // streams have a user-defined name
    ssh: {
      // note that if the command is not in environment's `PATH`
      // its full path must be given.
      cmd: ['journalctl', '-n0', '-fu', 'sshd.service'],
      // filters run actions when they match regexes on a stream
      filters: {
        // filters have a user-defined name
        failedlogin: {
          // reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
          regex: [
            // <ip> is predefined in the patterns section
            // ip's regex is inserted in the following regex
            @'authentication failure;.*rhost=<ip>',
            @'Failed password for .* from <ip>',
            @'Connection reset by authenticating user .* <ip>',
          ],
          // if retry and retryperiod are defined,
          // the actions will only take place if a same pattern is
          // found `retry` times in a `retryperiod` interval
          retry: 3,
          // format is defined here: https://pkg.go.dev/time#ParseDuration
          retryperiod: '6h',
          // actions are run by the filter when regexes are matched
          actions: {
            // actions have a user-defined name
            ban: {
              cmd: iptables(['-A', 'reaction', '-s', '<ip>', '-j', 'DROP']),
            },
            unban: {
              cmd: iptables(['-D', 'reaction', '-s', '<ip>', '-j', 'DROP']),
              // if after is defined, the action will not take place immediately, but after a specified duration
              // same format as retryperiod
              after: '48h',
              // let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
              // if you want reaction to run those pending commands before exiting, you can set this:
              // onexit: true,
              // (defaults to false)
              // here it is not useful because we will flush and delete the chain containing the bans anyway
              // (with the stop commands)
            },
          },
        },
      },
    },
  },
}

// persistence

// tldr; when an `after` action is set in a filter, such filter acts as a 'jail',
// which is persisted after reboots.

// full;
// when a filter is triggered, there are 2 flows:
//
// if none of its actions have an `after` directive set:
// no action will be replayed.
//
// else (if at least one action has an `after` directive set):
// if reaction stops while `after` actions are pending:
// and reaction starts again while those actions would still be pending:
// reaction executes the past actions (actions without after or with then+after < now)
// and plans the execution of future actions (actions with then+after > now)
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`// This file is using JSONNET, a complete configuration language based on JSON`
			`// See https://jsonnet.org`
			`// JSONNET is a superset of JSON, so one can write plain JSON files if wanted.`
Implement start/stop commands fix #41 update README and configuration files accordingly 2023-10-18 12:00:00 +02:00			`// Note that YAML is also supported, see ./example.yml`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`// JSONNET functions`
Implement start/stop commands fix #41 update README and configuration files accordingly 2023-10-18 12:00:00 +02:00			`local iptables(args) = ['ip46tables', '-w'] + args;`
fix confs iptables 2023-11-05 12:00:00 +01:00			`// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo.`
ip46tables wrote `ip46tables` C minimal program to handle both ipv4 and ipv6 at the same time. fix #22 2023-10-05 12:00:00 +02:00			`// it permits to handle both ipv4/iptables and ipv6/ip6tables commands`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00
			`{`
			`// patterns are substitued in regexes.`
			`// when a filter performs an action, it replaces the found pattern`
			`patterns: {`
			`ip: {`
			`// reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax`
			`// jsonnet's @'string' is for verbatim strings`
			`regex: @'(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})\|(?:[0-9a-fA-F:]{2,90})',`
			`ignore: ['127.0.0.1', '::1'],`
			`},`
			`},`

Implement start/stop commands fix #41 update README and configuration files accordingly 2023-10-18 12:00:00 +02:00			`// Those commands will be executed in order at start, before everything else`
			`start: [`
			`// Create an iptables chain for reaction`
			`iptables(['-N', 'reaction']),`
			`// Insert this chain as the first item of the INPUT chain (for incoming connections)`
			`iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']),`
			`],`

			`// Those commands will be executed in order at stop, after everything else`
			`stop: [`
			`// Remove the chain from the INPUT chain`
			`iptables(['-D,', 'INPUT', '-p', 'all', '-j', 'reaction']),`
			`// Empty the chain`
			`iptables(['-F,', 'reaction']),`
			`// Delete the chain`
			`iptables(['-X,', 'reaction']),`
			`],`

support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`// streams are commands`
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`// they are run and their ouptut is captured`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			// example: `tail -f /var/log/nginx/access.log`
			`// their output will be used by one or more filters`
			`streams: {`
			`// streams have a user-defined name`
			`ssh: {`
			// note that if the command is not in environment's `PATH`
			`// its full path must be given.`
Configs refactor. New WIP config for activity watch like reaction server 2023-10-12 12:00:00 +02:00			`cmd: ['journalctl', '-n0', '-fu', 'sshd.service'],`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`// filters run actions when they match regexes on a stream`
			`filters: {`
			`// filters have a user-defined name`
			`failedlogin: {`
			`// reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax`
			`regex: [`
			`// <ip> is predefined in the patterns section`
			`// ip's regex is inserted in the following regex`
more ssh regexes 2023-11-05 12:00:00 +01:00			`@'authentication failure;.*rhost=<ip>',`
			`@'Failed password for .* from <ip>',`
			`@'Connection reset by authenticating user .* <ip>',`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`],`
			`// if retry and retryperiod are defined,`
			`// the actions will only take place if a same pattern is`
			// found `retry` times in a `retryperiod` interval
			`retry: 3,`
			`// format is defined here: https://pkg.go.dev/time#ParseDuration`
			`retryperiod: '6h',`
			`// actions are run by the filter when regexes are matched`
			`actions: {`
			`// actions have a user-defined name`
			`ban: {`
fix example 2023-11-27 12:00:00 +01:00			`cmd: iptables(['-A', 'reaction', '-s', '<ip>', '-j', 'DROP']),`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`},`
			`unban: {`
fix example 2023-11-27 12:00:00 +01:00			`cmd: iptables(['-D', 'reaction', '-s', '<ip>', '-j', 'DROP']),`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`// if after is defined, the action will not take place immediately, but after a specified duration`
			`// same format as retryperiod`
			`after: '48h',`
			// let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
			`// if you want reaction to run those pending commands before exiting, you can set this:`
comment suggestion for people that don't read the full file 2023-11-24 12:00:00 +01:00			`// onexit: true,`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`// (defaults to false)`
fix confs iptables 2023-11-05 12:00:00 +01:00			`// here it is not useful because we will flush and delete the chain containing the bans anyway`
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`// (with the stop commands)`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`},`
			`},`
			`},`
			`},`
			`},`
			`},`
			`}`

			`// persistence`

			// tldr; when an `after` action is set in a filter, such filter acts as a 'jail',
			`// which is persisted after reboots.`

			`// full;`
			`// when a filter is triggered, there are 2 flows:`
			`//`
			// if none of its actions have an `after` directive set:
			`// no action will be replayed.`
			`//`
			// else (if at least one action has an `after` directive set):
			// if reaction stops while `after` actions are pending:
			`// and reaction starts again while those actions would still be pending:`
			`// reaction executes the past actions (actions without after or with then+after < now)`
			`// and plans the execution of future actions (actions with then+after > now)`