# Reaction
|
|
|
|
Reaction est un service qui scanne les sorties des fichiers et effectue des actions quand un usage est détecté.
|
|
|
|
|
|
```shell
|
|
# Install the packaged release (Debian-style .deb, amd64 build).
apt install ./reaction_2.2.1-1_amd64.deb
# Start the service now and on every boot. The template instance name after
# `@` presumably selects the configuration file to load — confirm against the
# unit file shipped in the package.
systemctl enable --now reaction@reaction.jsonnet
|
|
```
|
|
|
|
```shell
|
|
# Query the running daemon (presumably its current matches and bans — check
# the command's own help for the exact output).
reaction show
|
|
```
|
|
|
|
```jsonnet
|
|
// Build the action pair for one detected `<ip>`: add it to the nftables set
// `banned_ips` immediately, and delete it again once `time` has elapsed.
// `<ip>` is substituted by reaction with the matched address before the
// command runs; the address is passed as a separate argv element, not through
// a shell.
local banFor(time) = {
  // Everything after the verb is the same for add and delete.
  local element = ['inet', 'reaction', 'banned_ips', '{ <ip> }'],
  ban: { cmd: ['nft', 'add', 'element'] + element },
  unban: { cmd: ['nft', 'delete', 'element'] + element, after: time },
};
|
|
|
|
{
  patterns: {
    // `<ip>` in the regexes below expands to this pattern. It is IPv4 only:
    // an IPv6 rhost never matches, so such attempts are neither counted nor
    // banned. The nftables objects below are sized to match (ipv4_addr set,
    // `ip saddr` rules); covering IPv6 would need a second pattern, set and
    // rule, which this config does not define.
    ip: {
      type: 'ipv4',
    },
  },

  // Run once when the service starts. Order matters: the table must exist
  // before the set and chains, and the chains before the rules that use them.
  start: [
    // Dedicated table, so `stop` can remove everything with one command.
    ['nft', 'add', 'table', 'inet', 'reaction'],

    // Set holding the banned IPv4 addresses; `flags interval` lets it hold
    // ranges as well as single addresses.
    [
      'nft', 'add', 'set', 'inet', 'reaction', 'banned_ips',
      '{', 'type', 'ipv4_addr', ';', 'flags', 'interval', ';', '}'
    ],

    // INPUT chain (traffic to this host). No policy is given, so the chain's
    // default policy is accept and only the drop rule below blocks anything.
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'input_filter',
      '{', 'type', 'filter', 'hook', 'input', 'priority', '0', ';', '}'
    ],

    // FORWARD chain (routed traffic); same remarks as input_filter.
    [
      'nft', 'add', 'chain', 'inet', 'reaction', 'forward_filter',
      '{', 'type', 'filter', 'hook', 'forward', 'priority', '0', ';', '}'
    ],

    // Drop anything whose source address is in the set. `ip saddr` matches
    // IPv4 headers only — see the note on patterns.ip.
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'input_filter',
      'ip', 'saddr', '@banned_ips', 'drop'
    ],
    [
      'nft', 'add', 'rule', 'inet', 'reaction', 'forward_filter',
      'ip', 'saddr', '@banned_ips', 'drop'
    ],
  ],

  stop: [
    // Deleting the table removes the set, chains and rules in one go. The
    // set's contents (the current bans) are lost with it; whether reaction
    // re-applies pending bans on the next start is not visible here.
    ['nft', 'delete', 'table', 'inet', 'reaction'],
  ],

  streams: {
    ssh: {
      // Follow the sshd journal. `ssh.service` is the Debian unit name; other
      // distributions typically use `sshd.service`.
      cmd: ['journalctl', '-fu', 'ssh.service'],
      filters: {
        failedlogin: {
          // Log lines that mark a failed or malformed login attempt. `<ip>`
          // is replaced by the patterns.ip regex before matching.
          regex: [
            @'authentication failure;.*rhost=<ip>',
            @'Failed password for .* from <ip>',
            @'banner exchange: Connection from <ip> port [0-9]*: invalid format',
            @'Invalid user .* from <ip>',
          ],
          // Presumably: 3 matches from the same <ip> within 6h trigger the
          // actions — confirm against reaction's documentation.
          retry: 3,
          retryperiod: '6h',
          // Ban via nft at once, automatic unban after 96h (see banFor above).
          actions: banFor('96h'),
        },
      },
    }
  },
}
|
|
```
|
|
|
|
```shell
|
|
# Verify that the `inet reaction` table, its `banned_ips` set and the two
# filter chains created by `start` are loaded; banned addresses appear as
# elements of the set.
nft list ruleset inet
|
|
```
|