order 🧹

config/reaction.service

@@ -0,0 +1,25 @@
+# vim: ft=systemd
+[Unit]
+WantedBy=multi-user.target
+
+[Service]
+ExecStart=/path/to/reaction -c /etc/reaction.yml
+
+# Create an iptables chain for reaction
+ExecStartPre=/path/to/iptables -w -N reaction
+# Set its default to ACCEPT
+ExecStartPre=/path/to/iptables -w -A reaction -j ACCEPT
+# Insert this chain as the first item of the INPUT chain (for incoming connections)
+ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction
+
+# Remove the chain from the INPUT chain
+ExecStopPost=/path/to/iptables -w -D INPUT -p all -j reaction
+# Empty the chain
+ExecStopPost=/path/to/iptables -w -F reaction
+# Delete te chain
+ExecStopPost=/path/to/iptables -w -X reaction
+
+# Ask systemd to create /var/lib/reaction (/var/lib/ is implicit)
+StateDirectory=reaction
+# Start reaction in its state directory
+WorkingDirectory=/var/lib/reaction

config/reaction.test.yml

@@ -0,0 +1,19 @@
+---
+patterns:
+  ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'
+
+streams:
+  tailDown:
+    cmd: [ "sh", "-c", "echo 'found 1.1.1.1' && sleep 2s && echo 'found 1.1.1.2' && sleep 2s && echo 'found 1.1.1.1' && sleep 1s" ]
+    filters:
+      findIP:
+        regex:
+          - found <ip>
+        retry: 2
+        retry-period: 5s
+        actions:
+          damn:
+            cmd: [ "echo", "<ip>" ]
+          sleepdamn:
+            cmd: [ "echo", "sleep", "<ip>" ]
+            after: 1s

config/reaction.yml

@@ -0,0 +1,44 @@
+---
+# TODO heavily comment this file
+# definitions are just a place to put chunks of conf you want to reuse in another place
+# they're not readed by reaction
+definitions:
+  - &iptablesban [ "iptables" "-w" "-I" "reaction" "1" "-s" "<ip>" "-j" "block" ]
+  - &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "block" ]
+
+# patterns are substitued in regexes.
+# when a filter performs an action, it replaces the found pattern
+patterns:
+  ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'
+
+# streams are command that are run
+# their output will be used by one or more filters
+streams:
+  # streams have a user-defined name
+  ssh:
+    # note that if the command is not in environment's `PATH`
+    # its full path must be given.
+    cmd: [ "journalctl" "-fu" "sshd.service" ]
+    # filters are a set of regexes on a stream
+    # when a regex matches, it will trigger the filter's actions
+    filters:
+      # filters have a user-defined name
+      failedlogin:
+        regex:
+          - authentication failure;.*rhost=<ip>
+        # if retry and retry-period are defined,
+        # the actions will only take place if a same pattern is
+        # found `retry` times in a `retry-period` interval
+        retry: 3
+        # format is defined here: https://pkg.go.dev/time#ParseDuration
+        retry-period: 6h
+        actions:
+          # actions have a user-defined name
+          ban:
+            # YAML substitutes *reference by the value at &reference
+            cmd: *iptablesban
+          unban:
+            cmd:  *iptablesunban
+            # if after is defined, the action will not take place immediately, but after a specified duration.
+            # same format as retry-period
+            after: 2d