v5

This is a much more reliable method to extract the IP address
from the log entries, and allows us to consolidate 2 matches into
a single operation.

Once matched, we extract the IP substring and pass it to `find()`
as usual. We can add more regexes later if that is useful.

.gitignore

@@ -11,6 +11,8 @@ install-sh
 missing
 tallow
 tallow-*.tar.gz
-tallow-1/
+tallow-*/
 tallow.o
 tallow.service
+*~
+DEADJOE

.travis.yml

@@ -0,0 +1,21 @@
+sudo: required
+dist: trusty
+language: c
+compiler: gcc
+os: linux
+
+before_script:
+    - ./autogen.sh
+
+addons:
+    apt:
+        sources:
+            - ubuntu-toolchain-r-test
+        packages:
+            - libsystemd-journal-dev
+            - valgrind
+            - autoconf
+            - automake
+
+script:
+    - ./configure && make && make distcheck

Makefile.am

@@ -1,17 +1,26 @@
 
-AM_CFLAGS = -g $(LIBSYSTEMD_CFLAGS) -Wall -Wno-uninitialized
+AM_CFLAGS = -g $(PCRE_CFLAGS) $(LIBSYSTEMD_CFLAGS) -Wall -Wno-uninitialized -W -D_FORTIFY_SOURCE=2
 
 systemdsystemunitdir = @SYSTEMD_SYSTEMUNITDIR@
 systemdsystemunit_DATA = tallow.service
 
 sbin_PROGRAMS = tallow
 tallow_SOURCES = tallow.c
-tallow_LDADD = $(LIBSYSTEMD_LIBS)
+tallow_LDADD = $(PCRE_LIBS) $(LIBSYSTEMD_LIBS)
 
-EXTRA_DIST = AUTHORS COPYING INSTALL tallow.service.in
+EXTRA_DIST = AUTHORS COPYING INSTALL tallow.service.in tallow.1.md
+
+dist_man_MANS = tallow.1 tallow.conf.5
 
 dist_doc_DATA = tallow.conf
-dist_man_MANS = tallow.1 tallow.conf.5
 
 DISTCHECK_CONFIGURE_FLAGS = \
 	--with-systemdsystemunitdir=$(DESTDIR)$(SYSTEMDSYSTEMUNITDIR)
+
+docs: tallow.1 tallow.conf.5
+tallow.conf.5:
+	ronn -r tallow.conf.5.md --pipe > tallow.conf.5
+
+tallow.1:
+	ronn -r tallow.1.md --pipe > tallow.1
+

configure.ac

@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.64])
-AC_INIT([tallow], [1], [auke-jan.h.kok@intel.com])
+AC_INIT([tallow], [5], [auke-jan.h.kok@intel.com])
 AM_INIT_AUTOMAKE([])
 AC_CONFIG_FILES([Makefile])
 
@@ -10,9 +10,12 @@ AC_CONFIG_FILES([Makefile])
 AC_PROG_CC
 AC_PROG_INSTALL
 
-PKG_CHECK_MODULES([LIBSYSTEMD], [libsystemd])
+PKG_CHECK_MODULES(PCRE, libpcre)
+PKG_CHECK_MODULES(LIBSYSTEMD, libsystemd,, [PKG_CHECK_MODULES(LIBSYSTEMD, libsystemd-journal)])
 AC_SUBST(LIBSYSTEMD_CFLAGS)
 AC_SUBST(LIBSYSTEMD_LIBS)
+AC_SUBST(LIBSYSTEMD_JOURNAL_CFLAGS)
+AC_SUBST(LIBSYSTEMD_JOURNAL_LIBS)
 
