====== Reaction v2 ======
Great news, [[https://framagit.org/ppom/reaction/-/releases|reaction]] has released version 2. It has been rewritten from Go to Rust.
In my OpenSSH use case, memory usage drops by half.
{{ :fr:security:reaction-v2-usage.png?600 |usage reaction v2}}
Background image by [[https://www.davidrevoy.com/article1005/cozy|David Revoy]] [[http://creativecommons.org/licenses/by/4.0/|CC-BY 4.0]]
To celebrate, I updated my Ansible playbook:
<code yaml>
- name: install packages required to have logs
  package:
    name: "{{ item }}"
    state: latest
  with_items:
    - iptables
    - iptables-persistent
    - logrotate
    - rsyslog
  become: True
- name: stop reaction if running
  service:
    name: reaction@reaction.jsonnet.service
    state: stopped
  become: True
  ignore_errors: yes
- name: download deb package
  ansible.builtin.get_url:
    url: https://static.ppom.me/reaction/releases/v2.1.2/reaction_2.1.2-1_amd64.deb
    dest: /root/reaction.deb
    mode: '0755'
  become: True
- name: Install .deb package
  ansible.builtin.apt:
    deb: /root/reaction.deb
  become: True
- name: copy reaction.jsonnet
  template:
    src: "templates/{{ ansible_fqdn }}/reaction.jsonnet"
    dest: /etc/reaction.jsonnet
    owner: root
    group: root
    mode: 0755
  become: True
- name: reload daemon
  command: "systemctl daemon-reload"
  become: True
- name: enable reaction
  command: "systemctl enable --now reaction@reaction.jsonnet.service"
  become: True
- name: restart reaction
  service:
    name: reaction@reaction.jsonnet.service
    state: restarted
  become: True
</code>
Here is the OpenSSH template that the playbook installs as /etc/reaction.jsonnet:
<code jsonnet>
// banFor(time) builds the ban/unban actions for an address captured by the
// "ip" pattern; reaction substitutes the matched text for <ip> in cmd arguments.
local banFor(time) = {
  ban: {
    cmd: ['iptables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP'],
  },
  unban: {
    after: time,
    cmd: ['iptables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP'],
  },
};

{
  patterns: {
    ip: {
      // IPv4 dotted quad, or a loose IPv6 form (hex digits and colons)
      regex: @'(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})',
    },
  },
  // create the "reaction" chain and hook it in front of INPUT at startup
  start: [
    [ 'iptables', '-w', '-N', 'reaction' ],
    [ 'iptables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ],
  ],
  // unhook, flush and delete the chain at shutdown
  stop: [
    [ 'iptables', '-w', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ],
    [ 'iptables', '-w', '-F', 'reaction' ],
    [ 'iptables', '-w', '-X', 'reaction' ],
  ],
  streams: {
    ssh: {
      cmd: ['tail', '-n0', '-f', '/var/log/auth.log'],
      filters: {
        login: {
          // PAM failed-login line; <ip> is the "ip" pattern above
          regex: [ @'authentication failure;.*rhost=<ip>' ],
          retry: 3,            // ban after 3 matches...
          retryperiod: '3h',   // ...within 3 hours
          actions: banFor('48h'),
        },
      },
    },
  },
}
</code>
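To see what this filter actually does before putting it on a host, the following added example (my own code, not part of the page above and not reaction's implementation) replays a few constructed auth.log lines through the same ''ip'' pattern and ''login'' regex, applies the retry/retryperiod window, and prints the iptables command the ''ban'' action would run. The year attached to syslog timestamps, the sample addresses and the exact window semantics (a failure older than retryperiod is simply forgotten) are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values copied from the reaction.jsonnet template above.
IP_PATTERN = r'(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'
LOGIN_FILTER = r'authentication failure;.*rhost=<ip>'
RETRY = 3                          # retry: 3
RETRY_PERIOD = timedelta(hours=3)  # retryperiod: '3h'
BAN_FOR = timedelta(hours=48)      # banFor('48h')

# Constructed sample of /var/log/auth.log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan 10 08:00:00 host sshd[990]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9  user=root
Jan 10 09:00:00 host sshd[991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9  user=root
Jan 10 10:00:01 host sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jan 10 10:05:02 host sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Jan 10 10:06:03 host sshd[1003]: Accepted publickey for alice from 198.51.100.4 port 51234 ssh2
Jan 10 10:07:04 host sshd[1004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::1  user=root
Jan 10 11:30:00 host sshd[1005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9  user=root
Jan 10 12:30:05 host sshd[1006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
"""


def compile_filter(filter_regex, ip_pattern):
    """Expand the <ip> placeholder into a named capture group, mirroring how
    reaction substitutes a `patterns` entry (assumption: the exact substitution
    may differ in detail, but the matching behaviour is the same for this filter)."""
    return re.compile(filter_regex.replace('<ip>', '(?P<ip>' + ip_pattern + ')'))


LOGIN_RE = compile_filter(LOGIN_FILTER, IP_PATTERN)


def extract_ip(line):
    """Return the rhost address of a failed-login line, or None when the filter does not match."""
    m = LOGIN_RE.search(line)
    return m.group('ip') if m else None


def parse_ts(line, year=2024):
    """Syslog timestamps carry no year; one is assumed for the constructed sample."""
    return datetime.strptime('%d %s' % (year, line[:15]), '%Y %b %d %H:%M:%S')


def iptables_ban(ip):
    return ['iptables', '-w', '-A', 'reaction', '-s', ip, '-j', 'DROP']


def iptables_unban(ip):
    return ['iptables', '-w', '-D', 'reaction', '-s', ip, '-j', 'DROP']


def simulate(log_text):
    """Replay log lines through the login filter and return (bans, unbans).
    Each entry is (time, ip, argv), argv being the command reaction would execute."""
    recent = defaultdict(deque)   # ip -> timestamps of matches inside the retry window
    banned_until = {}
    bans, unbans = [], []
    for line in log_text.splitlines():
        ip = extract_ip(line)
        if ip is None:
            continue
        ts = parse_ts(line)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already DROPped by the firewall; nothing more to do
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > RETRY_PERIOD:   # forget failures older than retryperiod
            window.popleft()
        if len(window) >= RETRY:
            banned_until[ip] = ts + BAN_FOR
            bans.append((ts, ip, iptables_ban(ip)))
            unbans.append((ts + BAN_FOR, ip, iptables_unban(ip)))
            window.clear()
    return bans, unbans


if __name__ == '__main__':
    for when, ip, argv in simulate(SAMPLE_LOG)[0]:
        print(when.isoformat(), 'ban', ip, '->', ' '.join(argv))
```

Run as-is it bans only 203.0.113.7 (three failures within 2h30), while 192.0.2.9 stays unbanned because its first failure falls outside the 3h window by the time the third arrives, and the IPv6 line is captured correctly by the second alternative of the pattern. Note that the IPv6 branch ''[0-9a-fA-F:]{2,90}'' is deliberately loose; it works here only because ''rhost='' anchors it, so reuse it with care in other filters.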
If you have not already, please take the time to test reaction instead of fail2ban. You won't be disappointed.