yo/reaction
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

new doc, new examples, support -help

Browse Source
This commit is contained in:
ppom 2023-10-22 12:00:00 +02:00
parent b7eeb51e82
commit 8c50f8412a
8 changed files with 256 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

162
README.md
View File

@ -1,52 +1,55 @@
# reaction
a program that scans program outputs, such as logs,
for repeated patterns, such as failed login attempts,
and takes action, such as banning ips.
A daemon that scans program outputs for repeated patterns, and takes action.
(adapted from [ fail2ban ](http://fail2ban.org)'s presentation 😄)
A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors.
🚧 this program hasn't received external audit. however, it already works well on my servers 🚧
🚧 This program hasn't received external audit. however, it already works well on my servers 🚧
## rationale
## Rationale
i was using fail2ban since quite a long time, but i was a bit frustrated by its cpu consumption
I was using the honorable fail2ban since quite a long time, but i was a bit frustrated by its cpu consumption
and all its heavy default configuration.
in my view, a security-oriented program should be simple to configure (`sudo` is a very bad example!)
and an always-running daemon should be implemented in a fast language.
In my view, a security-oriented program should be simple to configure
and an always-running daemon should be implemented in a fast*er* language.
<a href="https://u.ppom.me/reaction.webm">📽️ french example</a>
reaction does not have all the features of the honorable fail2ban, but it's ~10x faster and has more manageable configuration.
## configuration
<a href="https://u.ppom.me/reaction.webm">📽️ french quick explanation 😉</a>
this configuration file is all that should be needed to prevent brute force attacks on an ssh server.
## Configuration
see [ reaction.service ](./config/reaction.service) and [reaction.yml](./app/reaction.yml) for the fully explained examples.
YAML and [JSONnet](https://jsonnet.org/) (more powerful) are supported.
both are extensions of JSON, so JSON is transitively supported.
- See [reaction.yml](./app/example.yml) or [reaction.jsonnet](./config/example.jsonnet) for a fully explained reference
- See [server.jsonnet](./config/server.jsonnet) for a real-world configuration
- See [reaction.service](./config/reaction.service) for a systemd service file
- This quick example shows what's needed to prevent brute force attacks on an ssh server:
<details open>
<summary><code>/etc/reaction.yml</code></summary>
`/etc/reaction.yml`
```yaml
definitions:
- &iptablesban [ "ip46tables" "-w" "-I" "reaction" "1" "-s" "<ip>" "-j" "block" ]
- &iptablesunban [ "ip46tables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "block" ]
patterns:
ip: '(([ 0-9 ]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'
start:
- [ "ip46tables", "-w", "-N", "reaction" ]
- [ "ip46tables", "-w", "-A", "reaction", "-j", "ACCEPT" ]
- [ "ip46tables", "-w", "-I", "reaction", "1", "-s", "127.0.0.1", "-j", "ACCEPT" ]
- [ "ip46tables", "-w", "-I", "INPUT", "-p", "all", "-j", "reaction" ]
- [ 'ip46tables', '-w', '-N', 'reaction' ]
- [ 'ip46tables', '-w', '-A', 'reaction', '-j', 'ACCEPT' ]
- [ 'ip46tables', '-w', '-I', 'reaction', '1', '-s', '127.0.0.1', '-j', 'ACCEPT' ]
- [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
stop:
- [ "ip46tables", "-w," "-D," "INPUT", "-p", "all", "-j", "reaction" ]
- [ "ip46tables", "-w," "-F," "reaction" ]
- [ "ip46tables", "-w," "-X," "reaction" ]
- [ 'ip46tables', '-w', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
- [ 'ip46tables', '-w', '-F', 'reaction' ]
- [ 'ip46tables', '-w', '-X', 'reaction' ]
streams:
ssh:
cmd: [ "journalctl" "-fu" "sshd.service" ]
cmd: [ 'journalctl', '-fu', 'sshd.service' ]
filters:
failedlogin:
regex:
@ -55,36 +58,46 @@ streams:
retryperiod: '6h'
actions:
ban:
cmd: *iptablesban
cmd: [ 'ip46tables', '-w', '-I', 'reaction', '1', '-s', '<ip>', '-j', 'block' ]
unban:
cmd: *iptablesunban
cmd: [ 'ip46tables', '-w', '-D', 'reaction', '1', '-s', '<ip>', '-j', 'block' ]
after: '48h'
```
jsonnet is also supported:
</details>
<details>
<summary><code>/etc/reaction.jsonnet</code></summary>
`/etc/reaction.jsonnet`
```jsonnet
local iptables(args) = [ 'ip46tables', '-w' ] + args;
local iptablesban(ip) = iptables([ '-A', 'reaction', '1', '-s', ip, '-j', 'DROP' ]);
local iptablesunban(ip) = iptables([ '-D', 'reaction', '1', '-s', ip, '-j', 'DROP' ]);
local banFor(time) = {
ban: {
cmd: iptables(['-A', 'reaction', '-s', '<ip>', '-j', 'reaction-log-refuse']),
},
unban: {
after: time,
cmd: iptables(['-D', 'reaction', '-s', '<ip>', '-j', 'reaction-log-refuse']),
