reaction/app/example.yml

---
# definitions are just a place to put chunks of conf you want to reuse in another place
# using YAML anchors `&name` and pointers `*name`
# definitions are not readed by reaction
definitions:
  - &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP' ]
  - &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP' ]
# ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
# it permits to handle both ipv4/iptables and ipv6/ip6tables commands

# if set to a positive number → max number of concurrent actions
# if set to a negative number → no limit
# if not specified or set to 0 → defaults to the number of CPUs on the system
concurrency: 0

# patterns are substitued in regexes.
# when a filter performs an action, it replaces the found pattern
patterns:
  ip:
    # reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
    # simple version: regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
    regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
    ignore:
      - 127.0.0.1
      - ::1

# Those commands will be executed in order at start, before everything else
start:
  - [ 'ip46tables', '-w', '-N', 'reaction' ]
  - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]

# Those commands will be executed in order at stop, after everything else
stop:
  - [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
  - [ 'ip46tables', '-w', '-F', 'reaction' ]
  - [ 'ip46tables', '-w', '-X', 'reaction' ]

# streams are commands
# they are run and their ouptut is captured
# *example:* `tail -f /var/log/nginx/access.log`
# their output will be used by one or more filters
streams:
  # streams have a user-defined name
  ssh:
    # note that if the command is not in environment's `PATH`
    # its full path must be given.
    cmd: [ 'journalctl', '-n0', '-fu', 'sshd.service' ]
    # filters run actions when they match regexes on a stream
    filters:
      # filters have a user-defined name
      failedlogin:
        # reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
        regex:
          # <ip> is predefined in the patterns section
          # ip's regex is inserted in the following regex
          - 'authentication failure;.*rhost=<ip>'
          - 'Failed password for .* from <ip>'
          - 'Connection (reset|closed) by (authenticating|invalid) user .* <ip>'
        # if retry and retryperiod are defined,
        # the actions will only take place if a same pattern is
        # found `retry` times in a `retryperiod` interval
        retry: 3
        # format is defined here: https://pkg.go.dev/time#ParseDuration
        retryperiod: 6h
        # actions are run by the filter when regexes are matched
        actions:
          # actions have a user-defined name
          ban:
            # YAML substitutes *reference by the value anchored at &reference
            cmd: *iptablesban
          unban:
            cmd:  *iptablesunban
            # if after is defined, the action will not take place immediately, but after a specified duration
            # same format as retryperiod
            after: 48h
            # let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
            # if you want reaction to run those pending commands before exiting, you can set this:
            # onexit: true
            # (defaults to false)
            # here it is not useful because we will flush and delete the chain containing the bans anyway
            # (with the stop commands)

# persistence
# tldr; when an `after` action is set in a filter, such filter acts as a 'jail',
# which is persisted after reboots.
#
# when a filter is triggered, there are 2 flows:
#
# if none of its actions have an `after` directive set:
# no action will be replayed.
#
# else (if at least one action has an `after` directive set):
# if reaction stops while `after` actions are pending:
# and reaction starts again while those actions would still be pending:
# reaction executes the past actions (actions without after or with then+after < now)
# and plans the execution of future actions (actions with then+after > now)
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`---`
			`# definitions are just a place to put chunks of conf you want to reuse in another place`
explain how persistence works fix #35 2023-10-01 12:00:00 +02:00			# using YAML anchors `&name` and pointers `*name`
			`# definitions are not readed by reaction`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`definitions:`
fix confs iptables 2023-11-05 12:00:00 +01:00			`- &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP' ]`
			`- &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP' ]`
ip46tables wrote `ip46tables` C minimal program to handle both ipv4 and ipv6 at the same time. fix #22 2023-10-05 12:00:00 +02:00			`# ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.`
			`# it permits to handle both ipv4/iptables and ipv6/ip6tables commands`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00
Add global concurrency parameter. fix #56 Fix bug which caused pending actions to be run multiple times when pending time finished Fix bug which caused 1. past pending actions to rerun on exit 2. maximum one pending action per pattern/action couple to run on exit 2024-01-05 12:00:00 +01:00			`# if set to a positive number → max number of concurrent actions`
			`# if set to a negative number → no limit`
			`# if not specified or set to 0 → defaults to the number of CPUs on the system`
			`concurrency: 0`

New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`# patterns are substitued in regexes.`
			`# when a filter performs an action, it replaces the found pattern`
			`patterns:`
			`ip:`
			`# reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax`
Revert "quick fix IP regexes. see #62" This reverts commit c2723d3829361e85b682e0a0bdc6c0b213cdd2ee. fix #62 2024-01-04 12:00:00 +01:00			`# simple version: regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})\|(?:[0-9a-fA-F:]{2,90})'`
			regex: '(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)){3}\|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|(?:[0-9a-fA-F]{1,4}:){1,7}:\|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}\|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}\|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}\|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})\|:(?:(?::[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]\|(?:2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]\|(?:2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]\|(?:2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]\|(?:2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))'
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`ignore:`
			`- 127.0.0.1`
			`- ::1`

