The Banisher watches in real time your systemd journal and bans, via ipset and iptables, hosts who match on yours rules.
Currently hosts (IP) are banished for 1 hour (configurable in config.yml).
The Banisher keeps states of banished IPs in a key-value store (badger)
WARNING The Banisher works only with logs handled by systemd journal and is currently only available for Linux 64.
- Download the lastest binary in tar.gz from the releases section.
- Extract the binary (
tar xzf banisher_*.tar.gz). - Set the exec flag (
chmod +x banisher). - Create a YAML file named
config.ymlin the same directory than The Banisher binary to define the configuration. - Start The Banisher (
./banisher).
- Download the lastest debian package from the releases section.
- Install the package.
- Modify the /etc/banisher.yml file to define the configuration according to your needs.
- Restart The Banisher (
systemctl restart banisher).
Here is a sample:
# defaut banishment duration in seconds
defaultBanishmentDuration: 3600
# whitelisted IP
whitelist:
- 178.22.51.92
- 142.93.11.10
# rules
rules:
- name: dovecot
match: .*imap-login:.*auth failed,.*
IPpos: 0
- name: ssh
match: Failed password.*ssh2
IPpos: 0
Where:
-
defaultBanishmentDuration: is the period in second, during which an IP will be banned, if it matches a rule.
-
whitelist: a list of IPs that must not be banned
-
rules :your Banisher rules.
A rule has three poperties:
- name: is the name of the rule (whaoo amazing!)
- match: is a regular expression. If a log line matches this regex, The Banisher will ban IP address found in this line.
- IPpos: as some log line may have multiple IP, this property will indicate which IP to ban. Warning: index start at 0, so if you want to ban the first IP found (left to right) IPpos must be 0.
And... that it.
Here is some samples of rules:
A failed auth attempt, appears in log with this line:
Failed password for invalid user mrpresidentmanu from XXX.XXX.XXX.XXX port 47092 ssh2
Here is the corresponding rule:
- name: ssh
match: Failed password.*ssh2
IPpos: 0Log line for Dovecot authentification failure looks like:
imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<tobe@rnotto.be>, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=YYY.YYY.YYY.YYY, TLS: Disconnected, session=<n48ImrmGRP6xth/K>
Here is the corresponding rule:
- name: dovecot-imap
match: .*imap-login:.*auth failed,.*
IPpos: 0Yes i know, it seems to too easy to be real.
Of course you can have multiple rules in your config file, you just have to not forget the - prepending the name property for each rule.
For example if you want those two rules, your config file will be:
- name: ssh
match: Failed password.*ssh2
IPpos: 0
- name: dovecot-imap
match: .*imap-login:.*auth failed,.*
IPpos: 0To list the IPs blocked by The Banisher : ipset list banisher
An IP will be automaticaly removed from the ipset after defaultBanishmentDuration (defined in your config file). All IP are removed from the ipset when the application is closed.
If you made a mistake, just:
- Stop The Banisher
- Remove badger files (the db.bdg folder if you do not use the debian package)
If The Banisher crashed and the filter rules have not been deleted, just :
- Remove badger files (the db.bdg folder if you do not use the debian package)
- Remove iptable rule :
iptables -D INPUT -m set --match-set banisher src -j DROP - Destroy ipset :
ipset destroy banisher
- Task is used for compilation.
- A Docker image is used to handle glibc version issue to keep The Banisher compatible with debian buster and bullseye (debian 10 and 11).
- To compile without the Docker image, the libsystemd0 library is needed (for debian like:
sudo apt install libsystemd-dev). - The Banisher is dynamically linked with the glibc.
- Compile The Banisher without Docker image :
task build - Generate the docker image to compile The Banisher :
task generate-docker-image - Compile The Banisher with Docker image :
task build-with-docker - Generate debian package :
task package
The binaries will be in the "dist" folder.