# http-ban

Hey! It's just a simple script I'm testing as I don't want a huge HTTP
filter solution. It targets httpd(4) log format and pfctl(8).

It's messy and harsh to read. Sorry about this. Written it a while ago
and yet updating it a bit, removing unused code.

Feel free to try it and share enhancements/ideas around!

For me it has been quite effective.

# Environment Variables

- `HTTPBAN_WHITELIST`: List of whitelisted IP's
- `HTTPBAN_LIMIT_500`: Number of hits in the 500's HTTP return code range
- `HTTPBAN_LIMIT_400`: Number of hits in the 400's HTTP return code range
- `HTTPBAN_LIMIT_300`: Number of hits in the 300's HTTP return code range

# Installation

1. Create an user

	# useradd -u 404 -s /sbin/nologin -d /var/empty _httpban

2. Install the script

	# install -m 755 -o root -g bin http-ban.sh /usr/local/bin/http-ban

3. Give the required permissions in /etc/doas.conf

	# cat /etc/doas.conf
	permit nopass _httpban cmd /bin/cat args /var/www/logs/access.log
	permit nopass _httpban cmd /usr/bin/zcat args /var/www/logs/access.log.*gz
	permit nopass _httpban cmd /sbin/pfctl args -t httpban -T show
	permit nopass _httpban cmd /sbin/pfctl args -t httpban -T add -f-
	permit nopass _httpban cmd /sbin/pfctl args -t httpban -T delete -f-

4. Create a <httpban> table in /etc/pf.conf

	# cat /etc/pf.conf
	table <httpban> persist
	block in quick on egress from <httpban>

3. Run it as _httpban (here every 5 minutes)

	# crontab -eu _httpban
    HTTPBAN_WHITELIST='127.0.0.1 67.225.146.248'
    HTTPBAN_500=20
    HTTPBAN_400=15
    HTTPBAN_300=10
	*/5 * * * * -s http-ban

WORK branch: bug fix and testing phase