},
};
{
patterns: {
ip: {
regex: @'(?:(?:[ 0-9 ]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})',
},
},
start: {
iptables([ "-N", "reaction" ]),
iptables([ "-A", "reaction", "-j", "ACCEPT" ]),
iptables([ "-I", "reaction", "1", "-s", "127.0.0.1", "-j", "ACCEPT" ]),
iptables([ "-I", "INPUT", "-p", "all", "-j", "reaction" ]),
},
stop: {
iptables([ "-D,", "INPUT", "-p", "all", "-j", "reaction" ]),
iptables([ "-F,", "reaction" ]),
iptables([ "-X,", "reaction" ]),
},
start: [
iptables([ '-N', 'reaction' ]),
iptables([ '-A', 'reaction', '-j', 'ACCEPT' ]),
iptables([ '-I', 'reaction', '1', '-s', '127.0.0.1', '-j', 'ACCEPT' ]),
iptables([ '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]),
],
stop: [
iptables([ '-D,', 'INPUT', '-p', 'all', '-j', 'reaction' ]),
iptables([ '-F,', 'reaction' ]),
iptables([ '-X,', 'reaction' ]),
],
streams: {
ssh: {
cmd: [ 'journalctl', '-fu', 'sshd.service' ],
@ -93,16 +106,7 @@ local iptablesunban(ip) = iptables([ '-D', 'reaction', '1', '-s', ip, '-j', 'DRO
regex: [ @'authentication failure;.*rhost=<ip>' ],
retry: 3,
retryperiod: '6h',
actions: {
ban: {
cmd: iptablesban('<ip>'),
},
unban: {
cmd: iptablesunban('<ip>'),
after: '48h',
onexit: true,
},
},
actions: banFor('48h'),
},
},
},
@ -110,57 +114,45 @@ local iptablesunban(ip) = iptables([ '-D', 'reaction', '1', '-s', ip, '-j', 'DRO
}
```
note that both yaml and jsonnet are extensions of json, so json is also inherently supported.
</details>
`/etc/systemd/system/reaction.service`
```systemd
[ Unit ]
WantedBy=multi-user.target
[ Service ]
ExecStart=/path/to/reaction -c /etc/reaction.yml
### Database
StateDirectory=reaction
RuntimeDirectory=reaction
WorkingDirectory=/var/lib/reaction
```
The embedded database is stored in the working directory.
If you don't know where to start reaction, `/var/lib/reaction` should be a sane choice.
### database
### CLI
the working directory of `reaction` will be used to create and read from the embedded database.
if you don't know where to start it, `/var/lib/reaction` should be a sane choice.
### socket
the socket allowing communication between the cli and server will be created at `/run/reaction/reaction.socket`.
- `reaction start` runs the server
- `reaction show` show pending actions (ie. bans)
- `reaction flush` permits to run pending actions (ie. clear bans)
- `reaction test-regex` permits to test regexes
- `reaction help` for full usage.
### `ip46tables`
`ip46tables` is a minimal c program present in its own subdirectory with only standard posix dependencies.
it permits to configure `iptables` and `ip6tables` at the same time.
it will execute `iptables` when detecting ipv4, `ip6tables` when detecting ipv6 and both if no ip address is present on the command line.
It permits to configure `iptables` and `ip6tables` at the same time.
It will execute `iptables` when detecting ipv4, `ip6tables` when detecting ipv6 and both if no ip address is present on the command line.
### compilation
### Compilation
you'll need the go toolchain for reaction and a c compiler for ip46tables.
You'll need the go toolchain for reaction and a c compiler for ip46tables.
```shell
$ make
```
alternatively,
Alternatively,
```shell
# creates ./reaction
$ go build .
# creates ./ip46tables
$ gcc ip46tables.d/ip46tables.c -o ip46tables
```
### nixos
### NixOS
in addition to the [ package ](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/pkgs/reaction/default.nix)
and [ module ](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/modules/common/reaction.nix)
that i didn't try to upstream to nixpkgs yet (although they are ready), i use extensively reaction on my servers. if you're using nixos,
consider reading and building upon [ my own building blocks ](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/modules/common/reaction-variables.nix),
[ my own non-root reaction conf, including conf for SSH, port scanning & Nginx common attack URLS ](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/modules/common/reaction-custom.nix),
and the configuration for [ nextcloud ](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/modules/musi/file.ppom.me.nix#L53),
[ vaultwarden ](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/modules/musi/vaultwarden.nix#L45),
and [ maddy ](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/modules/musi/mail.nix#L74). see also an [example](https://framagit.org/ppom/nixos/-/blob/cf5448b21ae3386265485308a6cd077e8068ad77/modules/musi/mail.nix#L85) where it does something else than banning IPs.
- [ package ](https://framagit.org/ppom/nixos/-/blob/main/pkgs/reaction/default.nix)
- [ module ](https://framagit.org/ppom/nixos/-/blob/main/modules/common/reaction.nix)

