☯︎ heizelnut


OpenBSD alternative to fail2ban

I surfed the web for valid alternatives to fail2ban on the puffy, but all I found was this excellent article by Vincent Delft and a half-working script, vilain, by prx. From the ashes of vilain I built my own solution (nothing near the power of fail2ban, but it gets the job done for my use case).

botjam is a quick Python script that watches log files and matches their lines against regular expressions describing suspicious bot requests.

It works by constantly polling the access time of the files listed in /etc/botjam.json. When one changes, it runs that file's regular expressions over the log and uses the first capture group of each match to extract the offending client's IP address, which it then adds to a pf table. Note that a table on its own blocks nothing: pf.conf still needs a rule that references it (and the table should be declared with persist so it survives being emptied), otherwise the addresses are collected but never refused.

/etc/botjam.json

{
    "/var/www/logs/access.log": [
        "([\\S]+) - - \\[.*\\] .*\\.aspx.*",
        "([\\S]+) - - \\[.*\\] .*\\.php.*",
        "([\\S]+) - - \\[.*\\] .*(?:chmod|wget).*",
        "([\\S]+) - - \\[.*\\] .*aws.*",
        "([\\S]+) - - \\[.*\\] .*credentials.*",
        "([\\S]+) - - \\[.*\\] .*env.*"
    ]
}

(The chmod/wget rule needs the group: written as .*chmod|wget.*, the alternation splits the whole pattern in two, and the wget branch has no capture group, so the IP comes back empty whenever that branch fires.)
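To make the matching step concrete, here is the detection core of a botjam-style watcher as an added example. It is not botjam's own code: it parses a constructed config in the same shape as /etc/botjam.json, runs the rules over a handful of constructed httpd access-log lines, validates that what group 1 captured is really an IP address before it is handed to pfctl, and builds the pfctl(8) command that would add the addresses to a table. The table name botjam and the sample log lines are assumptions. Two caveats the example makes visible: substring rules such as .*env.* or .*aws.* also match harmless paths (/events/, /draws/), and a rule without a capture group, or a log line with junk in the host field, must never reach pfctl.

```python
"""Detection core of a botjam-style log watcher (added example, not botjam's code)."""
import ipaddress
import json
import re
import shlex

# Assumed table name: the page does not say which pf table botjam uses.
PF_TABLE = "botjam"

# Constructed config in the /etc/botjam.json shape (path -> list of regexes).
# Every rule must capture the client address in group 1; the chmod/wget
# alternation is grouped so both branches keep that capture.
CONFIG_JSON = r"""
{
    "/var/www/logs/access.log": [
        "([\\S]+) - - \\[.*\\] .*\\.php.*",
        "([\\S]+) - - \\[.*\\] .*(?:chmod|wget).*",
        "([\\S]+) - - \\[.*\\] .*credentials.*"
    ]
}
"""

# Constructed access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /.aws/credentials HTTP/1.1" 404 0
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/;wget+http://x/a.sh HTTP/1.1" 400 0
garbage - - [10/Oct/2023:13:56:10 +0000] "GET /shell.php HTTP/1.1" 404 0
"""


def compile_rules(config_json):
    """Parse the JSON config and compile every rule once.

    A malformed regex fails here, at startup, rather than on the first hit.
    """
    config = json.loads(config_json)
    return {path: [re.compile(p) for p in pats] for path, pats in config.items()}


def offenders(lines, rules):
    """Return the set of client IPs captured by any rule.

    Matches are anchored at the start of the line (re.match) so group 1 is
    always the host field, and the captured text is parsed as an IP address
    before it is accepted; anything else is dropped instead of being passed
    on to pfctl.
    """
    hits = set()
    for line in lines:
        for rx in rules:
            m = rx.match(line)
            if m is None or m.group(1) is None:
                continue
            try:
                hits.add(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass  # junk in the host field: never becomes a pfctl argument
            break  # one matching rule per line is enough
    return hits


def pfctl_add_command(table, ips):
    """argv for pfctl(8) that adds the addresses to <table>, in address order."""
    ordered = sorted(ips, key=ipaddress.ip_address)
    return ["pfctl", "-t", table, "-T", "add", *ordered]


def scan(config_json, path, text):
    """Run the rules configured for `path` over `text`; return (ips, pfctl argv)."""
    rules = compile_rules(config_json)[path]
    ips = offenders(text.splitlines(), rules)
    return ips, pfctl_add_command(PF_TABLE, ips)


if __name__ == "__main__":
    ips, cmd = scan(CONFIG_JSON, "/var/www/logs/access.log", SAMPLE_LOG)
    print("would ban:", ", ".join(sorted(ips, key=ipaddress.ip_address)))
    print("would run:", shlex.join(cmd))
```

Running it on the constructed log bans 203.0.113.5 and 192.0.2.9 only: the /index.html request matches nothing, and the /shell.php line is dropped because its host field is not an address. The command is only built, not executed; on a real host it must run as root, and pf.conf needs `table <botjam> persist` plus a rule such as `block in quick from <botjam>` (standard pf syntax, with the assumed table name) before the entries block anything.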

I used JSON for the sake of development speed, but in the future I'd like a simpler file format, along with automatic reloading of the bot rules when the config file changes.

The code resides here, and it is MIT licensed.
