documentation
This commit is contained in:
parent
799ba88823
commit
fdaf215c2c
14
README.md
14
README.md
@ -13,13 +13,15 @@ and takes action, such as banning ips.
|
|||||||
i was using fail2ban since quite a long time, but i was a bit frustrated by it's cpu consumption
|
i was using fail2ban since quite a long time, but i was a bit frustrated by it's cpu consumption
|
||||||
and all its heavy default configuration.
|
and all its heavy default configuration.
|
||||||
|
|
||||||
in my view, a security-oriented program should be simple to configure (`sudo` is a very bad exemple!)
|
in my view, a security-oriented program should be simple to configure (`sudo` is a very bad example!)
|
||||||
and an always-running daemon should be implemented in a fast language.
|
and an always-running daemon should be implemented in a fast language.
|
||||||
|
|
||||||
## configuration
|
## configuration
|
||||||
|
|
||||||
this configuration file is all that should be needed to prevent bruteforce attacks on an ssh server.
|
this configuration file is all that should be needed to prevent bruteforce attacks on an ssh server.
|
||||||
|
|
||||||
|
see [reaction.service](./config/reaction.service) and [reaction.yml](./config/reaction.yml) for the fully explained examples.
|
||||||
|
|
||||||
`/etc/reaction.yml`
|
`/etc/reaction.yml`
|
||||||
```yaml
|
```yaml
|
||||||
definitions:
|
definitions:
|
||||||
@ -67,7 +69,6 @@ StateDirectory=reaction
|
|||||||
RuntimeDirectory=reaction
|
RuntimeDirectory=reaction
|
||||||
WorkingDirectory=/var/lib/reaction
|
WorkingDirectory=/var/lib/reaction
|
||||||
```
|
```
|
||||||
See [reaction.service](./config/reaction.service) and [reaction.yml](./config/reaction.yml) for the fully commented examples.
|
|
||||||
|
|
||||||
### database
|
### database
|
||||||
|
|
||||||
@ -78,16 +79,9 @@ if you don't know where to start it, `/var/lib/reaction` should be a sane choice
|
|||||||
|
|
||||||
the socket allowing communication between the cli and server will be created at `/run/reaction/reaction.socket`.
|
the socket allowing communication between the cli and server will be created at `/run/reaction/reaction.socket`.
|
||||||
|
|
||||||
### terminology
|
|
||||||
|
|
||||||
- **streams** are commands. they're run and their ouptut is captured. *example:* `tail -f /var/log/nginx/access.log`
|
|
||||||
- **filters** belong to a **stream**. they run actions when they match **regexes**.
|
|
||||||
- **regexes** are regexes. *example:* `login failed from user .* from ip <ip>`
|
|
||||||
- **patterns** are also regexes. they're inserted inside **regexes**. example: `ip: ([0-9]{,3}.)[0-9]{,3}`
|
|
||||||
- **actions** are commands. example: `["echo" "matched <ip>"]`
|
|
||||||
|
|
||||||
### compilation
|
### compilation
|
||||||
|
|
||||||
|
you'll need the go toolchain.
|
||||||
```shell
|
```shell
|
||||||
$ go build .
|
$ go build .
|
||||||
```
|
```
|
||||||
|
@ -15,7 +15,9 @@ patterns:
|
|||||||
- 127.0.0.1
|
- 127.0.0.1
|
||||||
- ::1
|
- ::1
|
||||||
|
|
||||||
# streams are command that are run
|
# streams are commands
|
||||||
|
# they're run and their ouptut is captured
|
||||||
|
# *example:* `tail -f /var/log/nginx/access.log`
|
||||||
# their output will be used by one or more filters
|
# their output will be used by one or more filters
|
||||||
streams:
|
streams:
|
||||||
# streams have a user-defined name
|
# streams have a user-defined name
|
||||||
@ -23,13 +25,14 @@ streams:
|
|||||||
# note that if the command is not in environment's `PATH`
|
# note that if the command is not in environment's `PATH`
|
||||||
# its full path must be given.
|
# its full path must be given.
|
||||||
cmd: [ "journalctl" "-fu" "sshd.service" ]
|
cmd: [ "journalctl" "-fu" "sshd.service" ]
|
||||||
# filters are a set of regexes on a stream
|
# filters run actions when they match regexes on a stream
|
||||||
# when a regex matches, it will trigger the filter's actions
|
|
||||||
filters:
|
filters:
|
||||||
# filters have a user-defined name
|
# filters have a user-defined name
|
||||||
failedlogin:
|
failedlogin:
|
||||||
# reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
|
# reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
|
||||||
regex:
|
regex:
|
||||||
|
# <ip> is predefined in the patterns section
|
||||||
|
# ip's regex is inserted in the following regex
|
||||||
- authentication failure;.*rhost=<ip>
|
- authentication failure;.*rhost=<ip>
|
||||||
# if retry and retry-period are defined,
|
# if retry and retry-period are defined,
|
||||||
# the actions will only take place if a same pattern is
|
# the actions will only take place if a same pattern is
|
||||||
@ -37,6 +40,7 @@ streams:
|
|||||||
retry: 3
|
retry: 3
|
||||||
# format is defined here: https://pkg.go.dev/time#ParseDuration
|
# format is defined here: https://pkg.go.dev/time#ParseDuration
|
||||||
retry-period: 6h
|
retry-period: 6h
|
||||||
|
# actions are run by the filter when regexes are matched
|
||||||
actions:
|
actions:
|
||||||
# actions have a user-defined name
|
# actions have a user-defined name
|
||||||
ban:
|
ban:
|
||||||
@ -44,11 +48,11 @@ streams:
|
|||||||
cmd: *iptablesban
|
cmd: *iptablesban
|
||||||
unban:
|
unban:
|
||||||
cmd: *iptablesunban
|
cmd: *iptablesunban
|
||||||
# if after is defined, the action will not take place immediately, but after a specified duration.
|
# if after is defined, the action will not take place immediately, but after a specified duration
|
||||||
# same format as retry-period
|
# same format as retry-period
|
||||||
after: 48h
|
after: 48h
|
||||||
# let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
|
# let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
|
||||||
# if you want reaction to run those pending commands before exiting, you can set this:
|
# if you want reaction to run those pending commands before exiting, you can set this:
|
||||||
# onexit: true
|
onexit: true
|
||||||
# (defaults to false)
|
# (defaults to false)
|
||||||
# here it is not useful because we will flush the chain containing the bans anyway (see ./reaction.service)
|
# here it is not useful because we will flush the chain containing the bans anyway (see ./reaction.service)
|
||||||
|
@ -1 +1 @@
|
|||||||
app/reaction.yml
|
../app/reaction.yml
|
Loading…
Reference in New Issue
Block a user