From d0a51f239ac007b8f788b0c86285f840a5712a37 Mon Sep 17 00:00:00 2001 From: Jez Caudle Date: Thu, 1 Feb 2024 12:00:35 +0000 Subject: [PATCH] More readme md --- README.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4a28449..bb97e2f 100644 --- a/README.md +++ b/README.md @@ -19,25 +19,27 @@ set to /var/empty/ with no password specified (disables password logins) useradd -s /sbin/nologin -d /var/empty _pfbadhost ``` -2. Download script from https://git.sr.ht/~jezcaudle/pfbadhost-fork/tree/main/item/pf-badhost.sh +Download script from https://git.sr.ht/~jezcaudle/pfbadhost-fork/tree/main/item/pf-badhost.sh -3. Install script with appropriate permissions +Install script with appropriate permissions ``` install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost ``` -4. Create required files: + +Create required files: ``` install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt install -d -m 755 -o root -g wheel /var/log/pf-badhost install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz ``` -5. OPTIONAL: Install RipGrep and mawk for greatly improved performance. Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected. + +OPTIONAL: Install RipGrep and mawk for greatly improved performance. Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected. ``` pkg_add ripgrep mawk ``` -6. Give user "_pfbadhost" strict doas permission for the exact commands the script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be explicitly granted permission to use doas, even the root user. +Give user "_pfbadhost" strict doas permission for the exact commands the script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be explicitly granted permission to use doas, even the root user. ``` cat /etc/doas.conf 
@@ -50,7 +52,7 @@ permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/aut ... ``` -7. Add the following lines to your pf.conf (Putting it higher-up/earlier in the ruleset is recommended): +Add the following lines to your pf.conf (Putting it higher-up/earlier in the ruleset is recommended): ``` ... table persist file "/etc/pf-badhost.txt" @@ -59,28 +61,28 @@ block out quick on egress to ... ``` -8. To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with your text editor of choice and find the "User Configuration Area" near the top of the file where you can enable features by setting their value to "1". +To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with your text editor of choice and find the "User Configuration Area" near the top of the file where you can enable features by setting their value to "1". Most options can also be configured via command line flags. See man page for more details. See the "Notes" section below for more info on installing optional utilities. -9. Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument: +Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument: ``` doas -u _pfbadhost pf-badhost ``` -10. Reload your pf rule set: +Reload your pf rule set: ``` pfctl -f /etc/pf.conf ``` -11. For good measure, we'll run pf-badhost once more: +For good measure, we'll run pf-badhost once more: ``` doas -u _pfbadhost pf-badhost ``` -12. Edit _pfbadhost users crontab to run pf-badhost every night: +Edit _pfbadhost users crontab to run pf-badhost every night: ``` crontab -u _pfbadhost -e ...
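Review bot: in the first hunk (`@@ -19,25 +19,27 @@`) the blank lines added along with the removed step numbers are applied inconsistently: "Create required files:", "OPTIONAL: Install RipGrep and mawk ..." and "Give user "_pfbadhost" strict doas permission ..." each gain a preceding blank line, while "Download script from ..." and "Install script with appropriate permissions" do not, so the rendered README will have uneven paragraph spacing. These steps are also order-dependent (the `_pfbadhost` user must exist before `install -m 640 -o _pfbadhost ...` can run, and the doas.conf rules must be in place before the script is invoked), so either keep the numbered list or add the separating blank line before every paragraph so the plain paragraphs still read as a sequence.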
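Review bot: in the second hunk (`@@ -50,7 +52,7 @@`) the parenthetical "(Putting it higher-up/earlier in the ruleset is recommended)" gives no reason; since the rules that follow use `quick` (see `block out quick on egress to ...` in the next hunk's context), a short note that a `quick` rule only short-circuits evaluation for rules placed after it would make the recommendation self-explanatory, and "higher-up/earlier" can be reduced to "earlier".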
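Review bot: in the third hunk (`@@ -59,28 +61,28 @@`) the rewritten line "Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument:" still does not match the command under it, `doas -u _pfbadhost pf-badhost`, which passes no `-O openbsd`; while this line is being touched, either add the flag to that command (and to the "once more" invocation and the crontab entry that follow) or drop the clause, and use the script name `pf-badhost` consistently rather than "pfbadhost".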