From a26014399bcbedb8befb4257cb6502bf6952df4b Mon Sep 17 00:00:00 2001 From: ppom <> Date: Thu, 23 Mar 2023 14:24:26 +0100 Subject: [PATCH] =?UTF-8?q?Reflect=20last=20reflections=20=F0=9F=94=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cdc.md | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/cdc.md b/cdc.md index 806de88..b3cd9c4 100644 --- a/cdc.md +++ b/cdc.md @@ -5,19 +5,28 @@ Avec un défaut à `/etc/reaction/reactiond.conf` ```yaml -actions: - iptables: - +definitions: + - &iptablesban iptables -I reaction 1 -s -j block + - &iptablesunban iptables -D reaction 1 -s -j block + regexes: - IP: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})' + ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})' streams: - nextcloud: - cmd: journalctl -fu phpfpm-nextcloud.service - actions: - - regex: '"message":"Login failed: .\+ (Remote IP: \(?[0-9a-fA-F.:]\+\))"' - # Can also be a list - cmd: iptables -I f2b-nextcloud 1 -s -j + nextcloud: + cmd: journalctl -fu phpfpm-nextcloud.service + filters: + failed-login: + regex: + - '"message":"Login failed: .\+ (Remote IP: )"' + retry: 3 + retry-period: 1h + actions: + ban: + cmd: *iptablesban + unban: + cmd: *iptablesunban + after: 1h ``` reactionc: le client
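Review bot: The `&iptablesunban` definition, `iptables -D reaction 1 -s -j block`, keeps the rule number `1` copied from the `-I` form, but `-D` accepts either a rule number or a rule specification, not both. Even if it were read as a position, by the time `after: 1h` fires position 1 may hold a newer ban, so the wrong address would be released. Drop the index so the deletion matches on the address: `iptables -D reaction -s <ip> -j block` (the argument after `-s` is not visible on this page; `<ip>` is a placeholder for it). Separately, in the `failed-login` regex the `.\+` before `(Remote IP: )` presumably spans the client-supplied login name, so text inside that name could influence which address is captured and banned. The spec should require the address capture to be anchored to the end of the message, or the preceding match to exclude `(`.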