security/reaction.md

# Reaction

Reaction est un service qui scan les sorties des fichiers et effectue des actions quand un certain usage est détecté.


```shell
apt install ./reaction_2.2.1-1_amd64.deb
systemctl enable --now reaction@reaction.jsonnet
```

```shell
reaction show
```

```
local bots = [
  "ChatGPT-User",
  "DuckAssistBot",
  "Meta-ExternalFetcher",
  "AI2Bot",
  "Applebot-Extended",
  "Bytespider",
  "CCBot",
  "ClaudeBot",
  "Diffbot",
  "FacebookBot",
  "Google-Extended",
  "GPTBot",
  "Kangaroo Bot",
  "Meta-ExternalAgent",
  "omgili",
  "Timpibot",
  "Webzio-Extended",
  "Amazonbot",
  "Applebot",
  "OAI-SearchBot",
  "PerplexityBot",
  "YouBot",
  "Yandexbot",
  "Baiduspider"
];

local banFor(time) = {
  ban: {
    cmd: ['nft', 'add element inet reaction banned_ips { <ip> }'],
  },
  unban: {
    cmd: ['nft', 'delete element inet reaction banned_ips { <ip> }'],
    after: time,
  },
};

{
  patterns: {
    ip: {
      type: 'ipv4',
    },
  },

  start: [
    ['nft', |||
    table inet reaction {
      set whitelist_ips {
        type ipv4_addr
        flags interval
        elements = { 192.168.137.0/24 }
      }

      set banned_ips {
        type ipv4_addr
        flags interval
        auto-merge
      }

      chain input {
        type filter hook input priority 0
        ip saddr @whitelist_ips accept
        ip saddr @banned_ips drop
      }
    }
||| ],
  ],

  stop: [
    ['nft', 'delete table inet reaction'],
  ],

  streams: {
    ssh: {
      cmd: ['journalctl', '-fu', 'ssh.service'],
      filters: {
        failedlogin: {
          regex: [
            @'authentication failure;.*rhost=<ip>',
            @'Failed password for .* from <ip>',
            @'Connection from <ip> port [0-9]*: invalid format',
            @'Invalid user .* from <ip>',
            @'Timeout before authentication for <ip>',
          ],
          retry: 3,
          retryperiod: '6h',
          actions: banFor('96h'),
        },
      },
    },

    apache: {
      cmd: ['tail', '-n0', '-f', '/var/log/nginx/access.log'],
      filters: {
        aiBots: {
          regex: [
            // User-Agent is the last field
            // Bot's name can be anywhere in the User-Agent
            // (hence the leading and trailing [^"]*
            @'^<ip> .* "[^"]*(%s)[^"]*"$' % std.join('|', bots)
          ],
          actions: banFor('30d'),
        },
      },
    }
  },
}
```

```shell
nft list ruleset inet
```
Prestashop 2025-11-21 18:08:11 +01:00			`# Reaction`

Wordpress 2025-12-02 12:03:33 +01:00			`Reaction est un service qui scan les sorties des fichiers et effectue des actions quand un certain usage est détecté.`
Prestashop 2025-11-21 18:08:11 +01:00

			```shell
			`apt install ./reaction_2.2.1-1_amd64.deb`
			`systemctl enable --now reaction@reaction.jsonnet`
			```

			```shell
			`reaction show`
			```

			```
Wordpress 2025-12-02 12:03:33 +01:00			`local bots = [`
			`"ChatGPT-User",`
			`"DuckAssistBot",`
			`"Meta-ExternalFetcher",`
			`"AI2Bot",`
			`"Applebot-Extended",`
			`"Bytespider",`
			`"CCBot",`
			`"ClaudeBot",`
			`"Diffbot",`
			`"FacebookBot",`
			`"Google-Extended",`
			`"GPTBot",`
			`"Kangaroo Bot",`
			`"Meta-ExternalAgent",`
			`"omgili",`
			`"Timpibot",`
			`"Webzio-Extended",`
			`"Amazonbot",`
			`"Applebot",`
			`"OAI-SearchBot",`
			`"PerplexityBot",`
			`"YouBot",`
			`"Yandexbot",`
			`"Baiduspider"`
			`];`

Prestashop 2025-11-21 18:08:11 +01:00			`local banFor(time) = {`
			`ban: {`
Wordpress 2025-12-02 12:03:33 +01:00			`cmd: ['nft', 'add element inet reaction banned_ips { <ip> }'],`
Prestashop 2025-11-21 18:08:11 +01:00			`},`
			`unban: {`
Wordpress 2025-12-02 12:03:33 +01:00			`cmd: ['nft', 'delete element inet reaction banned_ips { <ip> }'],`
Prestashop 2025-11-21 18:08:11 +01:00			`after: time,`
			`},`
			`};`

			`{`
			`patterns: {`
			`ip: {`
			`type: 'ipv4',`
			`},`
			`},`

			`start: [`
Wordpress 2025-12-02 12:03:33 +01:00			`['nft', \|\|\|`
			`table inet reaction {`
			`set whitelist_ips {`
			`type ipv4_addr`
			`flags interval`
			`elements = { 192.168.137.0/24 }`
			`}`
Prestashop 2025-11-21 18:08:11 +01:00
Wordpress 2025-12-02 12:03:33 +01:00			`set banned_ips {`
			`type ipv4_addr`
			`flags interval`
			`auto-merge`
			`}`
Prestashop 2025-11-21 18:08:11 +01:00
Wordpress 2025-12-02 12:03:33 +01:00			`chain input {`
			`type filter hook input priority 0`
			`ip saddr @whitelist_ips accept`
			`ip saddr @banned_ips drop`
			`}`
			`}`
			`\|\|\| ],`
Prestashop 2025-11-21 18:08:11 +01:00			`],`

			`stop: [`
Wordpress 2025-12-02 12:03:33 +01:00			`['nft', 'delete table inet reaction'],`
Prestashop 2025-11-21 18:08:11 +01:00			`],`

			`streams: {`
			`ssh: {`
			`cmd: ['journalctl', '-fu', 'ssh.service'],`
			`filters: {`
			`failedlogin: {`
			`regex: [`
			`@'authentication failure;.*rhost=<ip>',`
			`@'Failed password for .* from <ip>',`
Wordpress 2025-12-02 12:03:33 +01:00			`@'Connection from <ip> port [0-9]*: invalid format',`
Prestashop 2025-11-21 18:08:11 +01:00			`@'Invalid user .* from <ip>',`
Wordpress 2025-12-02 12:03:33 +01:00			`@'Timeout before authentication for <ip>',`
Prestashop 2025-11-21 18:08:11 +01:00			`],`
			`retry: 3,`
			`retryperiod: '6h',`
			`actions: banFor('96h'),`
			`},`
			`},`
Wordpress 2025-12-02 12:03:33 +01:00			`},`

			`apache: {`
			`cmd: ['tail', '-n0', '-f', '/var/log/nginx/access.log'],`
			`filters: {`
			`aiBots: {`
			`regex: [`
			`// User-Agent is the last field`
			`// Bot's name can be anywhere in the User-Agent`
			`// (hence the leading and trailing [^"]*`
			`@'^<ip> .* "[^"](%s)[^"]"$' % std.join('\|', bots)`
			`],`
			`actions: banFor('30d'),`
			`},`
			`},`
Prestashop 2025-11-21 18:08:11 +01:00			`}`
			`},`
			`}`
			```
Reaction 2025-12-02 08:17:55 +01:00
			```shell
			`nft list ruleset inet`
			```