 AC_ARG_WITH([systemdsystemunitdir], AC_HELP_STRING([--with-systemdsystemunitdir=DIR],
 	[path to systemd system service directory]), [path_systemdsystemunit=${withval}],

tallow.1

@@ -1,41 +1,37 @@
-.TH tallow 1 "31 October 2012" ".1" "Tallow"
-.SH NAME
-Tallow \- Reduce log clutter due to ssh login attempts.
-.SH SYNOPSIS
-/usr/sbin/tallow
-.SH DESCRIPTION
-\fBtallow\fR is a daemon that watches the systemd journal for
-messages from the \fBsshd\fR service. It parses the messages
-and looks for attempted random logins such as failed logins to the
-root account and failed logins to invalid user accounts.
-.PP
-If such logins were detected, the offending IP address is stored
-in a list. Items from this list are regularly purged, but if
-the amount of times that a specific IP address is seen exceeds
-a threshold (default 3), an iptables(1) rule is inserted in the
-\fBTALLOW\fR chain in the \fBfilter\fR netfilter table. The
-rule will match all packets from the IP address and \fBDROP\dR
-them.
-.PP
-The system administrator needs to assure that all incoming packets
-are routed through the \fBTALLOW\fR chain by inserting a rule
-appropriately, e.g. \`iptables -I INPUT -j TALLOW\`. The \fBTALLOW\fR
-chain may have to be created manually first with e.g. \`iptables -N
-TALLOW\`.
-.PP
-Care should be taken to assure that legitimate users are not
-blocked inadvertently. You may wish to list any valid IP address
-with the whitelist option in tallow.conf(5). Multiple addresses
-can be whitelisted.
-
-.SH OPTIONS
-The \fBtallow\fR daemon itself has no runtime configuration. All
-configuration is done through the tallow.conf(5) config file.
-.SH SEE ALSO
-systemd-journald(1), iptables(1), tallow.conf(5)
-.SH BUGS
-\fBtallow\fR is \fBNOT A SECURITY SOLUTION\fR, nor does it protect
-against random password logins. A attacker may still be able to
-logon to your systems if you allow password logins.
-.SH AUTHOR
-Auke Kok <auke-jan.h.kok@intel.com>
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "TALLOW" "1" "May 2017" "" ""
+.
+.SH "NAME"
+\fBtallow\fR
+.
+.SH "tallow"
+Reduce log clutter due to ssh login attempts\.
+.
+.SH "SYNOPSIS"
+\fB/usr/sbin/tallow\fR
+.
+.SH "DESCRIPTION"
+\fBtallow\fR is a daemon that watches the systemd journal for messages from the \fBsshd\fR service\. It parses the messages and looks for attempted random logins such as failed logins to the root account and failed logins to invalid user accounts\.
+.
+.P
+If such logins were detected, the offending IP address is stored in a list\. Items from this list are regularly purged, but if the amount of times that a specific IP address is seen exceeds a threshold (default 3), an ipset(1) entry is inserted in the \fBtallow\fR or \fBtallow6\fR ipset, and further packets from that ip address will be blocked by an \fBiptables(1)\fR or \fBip6tables(1)\fR rule that tallow creates at startup\.
+.
+.P
+The system administrator needs to assure that the tallow and tallow6 ipsets are left alone and that the inserted iptables rules are properly matching on packets\.
+.
+.P
+Care should be taken to assure that legitimate users are not blocked inadvertently\. You may wish to list any valid IP address with the whitelist option in tallow\.conf(5)\. Multiple addresses can be whitelisted\.
+.
+.SH "OPTIONS"
+The \fBtallow\fR daemon itself has no runtime configuration\. All configuration is done through the tallow\.conf(5) config file\.
+.
+.SH "SEE ALSO"
+systemd\-journald(1), iptables(1), tallow\.conf(5)
+.
+.SH "BUGS"
+\fBtallow\fR is \fBNOT A SECURITY SOLUTION\fR, nor does it protect against random password logins\. A attacker may still be able to logon to your systems if you allow password logins\.
+.
+.SH "AUTHOR"
+Auke Kok \fIauke\-jan\.h\.kok@intel\.com\fR

