documentation

ppom 2023-09-03 13:26:27 +02:00
parent 799ba88823
commit fdaf215c2c
3 changed files with 15 additions and 17 deletions


@ -13,13 +13,15 @@ and takes action, such as banning ips.
i was using fail2ban since quite a long time, but i was a bit frustrated by it's cpu consumption i was using fail2ban since quite a long time, but i was a bit frustrated by it's cpu consumption
and all its heavy default configuration. and all its heavy default configuration.
in my view, a security-oriented program should be simple to configure (`sudo` is a very bad exemple!) in my view, a security-oriented program should be simple to configure (`sudo` is a very bad example!)
and an always-running daemon should be implemented in a fast language. and an always-running daemon should be implemented in a fast language.
## configuration ## configuration
this configuration file is all that should be needed to prevent bruteforce attacks on an ssh server. this configuration file is all that should be needed to prevent bruteforce attacks on an ssh server.
see [reaction.service](./config/reaction.service) and [reaction.yml](./config/reaction.yml) for the fully explained examples.
`/etc/reaction.yml` `/etc/reaction.yml`
```yaml ```yaml
definitions: definitions:
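Review bot: the `exemple` → `example` fix leaves two other errors on the unchanged lines of the same paragraph: `it's cpu consumption` should be `its cpu consumption`, and `since quite a long time` should be `for quite a long time`; `bruteforce` on the configuration line is normally written `brute-force`. The new sentence `see [reaction.service](./config/reaction.service) and [reaction.yml](./config/reaction.yml) for the fully explained examples.` now sits between the claim that the following file "is all that should be needed" and the file itself; it would read better as a lead-in, e.g. `the following is a minimal configuration; see ... for the fully explained examples.`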
@ -67,7 +69,6 @@ StateDirectory=reaction
RuntimeDirectory=reaction RuntimeDirectory=reaction
WorkingDirectory=/var/lib/reaction WorkingDirectory=/var/lib/reaction
``` ```
See [reaction.service](./config/reaction.service) and [reaction.yml](./config/reaction.yml) for the fully commented examples.
### database ### database
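Review bot: removing this sentence after the unit-file listing is fine only because the same pointer is now placed before the yaml example; note that the wording changed from `fully commented` to `fully explained` during the move, and since the linked `reaction.service` and `reaction.yml` are annotated with comments, `commented` was the more accurate word.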
@ -78,16 +79,9 @@ if you don't know where to start it, `/var/lib/reaction` should be a sane choice
the socket allowing communication between the cli and server will be created at `/run/reaction/reaction.socket`. the socket allowing communication between the cli and server will be created at `/run/reaction/reaction.socket`.
### terminology
- **streams** are commands. they're run and their ouptut is captured. *example:* `tail -f /var/log/nginx/access.log`
- **filters** belong to a **stream**. they run actions when they match **regexes**.
- **regexes** are regexes. *example:* `login failed from user .* from ip <ip>`
- **patterns** are also regexes. they're inserted inside **regexes**. example: `ip: ([0-9]{,3}.)[0-9]{,3}`
- **actions** are commands. example: `["echo" "matched <ip>"]`
### compilation ### compilation
you'll need the go toolchain.
```shell ```shell
$ go build . $ go build .
``` ```
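Review bot: dropping the `### terminology` section removes the only place in the README that defines streams, filters, regexes, patterns and actions; the definitions were moved into comments in config/reaction.yml, but a reader of the README alone no longer learns that `<ip>` in `authentication failure;.*rhost=<ip>` is a pattern substitution. Keep a one-line version under `## configuration` or point to the yaml comments explicitly. Separately, `you'll need the go toolchain.` under `### compilation` is a real prerequisite and is deleted without replacement; `$ go build .` alone does not tell a new user what to install.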


@ -15,7 +15,9 @@ patterns:
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
# streams are command that are run # streams are commands
# they're run and their ouptut is captured
# *example:* `tail -f /var/log/nginx/access.log`
# their output will be used by one or more filters # their output will be used by one or more filters
streams: streams:
# streams have a user-defined name # streams have a user-defined name
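Review bot: the added comment `# they're run and their ouptut is captured` carries over the `ouptut` typo from the deleted README line; it should be `output`. The illustrative stream `tail -f /var/log/nginx/access.log` is also worth tightening: `tail -f` keeps following the old inode after logrotate replaces the file, so a stream defined this way silently stops matching after rotation; `tail -F` (follow by name) is the safer suggestion for a comment that readers will copy.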
@ -23,13 +25,14 @@ streams:
# note that if the command is not in environment's `PATH` # note that if the command is not in environment's `PATH`
# its full path must be given. # its full path must be given.
cmd: [ "journalctl" "-fu" "sshd.service" ] cmd: [ "journalctl" "-fu" "sshd.service" ]
# filters are a set of regexes on a stream # filters run actions when they match regexes on a stream
# when a regex matches, it will trigger the filter's actions
filters: filters:
# filters have a user-defined name # filters have a user-defined name
failedlogin: failedlogin:
# reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax # reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
regex: regex:
# <ip> is predefined in the patterns section
# ip's regex is inserted in the following regex
- authentication failure;.*rhost=<ip> - authentication failure;.*rhost=<ip>
# if retry and retry-period are defined, # if retry and retry-period are defined,
# the actions will only take place if a same pattern is # the actions will only take place if a same pattern is
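Review bot: the context line `cmd: [ "journalctl" "-fu" "sshd.service" ]` is a flow sequence with no commas between its entries; YAML requires `[ "journalctl", "-fu", "sshd.service" ]`, and a standard parser rejects the comma-less form, so if reaction's loader accepts it the comment should say so, otherwise this example does not load as written. The new comments `# <ip> is predefined in the patterns section` and `# ip's regex is inserted in the following regex` are a good addition; since the pattern text is inserted into the regex, it is worth stating there that the pattern must itself be a valid RE2 fragment. On the unchanged line below, `a same pattern` should read `the same pattern`.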
@ -37,6 +40,7 @@ streams:
retry: 3 retry: 3
# format is defined here: https://pkg.go.dev/time#ParseDuration # format is defined here: https://pkg.go.dev/time#ParseDuration
retry-period: 6h retry-period: 6h
# actions are run by the filter when regexes are matched
actions: actions:
# actions have a user-defined name # actions have a user-defined name
ban: ban:
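Review bot: the new comment `# actions are run by the filter when regexes are matched` is too strong for this filter: with `retry: 3` and `retry-period: 6h` set just above, the actions run only once the same pattern has matched three times within the period, as the `# if retry and retry-period are defined` comment explains. Suggest `# actions are run by the filter when it triggers (see retry above)` so the two comments do not contradict each other.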
@ -44,11 +48,11 @@ streams:
cmd: *iptablesban cmd: *iptablesban
unban: unban:
cmd: *iptablesunban cmd: *iptablesunban
# if after is defined, the action will not take place immediately, but after a specified duration. # if after is defined, the action will not take place immediately, but after a specified duration
# same format as retry-period # same format as retry-period
after: 48h after: 48h
# let's say reaction is quitting. does it run all those pending commands which had an `after` duration set? # let's say reaction is quitting. does it run all those pending commands which had an `after` duration set?
# if you want reaction to run those pending commands before exiting, you can set this: # if you want reaction to run those pending commands before exiting, you can set this:
# onexit: true onexit: true
# (defaults to false) # (defaults to false)
# here it is not useful because we will flush the chain containing the bans anyway (see ./reaction.service) # here it is not useful because we will flush the chain containing the bans anyway (see ./reaction.service)
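Review bot: uncommenting `onexit: true` contradicts the two comments that surround it: `# (defaults to false)` now describes a setting that is explicitly set to true, and `# here it is not useful because we will flush the chain containing the bans anyway (see ./reaction.service)` says the setting should not be on. With it enabled, every pending `unban` (one per banned address, delayed 48h) is executed on shutdown before the service flushes the chain, which is redundant work and, on a restart, removes bans that the flush would have removed anyway. If the intent is only to show the option, keep it as `# onexit: true`; if the intent is to enable it, drop or rewrite the two comments and say why the per-address unbans are wanted before the flush.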


@ -1 +1 @@
app/reaction.yml ../app/reaction.yml
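Review bot: the symlink target changes from `app/reaction.yml` to `../app/reaction.yml`; symlink targets resolve relative to the link's own directory, so the new value is correct only if this link lives one level below the repository root (for example in `config/`, which the README references as `./config/reaction.yml`) and an `app/` directory exists at the root. Worth checking with `readlink -f` after checkout, since a dangling link here makes the README's pointer to the fully explained example broken.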