{"id":46678806,"url":"https://github.com/greenpdx/crmonban","last_synced_at":"2026-03-08T23:36:00.355Z","repository":{"id":327874604,"uuid":"1110088090","full_name":"greenpdx/crmonban","owner":"greenpdx","description":"A security program uses nftables for monitoring, not logs so it can catch problems faster.","archived":false,"fork":false,"pushed_at":"2026-01-01T11:46:54.000Z","size":2741,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-04T03:35:51.022Z","etag":null,"topics":["audit","fail2ban","machine-learning","nftables","rust","security","siem"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/greenpdx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"support/firewall-viz/Cargo.toml","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-04T17:38:49.000Z","updated_at":"2026-01-01T11:46:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/greenpdx/crmonban","commit_stats":null,"previous_names":["greenpdx/crmonban"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/greenpdx/crmonban","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greenpdx%2Fcrmonban","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greenpdx%2Fcrmonban/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greenpdx%2Fcrmonban/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greenpdx%2Fcrmonban/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/greenpdx","download_url":"https://codeload.github.com/greenpdx/crmonban/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greenpdx%2Fcrmonban/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30277090,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-08T20:45:49.896Z","status":"ssl_error","status_checked_at":"2026-03-08T20:45:49.525Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","fail2ban","machine-learning","nftables","rust","security","siem"],"created_at":"2026-03-08T23:35:55.946Z","updated_at":"2026-03-08T23:36:00.343Z","avatar_url":"https://github.com/greenpdx.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CR Monban\n\n![TUX Monban](data/TUX_Monban.png)\n\nnftables-based intrusion prevention system with attacker intelligence gathering.\n\nA modern alternative to fail2ban/crowdsec that uses nftables directly and gathers comprehensive information about attackers.\n\n## Features\n\n- **nftables Integration** - Uses nftables sets for O(1) IP blocking (no iptables)\n- **Log Monitoring** - Real-time monitoring of auth.log, nginx, apache, postfix, dovecot\n- **Attacker Intelligence** - Automatically gathers:\n  - GeoIP location (country, city, coordinates)\n  - WHOIS data (organization, registrar, abuse contact)\n  - Reverse DNS\n  - ASN \u0026 ISP information\n  - Shodan data (optional, requires API key)\n  - AbuseIPDB threat score (optional, requires API key)\n- **SQLite Database** - Persistent storage for bans, events, intel, whitelist\n- **CLI Interface** - Full command-line management\n- **Daemon Mode** - Background monitoring with auto-banning\n- **Whitelist Support** - Protect trusted IPs from being banned\n- **D-Bus Interface** - External control and event notifications for integration with other applications\n- **Zone Support** - Zone-aware banning with trust levels and implicit whitelists\n- **eBPF Fast-Path** - Optional eBPF integration for sub-microsecond IP blocking\n- **Shared Whitelist** - Multiple whitelist sources (database, zones, files, networks)\n- **SIEM Export** - CEF, LEEF, Syslog (RFC 5424), and JSON formats\n\n## Installation\n\n### Build from source\n\n```bash\n# Clone the repository\ngit clone https://github.com/greenpdx/crmonban.git\ncd crmonban\n\n# Build\ncargo build --release\n\n# Install (optional)\nsudo cp target/release/crmonban /usr/local/bin/\n\n# Install D-Bus policy file\nsudo cp dbus/org.crmonban.Daemon.conf /usr/share/dbus-1/system.d/\nsudo systemctl reload dbus\n```\n\n### Dependencies\n\n- Rust 2024 edition\n- nftables (nft command must be available)\n- Linux kernel with nftables support\n- D-Bus (for D-Bus interface support)\n\n## Quick Start\n\n```bash\n# Generate default configuration\nsudo mkdir -p /etc/crmonban\ncrmonban gen-config -o /etc/crmonban/config.toml\n\n# Create database directory\nsudo mkdir -p /var/lib/crmonban\n\n# Initialize nftables table and sets\nsudo crmonban init\n\n# Start the daemon in foreground (for testing)\nsudo crmonban start -f\n\n# Or start as background daemon\nsudo crmonban start\n```\n\n## CLI Commands\n\n```\ncrmonban start [-f]              Start monitoring daemon (-f for foreground)\ncrmonban stop                    Stop the daemon\ncrmonban status                  Show daemon status\n\ncrmonban ban \u003cip\u003e [-d secs]      Ban an IP address (-d duration, 0=permanent)\ncrmonban unban \u003cip\u003e              Unban an IP address\ncrmonban list [-f format]        List active bans (table/json/simple)\n\ncrmonban intel \u003cip\u003e [-r] [-j]    Gather intel on IP (-r refresh, -j json)\n\ncrmonban whitelist add \u003cip\u003e      Add IP to whitelist\ncrmonban whitelist rm \u003cip\u003e       Remove IP from whitelist\ncrmonban whitelist list          List whitelisted IPs\n\ncrmonban logs [-l limit]         Show recent activity logs\ncrmonban stats                   Show attack statistics\n\ncrmonban init                    Initialize nftables configuration\ncrmonban flush --yes             Flush all bans (dangerous!)\ncrmonban gen-config [-o path]    Generate default configuration\n```\n\n## Configuration\n\nConfiguration file: `/etc/crmonban/config.toml`\n\n### General Settings\n\n```toml\n[general]\ndb_path = \"/var/lib/crmonban/crmonban.db\"\npid_file = \"/var/run/crmonban.pid\"\nlog_level = \"info\"              # trace, debug, info, warn, error\nauto_intel = true               # Gather intel automatically on ban\ndefault_ban_duration = 3600     # Default ban duration in seconds\n```\n\n### nftables Settings\n\n```toml\n[nftables]\ntable_name = \"crmonban\"\nchain_name = \"input\"\nset_v4 = \"blocked_v4\"\nset_v6 = \"blocked_v6\"\npriority = -100                 # Chain priority (lower = earlier)\n```\n\n### Intelligence Settings\n\n```toml\n[intel]\ngeoip_enabled = true\nrdns_enabled = true\nwhois_enabled = true\ntimeout_secs = 10\n\n# Optional API keys for enhanced intelligence\n# shodan_api_key = \"your-key\"\n# abuseipdb_api_key = \"your-key\"\n```\n\n### Service Monitoring\n\n```toml\n[services.ssh]\nenabled = true\nlog_path = \"/var/log/auth.log\"\nmax_failures = 5                # Failures before ban\nfind_time = 600                 # Time window (seconds)\nban_time = 3600                 # Ban duration (seconds)\n\n[[services.ssh.patterns]]\nname = \"failed_password\"\nregex = 'Failed password for .* from (?P\u003cip\u003e\\d+\\.\\d+\\.\\d+\\.\\d+)'\nevent_type = \"failed_auth\"\n\n[[services.ssh.patterns]]\nname = \"invalid_user\"\nregex = 'Invalid user .* from (?P\u003cip\u003e\\d+\\.\\d+\\.\\d+\\.\\d+)'\nevent_type = \"invalid_user\"\n```\n\n### Available Services\n\n- **ssh** - SSH authentication failures (enabled by default)\n- **nginx** - Rate limiting violations\n- **apache** - Authentication failures\n- **postfix** - SMTP authentication failures\n- **dovecot** - IMAP/POP3 authentication failures\n\n### D-Bus Settings\n\n```toml\n[dbus]\nenabled = true          # Enable D-Bus interface\nsystem_bus = true       # Use system bus (recommended for daemon)\n```\n\n## D-Bus Interface\n\ncrmonban exposes a D-Bus interface for external applications to control the daemon and receive events.