More readme md

This commit is contained in:
Jez Caudle 2024-02-01 12:00:35 +00:00
parent 3cce8ac963
commit d0a51f239a


@ -19,25 +19,27 @@ set to /var/empty/ with no password specified (disables password logins)
useradd -s /sbin/nologin -d /var/empty _pfbadhost
```
2. Download script from https://git.sr.ht/~jezcaudle/pfbadhost-fork/tree/main/item/pf-badhost.sh
Download script from https://git.sr.ht/~jezcaudle/pfbadhost-fork/tree/main/item/pf-badhost.sh
3. Install script with appropriate permissions
Install script with appropriate permissions
```
install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
```
4. Create required files:
Create required files:
```
install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
install -d -m 755 -o root -g wheel /var/log/pf-badhost
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
```
5. OPTIONAL: Install RipGrep and mawk for greatly improved performance. Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected.
OPTIONAL: Install RipGrep and mawk for greatly improved performance. Note: RipGrep is not available on all CPU architectures, use 'ggrep' if affected.
```
pkg_add ripgrep mawk
```
6. Give user "_pfbadhost" strict doas permission for the exact commands the script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be explicitly granted permission to use doas, even the root user.
Give user "_pfbadhost" strict doas permission for the exact commands the script needs run as superuser. NOTE: Unlike "sudo", _ALL_ users must be explicitly granted permission to use doas, even the root user.
```
cat /etc/doas.conf
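Review bot: Dropping the "2." to "6." prefixes in this hunk leaves the install steps as unnumbered paragraphs, so the order they depend on (install the script, create the files, then grant doas) is no longer explicit. If the numbers were removed because the unindented fences broke the Markdown list, keep the numbers and indent each fenced block under its item instead. The rewritten download line also still gives only a URL: consider adding the fetch command and a published checksum to compare against before the file is installed root-owned with mode 755 and later run through doas.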
@ -50,7 +52,7 @@ permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/aut
...
```
7. Add the following lines to your pf.conf (Putting it higher-up/earlier in the ruleset is recommended):
Add the following lines to your pf.conf (Putting it higher-up/earlier in the ruleset is recommended):
```
...
table <pfbadhost> persist file "/etc/pf-badhost.txt"
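Review bot: The rewritten pf.conf line recommends placing the rules "higher-up/earlier in the ruleset" without saying why. Since the rules shown use "quick", it would help to state that evaluation stops at the first matching quick rule, so these block rules need to come before any pass rule that could match the same traffic first. With the "7." prefix gone, the line also no longer signals that it follows the doas.conf step.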
@ -59,28 +61,28 @@ block out quick on egress to <pfbadhost>
...
```
8. To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with your text editor of choice and find the "User Configuration Area" near the top of the file where you can enable features by setting their value to "1".
To enable additional features such as IPv6, Subnet Aggregation, Geo-Blocking, Bogon Filtering or Authlog Scanning open "/usr/local/bin/pf-badhost" with your text editor of choice and find the "User Configuration Area" near the top of the file where you can enable features by setting their value to "1".
Most options can also be configured via command line flags. See man page for more details.
See the "Notes" section below for more info on installing optional utilities.
9. Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument:
Run pfbadhost as user "_pfbadhost" using the "-O openbsd" argument:
```
doas -u _pfbadhost pf-badhost
```
10. Reload your pf rule set:
Reload your pf rule set:
```
pfctl -f /etc/pf.conf
```
11. For good measure, we'll run pf-badhost once more:
For good measure, we'll run pf-badhost once more:
```
doas -u _pfbadhost pf-badhost
```
12. Edit _pfbadhost users crontab to run pf-badhost every night:
Edit _pfbadhost users crontab to run pf-badhost every night:
```
crontab -u _pfbadhost -e
...
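Review bot: The run step says to use the "-O openbsd" argument, but the command under it is "doas -u _pfbadhost pf-badhost" with no flag, and the same is true of the "For good measure" step. Either add the flag to both commands or drop it from the sentence. While this line is being touched, "Run pfbadhost" should read "pf-badhost" to match the installed name, and "_pfbadhost users crontab" needs an apostrophe. The reload step could also suggest a syntax check with "pfctl -nf /etc/pf.conf" before loading, since a pf.conf typo at this point affects the whole ruleset.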