mirror of
https://github.com/jrbrtsn/ban2fail
synced 2024-06-16 11:58:01 +00:00
fix README.md
This commit is contained in: parent a433b972c5, commit f7aa9b178a
83
README.md
@ -14,24 +14,28 @@ minute on my rather modest Linode virtual server to have a chance of stopping
|
|||||||
them. I hope you find this code useful.
|
them. I hope you find this code useful.
|
||||||
|
|
||||||
##Configuration
|
##Configuration
|
||||||
|
|
||||||
*ban2fail* works from a configuration file found at
|
*ban2fail* works from a configuration file found at
|
||||||
"/etc/ban2fail/ban2fail.cfg". The overarching premise is that if any REGEX
|
"/etc/ban2fail/ban2fail.cfg". The overarching premise is that if any REGEX
|
||||||
appearing in a LOGTYPE clause matches a line in an associated log file, then by
|
appearing in a LOGTYPE clause matches a line in an associated log file, then by
|
||||||
default that IP will be blocked.
|
default that IP will be blocked.
|
||||||
|
|
||||||
>LOGTYPE auth {
|
|
||||||
> DIR= /var/log
|
`
|
||||||
> PREFIX= auth.log
|
LOGTYPE auth {
|
||||||
>
|
DIR= /var/log
|
||||||
> REGEX= imapd.*Login failed.*\[([0-9.]+)\]$
|
PREFIX= auth.log
|
||||||
>
|
|
||||||
> REGEX= sshd.*Failed password.*from ([0-9.]+) port [0-9]+ ssh2$
|
REGEX= imapd.*Login failed.*\[([0-9.]+)\]$
|
||||||
>
|
|
||||||
> REGEX= Unable to negotiate with ([0-9.]+) port
|
REGEX= sshd.*Failed password.*from ([0-9.]+) port [0-9]+ ssh2$
|
||||||
>
|
|
||||||
> REGEX= in\.qpopper.*authentication failure.*tty=([0-9.]+)
|
REGEX= Unable to negotiate with ([0-9.]+) port
|
||||||
>
|
|
||||||
>}
|
REGEX= in\.qpopper.*authentication failure.*tty=([0-9.]+)
|
||||||
|
}
|
||||||
|
`
|
||||||
|
|
||||||
|
|
||||||
Syntax in the config file is pretty much the same as the nftables syntax. All
|
Syntax in the config file is pretty much the same as the nftables syntax. All
|
||||||
keywords must be in upper case. Any values in the key-\>value pairs have
|
keywords must be in upper case. Any values in the key-\>value pairs have
|
||||||
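Review bot: the heading `##Configuration` (unchanged on both sides of this hunk) has no space after the hashes, so CommonMark renderers such as GitHub's print it as literal text instead of an H2; write `## Configuration`. The new fence lines appear here as a lone backtick, and a fenced block needs three (```), so confirm the raw file carries the full fence, otherwise the LOGTYPE example still collapses into one run-on paragraph. The example would also benefit from a sentence noting that every REGEX captures `[0-9.]+`, i.e. a dotted IPv4 address only, so failed logins from IPv6 clients will not match and will not be counted.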
@ -43,31 +47,34 @@ clause. This clause allows you specify how many offenses are tolerated before an
|
|||||||
IP is blocked. Offenses will naturally disappear as old logfiles are deleted by
|
IP is blocked. Offenses will naturally disappear as old logfiles are deleted by
|
||||||
*logrotate*.
|
*logrotate*.
|
||||||
|
|
||||||
># Take it easy on home boys
|
`
|
||||||
>MAX_OFFENSES 5 {
|
# Take it easy on home boys
|
||||||
> COUNTRY= US
|
MAX_OFFENSES 5 {
|
||||||
>}
|
COUNTRY= US
|
||||||
>
|
}
|
||||||
># GeoIP doesn't know the location of every IP address
|
|
||||||
>MAX_OFFENSES 3 {
|
# GeoIP doesn't know the location of every IP address
|
||||||
> COUNTRY= unknown
|
MAX_OFFENSES 3 {
|
||||||
>}
|
COUNTRY= unknown
|
||||||
>
|
}
|
||||||
># This is your whitelist: -1 means no limit.
|
|
||||||
>MAX_OFFENSES -1 {
|
# This is your whitelist: -1 means no limit.
|
||||||
>
|
MAX_OFFENSES -1 {
|
||||||
># me from home
|
|
||||||
> IP= 205.144.171.37
|
# me from home
|
||||||
>
|
IP= 205.144.171.37
|
||||||
># Some user
|
|
||||||
> IP= 173.236.196.36
|
# Some user
|
||||||
>}
|
IP= 173.236.196.36
|
||||||
|
}
|
||||||
|
`
|
||||||
|
|
||||||
If you recieve a complaint about an address unjustly getting blocked, place it
|
If you recieve a complaint about an address unjustly getting blocked, place it
|
||||||
in one of the MAX\_OFFENSES blocks, and the IP will be unblocked the next time
|
in one of the MAX\_OFFENSES blocks, and the IP will be unblocked the next time
|
||||||
*ban2fail* runs.
|
*ban2fail* runs.
|
||||||
|
|
||||||
##Working with *ban2fail*
|
##Working with *ban2fail*
|
||||||
|
|
||||||
There are two primary modes in which *ban2fail* is used:
|
There are two primary modes in which *ban2fail* is used:
|
||||||
|
|
||||||
* Production mode, where iptables rules are modified.
|
* Production mode, where iptables rules are modified.
|
||||||
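Review bot: the whitelist example puts what look like real, routable addresses (205.144.171.37 and 173.236.196.36) under comments such as `# me from home`; documentation examples should use the RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so that a reader who copies the block does not whitelist a stranger's address. Two smaller points in the same hunk: `recieve` should be `receive` in the closing paragraph, and the same single-backtick fence question as the LOGTYPE block applies to the MAX_OFFENSES block.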
@ -75,6 +82,7 @@ There are two primary modes in which *ban2fail* is used:
|
|||||||
* Testing mode, where modifications to blocking rules are indicated.
|
* Testing mode, where modifications to blocking rules are indicated.
|
||||||
|
|
||||||
###Production
|
###Production
|
||||||
|
|
||||||
In production mode it is expected that *ban2fail* is running from a cron job,
|
In production mode it is expected that *ban2fail* is running from a cron job,
|
||||||
and no output is printed unless addresses are (un)blocked. It is also possible
|
and no output is printed unless addresses are (un)blocked. It is also possible
|
||||||
to generate a listing of addresses, offense counts, and status with the -a
|
to generate a listing of addresses, offense counts, and status with the -a
|
||||||
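Review bot: `###Production` needs a space (`### Production`) for the same CommonMark reason as the H2 headings. The production paragraph says the tool runs from a cron job and modifies iptables rules but does not say which account that job runs as; since changing iptables rules requires root, stating that explicitly would save readers a failed first run.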
@ -82,11 +90,12 @@ command flag. Likewise, a listing of countries and offense counts is available
|
|||||||
with the -c flag.
|
with the -c flag.
|
||||||
|
|
||||||
###Testing
|
###Testing
|
||||||
|
|
||||||
In test mode (-t flags) the presumption is that you are testing a modified
|
In test mode (-t flags) the presumption is that you are testing a modified
|
||||||
configuration which is not yet in place, and that you don't want to disturb the
|
configuration which is not yet in place, and that you don't want to disturb the
|
||||||
production setup. This is how you might do that:
|
production setup. This is how you might do that:
|
||||||
|
|
||||||
>ban2fail -t myNew.cfg -a
|
`ban2fail -t myNew.cfg -a`
|
||||||
|
|
||||||
No iptables rules will be modified. You will shown in the listing which
|
No iptables rules will be modified. You will shown in the listing which
|
||||||
addresses would be (un)blocked if *ban2fail* was running in production mode, and
|
addresses would be (un)blocked if *ban2fail* was running in production mode, and
|
||||||
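Review bot: two wording fixes in the new text of this hunk: `(-t flags)` should be `(-t flag)` since it is a single option, and `You will shown in the listing` is missing `be`. Moving `ban2fail -t myNew.cfg -a` from a `>` quote into inline backticks is the right direction; a fenced block would keep it consistent with the other examples converted in this commit.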
@ -96,13 +105,15 @@ When you are happy with the new configuration, copy it into place, and the the
|
|||||||
iptable rule changes will be realized the next time *ban2fail* runs.
|
iptable rule changes will be realized the next time *ban2fail* runs.
|
||||||
|
|
||||||
##Building the Project
|
##Building the Project
|
||||||
|
|
||||||
I've tested *ban2fail* on Debian Buster, but it should compile on just about any
|
I've tested *ban2fail* on Debian Buster, but it should compile on just about any
|
||||||
modern Linux distro. It uses the GeoIP package to identify the country of origin
|
modern Linux distro. It uses the GeoIP package to identify the country of origin
|
||||||
for IP addresses. Build and install like so:
|
for IP addresses. Build and install like so:
|
||||||
|
|
||||||
>make release
|
`
|
||||||
>sudo make install
|
make release
|
||||||
|
sudo make install
|
||||||
|
`
|
||||||
The executable will be placed in "/usr/local/bin".
|
The executable will be placed in "/usr/local/bin".
|
||||||
|
|
||||||
|
|
||||||
|
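Review bot: `##Building the Project` needs the space after `##`; `iptable rule changes` should read `iptables rule changes`, and the context line `and the the` has a doubled `the`. The build commands switch from `>` lines to a fence, but as rendered each fence is a single backtick; if the raw file has ``` that is fine, and adding a `sh` info string to the opening fence would give `make release` / `sudo make install` shell highlighting.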