{"id":13983939,"url":"https://github.com/toorop/banisher","last_synced_at":"2025-04-07T09:34:20.974Z","repository":{"id":64712253,"uuid":"180741683","full_name":"toorop/banisher","owner":"toorop","description":"The Banisher watches your systemd journal and bans, with no delay, abusers.","archived":false,"fork":false,"pushed_at":"2022-12-29T11:51:18.000Z","size":1765,"stargazers_count":32,"open_issues_count":2,"forks_count":9,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-08-09T05:10:03.501Z","etag":null,"topics":["antiddos","ddos-attacks","ddos-protection","easy-to-use","fail2ban","golang","ids","ips","lightweight","monitoring","realtime"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/toorop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-04-11T07:48:43.000Z","updated_at":"2023-10-03T12:11:45.000Z","dependencies_parsed_at":"2022-12-14T22:15:03.549Z","dependency_job_id":null,"html_url":"https://github.com/toorop/banisher","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toorop%2Fbanisher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toorop%2Fbanisher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toorop%2Fbanisher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toorop%2Fbanisher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/toorop","download_url":"https://codeload.github.com/toorop/banisher/tar
.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223276848,"owners_count":17118422,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antiddos","ddos-attacks","ddos-protection","easy-to-use","fail2ban","golang","ids","ips","lightweight","monitoring","realtime"],"created_at":"2024-08-09T05:02:01.676Z","updated_at":"2024-11-06T03:27:48.330Z","avatar_url":"https://github.com/toorop.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# The Banisher\n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"330\" height=\"330\" src=\"/etc/banisher.png\"\u003e\n\u003c/p\u003e\n\nThe Banisher watches your systemd journal in real time and bans, via ipset and iptables, hosts that match your rules.\n\nBy default, hosts (IPs) are banished for 1 hour (configurable in config.yml).\n\nThe Banisher keeps the state of banished IPs in a key-value store ([badger](https://github.com/dgraph-io/badger)).\n\n## Getting started\n\n__WARNING: The Banisher works only with logs handled by the systemd journal and is currently only available for 64-bit Linux.__\n\n### Installing\n\n#### Without the debian package\n\n1. Download the latest binary from the [releases section](https://github.com/olarriga/banisher/releases).\n2. Set the exec flag (`chmod +x banisher`).\n3. Create a [YAML](https://en.wikipedia.org/wiki/YAML) file named `config.yml` in the same directory as The Banisher binary to define the configuration.\n4. Start The Banisher (`./banisher`).\n\n#### With the debian package\n\n1. Download the latest debian package from the [releases section](https://github.com/olarriga/banisher/releases).\n2. Modify the /etc/banisher.yml file to define the configuration according to your needs.\n3. Restart The Banisher (`systemctl restart banisher`).\n\n### Config\n\nHere is a sample:\n\n```yaml\n# default banishment duration in seconds\ndefaultBanishmentDuration: 3600\n\n# whitelisted IPs (never banned)\nwhitelist:\n  - 178.22.51.92\n  - 142.93.11.10\n\n# rules\nrules:\n  - name: dovecot\n    match: .*imap-login:.*auth failed,.*\n    IPpos: 0\n\n  - name: ssh\n    match: Failed password.*ssh2\n    IPpos: 0\n```\n\nWhere:\n\n- __defaultBanishmentDuration__: the period, in seconds, during which an IP stays banned once it matches a rule.\n\n- __whitelist__: a list of IPs that must never be banned. Put your own management addresses here: a rule that happens to match one of your own log lines would otherwise lock you out.\n\n- __rules__: your Banisher rules.\n\nA rule has three properties:\n- __name__: the name of the rule (amazing, I know!)\n- __match__: a regular expression. If a log line matches this regex, The Banisher bans the IP address found in that line.\n- __IPpos__: as some log lines contain multiple IPs, this property indicates which one to ban, counting the IPs found in the line from left to right. __Warning__: the index starts at 0, so to ban the first IP found, IPpos must be 0. Be careful with fields an attacker can influence that appear before the real source address (the user name in the sshd line below, for instance): whatever sits at position IPpos is what gets banned.\n\nAnd... that's it.\n\nHere are some sample rules:\n\n##### SSH\n\nA failed auth attempt appears in the log as:\n\n```text\nFailed password for invalid user mrpresidentmanu from XXX.XXX.XXX.XXX port 47092 ssh2\n```\n\nHere is the corresponding rule:\n\n```yaml\n- name: ssh\n  match: Failed password.*ssh2\n  IPpos: 0\n```\n\n##### Dovecot IMAP\n\nThe log line for a [Dovecot](https://www.dovecot.org/) authentication failure looks like:\n\n```text\nimap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=\u003ctobe@rnotto.be\u003e, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=YYY.YYY.YYY.YYY, TLS: Disconnected, session=\u003cn48ImrmGRP6xth/K\u003e\n```\n\nHere is the corresponding rule:\n\n```yaml\n- name: dovecot-imap\n  match: .*imap-login:.*auth failed,.*\n  IPpos: 0\n```\n\nIPpos is 0 because the remote address (`rip`) comes first in the line; `lip`, at position 1, is your own server address, so an IPpos of 1 would ban yourself.\n\nYes, I know, it seems too easy to be real.\n\n#### Multiple rules?\n\nOf course you can have multiple rules in your config file: list them under the `rules` key and do not forget the `-` preceding the `name` property of each rule.\n\nFor example, if you want those two rules, the `rules` section of your config file will be:\n\n```yaml\nrules:\n  - name: ssh\n    match: Failed password.*ssh2\n    IPpos: 0\n\n  - name: dovecot-imap\n    match: .*imap-login:.*auth failed,.*\n    IPpos: 0\n```\n\n## And what can I do if something goes wrong?\n\nAn iptables rule is automatically removed after defaultBanishmentDuration (defined in your config file).\n\nIf you made a mistake, just:\n\n- stop The Banisher\n- remove the badger files (the db.bdg folder)\n- flush the iptables INPUT chain: `iptables -F INPUT`\n- add your own iptables rules (if needed)\n\nNote that `iptables -F INPUT` removes every rule in the chain, not only those added by The Banisher; if your INPUT policy is DROP, do this from a console or re-add your own rules right away.\n\n## Build\n\n### Prerequisites\n\n- [Task](https://taskfile.dev/) is used for compilation, with a Docker image to handle glibc version issues and keep The Banisher compatible with debian buster and bullseye (debian 10 and 11).\n- To compile without the Docker image, the libsystemd0 library is needed (for debian-like systems: `sudo apt install libsystemd-dev`).\n- The Banisher is dynamically linked with glibc.\n\n### Build commands\n\n- Compile The Banisher without the Docker image: `task build`\n- Generate the Docker image to compile The Banisher: `task generate-docker-image`\n- Compile The Banisher with the Docker image: `task build-with-docker`\n- Generate the debian package: `task package`\n\nThe binaries will be in the \"dist\" folder.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoorop%2Fbanisher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftoorop%2Fbanisher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoorop%2Fbanisher/lists"}
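The rule evaluation the README describes (regex match, IPpos selecting one of the addresses found on the line, the whitelist, and a ban that expires after defaultBanishmentDuration), as an added Go example written for this page. It is not The Banisher's own source: it models the decision only, reads no journal and touches neither ipset nor iptables, and the type and function names (`Banisher`, `ExtractIPs`, `Evaluate`, `IsBanned`) are this example's own. The log lines are constructed in the shape the README shows, with addresses from the RFC 5737 documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
	"time"
)

// Rule mirrors the three properties of a Banisher rule in config.yml.
type Rule struct {
	Name  string
	Match *regexp.Regexp
	IPpos int
}

// Banisher is an illustrative in-memory model of the decision logic only.
type Banisher struct {
	Rules     []Rule
	Whitelist map[netip.Addr]bool
	Duration  time.Duration            // defaultBanishmentDuration
	Bans      map[netip.Addr]time.Time // banned address -> expiry
}

// NewBanisher builds the model from values shaped like the sample config.yml.
func NewBanisher(rules []Rule, whitelist []string, d time.Duration) *Banisher {
	b := &Banisher{Rules: rules, Whitelist: map[netip.Addr]bool{}, Duration: d, Bans: map[netip.Addr]time.Time{}}
	for _, w := range whitelist {
		b.Whitelist[netip.MustParseAddr(w)] = true
	}
	return b
}

// ExtractIPs returns every token of the line that parses as an IP address,
// left to right, which is the order IPpos indexes into. Tokens such as
// "rip=198.51.100.7," or "<2001:db8::1>" are unwrapped before parsing.
func ExtractIPs(line string) []netip.Addr {
	var ips []netip.Addr
	for _, tok := range strings.Fields(line) {
		if i := strings.LastIndex(tok, "="); i >= 0 {
			tok = tok[i+1:]
		}
		tok = strings.Trim(tok, "<>[](),;")
		if ip, err := netip.ParseAddr(tok); err == nil {
			ips = append(ips, ip)
		}
	}
	return ips
}

// Evaluate applies the rules to one log line. It returns the address selected
// by IPpos, the rule that fired, and whether a ban was actually placed
// (false for whitelisted addresses and for lines no rule matches).
func (b *Banisher) Evaluate(line string, now time.Time) (netip.Addr, string, bool) {
	for _, r := range b.Rules {
		if !r.Match.MatchString(line) {
			continue
		}
		ips := ExtractIPs(line)
		if r.IPpos >= len(ips) {
			continue // fewer addresses on the line than IPpos expects: nothing to ban
		}
		ip := ips[r.IPpos]
		if b.Whitelist[ip] {
			return ip, r.Name, false
		}
		b.Bans[ip] = now.Add(b.Duration)
		return ip, r.Name, true
	}
	return netip.Addr{}, "", false
}

// IsBanned reports whether ip is currently banned. An expired ban is dropped
// here, which is the point where the real program removes the firewall entry.
func (b *Banisher) IsBanned(ip netip.Addr, now time.Time) bool {
	exp, ok := b.Bans[ip]
	if !ok {
		return false
	}
	if !now.Before(exp) {
		delete(b.Bans, ip)
		return false
	}
	return true
}

// SampleRules are the two rules from the README's config sample.
func SampleRules() []Rule {
	return []Rule{
		{Name: "dovecot", Match: regexp.MustCompile(`.*imap-login:.*auth failed,.*`), IPpos: 0},
		{Name: "ssh", Match: regexp.MustCompile(`Failed password.*ssh2`), IPpos: 0},
	}
}

func main() {
	// Constructed log lines; 192.0.2.10 plays the role of our own server and is whitelisted.
	lines := []string{
		"Failed password for invalid user mrpresidentmanu from 203.0.113.45 port 47092 ssh2",
		"imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<tobe@rnotto.be>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS: Disconnected, session=<n48ImrmGRP6xth/K>",
		"Failed password for root from 192.0.2.10 port 2222 ssh2",
		"Failed password for invalid user 192.0.2.99 from 203.0.113.46 port 51234 ssh2",
	}
	b := NewBanisher(SampleRules(), []string{"192.0.2.10"}, time.Hour)
	now := time.Now()
	for _, l := range lines {
		ip, rule, banned := b.Evaluate(l, now)
		fmt.Printf("rule=%-8s ip=%-15s banned=%v\n", rule, ip, banned)
	}
	a := netip.MustParseAddr("203.0.113.45")
	fmt.Println("still banned after 59m:", b.IsBanned(a, now.Add(59*time.Minute)))
	fmt.Println("still banned after 61m:", b.IsBanned(a, now.Add(61*time.Minute)))
}
```

The last constructed line is the caveat from the IPpos description made concrete: the attacker-chosen user name `192.0.2.99` is the first address on the line, so IPpos 0 bans that address rather than the real source `203.0.113.46`. The whitelist protects only the addresses listed in it, which is why your own management addresses belong there.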