From fdaf215c2c30a742f7813d804eb9a198d1b2ca48 Mon Sep 17 00:00:00 2001 From: ppom <> Date: Sun, 3 Sep 2023 13:26:27 +0200 Subject: [PATCH] documentation --- README.md | 14 ++++---------- app/reaction.yml | 16 ++++++++++------ config/reaction.yml | 2 +- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index e7580b7..f4089e3 100644 --- a/README.md +++ b/README.md @@ -13,13 +13,15 @@ and takes action, such as banning ips. i was using fail2ban since quite a long time, but i was a bit frustrated by it's cpu consumption and all its heavy default configuration. -in my view, a security-oriented program should be simple to configure (`sudo` is a very bad exemple!) +in my view, a security-oriented program should be simple to configure (`sudo` is a very bad example!) and an always-running daemon should be implemented in a fast language. ## configuration this configuration file is all that should be needed to prevent bruteforce attacks on an ssh server. +see [reaction.service](./config/reaction.service) and [reaction.yml](./config/reaction.yml) for the fully explained examples. + `/etc/reaction.yml` ```yaml definitions: @@ -67,7 +69,6 @@ StateDirectory=reaction RuntimeDirectory=reaction WorkingDirectory=/var/lib/reaction ``` -See [reaction.service](./config/reaction.service) and [reaction.yml](./config/reaction.yml) for the fully commented examples. ### database @@ -78,16 +79,9 @@ if you don't know where to start it, `/var/lib/reaction` should be a sane choice the socket allowing communication between the cli and server will be created at `/run/reaction/reaction.socket`. -### terminology - -- **streams** are commands. they're run and their ouptut is captured. *example:* `tail -f /var/log/nginx/access.log` - - **filters** belong to a **stream**. they run actions when they match **regexes**. - - **regexes** are regexes. *example:* `login failed from user .* from ip ` - - **patterns** are also regexes. they're inserted inside **regexes**. example: `ip: ([0-9]{,3}.)[0-9]{,3}` - - **actions** are commands. example: `["echo" "matched "]` - ### compilation +you'll need the go toolchain. ```shell $ go build . ``` diff --git a/app/reaction.yml b/app/reaction.yml index 0165849..23cebd5 100644 --- a/app/reaction.yml +++ b/app/reaction.yml @@ -15,7 +15,9 @@ patterns: - 127.0.0.1 - ::1 -# streams are command that are run +# streams are commands +# they're run and their ouptut is captured +# *example:* `tail -f /var/log/nginx/access.log` # their output will be used by one or more filters streams: # streams have a user-defined name @@ -23,13 +25,14 @@ streams: # note that if the command is not in environment's `PATH` # its full path must be given. cmd: [ "journalctl" "-fu" "sshd.service" ] - # filters are a set of regexes on a stream - # when a regex matches, it will trigger the filter's actions + # filters run actions when they match regexes on a stream filters: # filters have a user-defined name failedlogin: - # reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax + # reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax regex: + # is predefined in the patterns section + # ip's regex is inserted in the following regex - authentication failure;.*rhost= # if retry and retry-period are defined, # the actions will only take place if a same pattern is @@ -37,6 +40,7 @@ streams: retry: 3 # format is defined here: https://pkg.go.dev/time#ParseDuration retry-period: 6h + # actions are run by the filter when regexes are matched actions: # actions have a user-defined name ban: @@ -44,11 +48,11 @@ streams: cmd: *iptablesban unban: cmd: *iptablesunban - # if after is defined, the action will not take place immediately, but after a specified duration. + # if after is defined, the action will not take place immediately, but after a specified duration # same format as retry-period after: 48h # let's say reaction is quitting. does it run all those pending commands which had an `after` duration set? # if you want reaction to run those pending commands before exiting, you can set this: - # onexit: true + onexit: true # (defaults to false) # here it is not useful because we will flush the chain containing the bans anyway (see ./reaction.service) diff --git a/config/reaction.yml b/config/reaction.yml index bef3f04..492ca9a 120000 --- a/config/reaction.yml +++ b/config/reaction.yml @@ -1 +1 @@ -app/reaction.yml \ No newline at end of file +../app/reaction.yml \ No newline at end of file