The Banisher watches your systemd journal in real time and bans, via iptables, hosts that match your rules.
Currently hosts (IP addresses) are banished for 3 hours.
The Banisher keeps the state of banished IPs in a key-value store (badger).
WARNING: The Banisher works only with logs handled by the systemd journal and is currently only available for 64-bit Linux.
Just download the latest binary from the releases section.
In the same directory as The Banisher binary, create a YAML file named rules.yml.
Here is a sample:
```yaml
# default banishment duration in seconds
defaultBanishmentDuration: 3600
# whitelisted IP
whitelist:
  - 22.214.171.124
  - 126.96.36.199
# rules
rules:
  - name: dovecot
    match: .*imap-login:.*auth failed,.*
    IPpos: 0
  - name: ssh
    match: Failed password.*ssh2
    IPpos: 0
```
- defaultBanishmentDuration: the period, in seconds, during which an IP will be banned if it matches a rule.
- whitelist: a list of IPs that must never be banned.
- rules: your Banisher rules.
A rule has three properties:
- name: the name of the rule (whaoo amazing!)
- match: a regular expression. If a log line matches this regex, The Banisher will ban the IP address found in this line.
- IPpos: as some log lines may contain multiple IPs, this property indicates which IP to ban. Warning: the index starts at 0, so if you want to ban the first IP found (left to right), IPpos must be 0.
And... that's it.
Here are some sample rules:
A failed SSH auth attempt appears in the log with this line:
```
Failed password for invalid user mrpresidentmanu from XXX.XXX.XXX.XXX port 47092 ssh2
```
Here is the corresponding rule:
```yaml
- name: ssh
  match: Failed password.*ssh2
  IPpos: 0
```
The log line for a Dovecot authentication failure looks like:
```
imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<email@example.com>, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=YYY.YYY.YYY.YYY, TLS: Disconnected, session=<n48ImrmGRP6xth/K>
```
Here is the corresponding rule:
```yaml
- name: dovecot-imap
  match: .*imap-login:.*auth failed,.*
  IPpos: 0
```
Yes, I know, it seems too easy to be real.
Multiple rules?
Of course you can have multiple rules in your rules.yml; just don't forget the "-" prepended to the name property of each rule.
For example, if you want those two rules, your rules.yml will be:
```yaml
- name: ssh
  match: Failed password.*ssh2
  IPpos: 0
- name: dovecot-imap
  match: .*imap-login:.*auth failed,.*
  IPpos: 0
```
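To show how the three rule properties above combine on real journal lines, here is an added Go example (not The Banisher's own code): rules are declared as Go structs instead of being parsed from rules.yml, the whitelist and the log lines are constructed for this example, and Evaluate applies the page's logic: match the regex, collect the IPs in the line left to right, pick the one at IPpos, and skip whitelisted addresses.

```go
package main
import (
	"fmt"
	"regexp"
)
// Rule mirrors the three properties of a rules.yml entry (name, match, IPpos).
type Rule struct {
	Name  string
	Match *regexp.Regexp
	IPpos int
}
// ipRe finds every IPv4 address in a log line, left to right.
var ipRe = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
// Constructed rules and whitelist mirroring the README samples (not parsed from YAML).
var rules = []Rule{
	{Name: "ssh", Match: regexp.MustCompile(`Failed password.*ssh2`), IPpos: 0},
	{Name: "dovecot-imap", Match: regexp.MustCompile(`.*imap-login:.*auth failed,.*`), IPpos: 0},
}
var whitelist = map[string]bool{"203.0.113.9": true}
// Evaluate returns the matching rule name and the IP to ban. ok is false when no
// rule matches, the line has no IP at IPpos, or the IP is whitelisted.
func Evaluate(line string) (name, ip string, ok bool) {
	for _, r := range rules {
		if !r.Match.MatchString(line) {
			continue
		}
		ips := ipRe.FindAllString(line, -1)
		if r.IPpos < 0 || r.IPpos >= len(ips) {
			return r.Name, "", false // rule matched, but nothing to ban at that index
		}
		ip = ips[r.IPpos]
		return r.Name, ip, !whitelist[ip]
	}
	return "", "", false
}
func main() {
	// Constructed sample journal lines using documentation address ranges.
	lines := []string{
		"Failed password for invalid user bob from 203.0.113.7 port 47092 ssh2",
		"imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<a@example.com>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1, TLS: Disconnected, session=<x>",
		"Failed password for root from 203.0.113.9 port 2222 ssh2", // whitelisted
		"Accepted publickey for alice from 203.0.113.8 port 50000 ssh2",
	}
	for _, l := range lines {
		name, ip, ok := Evaluate(l)
		fmt.Printf("rule=%q ip=%q ban=%v\n", name, ip, ok)
	}
}
```

Note that for the Dovecot line IPpos 0 selects the rip= address because it appears before lip= in the line.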
You have downloaded the Banisher binary?
You have set the exec flag (chmod +x banisher)?
You have set up your rules?
Let's go!
```
./banisher
2019/04/17 16:19:12 dovecot: 188.8.131.52 banned
2019/04/17 16:19:12 ssh: 184.108.40.206 banned
2019/04/17 16:19:13 dovecot: 220.127.116.11 banned
2019/04/17 16:19:15 ssh: 18.104.22.168 banned
2019/04/17 16:19:20 ssh: 22.214.171.124 banned
2019/04/17 16:19:20 ssh: 126.96.36.199 banned
2019/04/17 16:19:21 ssh: 188.8.131.52 banned
2019/04/17 16:19:21 ssh: 184.108.40.206 banned
2019/04/17 16:19:21 ssh: 220.127.116.11 banned
```
Of course you can configure systemd to run The Banisher binary (doc is coming).
And what can I do if something goes wrong?!
An iptables rule will be automatically removed after 3 hours.
If you made a mistake, just:
- stop The Banisher
- remove the badger files (the db.bdg folder)
- flush iptables
- add your own iptables rules (if needed)