Skip to content

History / BotScan

Revisions

  • docs(wiki): R2c truth pass — align WK-1..10 to shipped v1.218.7 behavior Wiki-only truth pass against code (fleet-live v1.218.7, nft schema 1.84.0). Human-guide style; links down to the repo /docs/operator contracts rather than duplicating them. No product-repo, register, or scope content changed. - WK-1 loopback-before-invalid (v1.217.0): Firewall-Anchor-Architecture + Architecture-Overview now show loopback accept BEFORE the ct-state-invalid drop. - WK-2: added the missing `nftban search` entry to CLI-Commands-Reference (RFC5737 examples; links to BAN_FORENSICS.md). - WK-3: refreshed stale version stamps to "Last verified: v1.218.7" across ~14 pages (frozen-authority versions kept, "Last verified" appended); Project-Statistics relabelled as a v1.203.0 snapshot. - WK-4 Suricata: rewrote the command surface to the 7 shipped Go subcommands (status/filters/daemon/ enable/disable/set-threshold/set-action); the profile-*/scan*/rules-*/sid-*/custom-*/recommend*/ stats-daemon commands are documented as removed-in-v1.92; filter table corrected to the real filters.conf set (ssh/http/mail/dns/scan/exploit/ddos/malware/botnet enabled; ftp/rdp/mysql/ postgresql disabled) — removed fabricated wp_login/wp_xmlrpc/joomla/drupal/phpmyadmin/smb/ldap/voip filters; Gbps sizing framed as guidance not benchmarks; opt-in EVE-ingestion intro. - WK-5 Security-Architecture: replaced the insecure prefix-match polkit example with the shipped explicit-unit-allowlist rule; corrected 3-group→two-group model and retired the nftban-panel / 30-nftban-panel.rules tier (retired v1.137). - WK-6 DDoS: kept the correct shipped limits (HTTP/HTTPS=200, mail=30, SSH=15 — NOT 150); clarified base counters are schema-owned/always-on (not the DDoS module) and the penalty ladder is the shell maintenance timer (daemon only proxies the write). - WK-7 GeoBan: disclosed the real default (enabled by default, allow-all policy → enabled-but-IDLE, blocks nothing until countries are configured) in Configuration-Reference + Blacklist pages. - WK-8 metrics: kept the code-true `:9580` loopback-by-default wording; fixed a stale /metrics ACL citation (daemon_http.go:99-105); removed the retired GUI-dashboard node (no product surface named, two code-true consumers: Prometheus textfile + JSON cache). - WK-9 SLSA: corrected the stale repo slug nftban-v1.0-dev → itcmsgr/nftban (12 sites); scoped SLSA wording to nftban-core. - WK-10 hygiene: scrubbed a real admin port (55000) and real routable example IPs (45.66.x) to neutral / RFC5737 values. - R2b explainers: added an "Operator contracts (in the repo /docs)" section to Security-Operations-Guide linking the four /docs/operator pages. WK-6/WK-8 corrected premises honored (no 150; loopback code-true). No RBL-blocking / cluster / live-GUI / unframed-benchmark claims; no register/scope/COMPLETED bodies pasted; leak-free (55000/45.66/nftban-v1.0-dev = 0). 22 pages.

    @itcmsgr itcmsgr committed Jul 8, 2026
  • docs(wiki): place endpoint-flood inside BotScan module page (v1.190.1) Fix taxonomy: endpoint-flood is a BotScan detector feature, not a module. - Add BotScan.md module page (access-log scanner: 404-flood, exploit/webshell/ scanner patterns, badbot/aibot, verified-crawler FCrDNS, endpoint-flood). Code-true units/knobs; enforcement via batch-signal -> daemon -> nft ban set; timer cadence (not realtime); ownership boundaries vs BotGuard (burst/concurrency) and LoginMon (credential-failure). - Sidebar: replace standalone 'BotScan: Endpoint-Flood' entry with 'BotScan (Web Access-Log)' module entry. - BotGuard.md: short boundary note cross-linking to BotScan for endpoint-volume floods (no full endpoint-flood docs copied in). - Remove standalone BotScan-Endpoint-Flood-Protection.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Jun 15, 2026