Fork of https://framagit.org/ppom/reaction/ to implement multi-pattern match in the same filter

reaction

🚧 this program has not been tested in production yet 🚧

a program that scans program outputs, such as logs, for repeated patterns, such as failed login attempts, and takes action, such as banning ips.

(adapted from fail2ban's presentation 😄)

rationale

i had been using fail2ban for quite a long time, but i was a bit frustrated by its cpu consumption and all its heavy default configuration.

in my view, a security-oriented program should be simple to configure (sudo is a very bad example!)

configuration

this configuration file is all that should be needed to prevent brute-force attacks on an ssh server.

/etc/reaction.yml

definitions:
  # <ip> is replaced by the address captured by the filter's regex.
  # bans are inserted at position 1 of the "reaction" chain that reaction.service creates,
  # so they are evaluated before that chain's ACCEPT rule.
  - &iptablesban [ "iptables", "-w", "-I", "reaction", "1", "-s", "<ip>", "-j", "DROP" ]
  # -D takes either a rule number or a rule specification, not both
  - &iptablesunban [ "iptables", "-w", "-D", "reaction", "-s", "<ip>", "-j", "DROP" ]

patterns:
  # an IPv4 address, or a rough IPv6 address
  ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'

streams:
  ssh:
    cmd: [ "journalctl", "-fu", "sshd.service" ]
    filters:
      failedlogin:
        regex:
          - authentication failure;.*rhost=<ip>
        # run the actions once the same <ip> matched 3 times within 6h
        retry: 3
        retry-period: 6h
        actions:
          ban:
            cmd: *iptablesban
          unban:
            cmd: *iptablesunban
            after: 2d
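To make the filter semantics above concrete, here is an added Go sketch (not reaction's own code) of what the failedlogin filter does: the <ip> pattern is spliced into the regex as a named capture group, every match is counted per address inside a sliding retry-period window, and the ban fires once retry hits accumulate. The placeholder expansion and the sliding-window reading of retry-period are assumptions about the config's meaning, not taken from the project's source.

```go
package main

import (
	"regexp"
	"strings"
	"time"
)

// Filter mirrors the README's failedlogin filter: regex with <ip>, retry, retry-period (sliding window).
type Filter struct {
	re          *regexp.Regexp
	retry       int
	retryPeriod time.Duration
	hits        map[string][]time.Time // recent match times per ip
}

// NewFilter wraps each <name> placeholder's pattern in a named capture group
// and compiles the regex (assumed behaviour, not reaction's own code).
func NewFilter(regex string, patterns map[string]string, retry int, period time.Duration) (*Filter, error) {
	for name, pat := range patterns {
		regex = strings.ReplaceAll(regex, "<"+name+">", "(?P<"+name+">"+pat+")")
	}
	re, err := regexp.Compile(regex)
	if err != nil {
		return nil, err
	}
	return &Filter{re: re, retry: retry, retryPeriod: period, hits: map[string][]time.Time{}}, nil
}

// Feed consumes one log line observed at now and returns the matched ip, plus
// true when that ip reached retry hits inside retryPeriod (the ban should fire).
func (f *Filter) Feed(line string, now time.Time) (string, bool) {
	m := f.re.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	ip := m[f.re.SubexpIndex("ip")]
	recent := []time.Time{now}
	for _, t := range f.hits[ip] {
		if now.Sub(t) < f.retryPeriod { // keep only hits still inside the window
			recent = append(recent, t)
		}
	}
	if len(recent) >= f.retry {
		delete(f.hits, ip) // reset so a later burst is counted afresh
		return ip, true
	}
	f.hits[ip] = recent
	return ip, false
}
```

Feeding three constructed "authentication failure; ... rhost=203.0.113.7" lines within a few minutes returns the address with true on the third one, while a line failing the regex or an address seen only once returns false.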

/etc/systemd/system/reaction.service

[Service]
ExecStart=/path/to/reaction -c /etc/reaction.yml

# create the "reaction" chain the ban/unban commands insert into and hook it
# into INPUT; bans are inserted at position 1, ahead of this chain's ACCEPT
ExecStartPre=/path/to/iptables -w -N reaction
ExecStartPre=/path/to/iptables -w -A reaction -j ACCEPT
ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction

# unhook, flush and delete the chain when reaction stops
ExecStopPost=/path/to/iptables -w -D INPUT -p all -j reaction
ExecStopPost=/path/to/iptables -w -F reaction
ExecStopPost=/path/to/iptables -w -X reaction

# the embedded lmdb database is created in the working directory
StateDirectory=reaction
WorkingDirectory=/var/lib/reaction

[Install]
# WantedBy belongs in [Install]; systemd ignores it under [Unit]
WantedBy=multi-user.target

See reaction.service and reaction.yml for the fully commented examples.

documentation

configuration reference

cmd: note that if the program is not in the environment's PATH, the full path to the command must be given.

/etc/systemd/system/reaction.service (again, commented)

implicit configuration

reaction creates and reads its embedded lmdb database in its working directory. if you don't know where to start it, /var/lib/reaction should be a sane choice.