\n\n**Service**: `org.crmonban.Daemon`\n**Object Path**: `/org/crmonban/Daemon`\n\n### Methods\n\n| Method | Parameters | Returns | Description |\n|--------|------------|---------|-------------|\n| `Status` | - | `StatusInfo` | Get daemon status |\n| `Ban` | `ip: String, duration_secs: u32, reason: String` | `bool` | Ban an IP address |\n| `Unban` | `ip: String` | `bool` | Unban an IP address |\n| `GetBans` | - | `Array\u003cBanInfo\u003e` | List active bans |\n| `IsBanned` | `ip: String` | `bool` | Check if IP is banned |\n\n### Properties\n\n| Property | Type | Description |\n|----------|------|-------------|\n| `Running` | `bool` | Always true if reachable |\n| `ActiveBanCount` | `u64` | Number of active bans |\n| `UptimeSeconds` | `u64` | Daemon uptime in seconds |\n| `EventsProcessed` | `u64` | Total events processed |\n\n### Signals\n\n| Signal | Parameters | Description |\n|--------|------------|-------------|\n| `BanAdded` | `ip, reason, source, duration_secs` | Emitted when an IP is banned |\n| `BanRemoved` | `ip, reason` | Emitted when an IP is unbanned |\n| `AttackDetected` | `ip, service, event_type` | Emitted on each detected attack |\n| `DaemonStarted` | - | Emitted when daemon starts |\n| `DaemonStopping` | - | Emitted when daemon is stopping |\n\n### Example: Monitor Events with dbus-monitor\n\n```bash\ndbus-monitor --system \"interface='org.crmonban.Daemon'\"\n```\n\n### Example: Query Status with busctl\n\n```bash\nbusctl call org.crmonban.Daemon /org/crmonban/Daemon org.crmonban.Daemon Status\n```\n\n## Advanced Configuration\n\n### Zone Configuration\n\n```toml\n[zones]\nenabled = true\nconfig_file = \"/etc/crmonban/zones.yaml\"\nwhitelist_threshold = 80                      # Trust level for implicit whitelist\n\n[[zones.zones]]\nname = \"internal\"\ntrust_level = 80\nnetworks = [\"10.0.0.0/8\", \"192.168.0.0/16\"]\nimplicit_whitelist = true\n\n[[zones.zones]]\nname = \"external\"\ntrust_level = 0\nnetworks = [\"0.0.0.0/0\"]\n```\n\n### SIEM Export\n\n```toml\n[siem]\nenabled = true\nformat = \"cef\"  # cef, leef, syslog, json\n\n[[siem.targets]]\ntype = \"file\"\npath = \"/var/log/crmonban/siem.log\"\n\n[[siem.targets]]\ntype = \"syslog\"\nsocket = \"/dev/log\"\n\n[[siem.targets]]\ntype = \"webhook\"\nurl = \"https://siem.example.com/api/events\"\nheaders = [[\"Authorization\", \"Bearer token\"]]\n```\n\n### eBPF Fast-Path Blocking\n\n```toml\n[ebpf]\nenabled = true\nmethod = \"mapfile\"        # mapfile, disabled (dbus requires crrouter feature)\nsync_interval_secs = 60   # Sync with nftables\nmax_entries = 10000\n\n# For mapfile method:\n[ebpf.method]\npath = \"/sys/fs/bpf/crmonban_blacklist\"\n```\n\n### Shared Whitelist\n\n```toml\n[whitelist]\nenabled = true\ncache_ttl_secs = 300\n\n[[whitelist.sources]]\ntype = \"database\"         # Local crmonban whitelist\n\n[[whitelist.sources]]\ntype = \"zones\"            # Zone-based implicit whitelist\n\n[[whitelist.sources]]\ntype = \"networks\"\nnetworks = [\"10.0.0.0/8\", \"172.16.0.0/12\"]\n\n[[whitelist.sources]]\ntype = \"file\"\npath = \"/etc/crmonban/whitelist.txt\"\nwatch = true\n\n[[whitelist.sources]]\ntype = \"daemon\"     # Query external daemon via D-Bus (requires crrouter feature)\n```\n\n### External Daemon Integration\n\nEnable the crmonban plugin in the external firewall daemon:\n\n```bash\n# Build with crmonban support\ncargo build --features crmonban\n\n# The plugin provides these JSON-RPC