# http-ban

A simple script I'm testing, as I don't want a huge HTTP filter solution.
It targets the httpd(4) log format and pfctl(8).

Feel free to try it and share enhancements/ideas around! For me it has
been quite effective.

# Environment variables

- `HTTPBAN_WHITELIST`: List of whitelisted IPs
- `HTTPBAN_LIMIT_500`: Number of hits in the 500's HTTP return code range
- `HTTPBAN_LIMIT_400`: Number of hits in the 400's HTTP return code range
- `HTTPBAN_LIMIT_300`: Number of hits in the 300's HTTP return code range

# Installation

1. Create a user

    # useradd -u 404 -s /sbin/nologin -d /var/empty _httpban

2. Install the script

    # install -m 755 -o root -g bin http-ban.sh /usr/local/bin/http-ban

3. Give the required permissions in /etc/doas.conf

    # cat /etc/doas.conf
    permit nopass _httpban cmd /bin/cat args /var/www/logs/access.log
    permit nopass _httpban cmd /usr/bin/zcat args /var/www/logs/access.log.*gz
    permit nopass _httpban cmd /sbin/pfctl args -t httpban -T show
    permit nopass _httpban cmd /sbin/pfctl args -t httpban -T add -f-
    permit nopass _httpban cmd /sbin/pfctl args -t httpban -T delete -f-

4. Create a `<httpban>` table in /etc/pf.conf

    # cat /etc/pf.conf
    table <httpban> persist
    block drop in quick on egress from <httpban>

5. Run it as _httpban (here every 5 minutes)

    # crontab -eu _httpban
    HTTPBAN_WHITELIST='127.0.0.1 67.225.146.248'
    HTTPBAN_500=20
    HTTPBAN_400=15
    HTTPBAN_300=10
    */5 * * * * -s http-ban
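
The decision the steps above automate, as an added example that is not the project's http-ban.sh: count hits per client address in the 3xx/4xx/5xx classes, drop whitelisted addresses, and print the clients that reached a class limit, which is exactly the list that would be piped into `pfctl -t httpban -T add -f-`. It assumes the default httpd(4) "common" log style (server name first, then the client address, with the request as the first quoted field) and treats a limit as "at or above"; the log lines are constructed and pfctl(8) is never called.

```sh
#!/bin/sh
# Added example (not the project's http-ban.sh): the core decision the README
# describes, counting hits per client in the 3xx/4xx/5xx classes and printing
# the clients at or above a class limit, minus the whitelist. The output is
# what would be piped into "pfctl -t httpban -T add -f-"; pfctl is not called.

# Constructed log lines in the httpd(4) "common" style (server name, then the
# client address, then the request in quotes, then the status). Not real traffic.
SAMPLE_LOG='www.example.org 203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 0
www.example.org 203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 404 0
www.example.org 198.51.100.5 - - [01/Jan/2024:10:00:04 +0000] "GET /api HTTP/1.1" 500 0
www.example.org 198.51.100.5 - - [01/Jan/2024:10:00:05 +0000] "GET /api HTTP/1.1" 500 0
www.example.org 192.0.2.10 - - [01/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 301 0
www.example.org 192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 0
www.example.org 192.0.2.44 - - [01/Jan/2024:10:00:08 +0000] "GET /a b HTTP/1.1" 503 0
www.example.org 192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /a b HTTP/1.1" 503 0'

# http_ban_offenders LIMIT_300 LIMIT_400 LIMIT_500 "WHITELIST" < access.log
# Prints, one per line and sorted, every client whose hit count in some status
# class reached that class's limit; a limit of 0 disables the class.
http_ban_offenders() {
    awk -v l3="$1" -v l4="$2" -v l5="$3" -v wl="$4" '
    BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    {
        # Take the status as the first token after the quoted request line, so
        # a request containing spaces (the 192.0.2.44 lines) cannot shift it.
        if (split($0, q, "\"") < 3) next
        split(q[3], rest, " ")
        if (rest[1] !~ /^[0-9][0-9][0-9]$/) next
        if ($2 in white) next
        hits[substr(rest[1], 1, 1), $2]++
    }
    END {
        for (k in hits) {
            split(k, p, SUBSEP)
            lim = (p[1] == "3") ? l3 : (p[1] == "4") ? l4 : (p[1] == "5") ? l5 : 0
            if (lim > 0 && hits[k] >= lim) out[p[2]] = 1
        }
        for (ip in out) print ip
    }' | sort
}

# Stand-alone run with deliberately low limits so the sample trips them:
# 203.0.113.7 (3 x 404) and 192.0.2.44 (2 x 503) are printed, 198.51.100.5 is
# whitelisted and 192.0.2.10 stays below every limit.
printf '%s\n' "$SAMPLE_LOG" | http_ban_offenders 10 3 2 "127.0.0.1 198.51.100.5"
```

In the real cron job the input would come from the `doas cat` / `doas zcat` commands permitted above, with the limits and whitelist taken from the environment variables.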

# TODO

- Testing with IPv6 addresses: if the field position is the same, it
  should work without modifications.