Fork of https://framagit.org/ppom/reaction/ to implement multi-pattern match in the same filter

reaction

🚧 this program has not been tested in production yet 🚧

a program that scans program outputs, such as logs, for repeated patterns, such as failed login attempts, and takes action, such as banning ips.

(adapted from fail2ban's presentation 😄)

rationale

i had been using fail2ban for quite a long time, but i was a bit frustrated by its cpu consumption and all its heavy default configuration.

in my view, a security-oriented program should be simple to configure (sudo is a very bad example!)

configuration

this configuration file is all that should be needed to prevent brute-force attacks on an ssh server.

/etc/reaction.yml

definitions:
  - &iptablesban [ "iptables", "-w", "-I", "reaction", "1", "-s", "<ip>", "-j", "block" ]
  - &iptablesunban [ "iptables", "-w", "-D", "reaction", "1", "-s", "<ip>", "-j", "block" ]

patterns:
  ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'

streams:
  ssh:
    cmd: [ "journalctl", "-fu", "sshd.service" ]
    filters:
      failedlogin:
        regex:
          - authentication failure;.*rhost=<ip>
        retry: 3
        retry-period: 6h
        actions:
          ban:
            cmd: *iptablesban
          unban:
            cmd:  *iptablesunban
            after: 2d
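To make the filter semantics above concrete, here is an added example (not reaction's own code) of how a single filter behaves: the `<ip>` placeholder in the regex is expanded with the `ip` pattern, every matching line records a hit for the captured ip, and the ban fires once `retry` hits fall within `retry-period`. The `Filter` type and its methods are hypothetical names chosen for this illustration; the regex and pattern are the ones from the configuration.

```go
package main

import (
	"regexp"
	"strings"
	"time"
)

// IPPattern is the "ip" pattern from the configuration above.
const IPPattern = `(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})`

// Filter is a hypothetical type, not reaction's own: the expanded regex plus per-ip match times.
type Filter struct {
	re          *regexp.Regexp
	retry       int
	retryPeriod time.Duration
	hits        map[string][]time.Time
}

// NewFilter expands every <name> in regex into a named group holding that pattern.
func NewFilter(regex string, patterns map[string]string, retry int, period time.Duration) (*Filter, error) {
	for name, p := range patterns {
		regex = strings.ReplaceAll(regex, "<"+name+">", "(?P<"+name+">"+p+")")
	}
	re, err := regexp.Compile(regex)
	if err != nil {
		return nil, err
	}
	return &Filter{re: re, retry: retry, retryPeriod: period, hits: map[string][]time.Time{}}, nil
}

// Feed checks one log line. It returns the ip to ban once that ip has
// matched retry times within retryPeriod, and "" otherwise.
func (f *Filter) Feed(line string, now time.Time) string {
	m := f.re.FindStringSubmatch(line)
	if m == nil {
		return ""
	}
	ip := m[f.re.SubexpIndex("ip")]
	hits := append(f.hits[ip], now)
	for len(hits) > 0 && now.Sub(hits[0]) >= f.retryPeriod {
		hits = hits[1:] // drop hits that fell out of the retry window
	}
	if len(hits) >= f.retry {
		delete(f.hits, ip) // ban fires; later hits start a fresh count
		return ip
	}
	f.hits[ip] = hits
	return ""
}
```

Feeding three matching lines for the same ip within six hours returns that ip on the third line; a hit older than the window no longer counts.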

/etc/systemd/system/reaction.service

[Unit]

[Service]
ExecStart=/path/to/reaction -c /etc/reaction.yml

ExecStartPre=/path/to/iptables -w -N reaction
ExecStartPre=/path/to/iptables -w -A reaction -j ACCEPT
ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction

ExecStopPost=/path/to/iptables -w -D INPUT -p all -j reaction
ExecStopPost=/path/to/iptables -w -F reaction
ExecStopPost=/path/to/iptables -w -X reaction

StateDirectory=reaction
WorkingDirectory=/var/lib/reaction

[Install]
WantedBy=multi-user.target

See reaction.service and reaction.yml for the fully commented examples.

database

the working directory of reaction will be used to create and read from the embedded lmdb database. if you don't know where to start it, /var/lib/reaction should be a sane choice.

compilation

$ go build .