tallow.1.md

@@ -0,0 +1,51 @@
+
+## tallow 
+
+Reduce log clutter due to ssh login attempts.
+
+## SYNOPSIS
+
+`/usr/sbin/tallow`
+
+## DESCRIPTION
+
+`tallow` is a daemon that watches the systemd journal for
+messages from the `sshd` service. It parses the messages
+and looks for attempted random logins such as failed logins to the
+root account and failed logins to invalid user accounts.
+
+If such logins were detected, the offending IP address is stored
+in a list. Items from this list are regularly purged, but if
+the amount of times that a specific IP address is seen exceeds
+a threshold (default 3), an ipset(1) entry is inserted in the
+`tallow` or `tallow6` ipset, and further packets from that ip
+address will be blocked by an `iptables(1)` or `ip6tables(1)`
+rule that tallow creates at startup.
+
+The system administrator needs to assure that the tallow
+and tallow6 ipsets are left alone and that the inserted
+iptables rules are properly matching on packets.
+
+Care should be taken to assure that legitimate users are not
+blocked inadvertently. You may wish to list any valid IP address
+with the whitelist option in tallow.conf(5). Multiple addresses
+can be whitelisted.
+
+## OPTIONS
+
+The `tallow` daemon itself has no runtime configuration. All
+configuration is done through the tallow.conf(5) config file.
+
+## SEE ALSO
+
+systemd-journald(1), iptables(1), tallow.conf(5)
+
+## BUGS
+
+`tallow` is `NOT A SECURITY SOLUTION`, nor does it protect
+against random password logins. A attacker may still be able to
+logon to your systems if you allow password logins.
+
+## AUTHOR
+
+Auke Kok <auke-jan.h.kok@intel.com>

tallow.c

@@ -15,10 +15,12 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <signal.h>
 #include <unistd.h>
 #include <limits.h>
 #include <sys/time.h>
+#include <pcre.h>
 
 #include <systemd/sd-journal.h>
 
@@ -34,9 +36,11 @@ static struct tallow_struct *head;
 static struct tallow_struct *whitelist;
 
 #define FILTER_STRING "SYSLOG_IDENTIFIER=sshd"
+static char *pattern = "MESSAGE=Failed password for .* from ([0-9a-z:.]+) port \\d+ ssh2";
 
-static char iptables_path[PATH_MAX] = "/usr/sbin";
-static char chain[PATH_MAX] = "TALLOW";
+#define MAX_OFFSETS 30
+
+static char ipt_path[PATH_MAX];
 static int threshold = 3;
 static int expires = 3600;
 static int has_ipv6 = 0;
@@ -67,7 +71,41 @@ static void ext_ignore(char *fmt, ...)
 	vsnprintf(cmd, sizeof(cmd), fmt, args);
 	va_end(args);
 
-	(void) system(cmd);
+	__attribute__((unused)) int ret = system(cmd);
+}
+
+static void setup(void)
+{
+	static bool done = false;
+	if (done)
+		return;
+	done = true;
+
+	/* init ipset and iptables */
+	/* delete iptables ref to set before the ipset! */
+	ext_ignore("%s/iptables -t filter -D INPUT -m set --match-set tallow src -j DROP 2> /dev/null", ipt_path);
+	ext_ignore("%s/ipset destroy tallow 2> /dev/null", ipt_path);
+	if (ext("%s/ipset create tallow hash:ip family inet timeout %d", ipt_path, expires)) {
+		fprintf(stderr, "Unable to create ipv4 ipset.\n");
+		exit(EXIT_FAILURE);
+	}
+	if (ext("%s/iptables -t filter -A INPUT -m set --match-set tallow src -j DROP", ipt_path)) {
+		fprintf(stderr, "Unable to create iptables rule.\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (has_ipv6) {
+		ext_ignore("%s/ip6tables -t filter -D INPUT -m set --match-set tallow6 src -j DROP 2> /dev/null", ipt_path);
+		ext_ignore("%s/ipset destroy tallow6 2> /dev/null", ipt_path);
+		if (ext("%s/ipset create tallow6 hash:ip family inet6 timeout %d", ipt_path, expires)) {
+			fprintf(stderr, "Unable to create ipv6 ipset.\n");
+			exit(EXIT_FAILURE);
+		}
+		if (ext("%s/ip6tables -t filter -A INPUT -m set --match-set tallow6 src -j DROP", ipt_path)) {
+			fprintf(stderr, "Unable to create ipt6ables rule.\n");
+			exit(EXIT_FAILURE);
+		}
+	}
 }
 
