1 # http-ban
2 
3 A simple script I'm testing as I don't want a huge HTTP filter solution.
4 It targets httpd(4) log format and pfctl(8).
5 
6 Feel free to try it and share enhancements/ideas around! For me it has
7 been quite effective.
8 
9 # Environment variables
10 
11 - `HTTPBAN_WHITELIST`: List of whitelisted IP's
12 - `HTTPBAN_LIMIT_500`: Number of hits in the 500's HTTP return code range
13 - `HTTPBAN_LIMIT_400`: Number of hits in the 400's HTTP return code range
14 - `HTTPBAN_LIMIT_300`: Number of hits in the 300's HTTP return code range
15 
16 # Installation
17 
18 1. Create an user
19 
20     # useradd -u 404 -s /sbin/nologin -d /var/empty _httpban
21 
22 2. Install the script
23 
24     # install -m 755 -o root -g bin http-ban.sh /usr/local/bin/http-ban
25 
26 3. Give the required permissions in /etc/doas.conf
27 
28     # cat /etc/doas.conf
29     permit nopass _httpban cmd /bin/cat args /var/www/logs/access.log
30     permit nopass _httpban cmd /usr/bin/zcat args /var/www/logs/access.log.*gz
31     permit nopass _httpban cmd /sbin/pfctl args -t httpban -T show
32     permit nopass _httpban cmd /sbin/pfctl args -t httpban -T add -f-
33     permit nopass _httpban cmd /sbin/pfctl args -t httpban -T delete -f-
34 
35 4. Create a <httpban> table in /etc/pf.conf
36 
37     # cat /etc/pf.conf
38     table <httpban> persist
39     block drop in quick on egress from <httpban>
40 
41 3. Run it as _httpban (here every 5 minutes)
42 
43     # crontab -eu _httpban
44     HTTPBAN_WHITELIST='127.0.0.1 67.225.146.248'
45     HTTPBAN_500=20
46     HTTPBAN_400=15
47     HTTPBAN_300=10
48     */5 * * * * -s http-ban
49 
50 # TODO
51 
52 - Testing with IPv6 addresses, if the field position is the same, it
53   should work without modifications.