security/reaction.md

# Reaction

Reaction est un service qui scan les sorties des fichiers et effectue des actions  dand un usage est détecté.


```shell
apt install ./reaction_2.2.1-1_amd64.deb
systemctl enable --now reaction@reaction.jsonnet
```

```shell
reaction show
```

```
local banFor(time) = {
  ban: {
    cmd: ['nft', 'add', 'element', 'inet', 'reaction', 'banned_ips', '{ <ip> }'],
  },
  unban: {
    cmd: ['nft', 'delete', 'element', 'inet', 'reaction', 'banned_ips', '{ <ip> }'],
    after: time,
  },
};

{
  patterns: {
    ip: {
      type: 'ipv4',
    },
  },

  start: [
    // Table
    ['nft', 'add', 'table', 'inet', 'reaction'],

    // Set pour IP bannies
    [
      'nft', 'add', 'set', 'inet', 'reaction', 'banned_ips',
      '{', 'type', 'ipv4_addr', ';', 'flags', 'interval', ';', '}'
    ],

    // Chaîne INPUT
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'input_filter',
      '{', 'type', 'filter', 'hook', 'input', 'priority', '0', ';', '}'
    ],

    // Chaîne FORWARD
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'forward_filter',
      '{', 'type', 'filter', 'hook', 'forward', 'priority', '0', ';', '}'
    ],

    // Règles d'utilisation du set
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'input_filter',
      'ip', 'saddr', '@banned_ips', 'drop'
    ],
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'forward_filter',
      'ip', 'saddr', '@banned_ips', 'drop'
    ],
  ],

  stop: [
    // Une seule commande supprime tout proprement
    ['nft', 'delete', 'table', 'inet', 'reaction'],
  ],

  streams: {
    ssh: {
      cmd: ['journalctl', '-fu', 'ssh.service'],
      filters: {
        failedlogin: {
          regex: [
            @'authentication failure;.*rhost=<ip>',
            @'Failed password for .* from <ip>',
            @'banner exchange: Connection from <ip> port [0-9]*: invalid format',
            @'Invalid user .* from <ip>',
          ],
          retry: 3,
          retryperiod: '6h',
          actions: banFor('96h'),
        },
      },
    }
  },
}
```

```shell
nft list ruleset inet
```
Prestashop 2025-11-21 18:08:11 +01:00			`# Reaction`

			`Reaction est un service qui scan les sorties des fichiers et effectue des actions dand un usage est détecté.`


			```shell
			`apt install ./reaction_2.2.1-1_amd64.deb`
			`systemctl enable --now reaction@reaction.jsonnet`
			```

			```shell
			`reaction show`
			```

			```
			`local banFor(time) = {`
			`ban: {`
			`cmd: ['nft', 'add', 'element', 'inet', 'reaction', 'banned_ips', '{ <ip> }'],`
			`},`
			`unban: {`
			`cmd: ['nft', 'delete', 'element', 'inet', 'reaction', 'banned_ips', '{ <ip> }'],`
			`after: time,`
			`},`
			`};`

			`{`
			`patterns: {`
			`ip: {`
			`type: 'ipv4',`
			`},`
			`},`

			`start: [`
			`// Table`
			`['nft', 'add', 'table', 'inet', 'reaction'],`

			`// Set pour IP bannies`
			`[`
			`'nft', 'add', 'set', 'inet', 'reaction', 'banned_ips',`
			`'{', 'type', 'ipv4_addr', ';', 'flags', 'interval', ';', '}'`
			`],`

			`// Chaîne INPUT`
			`[`
			`'nft', 'add', 'chain', 'inet', 'reaction', 'input_filter',`
			`'{', 'type', 'filter', 'hook', 'input', 'priority', '0', ';', '}'`
			`],`

			`// Chaîne FORWARD`
			`[`
			`'nft', 'add', 'chain', 'inet', 'reaction', 'forward_filter',`
			`'{', 'type', 'filter', 'hook', 'forward', 'priority', '0', ';', '}'`
			`],`

			`// Règles d'utilisation du set`
			`[`
			`'nft', 'add', 'rule', 'inet', 'reaction', 'input_filter',`
			`'ip', 'saddr', '@banned_ips', 'drop'`
			`],`
			`[`
			`'nft', 'add', 'rule', 'inet', 'reaction', 'forward_filter',`
			`'ip', 'saddr', '@banned_ips', 'drop'`
			`],`
			`],`

			`stop: [`
			`// Une seule commande supprime tout proprement`
			`['nft', 'delete', 'table', 'inet', 'reaction'],`
			`],`

			`streams: {`
			`ssh: {`
			`cmd: ['journalctl', '-fu', 'ssh.service'],`
			`filters: {`
			`failedlogin: {`
			`regex: [`
			`@'authentication failure;.*rhost=<ip>',`
			`@'Failed password for .* from <ip>',`
			`@'banner exchange: Connection from <ip> port [0-9]*: invalid format',`
			`@'Invalid user .* from <ip>',`
			`],`
			`retry: 3,`
			`retryperiod: '6h',`
			`actions: banFor('96h'),`
			`},`
			`},`
			`}`
			`},`
			`}`
			```
Reaction 2025-12-02 08:17:55 +01:00
			```shell
			`nft list ruleset inet`
			```