mirror of https://github.com/jrbrtsn/ban2fail
fix README.md
This commit is contained in:
parent a433b972c5
commit f7aa9b178a
83
README.md
@ -14,24 +14,28 @@ minute on my rather modest Linode virtual server to have a chance of stopping
them. I hope you find this code useful.

##Configuration

*ban2fail* works from a configuration file found at
"/etc/ban2fail/ban2fail.cfg". The overarching premise is that if any REGEX
appearing in a LOGTYPE clause matches a line in an associated log file, then by
default that IP will be blocked.

>LOGTYPE auth {
> DIR= /var/log
> PREFIX= auth.log
>
> REGEX= imapd.*Login failed.*\[([0-9.]+)\]$
>
> REGEX= sshd.*Failed password.*from ([0-9.]+) port [0-9]+ ssh2$
>
> REGEX= Unable to negotiate with ([0-9.]+) port
>
> REGEX= in\.qpopper.*authentication failure.*tty=([0-9.]+)
>
>}

`
LOGTYPE auth {
DIR= /var/log
PREFIX= auth.log

REGEX= imapd.*Login failed.*\[([0-9.]+)\]$

REGEX= sshd.*Failed password.*from ([0-9.]+) port [0-9]+ ssh2$

REGEX= Unable to negotiate with ([0-9.]+) port

REGEX= in\.qpopper.*authentication failure.*tty=([0-9.]+)
}
`


Syntax in the config file is pretty much the same as the nftables syntax. All
keywords must be in upper case. Any values in the key-\>value pairs have
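Review bot: the lone backtick on its own line before `LOGTYPE auth {` and after the closing `}` does not open a fenced code block in Markdown; a single backtick starts an inline code span, so the whole config example will collapse onto one line and the `$`, `\[` and `*` in the REGEX values will render oddly. Use a three-backtick fence (```) on the line before and the line after the block instead. The heading `##Configuration` has the same rendering problem: CommonMark and GitHub need a space after the hashes (`## Configuration`), otherwise it shows as literal text. Since this hunk is the first place readers see the REGEX captures, it is also worth one sentence in the prose noting that `([0-9.]+)` only matches IPv4 addresses, so failed logins from IPv6 sources are never counted against them.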
@ -43,31 +47,34 @@ clause. This clause allows you specify how many offenses are tolerated before an
IP is blocked. Offenses will naturally disappear as old logfiles are deleted by
*logrotate*.

># Take it easy on home boys
>MAX_OFFENSES 5 {
> COUNTRY= US
>}
>
># GeoIP doesn't know the location of every IP address
>MAX_OFFENSES 3 {
> COUNTRY= unknown
>}
>
># This is your whitelist: -1 means no limit.
>MAX_OFFENSES -1 {
>
># me from home
> IP= 205.144.171.37
>
># Some user
> IP= 173.236.196.36
>}
`
# Take it easy on home boys
MAX_OFFENSES 5 {
COUNTRY= US
}

# GeoIP doesn't know the location of every IP address
MAX_OFFENSES 3 {
COUNTRY= unknown
}

# This is your whitelist: -1 means no limit.
MAX_OFFENSES -1 {

# me from home
IP= 205.144.171.37

# Some user
IP= 173.236.196.36
}
`

If you recieve a complaint about an address unjustly getting blocked, place it
in one of the MAX\_OFFENSES blocks, and the IP will be unblocked the next time
*ban2fail* runs.

##Working with *ban2fail*

There are two primary modes in which *ban2fail* is used:

* Production mode, where iptables rules are modified.
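Review bot: same fence problem as the first block: the lone backtick before `# Take it easy on home boys` and after the final `}` will render the three MAX_OFFENSES examples as one inline code span rather than a block; use ``` fences. Two small text fixes in the same hunk: `If you recieve a complaint` should read `receive`, and `##Working with *ban2fail*` needs a space after the hashes to render as a heading. Consider also replacing the two real public addresses in the whitelist example (`IP= 205.144.171.37` and `IP= 173.236.196.36`) with RFC 5737 documentation addresses such as 192.0.2.10; a published README should not advertise which real hosts are exempt from blocking.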
@ -75,6 +82,7 @@ There are two primary modes in which *ban2fail* is used:
* Testing mode, where modifications to blocking rules are indicated.

###Production

In production mode it is expected that *ban2fail* is running from a cron job,
and no output is printed unless addresses are (un)blocked. It is also possible
to generate a listing of addresses, offense counts, and status with the -a
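Review bot: `###Production` needs a space after the hashes (`### Production`) to render as a heading on GitHub; the same applies to every heading this commit touches. Minor: wrapping the flag in backticks (`-a`) in `status with the -a command flag` keeps it visually distinct from the surrounding prose.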
@ -82,11 +90,12 @@ command flag. Likewise, a listing of countries and offense counts is available
with the -c flag.

###Testing

In test mode (-t flags) the presumption is that you are testing a modified
configuration which is not yet in place, and that you don't want to disturb the
production setup. This is how you might do that:

>ban2fail -t myNew.cfg -a
`ban2fail -t myNew.cfg -a`

No iptables rules will be modified. You will shown in the listing which
addresses would be (un)blocked if *ban2fail* was running in production mode, and
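Review bot: `In test mode (-t flags)` should be `(-t flag)`, and `You will shown in the listing` is missing `be`. `###Testing` needs the space after the hashes like the other headings. Swapping the blockquoted `>ban2fail -t myNew.cfg -a` for an inline code span is fine here since it is a single command line.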
@ -96,13 +105,15 @@ When you are happy with the new configuration, copy it into place, and the the
iptable rule changes will be realized the next time *ban2fail* runs.

##Building the Project

I've tested *ban2fail* on Debian Buster, but it should compile on just about any
modern Linux distro. It uses the GeoIP package to identify the country of origin
for IP addresses. Build and install like so:

>make release
>sudo make install

`
make release
sudo make install
`
The executable will be placed in "/usr/local/bin".
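Review bot: the lone backtick lines around `make release` / `sudo make install` need to be ``` fences for the same reason as the earlier blocks, and `##Building the Project` needs a space after the hashes. In the unchanged context line `copy it into place, and the the iptable rule changes` there is a doubled `the`, and `iptable` should be `iptables`. The extra blank lines added after `The executable will be placed in "/usr/local/bin".` can be dropped.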