Updated README

john 2019-12-06 09:15:49 -05:00
parent ecee28e685
commit ac03054d22


@ -15,9 +15,9 @@ server to have a chance of stopping them. Here are the timing results for a
typical scan on my server: typical scan on my server:
``` ```
real 0m0.269s real 0m0.325s
user 0m0.108s user 0m0.186s
sys 0m0.134s sys 0m0.150s
``` ```
Currently I am running *ban2fail* from a *systemd* service file which triggers Currently I am running *ban2fail* from a *systemd* service file which triggers
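Review bot: the timing figures in this hunk are updated but "a typical scan on my server" still leaves the reader without the inputs that matter for reproducing them (how many log files and lines were scanned, and whether the run included fresh DNS lookups or hit the cache). A short parenthetical such as "(N log lines across M files, DNS cache warm)" next to the `real`/`user`/`sys` block would make the numbers meaningful to anyone sizing this for their own server.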
@ -79,8 +79,9 @@ Syntax in the config file is pretty much the same as the nftables syntax. All
keywords must be in upper case. Any values in the key=value pairs have keywords must be in upper case. Any values in the key=value pairs have
whitespace stripped from the beginning and end of the line. Since there is whitespace stripped from the beginning and end of the line. Since there is
little escaping of characters going on, regular expressions are mostly WYSIWYG. little escaping of characters going on, regular expressions are mostly WYSIWYG.
If you have a hash symbol '#' in your pattern (which is the comment character If you have a hash symbol '#' or a double quote '"' in your pattern (which are
for the config file parser), you will need to escape it like so: special characters for the config file parser), you will need to escape
them like so:
``` ```
# Nov 27 02:03:03 srv named[764]: client @0x7fe6a0053420 1.192.90.183#27388 (www.ipplus360.com): query (cache) 'www.ipplus360.com/A/IN' denied # Nov 27 02:03:03 srv named[764]: client @0x7fe6a0053420 1.192.90.183#27388 (www.ipplus360.com): query (cache) 'www.ipplus360.com/A/IN' denied
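Review bot: the hunk now names '#' and '"' as special characters for the config parser, but the visible context only says "escape them like so" and then shows a sample log line, so the escape character itself is never stated. Add one sentence saying exactly how an escape is written (for instance "prefix the character with a backslash, which the parser removes before the pattern is compiled", if that is the actual behaviour) and whether a literal backslash then needs escaping too; otherwise "regular expressions are mostly WYSIWYG" and "little escaping of characters going on" leave an ambiguity that silently produces a pattern that never matches.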
@ -189,36 +190,35 @@ forward match) info *-a-*. In the list, DNS issues are presented like so:
``` ```
# DNS is good # DNS is good
0 Dec 04 11:04 185.31.204.22 1/0 offenses GB [BLK] mail.damianbasel.audise.com 0 Dec 06 08:31 1/0 offenses AR [BLK] 200.71.237.244 host244.200-71-237.telecom.net.ar
# Reverse lookup failed with DNS server # Reverse lookup failed with DNS server
0 Dec 05 14:14 120.230.127.69 1/0 offenses CN [BLK] SERVFAIL 0 Dec 05 19:43 1/0 offenses GB [BLK] 185.217.230.146 SERVFAIL
# Reverse lookup is a non-existent domain # Reverse lookup is a non-existent domain
0 Dec 05 13:14 103.95.9.208 1/0 offenses ID [BLK] NXDOMAIN 2 Dec 05 21:11 1/0 offenses US [BLK] 67.205.153.94 NXDOMAIN
# Forward lookup does not match reverse lookup # Forward lookup does not match reverse lookup
0 Dec 04 08:47 103.238.80.23 2/0 offenses VN [BLK] example.com ! 0 Dec 06 08:40 1/0 offenses LU [BLK] 92.38.132.54 ibocke43.monster !
# Forward DNS record does not exist # Forward DNS record does not exist
4 Dec 04 10:54 106.51.230.190 2/0 offenses IN [BLK] broadband.actcorp.in !! 0 Dec 06 08:37 1/0 offenses US [BLK] 63.81.90.135 63-81-90-135.nca.lanset.com !!
# DNS is inconclusive due to lack of response from a DNS server # DNS is inconclusive due to lack of response from a DNS server
0 Dec 04 04:13 87.120.246.53 1/0 offenses BG [BLK] client.playtime.bg ~ 0 Dec 05 22:04 1/0 offenses RU [BLK] 77.221.144.107 news5.burningcoalsa.com ~
``` ```
If you want to see the offending log lines for specific address(es), supply If you want to see the offending log lines for specific address(es), supply
them on the command line like so: them on the command line like so:
``` ```
user@srv:~$ ban2fail 208.187.162.100 ====== Report for 68.183.105.52 ======
====== Report for 208.187.162.100 ====== ------- /var/log/auth.log -------------
------- /var/log/exim4/mainlog ------------- Dec 5 17:50:47 srv sshd[22326]: Invalid user cron from 68.183.105.52 port 41874
2019-12-04 12:08:15 H=(mail.spika.stream) [208.187.162.100] F=<first.class.turmeric.cbd-mgregory=robertsonoptical.com@spika.stream> rejected RCPT <mgregory@robertsonoptical.com>: 208.187.162.100 is listed at zen.spamhaus.org (127.0.0.3: https://www.spamhaus.org/sbl/query/SBLCSS) Dec 5 17:50:48 srv sshd[22326]: Failed password for invalid user cron from 68.183.105.52 port 41874 ssh2
``` ```
### Testing ### Testing
In test mode (-t flag) the presumption is that you are testing a modified In test mode (-t flag) the presumption is that you are testing a modified
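Review bot: the new report example drops the `user@srv:~$ ban2fail 208.187.162.100` prompt line that the old version had, so the text "supply them on the command line like so:" now points at output with no command shown; keep a prompt line (e.g. `user@srv:~$ ban2fail 68.183.105.52`) in front of the `====== Report for 68.183.105.52 ======` header. In the DNS list above it, the address column has moved from after the date to after the `[BLK]` flag, but the surrounding prose never documents the column order; a one-line legend (count, date, offenses, country, block status, address, reverse name, DNS marker) would make the `!`, `!!` and `~` markers and the reordered layout self-explanatory. Since both examples quote real addresses and hostnames from the author's logs, consider substituting RFC 5737 documentation ranges so the README does not publish third-party identifiers.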
@ -246,7 +246,7 @@ about any modern Linux distro. It uses the following libraries:
+ *libz* to read compressed log files + *libz* to read compressed log files
+ *libpthread* for parallel DNS lookups (200 simulataneous) + *libpthread* for parallel DNS lookups (200 simultaneous)
+ *libdb* caching of offense location and size in log files + *libdb* caching of offense location and size in log files
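Review bot: the spelling fix to "simultaneous" is fine, but the "200 simultaneous" DNS lookups figure reads as a fixed property of the build; say whether it is a compile-time constant or a configurable value, since a burst of 200 concurrent reverse lookups can be rate-limited or dropped by an upstream resolver, which is exactly the "lack of response from a DNS server" (`~`) case the README describes elsewhere. If it is tunable, name the setting here; if not, note that it is hard-coded.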
@ -257,13 +257,16 @@ make release
make install make install
``` ```
The executable will be placed in "/usr/local/bin". The make *install* target calls *install.sh*, which does a bunch of stuff
including setting up and enabling a systemd service, so you might want have a
look before pulling the trigger.
In order to run *ban2fail* as a systemd service which actively monitors log *ban2fail.service* points to *ban2fail.sh*, which can be tested from the command line for debugging. Remember to make sure the service is disabled:
files, put the service file *ban2fail.service* in place as well as placing ```
*ban2fail.sh* in '/usr/local/share/ban2fail/'. systemctl stop ban2fail
```
*ban2fail.sh* can also be tested from the command line. The user must belong to In order to run *ban2fail* as non-root user, the user must belong to group
group 'adm' in order to run iptables, which is accomplished via setuid() at the 'adm'. This is so in order to run iptables, which is accomplished via setuid(0)
appropriate time. at the appropriate time.
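Review bot: "Remember to make sure the service is disabled:" is followed by `systemctl stop ban2fail`, which stops the running unit but does not disable it, so it will start again on the next boot while someone is still debugging *ban2fail.sh* by hand; either change the wording to "stopped" or show `systemctl disable --now ban2fail` if disabling is what is meant. The new text also explains the 'adm' group requirement via setuid(0) without saying that the installed binary must therefore be setuid root, which is the security-relevant fact an administrator needs: state the owner and mode that *install.sh* applies to the executable and make explicit that any member of 'adm' can thereby drive iptables as root. Minor grammar in the same hunk: "you might want have a look" should read "you might want to have a look".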