 static void block(struct tallow_struct *s)
@@ -75,31 +113,18 @@ static void block(struct tallow_struct *s)
 	if (s->count != threshold)
 		return;
 
+	setup();
+
 	if (strchr(s->ip, ':')) {
 		if (has_ipv6)
-			(void) ext("%s/ip6tables -t filter -A %s -s %s -j DROP", iptables_path, chain, s->ip);
+			(void) ext("%s/ipset -A tallow6 %s", ipt_path, s->ip);
 	} else {
-		(void) ext("%s/iptables -t filter -A %s -s %s -j DROP", iptables_path, chain, s->ip);
+		(void) ext("%s/ipset -A tallow %s", ipt_path, s->ip);
 	}
 
 	fprintf(stderr, "Blocked %s\n", s->ip);
 }
 
-static void unblock(struct tallow_struct *s)
-{
-	if (s->count < threshold)
-		return;
-
-	if (strchr(s->ip, ':')) {
-		if (has_ipv6)
-			(void) ext("%s/ip6tables -t filter -D %s -s %s -j DROP", iptables_path, chain, s->ip);
-	} else {
-		(void) ext("%s/iptables -t filter -D %s -s %s -j DROP", iptables_path, chain, s->ip);
-	}
-
-	fprintf(stderr, "Unblocked %s\n", s->ip);
-}
-
 static void whitelist_add(char *ip)
 {
 	struct tallow_struct *w = whitelist;
@@ -111,7 +136,7 @@ static void whitelist_add(char *ip)
 	n = malloc(sizeof(struct tallow_struct));
 	if (!n) {
 		fprintf(stderr, "Out of memory.\n");
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
 	memset(n, 0, sizeof(struct tallow_struct));
 	n->ip = strdup(ip);
@@ -123,12 +148,15 @@ static void whitelist_add(char *ip)
 		w->next = n;
 }
 
-static void find(char *ip)
+static void find(const char *ip)
 {
 	struct tallow_struct *s = head;
 	struct tallow_struct *n;
 	struct tallow_struct *w = whitelist;
 
+	if (!ip)
+		return;
+
 	/*
 	 * not validating the IP address format here, just
 	 * making sure we're not passing special characters
@@ -164,7 +192,7 @@ static void find(char *ip)
 	n = malloc(sizeof(struct tallow_struct));
 	if (!n) {
 		fprintf(stderr, "Out of memory.\n");
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
 	memset(n, 0, sizeof(struct tallow_struct));
 
@@ -182,36 +210,21 @@ static void find(char *ip)
 	return;
 }
 
-static void dump(void)
+static void sig(int u __attribute__ ((unused)))
 {
+	fprintf(stderr, "Exiting on request.\n");
+	sd_journal_close(j);
+
 	struct tallow_struct *s = head;
-	fprintf(stderr, "Received SIGUSR1 - dumping address table: address: count, time\n");
-
 	while (s) {
-		fprintf(stderr, "%s: %d, %lu.%lu\n", s->ip, s->count, s->time.tv_sec, s->time.tv_usec);
+		struct tallow_struct *n = NULL;
+
+		free(s->ip);
+		n = s;
 		s = s->next;
+		free(n);
 	}
-}
-
-static void sig(int s)
-{
-	if (s == SIGUSR1) {
-		dump();
-	} else {
-		fprintf(stderr, "Exiting on request.\n");
-		sd_journal_close(j);
-
-		struct tallow_struct *s = head;
-		while (s) {
-			struct tallow_struct *n = NULL;
-
-			free(s->ip);
-			n = s;
-			s = s->next;
-			free(n);
-		}
-		exit(0);
-	}
+	exit(EXIT_SUCCESS);
 }
 
