Differences

This shows you the differences between two versions of the page.

--- en:security:reaction [2024/08/07 22:21] – lonclegr
+++ en:security:reaction [2024/08/13 21:58] (current) – lonclegr
@@ Line 13: / Line 13: @@
 So I configured [[en:security:iptables|iptables]] on my server the most restrictive way I know from network perspective: only the two public IPs of my two ḧomes can access to SSH service. And it works fine. But by design, there is an issue about this choice I made. Indeed, my ISPs ((Internet Service Provider)) provide me dynamic IPs. It may change without notice but for the last 3 years it did not.
-I accepted the risk because of two thins:
+I accepted the risk because of two facts:
   - Since IPs don't change very often and I have two different ISP, the probability that both of them change at the same time is very low. So if one IP changes and I lose access to my server I can go the second home and update the configuration accordingly.
   - Worst case scenario, I can use the emergency console access from my server provider and update the configuration of [[en:security:iptables|iptables]].
@@ Line 23: / Line 23: @@
 I decided that I was going to use my last option: emergency console access to my server from the provider. But bad surprise again, my provider did not provide such a service.
-As a result, I lost access to my server for days. In the meantime, I was looking for a more robust design. That's how [[https://en.wikipedia.org/wiki/Fail2ban|fail2ban]] came back to my mind and even better I remembered that one person from the [[https://www.chatons.org/en|CHATONS]] was working on the perfect tool for me: [[https://blog.ppom.me/en-reaction/|reaction]].
+As a result, I lost access to my server for days. In the meantime, I was looking for a more robust design. That's how [[https://en.wikipedia.org/wiki/Fail2ban|fail2ban]] came back to my mind and even better I remembered that one person from the [[https://www.chatons.org/en|CHATONS]] [[https://picasoft.net|Picasoft]] was working on the perfect tool for me: [[https://blog.ppom.me/en-reaction/|reaction]].
 ===== New architecture =====
-In this new architecture, I introduced a new server "Bastion SSH Server" which will have only SSH server and [[https://blog.ppom.me/en-reaction/|reaction]].
+In this new architecture, I introduced a new server "Bastion SSH Server" which has only SSH server and [[https://blog.ppom.me/en-reaction/|reaction]].
-TODO: architecture
+{{ :en:security:architecture-one-server-access-with-bastion.png?direct&600 |Architecture with Bastion SSH server}}
 ===== Why not Fail2ban ? =====
@@ Line 41: / Line 39: @@
 And since a good drawing is always better than long speech, let me share with you this one made by [[https://ptilouk.net/|Gee]].
+{{ :en:security:bd-reaction-english.png?direct&600 |Reaction the new Fail2ban}}
+===== Feedback =====
+I am using this tool within this new architecture for weeks now and I am very satisfied.
+==== Usage ====
+The service is up for 2 weeks and 2 days and memory usage is very low.
+{{ :en:security:reaction-usage-for-2-weeks.png?direct&600 |Reaction systemctl status}}
+==== Ansible playbook ====
+Here is my playbook I use to setup it on my server. It is not perfect but if it can help you to test easily 8-)
+<code yaml>
+- name: install packages required to have logs
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items:
+    - iptables
+    - iptables-persistent
+    - logrotate
+    - rsyslog
+  become: True
+- name: stop reaction if running
+  service:
+    name: reaction.service
+    state: stopped
+  become: True
+  ignore_errors: yes
+- name: download binary
+  ansible.builtin.get_url:
+    url: https://static.ppom.me/reaction/releases/v1.4.1/reaction
+    dest: /usr/local/bin/reaction
+    mode: '0755'
+  become: True
+- name: copy systemd file
+  copy:
+    src: files/reaction.service
+    dest: /etc/systemd/system/reaction.service
+    owner: root
+    group: root
+    mode: 0700
+  become: True
+- name: copy reaction.yml
+  copy:
+    src: files/reaction.yml
+    dest: /etc/reaction.yml
+    owner: root
+    group: root
+    mode: 0755
+  become: True
+- name: reload daemon
+  command: "systemctl daemon-reload"
+  become: True
+- name: enable reaction
+  command: "systemctl enable reaction.service"
+  become: True
+- name: restart reaction
+  service:
+    name: reaction.service
+    state: restarted
+  become: True
+</code>
+and the config file for SSH based on [[https://reaction.ppom.me/filters/ssh.html|official documentation]]
+<code>
+patterns:
+  ip:
+    regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})'
+streams:
+  ssh:
+    cmd: ['tail', '-F', '/var/log/auth.log']
+    filters:
+      fail:
+        regex:
+          - 'authentication failure;.*rhost=<ip>'
+          - 'Connection (reset|closed) by (authenticating|invalid) user .* <ip>'
+          - 'Failed password for .* from <ip>'
+        retry: 3
+        retryperiod: '3h'
+        actions:
+          ban:
+            cmd: ['iptables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP']
+          unban:
+            cmd: ['iptables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP']
+            after: '24h'
+start:
+  - [ 'iptables', '-w', '-N', 'reaction' ]
+  - [ 'iptables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
+stop:
+  - [ 'iptables', '-w', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
+  - [ 'iptables', '-w', '-F', 'reaction' ]
+  - [ 'iptables', '-w', '-X', 'reaction' ]
+</code>
+and the service
+<code>
+[Install]
+WantedBy=multi-user.target
+[Service]
+ExecStart=/usr/local/bin/reaction start -c /etc/reaction.yml
+StateDirectory=reaction
+RuntimeDirectory=reaction
+WorkingDirectory=/var/lib/reaction
+</code>
+This code is based on the one you can find on the official blog of [[https://blog.ppom.me/en-reaction/|reaction]].
+===== Conclusion =====
+This tool is a very good initiative that everybody should support! At least everybody that needs such tool should give a try. The creator is very talented and tries to push the tool into a direction that can make everything more safe.