# http-ban
Hey! It's just a simple script I'm testing, as I don't want a huge HTTP
filter solution. It targets the httpd(4) log format and pfctl(8).
It's messy and hard to read. Sorry about this. I wrote it a while ago
and am still updating it a bit, removing unused code.
Feel free to try it and share enhancements/ideas around!
For me it has been quite effective.
# Installation
1. Create a user

   ```
   # useradd -u 404 -s /sbin/nologin -d /var/empty _httpban
   ```

2. Install the script

   ```
   # install -m 755 -o root -g bin http-ban.sh /usr/local/bin/http-ban
   ```

3. Give the required permissions in /etc/doas.conf

   ```
   # cat /etc/doas.conf
   permit nopass _httpban cmd /bin/cat args /var/www/logs/access.log
   permit nopass _httpban cmd /usr/bin/zcat args /var/www/logs/access.log.*gz
   permit nopass _httpban cmd /sbin/pfctl args -t players -T show
   permit nopass _httpban cmd /sbin/pfctl args -t players -T add -f-
   permit nopass _httpban cmd /sbin/pfctl args -t players -T delete -f-
   ```

4. Create a `<players>` table in /etc/pf.conf

   ```
   # cat /etc/pf.conf
   table <players> persist
   block in quick on egress from <players>
   ```

5. Run it as _httpban (here every 5 minutes)

   ```
   # crontab -eu _httpban
   */5 * * * * -s http-ban
   ```
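To illustrate the kind of filtering that sits between reading `access.log` and feeding addresses to the `<players>` table, here is an added example; it is not taken from http-ban.sh and does not reflect its actual rules. The log layout (server name, client address, quoted request, status), the 4xx threshold rule and the names `sample_log` and `ban_candidates` are assumptions.

```shell
#!/bin/sh
# Added example, not the logic of http-ban.sh.
# Assumed httpd(4) line layout ("common"/"combined" style):
#   server addr - user [time zone] "request" status size ...

# Constructed sample log (documentation address ranges only).
sample_log() {
    cat <<'EOF'
www.example.org 198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /missing-a HTTP/1.1" 404 0
www.example.org 198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /missing-b HTTP/1.1" 404 0
www.example.org 198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /missing-c HTTP/1.1" 404 0
www.example.org 192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 5120
www.example.org 192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0
www.example.org 2001:db8::5 - - [01/Jan/2024:10:00:06 +0000] "GET /private HTTP/1.1" 403 0
www.example.org 2001:db8::5 - - [01/Jan/2024:10:00:07 +0000] "POST /private HTTP/1.1" 403 0
truncated line without a quoted request
EOF
}

# ban_candidates THRESHOLD < log
# Prints, sorted and one per line, each client address that received at
# least THRESHOLD responses with a 4xx status.
ban_candidates() {
    awk -v min="$1" '
    {
        # Split on double quotes: q[1] = prefix, q[2] = request,
        # q[3] = " status size ...". Assumes the request field itself
        # contains no unescaped double quote.
        if (split($0, q, "\"") < 3) next      # malformed line, skip it
        split(q[1], pre, " ")                 # server, addr, ident, user, time
        split(q[3], post, " ")                # status, size
        addr = pre[2]; status = post[1]
        # Accept only strings made of address characters, so nothing
        # else from the log can reach the pfctl table input.
        if (addr !~ /^[0-9A-Fa-f:.]+$/) next
        if (status ~ /^4[0-9][0-9]$/) hits[addr]++
    }
    END { for (a in hits) if (hits[a] >= min) print a }
    ' | sort
}

sample_log | ban_candidates 3    # prints 198.51.100.7
```

The one-address-per-line output is the form `pfctl -t players -T add -f-` reads on stdin, which is the command the doas.conf rule above permits.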
# TODO
- [ ] parametrize the table name, as `<players>` is not really a good name
- [ ] remove unused filter functions
- [ ] make it more pleasant to read / give the impression I'm mentally saner