--- # definitions are just a place to put chunks of conf you want to reuse in another place # using YAML anchors `&name` and pointers `*name` # definitions are not readed by reaction definitions: - &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '-s', '', '-j', 'DROP' ] - &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '-s', '', '-j', 'DROP' ] # ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory. # it permits to handle both ipv4/iptables and ipv6/ip6tables commands # if set to a positive number → max number of concurrent actions # if set to a negative number → no limit # if not specified or set to 0 → defaults to the number of CPUs on the system concurrency: 0 # patterns are substitued in regexes. # when a filter performs an action, it replaces the found pattern patterns: ip: # reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax # simple version: regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})' regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))' ignore: - 127.0.0.1 - ::1 # Those commands will be executed in order at start, before everything else start: - [ 'ip46tables', '-w', '-N', 'reaction' ] - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ] # Those commands will be executed in order at stop, after everything else stop: - [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ] - [ 'ip46tables', '-w', '-F', 'reaction' ] - [ 'ip46tables', '-w', '-X', 'reaction' ] # streams are commands # they are run and their ouptut is captured # *example:* `tail -f /var/log/nginx/access.log` # their output will be used by one or more filters streams: # streams have a user-defined name ssh: # note that if the command is not in environment's `PATH` # its full path must be given. cmd: [ 'journalctl', '-n0', '-fu', 'sshd.service' ] # filters run actions when they match regexes on a stream filters: # filters have a user-defined name failedlogin: # reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax regex: # is predefined in the patterns section # ip's regex is inserted in the following regex - 'authentication failure;.*rhost=' - 'Failed password for .* from ' - 'Connection (reset|closed) by (authenticating|invalid) user .* ' # if retry and retryperiod are defined, # the actions will only take place if a same pattern is # found `retry` times in a `retryperiod` interval retry: 3 # format is defined here: https://pkg.go.dev/time#ParseDuration retryperiod: 6h # actions are run by the filter when regexes are matched actions: # actions have a user-defined name ban: # YAML substitutes *reference by the value anchored at &reference cmd: *iptablesban unban: cmd: *iptablesunban # if after is defined, the action will not take place immediately, but after a specified duration # same format as retryperiod after: 48h # let's say reaction is quitting. does it run all those pending commands which had an `after` duration set? # if you want reaction to run those pending commands before exiting, you can set this: # onexit: true # (defaults to false) # here it is not useful because we will flush and delete the chain containing the bans anyway # (with the stop commands) # persistence # tldr; when an `after` action is set in a filter, such filter acts as a 'jail', # which is persisted after reboots. # # when a filter is triggered, there are 2 flows: # # if none of its actions have an `after` directive set: # no action will be replayed. # # else (if at least one action has an `after` directive set): # if reaction stops while `after` actions are pending: # and reaction starts again while those actions would still be pending: # reaction executes the past actions (actions without after or with then+after < now) # and plans the execution of future actions (actions with then+after > now)