Browse Source

* update docs/configuration.md

master
Alex 'AdUser' Z 8 years ago
parent
commit
2074fc503f
  1. 4
      README.md
  2. 94
      docs/configuration.md

4
README.md

@ -12,8 +12,8 @@ Features:
Docs:
* docs/install.md -- generic installation instructions
* docs/configuration.md -- config file description and configuration notes
* [Installation](docs/install.md) -- generic installation instructions
* [Quickstart](docs/configuration.md) -- config file description and configuration notes
Similar software:

94
docs/configuration.md

@ -43,6 +43,8 @@ Example:
# search for backend named 'exec-ipset' and init it with string 'banned'
# So <ID> token will be replaced with 'banned' string
See *Teamwork* section for advanced samples.
Module-specific settings
========================
@ -74,6 +76,14 @@ portknock
Address is optional, eg "23" and "0.0.0.0:23" is the same.
For ipv6 address use square brackets like this: "[fe80::fe14:a87c]:23".
mcast
: Init string is name of group in multicast messages. Options are:
* group -- address of multicast group. Should be in net 239.255.0.0/16
* address -- bind address for socket (default: 0.0.0.0)
* port -- destination port for multicast messages (default: 3370, don't change unless you know what you doing)
* iface -- sets default interface for multicast messages (use system settings if not set)
Filter-modules
--------------
@ -105,3 +115,87 @@ exec
redis
: Init string is name of pubsub channel on redis server (will be prefixed with "f2b-")
Options almost the same as source/redis. 'ping' option - for keeping connection alive (see PING redis command)
mcast
: Init string is name of group in multicast messages. Options are:
* group -- address of multicast group. Should be in net 239.255.0.0/16
* port -- destination port for multicast messages (default: 3370, don't change unless you know what you doing)
* iface -- sets default interface for multicast messages (use system settings if not set)
Teamwork
========
This section shows sample configurations of distributed f2b installations.
In standalone install you have simple workflow:
* `jail/source` gets the data
* `jail/filter` decides is we need this data piece
* `jail/matches` decides should we ban this ip or not
* `jail/backend` directly bans/releases filtered IPs
Now let's change the workflow:
* "sensor" jail
* `jail:sensor/source` gets the data (same as above)
* `jail:sensor/filter` decides is we need this data piece (same as above)
* `jail:sensor/matches` decides should we ban this ip or not
* `jail:sensor/backend` sends filtered ip to some blackbox
* "actor" jail
* `jail:actor/source` gets the data from blackbox
* `jail:actor/filter` only checks is we get valid ip
* `jail:actor/matches` decides should we ban this ip or not
* `jail:actor/backend` bans/releases given IPs
For now supported `blackbox` types is `multicast group` and `redis database`.
Various jail types may be combined and omitted. Some possible variants:
[ HOST1 ] [ HOST2 ] [ HOST3 ]
jail:sensor1 --> [-------] <-- jail:sensor3
jail:sensor2 --> [ REDIS ] <-- jail:sensor4
jail:actor1 <-- [ DB ] --> jail:actor2
[ HOST1 ] [ HOST2 ]
jail:actor1 <-- [ MCAST ] --> jail:actor2
jail:empty --> [ GROUP ] <-- jail:sensor1
^-- user@f2bc
Now let's see real configs. This is modified sample from section `General notes`.
[source:redis]
server = 127.0.0.1
;
[backend:redis]
server = 127.0.0.1
;
[jail:sensor1]
enabled = yes
source = files:/var/log/messages
filter = preg:/etc/f2b/filters/ssh.preg
backend = redis:ssh
;
[jail:actor1]
enabled = yes
source = redis:ssh
filter = preg:/etc/f2b/filters/empty.preg
backend = exec-ipset:banned
Now, if "sensor1" detects some malicious activity it sends notify with redis PUBLISH command on channel f2b-banned-ssh.
You may see this messages with the following commands:
# at host1
$ redis-cli -h 127.0.0.1
127.0.0.1:6379> SUBSCRIBE f2b-banned-ssh # <- "ssh" here is taken from init string of sensor1/source
^C
$
$ redis-cli -h 127.0.0.1
127.0.0.1:6379> PUBLISH f2b-banned-ssh 1.2.3.4 # <- manually ban given ip
!!! Important note
This configuration for now is one-way street: it only distribute ban events, not release events.
This means, if you execute the last command above, this ip will be banned on all configured f2b instance as quick as possible.
But if you want to unban it, you'll need either wait for $bantime second(s) or manually release it at each configured f2b instance.
This may change in future.

Loading…
Cancel
Save