 static void prune(void)
@@ -226,14 +239,12 @@ static void prune(void)
 	while (s) {
 		if ((tv.tv_sec - s->time.tv_sec) > expires) {
 			if (p) {
-				unblock(s);
 				p->next = s->next;
 				free(s->ip);
 				free(s);
 				s = p->next;
 				continue;
 			} else {
-				unblock(s);
 				head = s->next;
 				free(s->ip);
 				free(s);
@@ -247,16 +258,17 @@ static void prune(void)
 	}
 }
 
-int main(int argc, char *argv[])
+int main(void)
 {
 	int r;
 	FILE *f;
 	struct sigaction s;
 	int timeout = 60;
 
+	strcpy(ipt_path, "/usr/sbin");
+
 	memset(&s, 0, sizeof(struct sigaction));
 	s.sa_handler = sig;
-	sigaction(SIGUSR1, &s, NULL);
 	sigaction(SIGHUP, &s, NULL);
 	sigaction(SIGTERM, &s, NULL);
 	sigaction(SIGINT, &s, NULL);
@@ -287,11 +299,8 @@ int main(int argc, char *argv[])
 				continue;
 
 			// todo: filter leading/trailing whitespace
-
-			if (!strcmp(key, "iptables_path"))
-				strncpy(iptables_path, val, PATH_MAX - 1);
-			if (!strcmp(key, "chain"))
-				strncpy(chain, val, PATH_MAX - 1);
+			if (!strcmp(key, "ipt_path"))
+				strncpy(ipt_path, val, PATH_MAX - 1);
 			if (!strcmp(key, "threshold"))
 				threshold = atoi(val);
 			if (!strcmp(key, "expires"))
@@ -313,23 +322,9 @@ int main(int argc, char *argv[])
 	r = sd_journal_open(&j, SD_JOURNAL_LOCAL_ONLY);
 	if (r < 0) {
 		fprintf(stderr, "Failed to open journal: %s\n", strerror(-r));
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
 
-	/* init ip(6)tables chains */
-	ext_ignore("%s/iptables -t filter -N %s > /dev/null 2>&1", iptables_path, chain);
-	if (ext("%s/iptables -t filter -F %s", iptables_path, chain)) {
-		fprintf(stderr, "Unable to create/flush iptables chain \"%s\".\n", chain);
-		exit(1);
-	}
-
-	if (has_ipv6) {
-		ext_ignore("%s/ip6tables -t filter -N %s > /dev/null 2>&1", iptables_path, chain);
-		if (ext("%s/ip6tables -t filter -F %s", iptables_path, chain)) {
-			fprintf(stderr, "Unable to create/flush ip6tables chain \"%s\".\n", chain);
-			exit(1);
-		}
-	}
 
 	/* ffwd journal */
 	sd_journal_add_match(j, FILTER_STRING, 0);
@@ -342,6 +337,11 @@ int main(int argc, char *argv[])
 
 	fprintf(stderr, "Started\n");
 
+	pcre *re = NULL;
+	int err;
+	const char *pcre_err;
+	re = pcre_compile(pattern, 0, &pcre_err, &err, NULL);
+
 	for (;;) {
 		const void *d;
 		size_t l;
@@ -353,9 +353,7 @@ int main(int argc, char *argv[])
 		}
 
 		while (sd_journal_next(j) != 0) {
-			char *t;
 			char *m;
-			int i;
 
 			if (sd_journal_get_data(j, "MESSAGE", &d, &l) < 0) {
 				fprintf(stderr, "Failed to read message field: %s\n", strerror(-r));
@@ -365,21 +363,19 @@ int main(int argc, char *argv[])
 			m = strndup(d, l+1);
 			m[l] = '\0';
 
