More md changes

Jez Caudle 2024-02-01 11:58:54 +00:00
parent b7d28713c7
commit 3cce8ac963

README.md

@ -13,79 +13,80 @@ Copyright (c) Jez Caudle 2024 onwards with the same license as above.
# Fresh Installation Guide # Fresh Installation Guide
1. Create a new user (we'll call ours "_pfbadhost"): Create a new user (we'll call ours "_pfbadhost"). The user should be created with a default shell of "nologin", home folder
The user should be created with a default shell of "nologin", home folder
set to /var/empty/ with no password specified (disables password logins) set to /var/empty/ with no password specified (disables password logins)
# useradd -s /sbin/nologin -d /var/empty _pfbadhost ```
useradd -s /sbin/nologin -d /var/empty _pfbadhost
```
2) Download script: 2. Download script from https://git.sr.ht/~jezcaudle/pfbadhost-fork/tree/main/item/pf-badhost.sh
$ ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
3) Install script with appropriate permissions: 3. Install script with appropriate permissions
# install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost ```
install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
```
4. Create required files:
```
install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
install -d -m 755 -o root -g wheel /var/log/pf-badhost
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
```
5. OPTIONAL: Install RipGrep and mawk for greatly improved performance. Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected.
```
pkg_add ripgrep mawk
```
4) Create required files: 6. Give user "_pfbadhost" strict doas permission for the exact commands the script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be explicitly granted permission to use doas, even the root user.
# install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
# install -d -m 755 -o root -g wheel /var/log/pf-badhost
# install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
# install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
5) OPTIONAL: Install RipGrep and mawk for greatly improved performance: ```
Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected. cat /etc/doas.conf
# pkg_add ripgrep mawk ...
permit root
permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
# Optional rule for authlog scanning
permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
...
```
6) Give user "_pfbadhost" strict doas permission for the exact commands the 7. Add the following lines to your pf.conf (Putting it higher-up/earlier in the ruleset is recommended):
script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be ```
explicitly granted permission to use doas, even the root user. ...
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>
...
```
$ cat /etc/doas.conf 8. To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with your text editor of choice and find the "User Configuration Area" near the top of the file where you can enable features by setting their value to "1".
...
permit root
permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
# Optional rule for authlog scanning
permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
...
7) Add the following lines to your pf.conf: Most options can also be configured via command line flags. See man page for more details.
(Putting it higher-up/earlier in the ruleset is recommended)
...
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>
...
8) To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, See the "Notes" section below for more info on installing optional utilities.
Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with
your text editor of choice and find the "User Configuration Area" near the top
of the file where you can enable features by setting their value to "1"
---
Most options can also be configured via command line flags. See man page for more details.
---
See the "Notes" section below for more info on installing optional utilities.
9) Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument: 9. Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument:
# doas -u _pfbadhost pf-badhost -O openbsd ```
doas -u _pfbadhost pf-badhost
```
10) Reload your pf rule set: 10. Reload your pf rule set:
# pfctl -f /etc/pf.conf ```
pfctl -f /etc/pf.conf
```
11) For good measure, we'll run pf-badhost once more: 11. For good measure, we'll run pf-badhost once more:
# doas -u _pfbadhost pf-badhost -O openbsd ```
doas -u _pfbadhost pf-badhost
12) Edit _pfbadhost users crontab to run pf-badhost every night: ```
# crontab -u _pfbadhost -e
...
~ 0~1 * * * -s pf-badhost -O openbsd
...
Note:
If you're running an OpenBSD release older than 6.7 you'll have to use a workaround:
...
@daily sleep $(echo $((RANDOM\%7200+1))) ; pf-badhost -O openbsd
...
Please see the crontab(5) man page for further info
12. Edit _pfbadhost users crontab to run pf-badhost every night:
```
crontab -u _pfbadhost -e
...
~ 0~1 * * * -s pf-badhost -O openbsd
...
```
Yay! pf-badhost is now installed! Yay! pf-badhost is now installed!
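Review bot: steps 9 and 11 on the new side drop the `-O openbsd` argument from the fenced command (`doas -u _pfbadhost pf-badhost`) while their headings still read "using the "-O openbsd" argument" and the step 12 crontab line keeps `-O openbsd`; either restore the flag in both fenced commands or reword the headings, otherwise a reader who copies the fenced command runs the script without the OS profile the text tells them to use. Two smaller points in the same hunk: step 2 replaces the old `ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh` command with a bare link to the fork, so there is no longer a command to run for the download; and the old-side note about the pre-6.7 crontab workaround (`@daily sleep $(echo $((RANDOM\%7200+1))) ; pf-badhost -O openbsd`) is removed without replacement, so please confirm that is intentional or carry it over under step 12.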
@ -99,9 +100,9 @@ To receive notification of new pf-badhost releases and updates please send an em
to 'announce@geoghegan.ca' with a subject line and body of "subscribe pf-badhost" to 'announce@geoghegan.ca' with a subject line and body of "subscribe pf-badhost"
###################################################################
# Post Install Notes: ## Post Install Notes:
###################################################################
X) To add custom rules or enable features, or add alternate blocklists, X) To add custom rules or enable features, or add alternate blocklists,
See the "User Configuration Area" located at the top of the script. See the "User Configuration Area" located at the top of the script.
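Review bot: the change to `## Post Install Notes:` correctly makes this section subordinate to `# Fresh Installation Guide`, but the trailing colon is out of place in a markdown heading and the item below keeps the `X)` marker while the install steps in the earlier hunk were converted to `1.`/`2.` numbering; drop the colon and use a numbered or bulleted item here for consistency. Also, the unchanged context line above still directs readers to `announce@geoghegan.ca` for release announcements even though step 2 now points at the fork at git.sr.ht, so confirm that address is still the right one for this fork.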