The Banisher watches your systemd journal and bans, with no delay, abusers.
The Banisher

The Banisher watches your systemd journal in real time and bans, via iptables, hosts that match your rules.

Currently hosts (IP addresses) are banished for 3 hours.

The Banisher keeps the state of banished IPs in a key-value store (badger).

Getting started

WARNING: The Banisher works only with logs handled by the systemd journal and is currently only available for 64-bit Linux.

Installing

Just download the latest binary from the releases section.

Config

In the same directory as The Banisher binary, create a YAML file named config.yml.

Here is a sample:

# default banishment duration in seconds
defaultBanishmentDuration: 3600

# whitelisted IP
whitelist:
  - 178.22.51.92
  - 142.93.11.10

# rules
rules:
  - name: dovecot
    match: .*imap-login:.*auth failed,.*
    IPpos: 0

  - name: ssh
    match: Failed password.*ssh2
    IPpos: 0

Where:

  • defaultBanishmentDuration: the period in seconds during which an IP will be banned if it matches a rule.

  • whitelist: a list of IPs that must never be banned.

  • rules: your Banisher rules.

A rule has three properties:

  • name: the name of the rule (whaoo amazing!)
  • match: a regular expression. If a log line matches this regex, The Banisher will ban the IP address found in this line.
  • IPpos: as some log lines may contain multiple IPs, this property indicates which IP to ban. Warning: indexes start at 0, so if you want to ban the first IP found (left to right), IPpos must be 0.

And... that's it.

Here are some sample rules:

SSH

A failed auth attempt appears in the log as the following line:

Failed password for invalid user mrpresidentmanu from XXX.XXX.XXX.XXX port 47092 ssh2

Here is the corresponding rule:

- name: ssh
  match: Failed password.*ssh2
  IPpos: 0

Dovecot IMAP

The log line for a Dovecot authentication failure looks like:

imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<tobe@rnotto.be>, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=YYY.YYY.YYY.YYY, TLS: Disconnected, session=<n48ImrmGRP6xth/K>

Here is the corresponding rule:

- name: dovecot-imap
  match: .*imap-login:.*auth failed,.*
  IPpos: 0

Yes, I know, it seems too easy to be real.
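
To make the match/IPpos mechanics concrete, here is a small Go evaluator, added as an illustration and not the project's own parser, run over constructed journal lines modelled on the SSH and Dovecot samples above (documentation IP ranges). It assumes that the first matching rule wins and that candidate addresses are found by a plain left-to-right dotted-quad scan, which may differ from how The Banisher itself does it; whitelisted addresses are reported but not banned.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule mirrors the three properties of a Banisher rule: name, match and IPpos.
type Rule struct {
	Name  string
	Match *regexp.Regexp
	IPpos int
}

// Dotted-quad candidates are collected left to right, matching the IPpos ordering in the README.
var ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// Evaluate checks one journal line against the rules (first matching rule wins; an assumption,
// not necessarily the project's behaviour) and reports the IP at IPpos and whether it gets banned.
func Evaluate(line string, rules []Rule, whitelist map[string]bool) (name, ip string, ban bool) {
	for _, r := range rules {
		if !r.Match.MatchString(line) {
			continue
		}
		ips := ipv4Re.FindAllString(line, -1)
		if r.IPpos < 0 || r.IPpos >= len(ips) {
			return r.Name, "", false // rule matched but there is no IP at that index
		}
		return r.Name, ips[r.IPpos], !whitelist[ips[r.IPpos]]
	}
	return "", "", false
}

func main() {
	rules := []Rule{
		{"ssh", regexp.MustCompile(`Failed password.*ssh2`), 0},
		{"dovecot-imap", regexp.MustCompile(`.*imap-login:.*auth failed,.*`), 0},
	}
	whitelist := map[string]bool{"178.22.51.92": true}
	for _, l := range []string{ // constructed sample lines using documentation IP ranges
		"Failed password for invalid user mrpresidentmanu from 192.0.2.10 port 47092 ssh2",
		"imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<u@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS: Disconnected, session=<x>",
		"Failed password for root from 178.22.51.92 port 2222 ssh2",
	} {
		n, ip, ban := Evaluate(l, rules, whitelist)
		fmt.Printf("rule=%q ip=%q ban=%v\n", n, ip, ban)
	}
}
```

Note that with the Dovecot line, IPpos 0 selects the remote address (rip=) and IPpos 1 would select your own server's lip= address, which is exactly the mistake the README's warning about 0-based indexes is guarding against.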

Multiple rules?

Of course you can have multiple rules in your rules.yml; just don't forget the - prepended to the name property of each rule.

For example if you want those two rules, your rules.yml will be:

- name: ssh
  match: Failed password.*ssh2
  IPpos: 0

- name: dovecot-imap
  match: .*imap-login:.*auth failed,.*
  IPpos: 0

Launch

You have downloaded the Banisher binary?
You have set the exec flag (chmod +x banisher)?
You have set up your rules?

Let's go!

Just run:

./banisher
2019/04/17 16:19:12 dovecot: 183.82.32.153 banned
2019/04/17 16:19:12 ssh: 104.236.246.16 banned
2019/04/17 16:19:13 dovecot: 178.150.194.243 banned
2019/04/17 16:19:15 ssh: 51.77.213.181 banned
2019/04/17 16:19:20 ssh: 193.169.39.254 banned
2019/04/17 16:19:20 ssh: 82.200.65.218 banned
2019/04/17 16:19:21 ssh: 178.128.84.246 banned
2019/04/17 16:19:21 ssh: 190.145.55.89 banned
2019/04/17 16:19:21 ssh: 211.21.154.4 banned

Of course you can configure systemd to manage The Banisher binary (doc is coming).

And what can I do if something goes wrong!!!

iptables rules are automatically removed after 3 hours.

If you made a mistake, just:

  • stop The Banisher
  • remove the badger files (the db.bdg folder)
  • flush iptables: iptables -F
  • add your own iptables rules (if needed)