methods:\n# crmonban.status - Get crmonban daemon status\n# crmonban.bans   - List active bans\n# crmonban.ban    - Ban an IP\n# crmonban.unban  - Unban an IP\n# crmonban.sync   - Sync bans to eBPF\n```\n\n## nftables Structure\n\ncrmonban creates the following nftables structure:\n\n```\ntable inet crmonban {\n    set blocked_v4 {\n        type ipv4_addr\n        flags timeout\n    }\n\n    set blocked_v6 {\n        type ipv6_addr\n        flags timeout\n    }\n\n    chain input {\n        type filter hook input priority -100; policy accept;\n        ip saddr @blocked_v4 drop\n        ip6 saddr @blocked_v6 drop\n    }\n}\n```\n\n## Systemd Service\n\nCreate `/etc/systemd/system/crmonban.service`:\n\n```ini\n[Unit]\nDescription=crmonban intrusion prevention system\nAfter=network.target\n\n[Service]\nType=forking\nPIDFile=/var/run/crmonban.pid\nExecStart=/usr/local/bin/crmonban start\nExecStop=/usr/local/bin/crmonban stop\nExecReload=/bin/kill -HUP $MAINPID\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n```\n\nEnable and start:\n\n```bash\nsudo systemctl enable crmonban\nsudo systemctl start crmonban\n```\n\n## Examples\n\n### Manual ban with 24-hour duration\n\n```bash\nsudo crmonban ban 192.168.1.100 -d 86400 -r \"Port scanning\"\n```\n\n### Gather intelligence on an IP\n\n```bash\ncrmonban intel 8.8.8.8\n```\n\nOutput:\n```\nIP: 8.8.8.8\nGathered: 2024-01-15 10:30:00 UTC\n\n--- Location ---\nCountry: United States (US)\nCity: Mountain View, California\nCoordinates: 37.4056, -122.0775\nTimezone: America/Los_Angeles\n\n--- Network ---\nASN: AS15169 (Google LLC)\nISP: Google LLC\nReverse DNS: dns.google\n\n--- Flags ---\n⚠ Hosting/Datacenter\n```\n\n### View attack statistics\n\n```bash\ncrmonban stats\n```\n\n### Whitelist a trusted server\n\n```bash\nsudo crmonban whitelist add 10.0.0.1 -c \"Internal monitoring server\"\n```\n\n## Architecture\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                        crmonban                              │\n├─────────────────────────────────────────────────────────────┤\n│  CLI Interface                                               │\n│  ├── ban/unban/list                                         │\n│  ├── whitelist management                                   │\n│  ├── intel gathering                                        │\n│  └── statistics                                             │\n├─────────────────────────────────────────────────────────────┤\n│  Daemon                                                      │\n│  ├── Log Monitor (watches files, matches patterns)          │\n│  ├── Event Processor (counts failures, triggers bans)       │\n│  ├── Intel Gatherer (GeoIP, WHOIS, rDNS)                   │\n│  └── Cleanup Task (removes expired bans)                    │\n├─────────────────────────────────────────────────────────────┤\n│  Firewall (nftables)              │  Database (SQLite)      │\n│  ├── Table: crmonban              │  ├── bans               │\n│  ├── Sets: blocked_v4/v6          │  ├── events             │\n│  └── Chain: input                 │  ├── intel              │\n│                                   │  ├── whitelist          │\n│                                   │  └── activity_log       │\n└─────────────────────────────────────────────────────────────┘\n```\n\n## License\n\nLGPL 2\n\n## Contributing\n\nContributions welcome! Please open issues or pull requests on GitHub.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgreenpdx%2Fcrmonban","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgreenpdx%2Fcrmonban","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgreenpdx%2Fcrmonban/lists"}