---
# TODO heavily comment this file
definitions:
  - &iptablesban [ "iptables" "-w" "-I" "reaction" "1" "-s" "<ip>" "-j" "block" ]
  - &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "block" ]

patterns:
  ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'

streams:
  ssh:
    # note that if the command is not in environment's `PATH`
    # its full path must be given.
    cmd: [ "journalctl" "-fu" "sshd.service" ]
    filters:
      failedlogin:
        regex:
          - authentication failure;.*rhost=<ip>
        retry: 3
        retry-period: 6h
        actions:
          ban:
            cmd: *iptablesban
          unban:
            cmd:  *iptablesunban
            after: 2d