24
app/example.yml
View File

@ -3,8 +3,8 @@
# using YAML anchors `&name` and pointers `*name`
# definitions are not readed by reaction
definitions:
- &iptablesban [ "ip46tables", "-w", "-A", "reaction", "1", "-s", "<ip>", "-j", "DROP" ]
- &iptablesunban [ "ip46tables", "-w", "-D", "reaction", "1", "-s", "<ip>", "-j", "DROP" ]
- &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '1', '-s', '<ip>', '-j', 'DROP' ]
- &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '1', '-s', '<ip>', '-j', 'DROP' ]
# ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
# it permits to handle both ipv4/iptables and ipv6/ip6tables commands
@ -20,20 +20,20 @@ patterns:
# Those commands will be executed in order at start, before everything else
start:
- [ "ip46tables", "-w", "-N", "reaction" ]
- [ "ip46tables", "-w", "-A", "reaction", "-j", "ACCEPT" ]
- [ "ip46tables", "-w", "-I", "reaction", "1", "-s", "127.0.0.1", "-j", "ACCEPT" ]
- [ "ip46tables", "-w", "-I", "INPUT", "-p", "all", "-j", "reaction" ]
- [ 'ip46tables', '-w', '-N', 'reaction' ]
- [ 'ip46tables', '-w', '-A', 'reaction', '-j', 'ACCEPT' ]
- [ 'ip46tables', '-w', '-I', 'reaction', '1', '-s', '127.0.0.1', '-j', 'ACCEPT' ]
- [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
# Those commands will be executed in order at stop, after everything else
stop:
- [ "ip46tables", "-w,", "-D", "INPUT", "-p", "all", "-j", "reaction" ]
- [ "ip46tables", "-w", "-F", "reaction" ]
- [ "ip46tables", "-w", "-X", "reaction" ]
- [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
- [ 'ip46tables', '-w', '-F', 'reaction' ]
- [ 'ip46tables', '-w', '-X', 'reaction' ]
# streams are commands
# they're run and their ouptut is captured
# they are run and their ouptut is captured
# *example:* `tail -f /var/log/nginx/access.log`
# their output will be used by one or more filters
streams:
@ -41,7 +41,7 @@ streams:
ssh:
# note that if the command is not in environment's `PATH`
# its full path must be given.
cmd: [ "journalctl", "-n0", "-fu", "sshd.service" ]
cmd: [ 'journalctl', '-n0', '-fu', 'sshd.service' ]
# filters run actions when they match regexes on a stream
filters:
# filters have a user-defined name
@ -73,7 +73,7 @@ streams:
onexit: true
# (defaults to false)
# here it is not useful because we will flush the chain containing the bans anyway
# (see /conf/reaction.service)
# (with the stop commands)
# persistence
# tldr; when an `after` action is set in a filter, such filter acts as a 'jail',

