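# Reaction

Reaction est un service qui scanne les sorties des fichiers et effectue des actions quand un usage est détecté.

```shell
# Check the package's checksum or signature against the publisher's release
# before installing it as root.
apt install ./reaction_2.2.1-1_amd64.deb
systemctl enable --now reaction@reaction.jsonnet
```

```shell
reaction show
```

```jsonnet
// Builds the ban/unban action pair used by a filter.
// `<ip>` is the placeholder for the `ip` pattern declared below: reaction
// substitutes the matched address into the command. Without it, nft receives
// an empty element and no address is ever added to (or removed from) the set.
local banFor(time) = {
  ban: {
    cmd: ['nft', 'add', 'element', 'inet', 'reaction', 'banned_ips', '{ <ip> }'],
  },
  unban: {
    cmd: ['nft', 'delete', 'element', 'inet', 'reaction', 'banned_ips', '{ <ip> }'],
    // Delay after which the ban is lifted.
    after: time,
  },
};

{
  patterns: {
    // Only IPv4 is covered here: the pattern type, the set type (ipv4_addr)
    // and the `ip saddr` rules all ignore IPv6, so failed logins coming over
    // IPv6 are never banned by this configuration.
    // Consider adding an `ignore` list with your own administration
    // addresses so a few mistyped passwords cannot lock you out.
    ip: {
      type: 'ipv4',
    },
  },

  start: [
    // Dedicated table, so everything reaction creates can be removed at once.
    ['nft', 'add', 'table', 'inet', 'reaction'],

    // Set holding the banned addresses.
    [
      'nft', 'add', 'set', 'inet', 'reaction', 'banned_ips',
      '{', 'type', 'ipv4_addr', ';', 'flags', 'interval', ';', '}',
    ],

    // Chain hooked on INPUT (traffic addressed to this host).
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'input_filter',
      '{', 'type', 'filter', 'hook', 'input', 'priority', '0', ';', '}',
    ],

    // Chain hooked on FORWARD (traffic routed through this host).
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'forward_filter',
      '{', 'type', 'filter', 'hook', 'forward', 'priority', '0', ';', '}',
    ],

    // Rules that drop any packet whose source address is in the set.
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'input_filter',
      'ip', 'saddr', '@banned_ips', 'drop',
    ],
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'forward_filter',
      'ip', 'saddr', '@banned_ips', 'drop',
    ],
  ],

  stop: [
    // Deleting the table removes its set, chains and rules in one command;
    // every ban still present in the set is dropped with it.
    ['nft', 'delete', 'table', 'inet', 'reaction'],
  ],

  streams: {
    ssh: {
      // Follow the journal of the SSH service.
      cmd: ['journalctl', '-fu', 'ssh.service'],
      filters: {
        failedlogin: {
          // Every regex must contain `<ip>` so the offending address is
          // captured and handed to the ban/unban commands.
          regex: [
            @'authentication failure;.*rhost=<ip>',
            @'Failed password for .* from <ip>',
            @'banner exchange: Connection from <ip> port [0-9]*: invalid format',
            @'Invalid user .* from <ip>',
          ],
          // 3 matches for the same address within 6 hours trigger the
          // actions; the address is then banned for 96 hours.
          retry: 3,
          retryperiod: '6h',
          actions: banFor('96h'),
        },
      },
    },
  },
}
```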