reaction/reaction.yml

---
definitions:
  - &iptablesban [ "iptables" "-w" "-I" "reaction" "1" "-s" "<ip>" "-j" "block" ]
  - &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "block" ]

patterns:
  ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'

streams:
  ssh:
    cmd: [ "journalctl" "-fu" "sshd.service" ]
    filters:
      failedlogin:
        regex:
          - authentication failure;.*rhost=<ip>
        retry: 3
        retry-period: 6h
        actions:
          ban:
            cmd: *iptablesban
          unban:
            cmd:  *iptablesunban
            after: 2d
First configuration read 2023-03-23 21:14:53 +01:00			`---`
			`definitions:`
First persistance work 2023-04-11 13:01:02 +02:00			`- &iptablesban [ "iptables" "-w" "-I" "reaction" "1" "-s" "<ip>" "-j" "block" ]`
			`- &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "block" ]`
First configuration read 2023-03-23 21:14:53 +01:00
Close #3 2023-03-24 17:36:41 +01:00			`patterns:`
			`ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})\|([0-9a-fA-F:]{2,90})'`
First configuration read 2023-03-23 21:14:53 +01:00
			`streams:`
First persistance work 2023-04-11 13:01:02 +02:00			`ssh:`
			`cmd: [ "journalctl" "-fu" "sshd.service" ]`
First configuration read 2023-03-23 21:14:53 +01:00			`filters:`
First persistance work 2023-04-11 13:01:02 +02:00			`failedlogin:`
Close #1 #4 2023-03-24 00:27:51 +01:00			`regex:`
First persistance work 2023-04-11 13:01:02 +02:00			`- authentication failure;.*rhost=<ip>`
			`retry: 3`
			`retry-period: 6h`
First configuration read 2023-03-23 21:14:53 +01:00			`actions:`
First persistance work 2023-04-11 13:01:02 +02:00			`ban:`
			`cmd: *iptablesban`
			`unban:`
			`cmd: *iptablesunban`
			`after: 2d`