A simple script I'm testing as I don't want a huge HTTP filter solution.
It targets httpd(4) log format and pfctl(8).

Feel free to try it and share enhancements/ideas around! For me it has
been quite effective.

# Environment variables

- `HTTPBAN_WHITELIST`: List of whitelisted IPs
- `HTTPBAN_LIMIT_500`: Number of hits in the 500's HTTP return code range
- `HTTPBAN_LIMIT_400`: Number of hits in the 400's HTTP return code range
- `HTTPBAN_LIMIT_300`: Number of hits in the 300's HTTP return code range
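
How per-address limits of this kind can be evaluated, as an added example (not the project's `http-ban.sh`): the function counts 3xx/4xx/5xx hits per client and prints the addresses to ban, one per line, which is the form `pfctl -t httpban -T add -f-` reads from stdin. The log layout, the `>=` comparison, the function names and the sample lines are assumptions of this example.

```shell
# Added example, not the project's http-ban.sh. Assumed httpd(4) log layout:
#   server client - - [date tz] "request" status size
# ban_candidates LIMIT_500 LIMIT_400 LIMIT_300 WHITELIST  (log on stdin)
# Prints each client whose hits in a status class reach that class's limit
# (treating the limit as ">=" is an assumption of this example).
ban_candidates() {
	awk -F'"' -v l5="$1" -v l4="$2" -v l3="$3" -v wl="$4" '
	BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
	NF >= 3 {
		# Split on the quotes around the request so that a quote inside
		# the request cannot shift the client or status position.
		split($1, head, " "); split($NF, tail, " ")
		ip = head[2]; status = tail[1]
		if (ip == "" || (ip in skip)) next
		if (status !~ /^[345][0-9][0-9]$/) next
		hits[ip, substr(status, 1, 1)]++
	}
	END {
		for (k in hits) {
			split(k, p, SUBSEP)
			lim = (p[2] == "5") ? l5 : (p[2] == "4") ? l4 : l3
			if (hits[k] >= lim) ban[p[1]] = 1
		}
		for (ip in ban) print ip
	}' | sort
}

# Constructed sample log (documentation addresses only).
sample_log() {
	cat <<'EOF'
www.example.org 203.0.113.7 - - [31/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [31/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [31/Jan/2024:10:00:03 +0000] "GET /a"b HTTP/1.1" 404 0
www.example.org 198.51.100.9 - - [31/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512
www.example.org 198.51.100.9 - - [31/Jan/2024:10:00:05 +0000] "GET /x HTTP/1.1" 404 0
www.example.org 127.0.0.1 - - [31/Jan/2024:10:00:06 +0000] "GET /s HTTP/1.1" 500 0
www.example.org 127.0.0.1 - - [31/Jan/2024:10:00:07 +0000] "GET /s HTTP/1.1" 500 0
www.example.org 127.0.0.1 - - [31/Jan/2024:10:00:08 +0000] "GET /s HTTP/1.1" 500 0
www.example.org 2001:db8::1 - - [31/Jan/2024:10:00:09 +0000] "GET /old HTTP/1.1" 301 0
www.example.org 2001:db8::1 - - [31/Jan/2024:10:00:10 +0000] "GET /old HTTP/1.1" 301 0
EOF
}

# Usage: sample_log | ban_candidates 3 3 2 '127.0.0.1'
```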

# Installation

1. Create a user

```
# useradd -u 404 -s /sbin/nologin -d /var/empty _httpban
```

2. Install the script

```
# install -m 755 -o root -g bin http-ban.sh /usr/local/bin/http-ban
```

3. Give the required permissions in /etc/doas.conf

```
# cat /etc/doas.conf
permit nopass _httpban cmd /bin/cat args /var/www/logs/access.log
permit nopass _httpban cmd /usr/bin/zcat args /var/www/logs/access.log.*gz
permit nopass _httpban cmd /sbin/pfctl args -t httpban -T show
permit nopass _httpban cmd /sbin/pfctl args -t httpban -T add -f-
permit nopass _httpban cmd /sbin/pfctl args -t httpban -T delete -f-
```

4. Create a `<httpban>` table in /etc/pf.conf

```
# cat /etc/pf.conf
table <httpban> persist
block drop in quick on egress from <httpban>
```

5. Run it as _httpban (here every 5 minutes)

```
# crontab -eu _httpban
HTTPBAN_WHITELIST='127.0.0.1 67.225.146.248'
HTTPBAN_500=20
HTTPBAN_400=15
HTTPBAN_300=10
*/5 * * * * -s http-ban
```

- Testing with IPv6 addresses, if the field position is the same, it
  should work without modifications.