7
app/main.go
View File

@ -118,13 +118,10 @@ func Main() {
logger.Fatalln("No argument provided. Try `reaction help`")
basicUsage()
os.Exit(1)
} else if os.Args[1] == "-h" || os.Args[1] == "--help" {
basicUsage()
os.Exit(0)
}
f := flag.NewFlagSet(os.Args[1], flag.ExitOnError)
switch os.Args[1] {
case "help", "-h", "--help":
case "help", "-h", "-help", "--help":
basicUsage()
case "example-conf":
@ -224,7 +221,7 @@ func Main() {
}
default:
logger.Fatalln("subcommand not recognized")
logger.Fatalf("subcommand %v not recognized. Try `reaction help`", os.Args[1])
basicUsage()
os.Exit(1)
}

14
config/example.jsonnet
View File

@ -3,11 +3,8 @@
// JSONNET is a superset of JSON, so one can write plain JSON files if wanted.
// Note that YAML is also supported, see ./example.yml
// A JSONNET function
// JSONNET functions
local iptables(args) = ['ip46tables', '-w'] + args;
// variables defined for later use.
local iptablesban = iptables(['-A', 'reaction', '1', '-s', '<ip>', '-j', 'drop']);
local iptablesunban = iptables(['-D', 'reaction', '1', '-s', '<ip>', '-j', 'drop']);
// ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
// it permits to handle both ipv4/iptables and ipv6/ip6tables commands
@ -48,7 +45,7 @@ local iptablesunban = iptables(['-D', 'reaction', '1', '-s', '<ip>', '-j', 'drop
],
// streams are commands
// they're run and their ouptut is captured
// they are run and their ouptut is captured
// *example:* `tail -f /var/log/nginx/access.log`
// their output will be used by one or more filters
streams: {
@ -77,11 +74,10 @@ local iptablesunban = iptables(['-D', 'reaction', '1', '-s', '<ip>', '-j', 'drop
actions: {
// actions have a user-defined name
ban: {
// JSONNET substitutes the variable (defined at the beginning of the file)
cmd: iptablesban,
cmd: iptables(['-A', 'reaction', '-s', '<ip>', '-j', 'reaction-log-refuse']),
},
unban: {
cmd: iptablesunban,
cmd: iptables(['-D', 'reaction', '-s', '<ip>', '-j', 'reaction-log-refuse']),
// if after is defined, the action will not take place immediately, but after a specified duration
// same format as retryperiod
after: '48h',
@ -90,7 +86,7 @@ local iptablesunban = iptables(['-D', 'reaction', '1', '-s', '<ip>', '-j', 'drop
onexit: true,
// (defaults to false)
// here it is not useful because we will flush the chain containing the bans anyway
// (see /conf/reaction.service)
// (with the stop commands)
},
},
},

