etc/debian

etc/debian_version

@@ -0,0 +1 @@
+13.1

etc/group

@@ -0,0 +1,57 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:caddy
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+systemd-journal:x:999:
+systemd-network:x:998:
+crontab:x:997:
+input:x:996:
+sgx:x:995:
+clock:x:994:
+kvm:x:993:
+render:x:992:
+netdev:x:101:
+_ssh:x:102:
+sftp:x:990:eureka,neotech
+eureka:x:1000:
+neotech:x:1001:
+mysql:x:103:
+memcache:x:104:
+caddy:x:991:
+msmtp:x:105:
+prometheus:x:106:
+messagebus:x:989:

etc/host.conf

@@ -0,0 +1 @@
+multi on

etc/hostname

@@ -0,0 +1 @@
+debian13

etc/hosts

@@ -0,0 +1,7 @@
+127.0.0.1	localhost
+127.0.1.1	debian13.neotech.fr	debian13
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

etc/hosts.allow

@@ -0,0 +1,10 @@
+# /etc/hosts.allow: list of hosts that are allowed to access the system.
+#                   See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example:    ALL: LOCAL @some_netgroup
+#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+#
+# If you're going to protect the portmapper use the name "rpcbind" for the
+# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
+#
+

etc/hosts.deny

@@ -0,0 +1,17 @@
+# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
+#                  See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example:    ALL: some.host.name, .some.domain
+#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
+#
+# If you're going to protect the portmapper use the name "rpcbind" for the
+# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
+#
+# The PARANOID wildcard matches any host whose name does not match its
+# address.
+#
+# You may wish to enable this to ensure any programs that don't
+# validate looked up hostnames still leave understandable logs. In past
+# versions of Debian this has been the default.
+# ALL: PARANOID
+

etc/reaction.jsonnet

@@ -0,0 +1,59 @@
+local banFor(time) = {
+  ban: {
+    cmd: ['iptables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP'],
+  },
+  unban: {
+    cmd: ['iptables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP'],
+    after: time,
+  },
+};
+
+{
+  patterns: {
+    ip: {
+      type: 'ipv4',
+    },
+  },
+  start: [
+    ['iptables', '-N', 'reaction'],
+    ['iptables', '-I', 'INPUT', '-p', 'all', '-j', 'reaction'],
+    ['iptables', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+  ],
+  stop: [
+    ['iptables', '-D', 'INPUT', '-p', 'all', '-j', 'reaction'],
+    ['iptables', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+    ['iptables', '-F', 'reaction'],
+    ['iptables', '-X', 'reaction'],
+  ],
+  streams: {
+    ssh: {
+      cmd: ['journalctl', '-fu', 'ssh.service'],
+      filters: {
+        failedlogin: {
+          regex: [
+            @'authentication failure;.*rhost=<ip>',
+            @'Failed password for .* from <ip>',
+            @'banner exchange: Connection from <ip> port [0-9]*: invalid format',
+            @'Invalid user .* from <ip>',
+          ],
+          retry: 3,
+          retryperiod: '6h',
+          actions: banFor('96h'),
+        },
+      },
+    },
+    apache: {
+      cmd: ['tail', '-q', '-F', '-n0', '/var/log/apache2/wp6_eureka.access.log'],
+      filters: {
+        sniffer: {
+          regex: [
+            @'\[.*\] 404 <ip>'
+          ],
+          retry: 3,
+          retryperiod: '10s',
+          actions: banFor('1h'),
+        }
+      }
+    }
+  },
+}