mirror of
https://github.com/jrbrtsn/ban2fail
synced 2024-06-16 11:58:01 +00:00
Updated README
This commit is contained in:
parent
ecee28e685
commit
ac03054d22
51
README.md
@ -15,9 +15,9 @@ server to have a chance of stopping them. Here are the timing results for a
|
|||||||
typical scan on my server:
|
typical scan on my server:
|
||||||
|
|
||||||
```
|
```
|
||||||
real 0m0.269s
|
real 0m0.325s
|
||||||
user 0m0.108s
|
user 0m0.186s
|
||||||
sys 0m0.134s
|
sys 0m0.150s
|
||||||
```
|
```
|
||||||
|
|
||||||
Currently I am running *ban2fail* from a *systemd* service file which triggers
|
Currently I am running *ban2fail* from a *systemd* service file which triggers
|
||||||
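Review bot: the replacement timings (real 0.325s, user 0.186s, sys 0.150s, up from 0.269s/0.108s/0.134s) are given without the inputs that produced them, so a reader cannot tell whether the scan got slower or the log set simply grew; put the log volume (files and roughly how many lines, or how many addresses were checked) and the exact command that was timed next to the numbers, or replace them with a qualitative statement about scan time.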
@ -79,8 +79,9 @@ Syntax in the config file is pretty much the same as the nftables syntax. All
|
|||||||
keywords must be in upper case. Any values in the key=value pairs have
|
keywords must be in upper case. Any values in the key=value pairs have
|
||||||
whitespace stripped from the beginning and end of the line. Since there is
|
whitespace stripped from the beginning and end of the line. Since there is
|
||||||
little escaping of characters going on, regular expressions are mostly WYSIWYG.
|
little escaping of characters going on, regular expressions are mostly WYSIWYG.
|
||||||
If you have a hash symbol '#' in your pattern (which is the comment character
|
If you have a hash symbol '#' or a double quote '"' in your pattern (which are
|
||||||
for the config file parser), you will need to escape it like so:
|
special characters for the config file parser), you will need to escape
|
||||||
|
them like so:
|
||||||
|
|
||||||
```
|
```
|
||||||
# Nov 27 02:03:03 srv named[764]: client @0x7fe6a0053420 1.192.90.183#27388 (www.ipplus360.com): query (cache) 'www.ipplus360.com/A/IN' denied
|
# Nov 27 02:03:03 srv named[764]: client @0x7fe6a0053420 1.192.90.183#27388 (www.ipplus360.com): query (cache) 'www.ipplus360.com/A/IN' denied
|
||||||
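Review bot: the sentence now names two special characters ('#' and '"') but the example it points to only shows the '#' case, and the escape syntax itself is never spelled out in the prose; state the escape character explicitly and add a second pattern containing an escaped double quote. It is also worth saying here what goes wrong otherwise: because '#' starts a comment for the config parser, a forgotten escape silently truncates the pattern, the intended lines never match, and the offenses they should catch go unblocked, so consider having the parser warn when a key=value pattern ends at an unescaped '#'.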
@ -189,36 +190,35 @@ forward match) info *-a-*. In the list, DNS issues are presented like so:
|
|||||||
|
|
||||||
```
|
```
|
||||||
# DNS is good
|
# DNS is good
|
||||||
0 Dec 04 11:04 185.31.204.22 1/0 offenses GB [BLK] mail.damianbasel.audise.com
|
0 Dec 06 08:31 1/0 offenses AR [BLK] 200.71.237.244 host244.200-71-237.telecom.net.ar
|
||||||
|
|
||||||
# Reverse lookup failed with DNS server
|
# Reverse lookup failed with DNS server
|
||||||
0 Dec 05 14:14 120.230.127.69 1/0 offenses CN [BLK] SERVFAIL
|
0 Dec 05 19:43 1/0 offenses GB [BLK] 185.217.230.146 SERVFAIL
|
||||||
|
|
||||||
# Reverse lookup is a non-existent domain
|
# Reverse lookup is a non-existent domain
|
||||||
0 Dec 05 13:14 103.95.9.208 1/0 offenses ID [BLK] NXDOMAIN
|
2 Dec 05 21:11 1/0 offenses US [BLK] 67.205.153.94 NXDOMAIN
|
||||||
|
|
||||||
# Forward lookup does not match reverse lookup
|
# Forward lookup does not match reverse lookup
|
||||||
0 Dec 04 08:47 103.238.80.23 2/0 offenses VN [BLK] example.com !
|
0 Dec 06 08:40 1/0 offenses LU [BLK] 92.38.132.54 ibocke43.monster !
|
||||||
|
|
||||||
# Forward DNS record does not exist
|
# Forward DNS record does not exist
|
||||||
4 Dec 04 10:54 106.51.230.190 2/0 offenses IN [BLK] broadband.actcorp.in !!
|
0 Dec 06 08:37 1/0 offenses US [BLK] 63.81.90.135 63-81-90-135.nca.lanset.com !!
|
||||||
|
|
||||||
# DNS is inconclusive due to lack of response from a DNS server
|
# DNS is inconclusive due to lack of response from a DNS server
|
||||||
0 Dec 04 04:13 87.120.246.53 1/0 offenses BG [BLK] client.playtime.bg ~
|
0 Dec 05 22:04 1/0 offenses RU [BLK] 77.221.144.107 news5.burningcoalsa.com ~
|
||||||
```
|
```
|
||||||
|
|
||||||
If you want to see the offending log lines for specific address(es), supply
|
If you want to see the offending log lines for specific address(es), supply
|
||||||
them on the command line like so:
|
them on the command line like so:
|
||||||
|
|
||||||
```
|
```
|
||||||
user@srv:~$ ban2fail 208.187.162.100
|
====== Report for 68.183.105.52 ======
|
||||||
====== Report for 208.187.162.100 ======
|
------- /var/log/auth.log -------------
|
||||||
------- /var/log/exim4/mainlog -------------
|
Dec 5 17:50:47 srv sshd[22326]: Invalid user cron from 68.183.105.52 port 41874
|
||||||
2019-12-04 12:08:15 H=(mail.spika.stream) [208.187.162.100] F=<first.class.turmeric.cbd-mgregory=robertsonoptical.com@spika.stream> rejected RCPT <mgregory@robertsonoptical.com>: 208.187.162.100 is listed at zen.spamhaus.org (127.0.0.3: https://www.spamhaus.org/sbl/query/SBLCSS)
|
Dec 5 17:50:48 srv sshd[22326]: Failed password for invalid user cron from 68.183.105.52 port 41874 ssh2
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Testing
|
### Testing
|
||||||
|
|
||||||
In test mode (-t flag) the presumption is that you are testing a modified
|
In test mode (-t flag) the presumption is that you are testing a modified
|
||||||
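Review bot: the new report example drops the invocation line (`user@srv:~$ ban2fail 208.187.162.100` in the old text) and starts directly at `====== Report for 68.183.105.52 ======`, so the reader no longer sees how the report was produced; keep a prompt line such as `user@srv:~$ ban2fail 68.183.105.52` above it. The list examples also change the column order without saying so: the address now follows the `[BLK]` marker and sits next to the hostname (`1/0 offenses AR [BLK] 200.71.237.244 host244.200-71-237.telecom.net.ar`) instead of preceding the offense count, so the sentence introducing the list should name the columns in their new order, and anyone post-processing the old layout with scripts needs the change called out.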
@ -246,7 +246,7 @@ about any modern Linux distro. It uses the following libraries:
|
|||||||
|
|
||||||
+ *libz* to read compressed log files
|
+ *libz* to read compressed log files
|
||||||
|
|
||||||
+ *libpthread* for parallel DNS lookups (200 simulataneous)
|
+ *libpthread* for parallel DNS lookups (200 simultaneous)
|
||||||
|
|
||||||
+ *libdb* caching of offense location and size in log files
|
+ *libdb* caching of offense location and size in log files
|
||||||
|
|
||||||
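Review bot: the spelling fix is fine; while here, the figure of 200 simultaneous lookups deserves one more sentence, because a resolver that throttles a burst of that size answers SERVFAIL or not at all, which can surface as the `SERVFAIL` and `~` (inconclusive) markers described in the listing section, so say whether that count is adjustable and what to lower it to if those markers dominate.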
@ -257,13 +257,16 @@ make release
|
|||||||
make install
|
make install
|
||||||
```
|
```
|
||||||
|
|
||||||
The executable will be placed in "/usr/local/bin".
|
The make *install* target calls *install.sh*, which does a bunch of stuff
|
||||||
|
including setting up and enabling a systemd service, so you might want have a
|
||||||
|
look before pulling the trigger.
|
||||||
|
|
||||||
In order to run *ban2fail* as a systemd service which actively monitors log
|
*ban2fail.service* points to *ban2fail.sh*, which can be tested from the command line for debugging. Remember to make sure the service is disabled:
|
||||||
files, put the service file *ban2fail.service* in place as well as placing
|
```
|
||||||
*ban2fail.sh* in '/usr/local/share/ban2fail/'.
|
systemctl stop ban2fail
|
||||||
|
```
|
||||||
|
|
||||||
*ban2fail.sh* can also be tested from the command line. The user must belong to
|
In order to run *ban2fail* as non-root user, the user must belong to group
|
||||||
group 'adm' in order to run iptables, which is accomplished via setuid() at the
|
'adm'. This is so in order to run iptables, which is accomplished via setuid(0)
|
||||||
appropriate time.
|
at the appropriate time.
|
||||||
|
|
||||||
|
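Review bot: `systemctl stop ban2fail` only stops the running unit, it does not disable it, so the service returns at the next boot or the next trigger and can run alongside the copy of *ban2fail.sh* being debugged by hand; since the sentence says "make sure the service is disabled", the command should be `systemctl disable --now ban2fail` (or `disable` followed by `stop`). Two smaller points: "you might want have a look" is missing "to", and the rewrite drops the statements that the executable lands in "/usr/local/bin" and the script in '/usr/local/share/ban2fail/', leaving the install locations undocumented. Finally, now that the text says privilege is obtained via setuid(0), it should state how the process is able to make that call (a setuid-root install, presumably) and that membership in group 'adm' is the only gate on that transition to root, because that is the security boundary an administrator is accepting when adding users to the group.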