added README docs for fail2ban

2026-03-25 09:25:49 +00:00 · 2013-06-14 16:07:01 +10:00 · 2013-06-14 16:07:01 +10:00 · 9761faf6be
commit 9761faf6be
parent baffa83687
1 changed files with 27 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -88,6 +88,33 @@ A [Rack::Request](http://rack.rubyforge.org/doc/classes/Rack/Request.html) objec
      req.path == '/login' && req.post? && req.user_agent == 'BadUA'
    end

+`Rack::Attack::Fail2Ban` can be combined with blacklists to block all requests from misbehaving clients.
+This pattern is inspired by [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page).
+See the [fail2ban documentation](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options) for more details on
+how the parameters work.
+
+    # Block requests from IP addresses that misbehave
+    Rack::Attack.blacklist('fail2ban pentesters') do |req|
+      # `filter` returns truthy value if request fails, or if it's from a previously banned IP
+      # this causes `blacklist` to block the request
+      Rack::Attack::Fail2Ban.filter("pentest",                  # namespace for cache key
+                                    req.ip,                     # count matching requests based on IP
+                                    :maxretry => 3,             # allow up to 3 bad requests...
+                                    :findtime => 10.minutes,    # to occur within 10 minutes...
+                                    :bantime => 5.minutes) do   # and ban the IP address for 5 minutes if exceeded
+        # if block is truthy, the count for the IP is incremented
+        CGI.unescape(req.query_string) =~ %r{/etc/passwd} 
+      end
+
+    end
+
+
+Rack::Attack.blacklist('pentest') do |request|
+  Rack::Attack::Fail2Ban.filter('pentest', request.ip, bantime: 10.minutes, findtime: 10.minutes, maxretry: 3) do
+    RACK_ATTACK_DIE_PEN_TESTER_TESTS.any?{|test| test.(request)}
+  end
+end
+
 ### Throttles

    # Throttle requests to 5 requests per second per ip