More md changes

Jez Caudle 2024-02-01 11:58:54 +00:00
parent b7d28713c7
commit 3cce8ac963

127
README.md

@ -13,79 +13,80 @@ Copyright (c) Jez Caudle 2024 onwards with the same license as above.
# Fresh Installation Guide
1. Create a new user (we'll call ours "_pfbadhost"):
The user should be created with a default shell of "nologin", home folder
Create a new user (we'll call ours "_pfbadhost"). The user should be created with a default shell of "nologin", home folder
set to /var/empty/ with no password specified (disables password logins)
# useradd -s /sbin/nologin -d /var/empty _pfbadhost
```
useradd -s /sbin/nologin -d /var/empty _pfbadhost
```
2) Download script:
$ ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
2. Download script from https://git.sr.ht/~jezcaudle/pfbadhost-fork/tree/main/item/pf-badhost.sh
3) Install script with appropriate permissions:
# install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
3. Install script with appropriate permissions
```
install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
```
4. Create required files:
```
install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
install -d -m 755 -o root -g wheel /var/log/pf-badhost
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
```
5. OPTIONAL: Install RipGrep and mawk for greatly improved performance. Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected.
```
pkg_add ripgrep mawk
```
4) Create required files:
# install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
# install -d -m 755 -o root -g wheel /var/log/pf-badhost
# install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
# install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
6. Give user "_pfbadhost" strict doas permission for the exact commands the script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be explicitly granted permission to use doas, even the root user.
5) OPTIONAL: Install RipGrep and mawk for greatly improved performance:
Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected.
# pkg_add ripgrep mawk
```
cat /etc/doas.conf
...
permit root
permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
# Optional rule for authlog scanning
permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
...
```
6) Give user "_pfbadhost" strict doas permission for the exact commands the
script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be
explicitly granted permission to use doas, even the root user.
7. Add the following lines to your pf.conf (Putting it higher-up/earlier in the ruleset is recommended):
```
...
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>
...
```
$ cat /etc/doas.conf
...
permit root
permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
# Optional rule for authlog scanning
permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
...
8. To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with your text editor of choice and find the "User Configuration Area" near the top of the file where you can enable features by setting their value to "1".
7) Add the following lines to your pf.conf:
(Putting it higher-up/earlier in the ruleset is recommended)
...
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>
...
Most options can also be configured via command line flags. See man page for more details.
8) To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking,
Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with
your text editor of choice and find the "User Configuration Area" near the top
of the file where you can enable features by setting their value to "1"
---
Most options can also be configured via command line flags. See man page for more details.
---
See the "Notes" section below for more info on installing optional utilities.
See the "Notes" section below for more info on installing optional utilities.
9) Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument:
# doas -u _pfbadhost pf-badhost -O openbsd
9. Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument:
```
doas -u _pfbadhost pf-badhost
```
10) Reload your pf rule set:
# pfctl -f /etc/pf.conf
10. Reload your pf rule set:
```
pfctl -f /etc/pf.conf
```
11) For good measure, we'll run pf-badhost once more:
# doas -u _pfbadhost pf-badhost -O openbsd
12) Edit _pfbadhost users crontab to run pf-badhost every night:
# crontab -u _pfbadhost -e
...
~ 0~1 * * * -s pf-badhost -O openbsd
...
Note:
If you're running an OpenBSD release older than 6.7 you'll have to use a workaround:
...
@daily sleep $(echo $((RANDOM\%7200+1))) ; pf-badhost -O openbsd
...
Please see the crontab(5) man page for further info
11. For good measure, we'll run pf-badhost once more:
```
doas -u _pfbadhost pf-badhost
```
12. Edit _pfbadhost users crontab to run pf-badhost every night:
```
crontab -u _pfbadhost -e
...
~ 0~1 * * * -s pf-badhost -O openbsd
...
```
Yay! pf-badhost is now installed!
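Review bot: the new steps 9 and 11 still say to run pf-badhost "using the "-O openbsd" argument", but the fenced commands that replace the old `# doas -u _pfbadhost pf-badhost -O openbsd` lines are now just `doas -u _pfbadhost pf-badhost` with the flag dropped, while the crontab entry `~ 0~1 * * * -s pf-badhost -O openbsd` in step 12 keeps it; either put `-O openbsd` back in both fences or reword the step text so the instructions agree. Two smaller points in the same hunk: step 2 replaces the old `$ ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh` fetch with a bare link to the sr.ht tree view, so the reader has no command to run and no prompt to inspect the downloaded script before it is installed 755 as root into /usr/local/bin; and the old note on the crontab workaround for releases older than 6.7, together with the pointer to crontab(5), disappears from the new step 12, which is worth keeping as a one-line note after the crontab fence.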
@ -99,9 +100,9 @@ To receive notification of new pf-badhost releases and updates please send an em
to 'announce@geoghegan.ca' with a subject line and body of "subscribe pf-badhost"
###################################################################
# Post Install Notes:
###################################################################
## Post Install Notes:
X) To add custom rules or enable features, or add alternate blocklists,
See the "User Configuration Area" located at the top of the script.
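Review bot: the item directly under the renamed `## Post Install Notes:` heading still carries the old `X)` label, which will not render as a list now that the install steps above use markdown `1.` numbering; use the same list style here so the notes section matches the rest of the file. Consider also dropping the trailing colon from the heading, since the other markdown heading in this file (`# Fresh Installation Guide`) does not have one.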