OpenBSD alternative to fail2ban
I surfed the web for vaild alternatives to fail2ban on the puffy, but all I've got is this amazing article by Vincent Delft and this half-working script vilain by prx. From the ashes of vilain, I built my own solution (which is nothing near the power of fail2ban, but it gets the job done for my usecase).
botjam is a quick python script to watch log files and match regular expressions for suspicious bot requests.
It works by constantly watching the access time of the
files described in /etc/botjam.json. Upon a change, it starts
matching the log with some regular expressions and uses capture groups to
get the IP address of the suspicious client. It then saves these IP
addresses in a pf table.
/etc/botjam.json
{
"/var/www/logs/access.log": [
"([\\S]+) - - \\[.*\\] .*\\.aspx.*",
"([\\S]+) - - \\[.*\\] .*\\.php.*",
"([\\S]+) - - \\[.*\\] .*chmod|wget.*",
"([\\S]+) - - \\[.*\\] .*aws.*",
"([\\S]+) - - \\[.*\\] .*credentials.*",
"([\\S]+) - - \\[.*\\] .*env.*"
]
}
I've used json for the sake of development speed, but in the future I'd like a simpler file format, along with automatic bot rules updates upon config file change.
The code resides here, and it is MIT licensed.
reply via email→