diff --git a/.gitignore b/.gitignore
index f9afe5a..b2a2c95 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,4 +11,8 @@ dist/banisher
 # Database
-dist/db.bdg
\ No newline at end of file
+dist/db.bdg
+
+# Packages
+dist/packages
+dist/*.deb
\ No newline at end of file
diff --git a/README.md b/README.md
index 16a6752..98b5a84 100644
--- a/README.md
+++ b/README.md
@@ -20,9 +20,16 @@ __WARNING The Banisher works only with logs handled by systemd journal and is cu
 Just download the lastest binary from the [releases section](https://github.com/toorop/banisher/releases).
 ### Config
-
+
+#### Without debian package
+
 In the same directory than The Banisher binary, create a [YAML](https://en.wikipedia.org/wiki/YAML) file named `config.yml`.
+#### With the debian package
+
+Modify the /etc/banisher.yml file according to your needs
+
+
 Here is a sample:
 ```yaml
diff --git a/Taskfile.yml b/Taskfile.yml
index b94b719..3410ab0 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -1,10 +1,41 @@
 version: '2'
+vars:
+ GIT_VERSION:
+ sh: git describe --tags --always | sed 's/v//g'
+
 tasks:
+
 build:
 cmds:
- - go build -o dist/banisher
+ - go build -ldflags "-w -s -X main.appVersion={{.GIT_VERSION}}" -o dist/banisher
+
 run:
 deps: [build]
 cmds:
- - dist/banisher
\ No newline at end of file
+ - dist/banisher
+
+ package:
+ deps: [build]
+ vars:
+ PACKAGE_BUILD_DATE:
+ sh: date +%s
+ cmds:
+ - mkdir -p dist/packages/debian/DEBIAN
+ - cp debian/postinst dist/packages/debian/DEBIAN/.
+ - cp debian/prerm dist/packages/debian/DEBIAN/.
+ - cp debian/control dist/packages/debian/DEBIAN/.
+ - sed -i 's/#version#/{{.GIT_VERSION}}-{{.PACKAGE_BUILD_DATE}}/g' dist/packages/debian/DEBIAN/control
+ - mkdir -p dist/packages/debian/lib/systemd/system
+ - cp debian/banisher.service dist/packages/debian/lib/systemd/system/.
+ - mkdir -p dist/packages/debian/usr/sbin
+ - cp dist/banisher dist/packages/debian/usr/sbin/.
+ - mkdir -p dist/packages/debian/etc
+ - cp dist/config.yml dist/packages/debian/etc/banisher.yml
+ - dpkg-deb --build dist/packages/debian dist/banisher_{{.GIT_VERSION}}-{{.PACKAGE_BUILD_DATE}}_amd64.deb
+
+ clean:
+ cmds:
+ - rm dist/*.deb
+ - rm dist/packages -R
+ - rm dist/banisher
diff --git a/debian/banisher.service b/debian/banisher.service
new file mode 100644
index 0000000..5b48fe8
--- /dev/null
+++ b/debian/banisher.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=The Banisher daemon
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/install -m 755 -o root -g root -d /var/lib/banisher
+ExecStart=/usr/sbin/banisher -conf=/etc/banisher.yml -db=/var/lib/banisher/db.bdg -systemd
+KillMode=process
+Restart=on-failure
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..3a701fb
--- /dev/null
+++ b/debian/control
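Review bot: In Taskfile.yml the `package` task runs `dpkg-deb --build` on a tree staged with plain `cp`, so unless the task runs as root or under fakeroot the archive records the builder's uid/gid as owner of `/usr/sbin/banisher` and `/etc/banisher.yml`. On the target host whichever account has that numeric id could then replace a binary that the unit in this same commit starts as root; `dpkg-deb --root-owner-group --build dist/packages/debian dist/banisher_{{.GIT_VERSION}}-{{.PACKAGE_BUILD_DATE}}_amd64.deb` forces root:root. Separately, nothing is copied to `DEBIAN/conffiles`, so an upgrade replaces the administrator's `/etc/banisher.yml` (rules and whitelist) without a prompt. A `debian/conffiles` holding the single line `/etc/banisher.yml`, copied next to `control`, would fix that.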
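Review bot: debian/banisher.service starts the daemon as root (there is no `User=`) with no sandboxing, although its job is to parse journal lines whose content remote clients can influence. Directives such as `NoNewPrivileges=yes`, `ProtectHome=yes` and `PrivateTmp=yes` cost little here; `ProtectSystem=` and a `CapabilityBoundingSet=` are worth adding too, but need testing against however the bans are applied, which this diff does not show. The `ExecStartPre=/usr/bin/install -m 755 ...` line can be replaced by `StateDirectory=banisher` with `StateDirectoryMode=0750`, which also stops the ban database directory from being world-readable.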
@@ -0,0 +1,8 @@
+Package: banisher
+Version: #version#
+Section: net
+Priority: optional
+Architecture: amd64
+Essential: no
+Maintainer: Olivier LARRIGAUDIERE
+Description: Watches your systemd journal and bans, with no delay, abusers.
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..5ec3b71
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,28 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+action="$1"
+oldversion="$2"
+
+umask 022
+
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+ if [ -d /run/systemd/system ]; then
+ systemctl --system daemon-reload >/dev/null || true
+ if ! systemctl is-enabled banisher.service >/dev/null
+ then
+ systemctl enable banisher.service >/dev/null || true
+ systemctl start banisher.service >/dev/null || true
+ else
+ systemctl restart banisher.service >/dev/null || true
+ fi
+ fi
+fi
+
+db_stop
+
+exit 0
diff --git a/debian/prerm b/debian/prerm
new file mode 100755
index 0000000..4b8d012
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ -d /run/systemd/system ]; then
+ deb-systemd-invoke stop banisher.service >/dev/null
+fi
+
+exit 0
diff --git a/dist/config.yml b/dist/config.yml
index dfee165..3e756e4 100644
--- a/dist/config.yml
+++ b/dist/config.yml
@@ -3,22 +3,10 @@ defaultBanishmentDuration: 3600
 # whitelisted IP
 whitelist:
- - 163.172.180.201
+# - 1.2.3.4
 # rules
 rules:
- - name: tmail-timeout
- match: .*msg="smtpd.*-client timeout.*
- IPpos: 0
-
- - name: tmail-auth-404
- match: .*msg="smtpd.*err:record not found"
- IPpos: 0
-
- - name: tmail-auth-empty
- match: err:login or passwd is empty
- IPpos: 0
-
 - name: dovecot
 match: .*imap-login:.*auth failed,.*
 IPpos: 0
diff --git a/main.go b/main.go
index c07d551..46f34e8 100644
--- a/main.go
+++ b/main.go
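Review bot: In debian/postinst the `if ! systemctl is-enabled banisher.service` branch runs on every `configure` (and on the three `abort-*` actions), so an administrator who deliberately disabled the unit gets it enabled and started again at the next upgrade. `oldversion="$2"` is assigned but never used. Guarding the enable/start pair with `if [ -z "$oldversion" ]; then` would limit it to a first install and leave later runs to restart the unit only when it is already enabled.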
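Review bot: In dist/config.yml the `whitelist:` key is left with only a commented-out entry, so it parses as an empty (null) value, and this same file is what the package task installs as `/etc/banisher.yml` before postinst starts the service. A fresh package install therefore begins banning with no whitelisted address at all. I would add a comment above the key such as `# add the address(es) you administer this host from before enabling more rules`, and confirm that loadConfig (not shown in this diff) accepts a null whitelist.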
@@ -14,6 +14,7 @@ import (
 var banisher *Banisher
 var home string
 var config Config
+var appVersion string
 // main
 func main() {
@@ -28,13 +29,23 @@ func main() {
 // load parameters
 configFile := flag.String("conf", fmt.Sprintf("%s/config.yml", home), "configuration file")
 databaseFile := flag.String("db", fmt.Sprintf("%s/db.bdg", home), "database file")
+ systemd := flag.Bool("systemd", false, "started by systemd")
 flag.Parse()
+ // remove timestamp on log
+ if *systemd {
+ log.SetFlags(log.Flags() &^ (log.Ldate | log.Ltime))
+ }
+
+ // notify start of application with version
+ log.Printf("Starting The Banisher v%s", appVersion)
+
 // load config
 config, err = loadConfig(*configFile)
 if err != nil {
 log.Fatalf("failed to load config: %v", err)
 }
+
 // init banisher
 banisher, err = NewBanisher(*databaseFile)
 if err != nil {
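Review bot: In main.go `appVersion` has no default, so any build that does not pass `-X main.appVersion=...` (a plain `go build` or `go run`) logs `Starting The Banisher v` with an empty version. Declaring it as `var appVersion = "dev"` keeps the `-X` override working and keeps the start-up line useful when matching a log to a binary. The new variable also lacks a comment saying it is set at link time; `// appVersion is injected at build time via -ldflags "-X main.appVersion=..."` would do. main's body continues beyond the second hunk.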