Skip to content

Latest commit

 

History

History
164 lines (106 loc) · 4.77 KB

README.md

File metadata and controls

164 lines (106 loc) · 4.77 KB

The Banisher

The Banisher watches in real time your systemd journal and bans, via ipset and iptables, hosts who match on yours rules.

Currently hosts (IP) are banished for 1 hour (configurable in config.yml).

The Banisher keeps states of banished IPs in a key-value store (badger)

Getting started

WARNING The Banisher works only with logs handled by systemd journal and is currently only available for Linux 64.

Installing

Without debian package

  1. Download the lastest binary in tar.gz from the releases section.
  2. Extract the binary (tar xzf banisher_*.tar.gz).
  3. Set the exec flag (chmod +x banisher).
  4. Create a YAML file named config.yml in the same directory than The Banisher binary to define the configuration.
  5. Start The Banisher (./banisher).

With the debian package

  1. Download the lastest debian package from the releases section.
  2. Install the package.
  3. Modify the /etc/banisher.yml file to define the configuration according to your needs.
  4. Restart The Banisher (systemctl restart banisher).

Config

Here is a sample:

# defaut banishment duration in seconds
defaultBanishmentDuration: 3600

# whitelisted IP
whitelist:
  - 178.22.51.92
  - 142.93.11.10

# rules
rules:
  - name: dovecot
    match: .*imap-login:.*auth failed,.*
    IPpos: 0

  - name: ssh
    match: Failed password.*ssh2
    IPpos: 0

Where:

  • defaultBanishmentDuration: is the period in second, during which an IP will be banned, if it matches a rule.

  • whitelist: a list of IPs that must not be banned

  • rules :your Banisher rules.

A rule has three poperties:

  • name: is the name of the rule (whaoo amazing!)
  • match: is a regular expression. If a log line matches this regex, The Banisher will ban IP address found in this line.
  • IPpos: as some log line may have multiple IP, this property will indicate which IP to ban. Warning: index start at 0, so if you want to ban the first IP found (left to right) IPpos must be 0.

And... that it.

Here is some samples of rules:

SSH

A failed auth attempt, appears in log with this line:

Failed password for invalid user mrpresidentmanu from XXX.XXX.XXX.XXX port 47092 ssh2

Here is the corresponding rule:

- name: ssh
  match: Failed password.*ssh2
  IPpos: 0
Dovecot IMAP

Log line for Dovecot authentification failure looks like:

imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<[email protected]>, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=YYY.YYY.YYY.YYY, TLS: Disconnected, session=<n48ImrmGRP6xth/K>

Here is the corresponding rule:

- name: dovecot-imap
  match: .*imap-login:.*auth failed,.*
  IPpos: 0

Yes i know, it seems to too easy to be real.

Multiple rules ?

Of course you can have multiple rules in your config file, you just have to not forget the - prepending the name property for each rule.

For example if you want those two rules, your config file will be:

- name: ssh
  match: Failed password.*ssh2
  IPpos: 0

- name: dovecot-imap
  match: .*imap-login:.*auth failed,.*
  IPpos: 0

List blocked IPs

To list the IPs blocked by The Banisher : ipset list banisher

And what can i do if something goes wrong ?

An IP will be automaticaly removed from the ipset after defaultBanishmentDuration (defined in your config file). All IP are removed from the ipset when the application is closed.

If you made a mistake, just:

  • Stop The Banisher
  • Remove badger files (the db.bdg folder if you do not use the debian package)

If The Banisher crashed and the filter rules have not been deleted, just :

  • Remove badger files (the db.bdg folder if you do not use the debian package)
  • Remove iptable rule : iptables -D INPUT -m set --match-set banisher src -j DROP
  • Destroy ipset : ipset destroy banisher

Build

Prerequisite

  • Task is used for compilation.
  • A Docker image is used to handle glibc version issue to keep The Banisher compatible with debian buster and bullseye (debian 10 and 11).
  • To compile without the Docker image, the libsystemd0 library is needed (for debian like: sudo apt install libsystemd-dev).
  • The Banisher is dynamically linked with the glibc.

Build commands

  • Compile The Banisher without Docker image : task build
  • Generate the docker image to compile The Banisher : task generate-docker-image
  • Compile The Banisher with Docker image : task build-with-docker
  • Generate debian package : task package

The binaries will be in the "dist" folder.