Fast fail2ban-like tools for parsing nginx logs

Overview

Fast2ban

This is a simple fail2ban-like replacement written in Rust.

Usage:

./fast2ban # reads default config.toml from current directory
./fast2ban <config.toml location>

Emits a list of suspicious IPs to stdout, one per line, and some information to stderr:

Using config file config.toml
Config: Config {
    log_file: "nginx.log",
    log_regex: "^(?P<ip>\\d+\\.\\d+\\.\\d+\\.\\d+) - [^ ]+ \\[(?P<DT>[^\\]]+)\\]",
    requests: 30,
    period: 30,
    date_format: "%d/%B/%Y:%H:%M:%S %z",
}
elapsed 398 ms, 100000 lines parsed, 0 datetime errors, 251256.28140703516 lines/s, banned = 565/3498

Configuration

Example config.toml:

# log file to parse. Pass '-' to use stdin
log_file = 'nginx.log'

# regexp for parsing the log file. Must contain the groups <ip> and <DT>; other groups are ignored for now
log_regex = '^(?P<ip>\d+\.\d+\.\d+\.\d+) - [^ ]+ \[(?P<DT>[^\]]+)\] "(\w+) (?P<addr>[^ ]*) HTTP/[\d.]+" (?P<code>\d+) \d+ "[^"]+" "[^"]+" "(?P<UA>[^"]+)'

# maximum number of requests for specific IP for specific time period
requests = 30

# time period in seconds
period = 30

# date format (see https://docs.rs/chrono/0.4.19/chrono/format/strftime/index.html for syntax).
# Note that the timezone is required, because parsing uses https://docs.rs/chrono/0.4.19/chrono/struct.DateTime.html#method.parse_from_str
date_format = '%d/%B/%Y:%H:%M:%S %z'

Using IPset to efficiently ban IPs

IPset is a fast and efficient way to ban IPs (compared to banning them one by one via separate iptables rules).

  1. Create the IPset set:
ipset create banner hash:ip
  2. Create an iptables rule that drops traffic from IPs in the set:
iptables -I INPUT -p tcp -m multiport --dports 80,443 -m set --match-set banner src -j DROP
  3. Run something like this periodically:
# get last queries
tail -n 500000 /var/log/nginx/access.log | grep '/ HTTP/' > nginx.log
# create suspicious IPs list
./fast2ban > ips.txt
# create restore file for IPset
cat ips.txt | xargs -n1 echo add banner > ipset-restore.txt
# add IPs to IPset
ipset restore -exist < ipset-restore.txt

# or in single line:
tail -n 500000 /var/log/nginx/access.log | grep '/ HTTP/' > nginx.log && ./fast2ban | xargs -n1 echo add banner | ipset restore -exist

# or if using log_file = '-' to read from stdin:
tail -n 500000 /var/log/nginx/access.log | grep '/ HTTP/' | ./fast2ban | xargs -n1 echo add banner | ipset restore -exist
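The following is an added illustration of what the Configuration and IPset sections describe, not fast2ban's own code: it applies the page's `log_regex`, `requests`, `period` and `date_format` to a few constructed nginx lines, counts hits per IP in a sliding window, and turns the result into the `add banner <ip>` lines that `ipset restore` consumes. Two things are assumptions rather than documented behaviour: that fast2ban bans when more than `requests` hits fall into any `period`-second sliding window, and that lines which do not match the regex are simply skipped. The date format is written with `%b` because Python's `strptime` only accepts nginx's abbreviated month name that way, whereas chrono's `%B` accepts it in parsing.

```python
"""fast2ban-style analysis of nginx access logs (added example, not the project's code)."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Values copied from the example config.toml on this page.
LOG_REGEX = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) - [^ ]+ \[(?P<DT>[^\]]+)\] "(\w+) (?P<addr>[^ ]*) HTTP/[\d.]+" '
    r'(?P<code>\d+) \d+ "[^"]+" "[^"]+" "(?P<UA>[^"]+)'
)
REQUESTS = 30  # maximum requests allowed per IP within PERIOD
PERIOD = 30    # seconds
# chrono's %B also accepts the abbreviated month nginx writes ("May");
# Python's strptime needs %b for that, so the page's format is adjusted here.
DATE_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line, regex=LOG_REGEX, date_format=DATE_FORMAT):
    """Return (ip, unix_timestamp), or None when the line does not match the regex.

    Raises ValueError when the line matches but its <DT> group cannot be parsed
    (the tool reports these separately as "datetime errors" on stderr)."""
    m = regex.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("DT"), date_format).timestamp()
    return m.group("ip"), ts


def find_banned(lines, requests=REQUESTS, period=PERIOD):
    """Return (sorted list of IPs to ban, stats dict).

    Assumed semantics: an IP is banned as soon as any sliding window of `period`
    seconds contains more than `requests` hits."""
    hits = defaultdict(list)
    stats = {"lines": 0, "unmatched": 0, "datetime_errors": 0}
    for line in lines:
        stats["lines"] += 1
        try:
            parsed = parse_line(line)
        except ValueError:
            stats["datetime_errors"] += 1
            continue
        if parsed is None:
            stats["unmatched"] += 1
            continue
        ip, ts = parsed
        hits[ip].append(ts)

    banned = []
    for ip, times in hits.items():
        times.sort()  # tolerate slightly out-of-order log lines
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > period:  # shrink window to `period` seconds
                start += 1
            if end - start + 1 > requests:
                banned.append(ip)
                break
    stats["ips"] = len(hits)
    return sorted(banned), stats


def ipset_restore_lines(ips, setname="banner"):
    """Same text that `xargs -n1 echo add banner` produces in the IPset section."""
    return [f"add {setname} {ip}" for ip in ips]


def sample_log():
    """Constructed nginx lines. They carry three quoted fields after the byte count,
    which the page's regex requires (nginx's common `main` format with $http_x_forwarded_for)."""
    t0 = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path="/"):
        when = (t0 + timedelta(seconds=offset)).strftime(DATE_FORMAT)
        return f'{ip} - - [{when}] "GET {path} HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"'

    lines = []
    lines += [line("203.0.113.7", i * 0.5) for i in range(31)]  # 31 hits in 15 s: banned
    lines += [line("192.0.2.9", i * 2) for i in range(31)]      # 31 hits over 60 s, at most 16 per window: kept
    lines += [line("198.51.100.2", i * 10) for i in range(5)]   # 5 hits: kept
    lines.append('203.0.113.7 - - [32/May/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"')  # datetime error
    lines.append('198.51.100.2 - - [01/May/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"')   # plain combined format: no match
    return lines


if __name__ == "__main__":
    banned, stats = find_banned(sample_log())
    print("\n".join(ipset_restore_lines(banned)))
    print(f"{stats['lines']} lines, {stats['unmatched']} unmatched, "
          f"{stats['datetime_errors']} datetime errors, banned = {len(banned)}/{stats['ips']}", file=sys.stderr)
```

The second IP shows why the window matters: it sends more than `requests` hits in total, but never more than 16 inside any 30-second window, so it is left alone. The last constructed line also shows a practical caveat of the page's regex: a log written in nginx's default `combined` format has only two quoted fields after the byte count and will not match at all, so the IP's hits silently vanish from the count.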