utils/filtron.sh: add script to install filtron middleware

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2025-08-02 18:12:21 +02:00 · 2020-01-08 19:21:07 +01:00 · 2020-01-08 19:21:07 +01:00 · 4139c63d23
commit 4139c63d23
parent 28dacee288
5 changed files with 307 additions and 5 deletions
--- a/utils/templates/etc/filtron/rules.json
+++ b/utils/templates/etc/filtron/rules.json
@ -0,0 +1,56 @@
+[
+    {
+        "name": "api limit",
+        "interval": 60,
+        "limit": 1000,
+        "filters": ["Path=^/api"],
+        "aggregations": ["Path"],
+        "actions": [
+            {"name": "block"}
+        ],
+        "subrules": [
+            {
+                "name": "drop put",
+                "interval": 60,
+                "limit": 100,
+                "filters": ["Method=PUT"],
+                "aggregations": ["Header:X-Forwarded-For"],
+                "actions": [
+                    {"name": "shell",
+                     "params": {"cmd": "iptables -A INPUT -s %v -j DROP", "args": ["Header:X-Forwarded-For"]}}
+                ]
+            }
+        ]
+    },
+    {
+        "name": "log'n'block rss",
+        "interval": 300,
+        "limit": 2500,
+        "filters": ["Path=^/$", "GET:format=rss"],
+        "actions": [
+            {"name": "log"},
+            {"name": "block"}
+        ]
+    },
+    {
+        "name": "log rule",
+        "filters": ["Path=/"],
+        "actions": [ {"name": "log"} ],
+        "subrules": [
+            {
+                "name": "block missing accept-language",
+                "filters": ["!Header:Accept-Language"],
+                "actions": [
+                    {"name": "block"}
+                ]
+            },
+            {
+                "name": "block curl",
+                "filters": ["Header:User-Agent=[Cc]url"],
+                "actions": [
+                    {"name": "block"}
+                ]
+            }
+        ]
+    }
+]
--- a/utils/templates/lib/systemd/system/filtron.service
+++ b/utils/templates/lib/systemd/system/filtron.service
@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -rules ${FILTRON_RULES}
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME}
+
+# Some distributions may not support these hardening directives.  If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target