diff --git a/protection.md b/protection.md
new file mode 100644
index 0000000..3897a13
--- /dev/null
+++ b/protection.md
@@ -0,0 +1,7 @@
+# Protection
+
+fail2ban
+
+reaction
+
+crowdsec
diff --git a/reaction.md b/reaction.md
new file mode 100644
index 0000000..993f1dc
--- /dev/null
+++ b/reaction.md
@@ -0,0 +1,58 @@
+apt install ./reaction_2.2.0-1_amd64.deb
+apt install iptables
+systemctl enable reaction@reaction.jsonnet
+systemctl start reaction@reaction.jsonnet
+
+iptables -L reaction
+
+reaction show
+
+
+```json
+local banFor(time) = {
+ ban: {
+ cmd: ['iptables', '-w', '-A', 'reaction', '-s', '', '-j', 'DROP'],
+ },
+ unban: {
+ cmd: ['iptables', '-w', '-D', 'reaction', '-s', '', '-j', 'DROP'],
+ after: time,
+ },
+};
+
+{
+ patterns: {
+ ip: {
+ type: 'ipv4',
+ },
+ },
+ start: [
+ ['iptables', '-N', 'reaction'],
+ ['iptables', '-I', 'INPUT', '-p', 'all', '-j', 'reaction'],
+ ['iptables', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+ ],
+ stop: [
+ ['iptables', '-D', 'INPUT', '-p', 'all', '-j', 'reaction'],
+ ['iptables', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+ ['iptables', '-F', 'reaction'],
+ ['iptables', '-X', 'reaction'],
+ ],
+ streams: {
+ ssh: {
+ cmd: ['journalctl', '-fu', 'ssh.service'],
+ filters: {
+ failedlogin: {
+ regex: [
+ @'authentication failure;.*rhost=',
+ @'Failed password for .* from ',
+ @'banner exchange: Connection from port [0-9]*: invalid format',
+ @'Invalid user .* from ',
+ ],
+ retry: 3,
+ retryperiod: '6h',
+ actions: banFor('96h'),
+ },
+ },
+ },
+ },
+}
+```
diff --git a/ssh.md b/ssh.md
index 4647f63..f41ea44 100644
--- a/ssh.md
+++ b/ssh.md
@@ -42,8 +42,3 @@ nano .ssh/authorized_keys
 ```
 chmod 600 .ssh/authorized_keys
 ```
-
-apt install ./reaction_2.2.0-1_amd64.deb
-apt install iptables
-systemctl enable reaction@reaction.jsonnet
-systemctl start reaction@reaction.jsonnet
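Review bot: In the reaction.md hunk the ban and unban `cmd` arrays pass an empty string after `-s`, and three of the four regexes end in `from ` / `rhost=` with nothing after them, so as written the filter captures no address and the ban command would run `iptables ... -s '' -j DROP`, i.e. the service would start but never block anything. This looks like the `<ip>` pattern placeholder having been swallowed as an HTML tag when the Markdown was rendered; the committed file should be checked to contain `'<ip>'` in both commands and at the end of each regex, e.g. `cmd: ['iptables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP']` and `@'Failed password for .* from <ip>'`. Separately, `patterns.ip` is `type: 'ipv4'` and only `iptables` chains are created in `start`/`stop`, so failed logins arriving over IPv6 are matched by none of this and are never banned; on a dual-stack host the same chain setup is needed with `ip6tables` and an `ipv6` pattern. The snippet is fenced as `json` but is Jsonnet (`local`, a function call, `@'…'` verbatim strings), so a `jsonnet` fence would describe it accurately.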