Protection

2025-10-02 10:10:34 +02:00
parent f89eb6dca6
commit 9bc574689f
3 changed files with 65 additions and 5 deletions
--- a/reaction.md
+++ b/reaction.md
@@ -0,0 +1,58 @@
+apt install ./reaction_2.2.0-1_amd64.deb
+apt install iptables
+systemctl enable reaction@reaction.jsonnet
+systemctl start reaction@reaction.jsonnet
+
+iptables -L reaction
+
+reaction show
+
+
+```json
+local banFor(time) = {
+  ban: {
+    cmd: ['iptables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP'],
+  },
+  unban: {
+    cmd: ['iptables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP'],
+    after: time,
+  },
+};
+
+{
+  patterns: {
+    ip: {
+      type: 'ipv4',
+    },
+  },
+  start: [
+    ['iptables', '-N', 'reaction'],
+    ['iptables', '-I', 'INPUT', '-p', 'all', '-j', 'reaction'],
+    ['iptables', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+  ],
+  stop: [
+    ['iptables', '-D', 'INPUT', '-p', 'all', '-j', 'reaction'],
+    ['iptables', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+    ['iptables', '-F', 'reaction'],
+    ['iptables', '-X', 'reaction'],
+  ],
+  streams: {
+    ssh: {
+      cmd: ['journalctl', '-fu', 'ssh.service'],
+      filters: {
+        failedlogin: {
+          regex: [
+            @'authentication failure;.*rhost=<ip>',
+            @'Failed password for .* from <ip>',
+            @'banner exchange: Connection from <ip> port [0-9]*: invalid format',
+            @'Invalid user .* from <ip>',
+          ],
+          retry: 3,
+          retryperiod: '6h',
+          actions: banFor('96h'),
+        },
+      },
+    },
+  },
+}
+```