Blame


1 d2c27298 2024-01-30 xs # http-ban
2 d2c27298 2024-01-30 xs
3 d2c27298 2024-01-30 xs Hey! It's just a simple script I'm testing as I don't want a huge HTTP
4 d2c27298 2024-01-30 xs filter solution. It targets httpd(4) log format and pfctl(8).
5 d2c27298 2024-01-30 xs
6 d2c27298 2024-01-30 xs It's messy and hard to read. Sorry about this. I wrote it a while ago
7 d2c27298 2024-01-30 xs and am still updating it a bit, removing unused code.
8 d2c27298 2024-01-30 xs
9 d2c27298 2024-01-30 xs Feel free to try it and share enhancements/ideas around!
10 d2c27298 2024-01-30 xs
11 d2c27298 2024-01-30 xs For me it has been quite effective.
12 d2c27298 2024-01-30 xs
13 88f3e13d 2024-01-30 xs # Environment Variables
14 88f3e13d 2024-01-30 xs
15 88f3e13d 2024-01-30 xs - `HTTPBAN_WHITELIST`: List of whitelisted IPs
16 88f3e13d 2024-01-30 xs - `HTTPBAN_LIMIT_500`: Number of hits in the 500s HTTP return code range
17 88f3e13d 2024-01-30 xs - `HTTPBAN_LIMIT_400`: Number of hits in the 400s HTTP return code range
18 88f3e13d 2024-01-30 xs - `HTTPBAN_LIMIT_300`: Number of hits in the 300s HTTP return code range
19 88f3e13d 2024-01-30 xs
20 d2c27298 2024-01-30 xs # Installation
21 d2c27298 2024-01-30 xs
22 ec44cb77 2024-01-30 xs 1. Create a user
23 d2c27298 2024-01-30 xs
24 d2c27298 2024-01-30 xs     # useradd -u 404 -s /sbin/nologin -d /var/empty _httpban
25 d2c27298 2024-01-30 xs
26 d2c27298 2024-01-30 xs 2. Install the script
27 d2c27298 2024-01-30 xs
28 d2c27298 2024-01-30 xs     # install -m 755 -o root -g bin http-ban.sh /usr/local/bin/http-ban
29 d2c27298 2024-01-30 xs
30 d2c27298 2024-01-30 xs 3. Give the required permissions in /etc/doas.conf
31 d2c27298 2024-01-30 xs
32 d2c27298 2024-01-30 xs     # cat /etc/doas.conf
33 d2c27298 2024-01-30 xs     permit nopass _httpban cmd /bin/cat args /var/www/logs/access.log
34 d2c27298 2024-01-30 xs     permit nopass _httpban cmd /usr/bin/zcat args /var/www/logs/access.log.*gz
35 88f3e13d 2024-01-30 xs     permit nopass _httpban cmd /sbin/pfctl args -t httpban -T show
36 88f3e13d 2024-01-30 xs     permit nopass _httpban cmd /sbin/pfctl args -t httpban -T add -f-
37 88f3e13d 2024-01-30 xs     permit nopass _httpban cmd /sbin/pfctl args -t httpban -T delete -f-
38 d2c27298 2024-01-30 xs
39 88f3e13d 2024-01-30 xs 4. Create a <httpban> table in /etc/pf.conf
40 d2c27298 2024-01-30 xs
41 d2c27298 2024-01-30 xs     # cat /etc/pf.conf
42 88f3e13d 2024-01-30 xs     table <httpban> persist
43 88f3e13d 2024-01-30 xs     block in quick on egress from <httpban>
44 d2c27298 2024-01-30 xs
45 d2c27298 2024-01-30 xs 5. Run it as _httpban (here every 5 minutes)
46 d2c27298 2024-01-30 xs
47 d2c27298 2024-01-30 xs     # crontab -eu _httpban
48 88f3e13d 2024-01-30 xs     HTTPBAN_WHITELIST='127.0.0.1 67.225.146.248'
49 88f3e13d 2024-01-30 xs     HTTPBAN_500=20
50 88f3e13d 2024-01-30 xs     HTTPBAN_400=15
51 88f3e13d 2024-01-30 xs     HTTPBAN_300=10
52 d2c27298 2024-01-30 xs     */5 * * * * -s http-ban
53 d2c27298 2024-01-30 xs
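An added example, not the project's http-ban.sh, of how the `HTTPBAN_LIMIT_*` thresholds and `HTTPBAN_WHITELIST` can be applied to an access log to produce the address list that the `pfctl -t httpban -T add -f-` rule above accepts on stdin. It assumes the log layout `vhost client-ip - - [date] "request" status size` and that a client is listed once its count is strictly above the limit; the function names `offenders` and `sample_log` and the default values are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's http-ban.sh.
# Assumed log layout: vhost client-ip - - [date] "request" status size

# offenders: read log lines on stdin and print, one per line, every client
# address whose 3xx, 4xx or 5xx hit count is above the matching limit.
offenders() {
    awk -v wl="${HTTPBAN_WHITELIST:-127.0.0.1}" \
        -v l3="${HTTPBAN_LIMIT_300:-10}" \
        -v l4="${HTTPBAN_LIMIT_400:-15}" \
        -v l5="${HTTPBAN_LIMIT_500:-20}" '
    BEGIN {
        FS = "\""
        n = split(wl, w, " ")
        for (i = 1; i <= n; i++) skip[w[i]] = 1
        limit[3] = l3 + 0; limit[4] = l4 + 0; limit[5] = l5 + 0
    }
    NF >= 3 {
        # $1 is the text before the quoted request, $NF the text after it
        split($1, pre, " ");  ip = pre[2]
        split($NF, post, " "); status = post[1]
        # Accept only address-shaped tokens: the output is fed to pfctl
        if (ip !~ /^[0-9A-Fa-f:.]+$/ || (ip in skip)) next
        if (status !~ /^[345][0-9][0-9]$/) next
        hits[ip, substr(status, 1, 1)]++
    }
    END {
        for (k in hits) {
            split(k, p, SUBSEP)
            if (hits[k] > limit[p[2]]) ban[p[1]] = 1
        }
        for (ip in ban) print ip
    }' | sort
}

# Constructed sample log (documentation addresses, not real traffic)
sample_log() {
    cat <<'EOF'
www.example.org 203.0.113.7 - - [30/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [30/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [30/Jan/2024:10:00:03 +0000] "GET /a"b HTTP/1.1" 403 0
www.example.org 198.51.100.9 - - [30/Jan/2024:10:00:04 +0000] "GET /old HTTP/1.1" 404 0
www.example.org 192.0.2.1 - - [30/Jan/2024:10:00:05 +0000] "GET /cgi HTTP/1.1" 500 0
www.example.org 192.0.2.1 - - [30/Jan/2024:10:00:06 +0000] "GET /cgi HTTP/1.1" 500 0
www.example.org $(reboot) - - [30/Jan/2024:10:00:07 +0000] "GET / HTTP/1.1" 404 0
EOF
}
```

The client field is attacker-influenced input on its way to a privileged `pfctl` call, so the address-shape check runs before anything is counted.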
54 88f3e13d 2024-01-30 xs WORK branch: bug fix and testing phase