The Banisher watches in real time your systemd journal and bans, via ipset and iptables, hosts who match on yours rules.
Currently hosts (IP) are banished for 1 hour (configurable in config.yml).
The Banisher keeps states of banished IPs in a key-value store (badger)
WARNING The Banisher works only with logs handled by systemd journal and is currently only available for Linux 64.
- Download the lastest binary from the releases section.
- Set the exec flag (
chmod +x banisher). - Create a YAML file named
config.ymlin the same directory than The Banisher binary to define the configuration. - Start The Banisher (
./banisher).
- Download the lastest debian package from the releases section.
- Modify the /etc/banisher.yml file to define the configuration according to your needs
- Restart The Banisher (
systemctl restart banisher).
Here is a sample:
# defaut banishment duration in seconds
defaultBanishmentDuration: 3600
# whitelisted IP
whitelist:
- 178.22.51.92
- 142.93.11.10
# rules
rules:
- name: dovecot
match: .*imap-login:.*auth failed,.*
IPpos: 0
- name: ssh
match: Failed password.*ssh2
IPpos: 0
Where:
-
defaultBanishmentDuration: is the period in second, during which an IP will be banned, if it matches a rule.
-
whitelist: a list of IPs that must not be banned
-
rules :your Banisher rules.
A rule has three poperties:
- name: is the name of the rule (whaoo amazing!)
- match: is a regular expression. If a log line matches this regex, The Banisher will ban IP address found in this line.
- IPpos: as some log line may have multiple IP, this property will indicate which IP to ban. Warning: index start at 0, so if you want to ban the first IP found (left to right) IPpos must be 0.
And... that it.
Here is some samples of rules:
A failed auth attempt, appears in log with this line:
Failed password for invalid user mrpresidentmanu from XXX.XXX.XXX.XXX port 47092 ssh2
Here is the corresponding rule:
- name: ssh
match: Failed password.*ssh2
IPpos: 0Log line for Dovecot authentification failure looks like:
imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<[email protected]>, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=YYY.YYY.YYY.YYY, TLS: Disconnected, session=<n48ImrmGRP6xth/K>
Here is the corresponding rule:
- name: dovecot-imap
match: .*imap-login:.*auth failed,.*
IPpos: 0Yes i know, it seems to too easy to be real.
Of course you can have multiple rules in your config file, you just have to not forget the - prepending the name property for each rule.
For example if you want those two rules, your config file will be:
- name: ssh
match: Failed password.*ssh2
IPpos: 0
- name: dovecot-imap
match: .*imap-login:.*auth failed,.*
IPpos: 0An iptables rules will be automaticaly removed after defaultBanishmentDuration (defined in your config file).
If you made a mistake, just:
- stop The Banisher
- remove badger files, the db.bdg folder.
- flush iptables INPUT chain
iptables -F INPUT - add your own iptables rules (if needed)
- Task is used for compilation with a Docker image to handle glibc version issue to keep The Banisher compatible with debian buster and bullseye (debian 10 and 11).
- To compile without the Docker image, the libsystemd0 library is needed (for debian like:
sudo apt install libsystemd-dev). - The Banisher is dynamically linked with the glibc.
- Compile The Banisher without Docker image :
task build - Generate the docker image to compile The Banisher :
task generate-docker-image - Compile The Banisher with Docker image :
task build-with-docker - Generate debian package :
task package
The binaries will be in the "dist" folder.