reaction/rust/example.json
2024-10-24 12:00:00 +02:00


{
"concurrency": 0,
"patterns": {
"ip": {
"ignore": [
"127.0.0.1",
"::1"
],
"regex": "(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"
}
},
"start": [
[
"ip46tables",
"-w",
"-N",
"reaction"
],
[
"ip46tables",
"-w",
"-I",
"INPUT",
"-p",
"all",
"-j",
"reaction"
],
[
"ip46tables",
"-w",
"-I",
"FORWARD",
"-p",
"all",
"-j",
"reaction"
]
],
"stop": [
[
"ip46tables",
"-w",
"-D",
"INPUT",
"-p",
"all",
"-j",
"reaction"
],
[
"ip46tables",
"-w",
"-D",
"FORWARD",
"-p",
"all",
"-j",
"reaction"
],
[
"ip46tables",
"-w",
"-F",
"reaction"
],
[
"ip46tables",
"-w",
"-X",
"reaction"
]
],
"streams": {
"ssh": {
"cmd": [
"journalctl",
"-n0",
"-fu",
"sshd.service"
],
"filters": {
"failedlogin": {
"actions": {
"ban": {
"cmd": [
"ip46tables",
"-w",
"-A",
"reaction",
"-s",
"<ip>",
"-j",
"DROP"
]
},
"unban": {
"after": "48h",
"cmd": [
"ip46tables",
"-w",
"-D",
"reaction",
"-s",
"<ip>",
"-j",
"DROP"
]
}
},
"regex": [
"authentication failure;.*rhost=<ip>",
"Failed password for .* from <ip>",
"Connection (reset|closed) by (authenticating|invalid) user .* <ip>"
],
"retry": 3,
"retryperiod": "6h"
}
}
}
}
}