# Install the reaction daemon from a locally downloaded package file.
# apt does not authenticate a local .deb, and its maintainer scripts run as
# root: compare the file with the checksum or signature published alongside
# the release before running this.
apt install ./reaction_2.2.0-1_amd64.deb

# The ban/unban actions in the configuration invoke the iptables binary.
apt install iptables

# Enable the templated unit at boot and start it right away. The instance name
# after "@" is presumably the configuration file the daemon loads.
systemctl enable --now reaction@reaction.jsonnet
# List the rules in the dedicated "reaction" chain with numeric addresses and
# packet/byte counters, to confirm that bans are actually being installed.
iptables -nvL reaction

# Ask the running daemon for its current state (presumably pending matches and
# scheduled unban actions).
reaction show
```jsonnet
// banFor(time) builds the action set attached to a filter:
//   ban   - runs immediately, appending a DROP rule for the matched address
//           to the "reaction" chain;
//   unban - runs `time` later and deletes that same rule.
// Each command is an argument list, not a shell string, and <ip> is replaced
// by the value captured by the `ip` pattern. '-w' makes iptables wait for the
// xtables lock instead of failing when another process holds it.
local banFor(time) = {
  // The two rules differ only in the operation flag (-A append / -D delete).
  local rule(op) = ['iptables', '-w', op, 'reaction', '-s', '<ip>', '-j', 'DROP'],

  ban: { cmd: rule('-A') },
  unban: { cmd: rule('-D'), after: time },
};
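// reaction configuration: follow the SSH service journal and ban IPv4
// addresses that fail authentication repeatedly.
{
  patterns: {
    // <ip> in the regexes and commands stands for this pattern.
    // Only IPv4 is matched: failures from IPv6 clients are never counted, and
    // the iptables commands would not cover them either.
    // No address is exempted here. Consider an `ignore` list for management
    // addresses so a few mistyped passwords cannot lock an administrator out
    // for the whole ban duration.
    ip: {
      type: 'ipv4',
    },
  },

  // Run once at startup: create a dedicated chain and make INPUT and FORWARD
  // jump to it first. '-w' waits for the xtables lock instead of failing when
  // another program is editing the ruleset, matching the ban/unban commands.
  // NOTE(review): '-N' fails if the chain is left over from an unclean stop;
  // check the service log after a crash or a forced kill.
  start: [
    ['iptables', '-w', '-N', 'reaction'],
    ['iptables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction'],
    ['iptables', '-w', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction'],
  ],

  // Run once at shutdown: detach the chain, flush its rules, delete it.
  // Every ban held in the chain is removed from the firewall at this point.
  stop: [
    ['iptables', '-w', '-D', 'INPUT', '-p', 'all', '-j', 'reaction'],
    ['iptables', '-w', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction'],
    ['iptables', '-w', '-F', 'reaction'],
    ['iptables', '-w', '-X', 'reaction'],
  ],

  streams: {
    ssh: {
      // '-f' alone first prints the most recent journal entries, so old
      // failures would be counted again on every daemon restart; '-n0'
      // starts the stream at new entries only.
      cmd: ['journalctl', '-n0', '-fu', 'ssh.service'],
      filters: {
        failedlogin: {
          // The user name in these messages is supplied by the remote client.
          // The patterns are unanchored and rely on a greedy '.*': review
          // them against the exact sshd/PAM log format in use, so that
          // client-chosen text cannot influence which address is captured.
          regex: [
            @'authentication failure;.*rhost=<ip>',
            @'Failed password for .* from <ip>',
            @'banner exchange: Connection from <ip> port [0-9]*: invalid format',
            @'Invalid user .* from <ip>',
          ],
          // Three matches from one address within six hours trigger the
          // actions: a ban that is lifted after 96 hours.
          retry: 3,
          retryperiod: '6h',
          actions: banFor('96h'),
        },
      },
    },
  },
}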
```
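# Manually drop all traffic from one /22 range, independently of reaction.
# The rule is inserted at the top of INPUT only, so forwarded traffic is not
# affected, and it is not saved anywhere: it is gone after a reboot or a
# ruleset reload unless it is persisted separately.
# -w waits for the xtables lock, which reaction's own iptables calls may hold.
iptables -w -I INPUT -s 216.73.216.0/22 -j DROP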