From 3cce8ac9630e5715cb3150254ea9187e359d4cce Mon Sep 17 00:00:00 2001 From: Jez Caudle Date: Thu, 1 Feb 2024 11:58:54 +0000 Subject: [PATCH] More md changes --- README.md | 127 +++++++++++++++++++++++++++--------------------------- 1 file changed, 64 insertions(+), 63 deletions(-) diff --git a/README.md b/README.md index c67cc2d..4a28449 100644 --- a/README.md +++ b/README.md 
@@ -13,79 +13,80 @@ Copyright (c) Jez Caudle 2024 onwards with the same license as above. # Fresh Installation Guide -1. Create a new user (we'll call ours "_pfbadhost"): -The user should be created with a default shell of "nologin", home folder +Create a new user (we'll call ours "_pfbadhost"). The user should be created with a default shell of "nologin", home folder set to /var/empty/ with no password specified (disables password logins) -# useradd -s /sbin/nologin -d /var/empty _pfbadhost +``` +useradd -s /sbin/nologin -d /var/empty _pfbadhost +``` -2) Download script: - $ ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh +2. Download script from https://git.sr.ht/~jezcaudle/pfbadhost-fork/tree/main/item/pf-badhost.sh -3) Install script with appropriate permissions: - # install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost +3. Install script with appropriate permissions +``` +install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost +``` +4. Create required files: +``` +install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt +install -d -m 755 -o root -g wheel /var/log/pf-badhost +install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log +install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz +``` +5. OPTIONAL: Install RipGrep and mawk for greatly improved performance. Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected. +``` +pkg_add ripgrep mawk +``` -4) Create required files: - # install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt - # install -d -m 755 -o root -g wheel /var/log/pf-badhost - # install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log - # install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz +6. Give user "_pfbadhost" strict doas permission for the exact commands the script needs run as superuser. 
NOTE: Unlike "sudo", _ALL_ users must be explicitly granted permission to use doas, even the root user. -5) OPTIONAL: Install RipGrep and mawk for greatly improved performance: - Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected. - # pkg_add ripgrep mawk +``` +cat /etc/doas.conf +... +permit root +permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf +permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt +# Optional rule for authlog scanning +permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz +... +``` -6) Give user "_pfbadhost" strict doas permission for the exact commands the - script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be - explicitly granted permission to use doas, even the root user. - - $ cat /etc/doas.conf - ... - permit root - permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf - permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt - # Optional rule for authlog scanning - permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz - ... +7. Add the following lines to your pf.conf (Putting it higher-up/earlier in the ruleset is recommended): +``` +... +table persist file "/etc/pf-badhost.txt" +block in quick on egress from +block out quick on egress to +... +``` -7) Add the following lines to your pf.conf: - (Putting it higher-up/earlier in the ruleset is recommended) - ... - table persist file "/etc/pf-badhost.txt" - block in quick on egress from - block out quick on egress to - ... +8. To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with your text editor of choice and find the "User Configuration Area" near the top of the file where you can enable features by setting their value to "1". 
-8) To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, - Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with - your text editor of choice and find the "User Configuration Area" near the top - of the file where you can enable features by setting their value to "1" - --- - Most options can also be configured via command line flags. See man page for more details. - --- - See the "Notes" section below for more info on installing optional utilities. +Most options can also be configured via command line flags. See man page for more details. -9) Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument: - # doas -u _pfbadhost pf-badhost -O openbsd +See the "Notes" section below for more info on installing optional utilities. -10) Reload your pf rule set: - # pfctl -f /etc/pf.conf +9. Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument: +``` +doas -u _pfbadhost pf-badhost +``` -11) For good measure, we'll run pf-badhost once more: - # doas -u _pfbadhost pf-badhost -O openbsd - -12) Edit _pfbadhost users crontab to run pf-badhost every night: - # crontab -u _pfbadhost -e - ... - ~ 0~1 * * * -s pf-badhost -O openbsd - ... +10. Reload your pf rule set: +``` +pfctl -f /etc/pf.conf +``` -Note: - If you're running an OpenBSD release older than 6.7 you'll have to use a workaround: - ... - @daily sleep $(echo $((RANDOM\%7200+1))) ; pf-badhost -O openbsd - ... - Please see the crontab(5) man page for further info +11. For good measure, we'll run pf-badhost once more: +``` +doas -u _pfbadhost pf-badhost +``` +12. Edit _pfbadhost users crontab to run pf-badhost every night: +``` +crontab -u _pfbadhost -e +... +~ 0~1 * * * -s pf-badhost -O openbsd +... +``` Yay! pf-badhost is now installed! 
@@ -99,9 +100,9 @@ To receive notification of new pf-badhost releases and updates please send an em to 'announce@geoghegan.ca' with a subject line and body of "subscribe pf-badhost" -################################################################### -# Post Install Notes: -################################################################### + +## Post Install Notes: + X) To add custom rules or enable features, or add alternate blocklists, See the "User Configuration Area" located at the top of the script.
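Review bot: Steps 9 and 11 of the first hunk (`@@ -13,79 +13,80 @@`) drop the `-O openbsd` argument, leaving `doas -u _pfbadhost pf-badhost`, while the step 9 text still says to run it 'using the "-O openbsd" argument' and the step 12 crontab entry still passes `-O openbsd`; either restore the flag in both commands or reword step 9 and the crontab line so all three agree. The first step also lost its `1.` prefix, so the renumbered list now starts at `2.`; prefix the "Create a new user" paragraph with `1.`. In the step 7 pf.conf snippet, `table persist file "/etc/pf-badhost.txt"` and `block in quick on egress from` / `block out quick on egress to` name no table, whereas the step 6 doas rule loads it as `-t pfbadhost`; check whether the angle-bracketed table name used in pf.conf syntax was dropped, since markdown treats a bare `<name>` outside a fenced block as an HTML tag and hides it. Finally, the hunk removes the "OpenBSD release older than 6.7" crontab workaround and the crontab(5) pointer, which the commit message ("More md changes") does not mention; if the removal is intentional, say so in the message, otherwise keep that note under step 12.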
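Review bot: The new `## Post Install Notes:` heading in the second hunk (`@@ -99,9 +100,9 @@`) keeps the trailing colon from the old `#` banner, while the `# Fresh Installation Guide` heading above has none; drop the colon for consistency. The item that follows still uses the `X)` label style even though the install guide was converted to `N.` numbering in this same commit; either convert these items too or note that the post-install items are deliberately unnumbered.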