24
config/heavy-load.yml
View File

@ -9,7 +9,7 @@ patterns:
streams:
tailDown1:
cmd: [ "sh", "-c", "sleep 2; seq 100010 | while read i; do echo found $(($i % 100)); done" ]
cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo found $(($i % 100)); done' ]
filters:
findIP:
regex:
@ -18,13 +18,13 @@ streams:
retryperiod: 1m
actions:
damn:
cmd: [ "echo", "<num>" ]
cmd: [ 'echo', '<num>' ]
undamn:
cmd: [ "echo", "undamn", "<num>" ]
cmd: [ 'echo', 'undamn', '<num>' ]
after: 1m
onexit: false
tailDown2:
cmd: [ "sh", "-c", "sleep 2; seq 100010 | while read i; do echo prout $(($i % 100)); done" ]
cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo prout $(($i % 100)); done' ]
filters:
findIP:
regex:
@ -33,13 +33,13 @@ streams:
retryperiod: 1m
actions:
damn:
cmd: [ "echo", "<num>" ]
cmd: [ 'echo', '<num>' ]
undamn:
cmd: [ "echo", "undamn", "<num>" ]
cmd: [ 'echo', 'undamn', '<num>' ]
after: 1m
onexit: false
tailDown3:
cmd: [ "sh", "-c", "sleep 2; seq 100010 | while read i; do echo nanana $(($i % 100)); done" ]
cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo nanana $(($i % 100)); done' ]
filters:
findIP:
regex:
@ -48,13 +48,13 @@ streams:
retryperiod: 2m
actions:
damn:
cmd: [ "true" ]
cmd: [ 'true' ]
undamn:
cmd: [ "true" ]
cmd: [ 'true' ]
after: 1m
onexit: false
tailDown4:
cmd: [ "sh", "-c", "sleep 2; seq 100010 | while read i; do echo nanana $(($i % 100)); done" ]
cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo nanana $(($i % 100)); done' ]
filters:
findIP:
regex:
@ -63,8 +63,8 @@ streams:
retryperiod: 2m
actions:
damn:
cmd: [ "echo", "<num>" ]
cmd: [ 'echo', '<num>' ]
undamn:
cmd: [ "echo", "undamn", "<num>" ]
cmd: [ 'echo', 'undamn', '<num>' ]
after: 1m
onexit: false

2
config/reaction.service
View File

@ -4,7 +4,7 @@ WantedBy=multi-user.target
# See `man systemd.exec` and `man systemd.service` for most options below
[Service]
ExecStart=/path/to/reaction -c /etc/reaction.yml
ExecStart=/path/to/reaction start -c /etc/reaction.yml
# Ask systemd to create /var/lib/reaction (/var/lib/ is implicit)
StateDirectory=reaction

