# http-ban

Hey! It's just a simple script I'm testing as I don't want a huge HTTP
filter solution. It targets httpd(4) log format and pfctl(8).

It's messy and hard to read. Sorry about this. I wrote it a while ago
and am still updating it a bit, removing unused code.

Feel free to try it and share enhancements/ideas around!

For me it has been quite effective.

# Environment Variables

- `HTTPBAN_WHITELIST`: List of whitelisted IPs
- `HTTPBAN_LIMIT_500`: Number of hits in the 500s HTTP return code range
- `HTTPBAN_LIMIT_400`: Number of hits in the 400s HTTP return code range
- `HTTPBAN_LIMIT_300`: Number of hits in the 300s HTTP return code range
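
The threshold logic these variables describe, as an added example that is not the project's own http-ban.sh: it counts hits per client IP and status class over constructed log lines and prints the addresses that reached a limit. It assumes httpd(4) `common` style lines with the client IP in the second field and treats a limit as reached at `>=`; the function names `sample_log` and `ban_candidates` are hypothetical.

```sh
#!/bin/sh
# Added illustration, not the project's http-ban.sh.
# Assumption: httpd(4) "common" style lines, i.e. server name, client IP, ...,
# "request", status, size. The request is client-controlled, so the status is
# read after the LAST double quote and must be exactly three digits.

sample_log() {   # constructed sample, documentation addresses only
cat <<'EOF'
www.example.org 203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET /a HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /b HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "GET /c HTTP/1.1" 403 0
www.example.org 198.51.100.9 - - [01/Jan/2024:00:00:04 +0000] "GET / HTTP/1.1" 200 512
www.example.org 198.51.100.9 - - [01/Jan/2024:00:00:05 +0000] "GET /x" 500 0 HTTP/1.1" 404 0
www.example.org 192.0.2.1 - - [01/Jan/2024:00:00:06 +0000] "GET /y HTTP/1.1" 500 0
www.example.org 192.0.2.1 - - [01/Jan/2024:00:00:07 +0000] "GET /y HTTP/1.1" 502 0
www.example.org 198.51.100.20 - - [01/Jan/2024:00:00:08 +0000] "GET /old HTTP/1.1" 301 0
www.example.org 198.51.100.20 - - [01/Jan/2024:00:00:09 +0000] "GET /old2 HTTP/1.1" 302 0
EOF
}

# Read log lines on stdin; print each non-whitelisted IP whose hit count in a
# status class reached that class's limit (">=" is an assumption).
ban_candidates() {
    awk -F'"' -v wl="${HTTPBAN_WHITELIST:-}" -v l5="${HTTPBAN_LIMIT_500:-20}" \
        -v l4="${HTTPBAN_LIMIT_400:-15}" -v l3="${HTTPBAN_LIMIT_300:-10}" '
    BEGIN {
        n = split(wl, w, " ")
        for (i = 1; i <= n; i++) skip[w[i]] = 1
        limit["3"] = l3 + 0; limit["4"] = l4 + 0; limit["5"] = l5 + 0
    }
    NF >= 3 {
        split($1, pre, " "); ip = pre[2]
        split($NF, post, " "); status = post[1]
        if (ip == "" || (ip in skip)) next
        if (status !~ /^[0-9][0-9][0-9]$/) next
        class = substr(status, 1, 1)
        if (!(class in limit)) next
        if (++hits[ip, class] >= limit[class]) ban[ip] = 1
    }
    END { for (ip in ban) print ip }' | sort
}

# Demo with small limits on the constructed sample; with the README's setup the
# output would be fed to: doas pfctl -t httpban -T add -f-
HTTPBAN_WHITELIST='192.0.2.1'
HTTPBAN_LIMIT_500=2 HTTPBAN_LIMIT_400=3 HTTPBAN_LIMIT_300=2
sample_log | ban_candidates
```

The fifth sample line carries a quote inside the request; splitting on the first closing quote would count it as a 500, while reading after the last quote counts the real 404.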

# Installation

1. Create a user

        # useradd -u 404 -s /sbin/nologin -d /var/empty _httpban

2. Install the script

        # install -m 755 -o root -g bin http-ban.sh /usr/local/bin/http-ban

3. Give the required permissions in /etc/doas.conf

        # cat /etc/doas.conf
        permit nopass _httpban cmd /bin/cat args /var/www/logs/access.log
        permit nopass _httpban cmd /usr/bin/zcat args /var/www/logs/access.log.*gz
        permit nopass _httpban cmd /sbin/pfctl args -t httpban -T show
        permit nopass _httpban cmd /sbin/pfctl args -t httpban -T add -f-
        permit nopass _httpban cmd /sbin/pfctl args -t httpban -T delete -f-

4. Create a `<httpban>` table in /etc/pf.conf

        # cat /etc/pf.conf
        table <httpban> persist
        block in quick on egress from <httpban>

5. Run it as _httpban (here every 5 minutes)

        # crontab -eu _httpban
        HTTPBAN_WHITELIST='127.0.0.1 67.225.146.248'
        HTTPBAN_500=20
        HTTPBAN_400=15
        HTTPBAN_300=10
        */5 * * * * -s http-ban

WORK branch: bug fix and testing phase