
Reaction

Reaction est un service qui scanne les sorties de fichiers (journaux) et effectue des actions quand un usage abusif est détecté.

# Install the packaged release shipped alongside this note.
apt install ./reaction_2.2.1-1_amd64.deb
# Template unit: the instance name selects the config file to load
# (here the jsonnet below) — confirm the path the unit expects on this host.
systemctl enable --now reaction@reaction.jsonnet
# Show current state (streams, matches, active bans) to verify it started.
reaction show
// Action pair for a matched filter: put <ip> in the 'banned_ips' set of the
// 'reaction' nft table, then remove it again after `time` (a duration string
// such as '96h', passed unchanged as unban.after). Commands are argv arrays,
// so <ip> is substituted as a single argument and never goes through a shell.
local banFor(time) =
  // nft command touching one set element; `verb` is 'add' or 'delete'.
  local setElement(verb) = ['nft', verb, 'element', 'inet', 'reaction', 'banned_ips', '{ <ip> }'];
  {
    ban: { cmd: setElement('add') },
    unban: { cmd: setElement('delete'), after: time },
  };

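{
  // Capture used as <ip> in the regexes and nft commands below. The set is
  // typed ipv4_addr, so this pattern must stay IPv4-only.
  patterns: {
    ip: {
      type: 'ipv4',
    },
  },

  // Run once at startup: a dedicated table keeps the ban set and its drop
  // rules separate from any other firewall configuration on the host.
  start: [
    // Table ('add' is idempotent: no error if it already exists)
    ['nft', 'add', 'table', 'inet', 'reaction'],

    // Set holding the banned IPs
    [
      'nft', 'add', 'set', 'inet', 'reaction', 'banned_ips',
      '{', 'type', 'ipv4_addr', ';', 'flags', 'interval', ';', '}'
    ],

    // INPUT chain (traffic to this host)
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'input_filter',
      '{', 'type', 'filter', 'hook', 'input', 'priority', '0', ';', '}'
    ],

    // FORWARD chain (traffic routed through this host)
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'forward_filter',
      '{', 'type', 'filter', 'hook', 'forward', 'priority', '0', ';', '}'
    ],

    // Empty both chains before adding rules: 'add rule' appends, so after an
    // unclean restart (table left behind because stop never ran) the drop
    // rules would otherwise be duplicated on every start. 'flush chain' is
    // safe here because the chains were just created or already exist.
    ['nft', 'flush', 'chain', 'inet', 'reaction', 'input_filter'],
    ['nft', 'flush', 'chain', 'inet', 'reaction', 'forward_filter'],

    // Rules consulting the set: drop anything whose source is banned
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'input_filter',
      'ip', 'saddr', '@banned_ips', 'drop'
    ],
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'forward_filter',
      'ip', 'saddr', '@banned_ips', 'drop'
    ],
  ],

  stop: [
    // A single command removes the table, its set, chains and rules
    ['nft', 'delete', 'table', 'inet', 'reaction'],
  ],

  streams: {
    ssh: {
      // Follow the sshd journal; unit name as on Debian — confirm elsewhere
      cmd: ['journalctl', '-fu', 'ssh.service'],
      filters: {
        failedlogin: {
          // Each regex must contain <ip> so the source can be banned.
          regex: [
            @'authentication failure;.*rhost=<ip>',
            @'Failed password for .* from <ip>',
            @'banner exchange: Connection from <ip> port [0-9]*: invalid format',
            @'Invalid user .* from <ip>',
          ],
          // Ban after 3 matches from the same <ip> within 6h, for 96h
          retry: 3,
          retryperiod: '6h',
          actions: banFor('96h'),
        },
      },
    },
  },
}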
# Inspect the 'inet' family to confirm the reaction table, set and rules exist.
nft list ruleset inet