147
config/server.jsonnet Normal file
View File

@ -0,0 +1,147 @@
// This is the extensive configuration used on a **real** server!
local banFor(time) = {
ban: {
cmd: ['ip46tables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'reaction-log-refuse'],
},
unban: {
after: time,
cmd: ['ip46tables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'reaction-log-refuse'],
},
};
{
patterns: {
// IPs can be IPv4 or IPv6
// ip46tables (C program also in this repo) handles running the good commands
ip: {
regex: @'(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})',
},
},
streams: {
// Ban hosts failing to connect via ssh
ssh: {
cmd: [' journalctl', '-fn0', '-u', 'sshd.service'],
filters: {
failedlogin: {
regex: [
@'authentication failure;.*rhost=<ip>',
@'Connection reset by authenticating user .* <ip>',
],
retry: 3,
retryperiod: '6h',
actions: banFor('48h'),
},
},
},
// Ban hosts which knock on closed ports.
// It needs this iptables chain to be used to drop packets:
// ip46tables -N log-refuse
// ip46tables -A log-refuse -p tcp --syn -j LOG --log-level info --log-prefix 'refused connection: '
// ip46tables -A log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
// ip46tables -A log-refuse -j DROP
kernel: {
cmd: ['journalctl', '-fn0', '-k'],
filters: {
portscan: {
regex: ['refused connection: .*SRC=<ip>'],
retry: 4,
retryperiod: '1h',
actions: banFor('720h'),
},
},
},
// Note: nextcloud and vaultwarden could also be filters on the nginx stream
// I did use their own logs instead because it's less logs to parse than the front webserver
// Ban hosts failing to connect to Nextcloud
nextcloud: {
cmd: ['journalctl', '-fn0', '-u', 'phpfpm-nextcloud.service'],
filters: {
failedLogin: {
regex: [
@'"remoteAddr":"<ip>".*"message":"Login failed:',
@'"remoteAddr":"<ip>".*"message":"Trusted domain error.',
],
retry: 3,
retryperiod: '1h',
actions: banFor('1h'),
},
},
},
// Ban hosts failing to connect to vaultwarden
vaultwarden: {
cmd: ['journalctl', '-fn0', '-u', 'vaultwarden.service'],
filters: {
failedlogin: {
actions: banFor('2h'),
regex: [@'Username or password is incorrect\. Try again\. IP: <ip>\. Username:'],
retry: 3,
retryperiod: '1h',
},
},
},
// Used with this nginx log configuration:
// log_format withhost '$remote_addr - $remote_user [$time_local] $host "$request" $status $bytes_sent "$http_referer" "$http_user_agent"';
// access_log /var/log/nginx/access.log withhost;
nginx: {
cmd: ['tail', '-n0', '-f', '/var/log/nginx/access.log'],
filters: {
// Ban hosts failing to connect to Directus
directus: {
regex: [
@'^<ip> .* "POST /auth/login HTTP/..." 401 [0-9]+ .https://directusdomain',
],
retry: 6,
retryperiod: '4h',
actions: banFor('4h'),
},
// Ban hosts presenting themselves as bots of ChatGPT
gptbot: {
regex: [@'^<ip>.*GPTBot/1.0'],
action: banFor('720h'),
},
// Ban hosts failing to connect to slskd
slskd: {
regex: [
@'^<ip> .* "POST /api/v0/session HTTP/..." 401 [0-9]+ .https://slskddomain',
],
retry: 3,
retryperiod: '1h',
actions: banFor('6h'),
},
// Ban suspect HTTP requests
// Those are frequent malicious requests I got from bots
// Make sure you don't have honnest use cases for those requests, or your clients may be banned for 2 weeks!
suspectRequests: {
regex: [
// (?:[^/" ]*/)* is a "non-capturing group" regex that allow for subpath(s)
// example: /code/.env should be matched as well as /.env
// ^^^^^
@'^<ip>.*"GET /(?:[^/" ]*/)*\.env ',
@'^<ip>.*"GET /(?:[^/" ]*/)*info\.php ',
@'^<ip>.*"GET /(?:[^/" ]*/)*owa/auth/logon.aspx ',
@'^<ip>.*"GET /(?:[^/" ]*/)*auth.html ',
@'^<ip>.*"GET /(?:[^/" ]*/)*auth1.html ',
@'^<ip>.*"GET /(?:[^/" ]*/)*password.txt ',
@'^<ip>.*"GET /(?:[^/" ]*/)*passwords.txt ',
@'^<ip>.*"GET /(?:[^/" ]*/)*dns-query ',
// Do not include this if you have a Wordpress website ;)
@'^<ip>.*"GET /(?:[^/" ]*/)*wp-login\.php',
@'^<ip>.*"GET /(?:[^/" ]*/)*wp-includes',
// Do not include this if a client must retrieve a config.json file ;)
@'^<ip>.*"GET /(?:[^/" ]*/)*config\.json ',
],
action: banFor('720h'),
},
},
},
},
}

1
config/test.jsonnet
View File

@ -39,7 +39,6 @@
},
tailDown2: {
cmd: ['sh', '-c', 'echo coucou; sleep 2m'],
// cmd: ['sh', '-c', "echo 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 6 7 8 9 | tr ' ' '\n' | while read i; do sleep 3; echo found $(($i % 60)); done"],
filters: {
findIP: {
regex: ['^found <num>$'],