Implement start/stop commands fix #41 update README and configuration files accordingly 2023-10-18 12:00:00 +02:00			`# Those commands will be executed in order at start, before everything else`
			`start:`
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`- [ 'ip46tables', '-w', '-N', 'reaction' ]`
			`- [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]`
Implement start/stop commands fix #41 update README and configuration files accordingly 2023-10-18 12:00:00 +02:00
			`# Those commands will be executed in order at stop, after everything else`
			`stop:`
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`- [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]`
			`- [ 'ip46tables', '-w', '-F', 'reaction' ]`
			`- [ 'ip46tables', '-w', '-X', 'reaction' ]`
Implement start/stop commands fix #41 update README and configuration files accordingly 2023-10-18 12:00:00 +02:00
documentation 2023-09-03 13:26:27 +02:00			`# streams are commands`
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`# they are run and their ouptut is captured`
documentation 2023-09-03 13:26:27 +02:00			# example: `tail -f /var/log/nginx/access.log`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`# their output will be used by one or more filters`
			`streams:`
			`# streams have a user-defined name`
			`ssh:`
			# note that if the command is not in environment's `PATH`
			`# its full path must be given.`
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`cmd: [ 'journalctl', '-n0', '-fu', 'sshd.service' ]`
documentation 2023-09-03 13:26:27 +02:00			`# filters run actions when they match regexes on a stream`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`filters:`
			`# filters have a user-defined name`
			`failedlogin:`
documentation 2023-09-03 13:26:27 +02:00			`# reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`regex:`
documentation 2023-09-03 13:26:27 +02:00			`# <ip> is predefined in the patterns section`
			`# ip's regex is inserted in the following regex`
more ssh regexes 2023-11-05 12:00:00 +01:00			`- 'authentication failure;.*rhost=<ip>'`
			`- 'Failed password for .* from <ip>'`
Generalisation of new SSH regex 2024-01-06 12:00:00 +01:00			`- 'Connection (reset\|closed) by (authenticating\|invalid) user .* <ip>'`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`# if retry and retryperiod are defined,`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`# the actions will only take place if a same pattern is`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			# found `retry` times in a `retryperiod` interval
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`retry: 3`
			`# format is defined here: https://pkg.go.dev/time#ParseDuration`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`retryperiod: 6h`
documentation 2023-09-03 13:26:27 +02:00			`# actions are run by the filter when regexes are matched`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`actions:`
			`# actions have a user-defined name`
			`ban:`
explain how persistence works fix #35 2023-10-01 12:00:00 +02:00			`# YAML substitutes *reference by the value anchored at &reference`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`cmd: *iptablesban`
			`unban:`
			`cmd: *iptablesunban`
documentation 2023-09-03 13:26:27 +02:00			`# if after is defined, the action will not take place immediately, but after a specified duration`
support json, jsonnet, yaml formats - jsonnet, json and yaml support for configuration - json and yaml support for output formats fix #40 fix #27 2023-10-04 12:00:00 +02:00			`# same format as retryperiod`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`after: 48h`
			# let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
			`# if you want reaction to run those pending commands before exiting, you can set this:`
comment suggestion for people that don't read the full file 2023-11-24 12:00:00 +01:00			`# onexit: true`
New unified CLI design fixes #25 thanks @bertille-ddp for comments && suggestions! 2023-09-03 12:13:18 +02:00			`# (defaults to false)`
fix confs iptables 2023-11-05 12:00:00 +01:00			`# here it is not useful because we will flush and delete the chain containing the bans anyway`
new doc, new examples, support -help 2023-10-22 12:00:00 +02:00			`# (with the stop commands)`
explain how persistence works fix #35 2023-10-01 12:00:00 +02:00
			`# persistence`
			# tldr; when an `after` action is set in a filter, such filter acts as a 'jail',
			`# which is persisted after reboots.`
			`#`
			`# when a filter is triggered, there are 2 flows:`
			`#`
			# if none of its actions have an `after` directive set:
			`# no action will be replayed.`
			`#`
			# else (if at least one action has an `after` directive set):
			# if reaction stops while `after` actions are pending:
			`# and reaction starts again while those actions would still be pending:`
			`# reaction executes the past actions (actions without after or with then+after < now)`
			`# and plans the execution of future actions (actions with then+after > now)`