barbara
Reads logs and, if the traffic doesn't pass muster, updates the pf table to block it.
Barbara is the name of our Romanian White Border Collie. She doesn't trust you on your first meeting; it can take months or even years before she feels secure enough to let you stroke her, and even then she might try to bite you. She errs on the side of caution, as does this Python3 script.
How it works
The idea is to block traffic before it gets to your servers. PF-Badhost does a good job of keeping baddies out, but it is always a few hours out of date and it doesn't stop everything. What gets through appears in the logs (in my case, the relayd logs) before being redirected to the actual web servers.
The Python script reads each log entry, extracts the domain name of the site requested, and checks whether the request is for a file type that is allowed for that website. If it is, the request passes; otherwise it is blocked.
So, for example, if you run a static site using only HTML and CSS and a PHP page is requested, that IP address will be blocked. The same goes for cgi-bin and so on.
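The check described above, as an added sketch that is not barbara's own code: it parses a log line, applies a per-site extension allow-list, and builds the `pfctl` command that would add the source address to a table. The log line format, the site names, the allow-lists and the table name `barbara_block` are all assumptions made for illustration; real relayd log lines look different and need their own pattern.

```python
import ipaddress
import re

# Hypothetical per-site allow-list; "" covers extensionless paths such as "/".
ALLOWED = {
    "static.example.org": {"", ".html", ".css", ".png", ".ico"},
    "blog.example.org": {"", ".html", ".css", ".php", ".jpg"},
}
PF_TABLE = "barbara_block"  # hypothetical pf table name

# Constructed, simplified line format (not relayd's exact output):
#   <client-ip> <host> "<METHOD> <target> HTTP/x.y"
LINE_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) HTTP/[\d.]+"$')

def verdict(line):
    """Return (ip, reason) if the client should be blocked, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: never block on a guess
    ip, host, _method, target = m.groups()
    try:
        ip = str(ipaddress.ip_address(ip))  # only real addresses reach pfctl
    except ValueError:
        return None
    allowed = ALLOWED.get(host.lower().split(":")[0])
    if allowed is None:
        return None  # no policy configured for this host (assumption: skip)
    path = target.split("?", 1)[0]  # ignore the query string
    name = path.rsplit("/", 1)[-1]
    if "cgi-bin" in path.split("/"):
        return ip, "cgi-bin request"
    # "/.env" counts as extension ".env", so dotfiles do not slip through as "".
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in allowed:
        return ip, f"extension {ext!r} not served by {host}"
    return None

def pfctl_args(ip):
    """argv that adds ip to the table; hand it to subprocess.run as root."""
    return ["pfctl", "-t", PF_TABLE, "-T", "add", ip]

SAMPLE = [  # constructed log lines using documentation address ranges
    '192.0.2.10 static.example.org "GET /index.html HTTP/1.1"',
    '198.51.100.7 static.example.org "GET /wp-login.php HTTP/1.1"',
    '203.0.113.5 blog.example.org "GET /cgi-bin/test.cgi HTTP/1.1"',
    '192.0.2.44 static.example.org "GET /style.css?v=2 HTTP/1.1"',
]

if __name__ == "__main__":
    for hit in filter(None, map(verdict, SAMPLE)):
        print(" ".join(pfctl_args(hit[0])), "#", hit[1])
```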
Fail2ban does this ...
It does, and it is a massive code base. I could try to get it working with relayd, but that would leave a whole load of code that I don't require sitting on my firewall. This project is aimed solely at OpenBSD, so it doesn't need abstractions for different operating systems and different firewalls and their native rule sets. Less code means fewer errors and less to maintain.