-			if (strstr(m, "MESSAGE=Failed password for invalid user ")) {
-				t = strtok(m, " ");
-				for (i = 0; i < 7; i++)
-					t = strtok(NULL, " ");
-				find(t);
-			}
-
-			if (strstr(m, "MESSAGE=Failed password for root ")) {
-				t = strtok(m, " ");
-				for (i = 0; i < 5; i++)
-					t = strtok(NULL, " ");
-				find(t);
+			int off[MAX_OFFSETS];
+			int ret = pcre_exec(re, NULL, m, l, 0, 0, off, MAX_OFFSETS);
+			if (ret == 2) {
+				const char *s;
+				ret = pcre_get_substring(m, off, 2, 1, &s);
+				if (ret > 0) {
+					find(s);
+					pcre_free_substring(s);
+				}
 			}
 
 			free(m);
+
 		}
 
 		prune();
@@ -387,5 +383,5 @@ int main(int argc, char *argv[])
 
 	sd_journal_close(j);
 
-	exit(0);
+	exit(EXIT_SUCCESS);
 }

tallow.conf.5

@@ -1,47 +1,40 @@
-.TH tallow.conf 5 "31 October 2012" ".5" "The tallow configuration file"
-.SH NAME
-tallow.conf \- Tallow daemon configuration file
-.SH SYNOPSIS
-/etc/tallow.conf
-.SH DESCRIPTION
-This file is read on startup by the tallow(1) daemon, and can
-be used to provide options to the tallow daemon. If not present,
-tallow will operate with built-in defaults.
-.SH OPTIONS
-.TP
-\fBiptables_path\fR=\<string\>
-Specifies the location of the iptables(1) or ip6tables(1)  program.
-By default, tallow will look in "/usr/sbin" for them.
-.TP
-\fBchain\fR=\<string\>
-Specifies the iptables(1) chain name to use for maintaining the
-block list. By default, tallow maintains its iptables(1) rules
-in the \fBTALLOW\fR chain.
-.TP
-\fBexpires\fR=\<int\>
-The number of seconds that IP addresses are blocked for. Note that
-due to the implementation, IP addresses may be blocked for much
-longer than this period. If IP addresses are seen, but not
-blocked within this period, they are also removed from the
-watch list. Defaults to 3600s.
-.TP
-\fBthreshold\fR=\<int\>
-Specifies the number of times an IP address may appear before it
-is blocked. Defaults to 3.
-.TP
-\fBwhitelist\fR=\<ipv4 address\>
-Specify an IP address that should never be blocked. Multiple IP
-addresses can be included by repeating the \fBwhitelist\fR
-option several times. By default, only 127.0.0.1 is whitelisted.
-.TP
-\fBipv6\fR=\<0|1\>
-Enable of disable ipv6 (ip6tables) support. Ipv6 is disabled
-automatically on systems that do not appear to have ipv6 support
-and enabled when ipv6 is present. Use this option to explicitly
-disable ipv6 support if your system does not have ipv6 or is
-missing ip6tables. Even with ipv6 disabled, tallow will track
-and log ipv6 addresses.
-.SH SEE ALSO
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "TALLOW" "5" "May 2017" "" ""
+.
+.SH "NAME"
+\fBtallow\fR
+.
+.SH "tallow\.conf"
+The tallow configuration file
+.
+.SH "NAME"
+tallow\.conf \- Tallow daemon configuration file
+.
+.SH "SYNOPSIS"
+\fB/etc/tallow\.conf\fR
+.
+.SH "DESCRIPTION"
+This file is read on startup by the tallow(1) daemon, and can be used to provide options to the tallow daemon\. If not present, tallow will operate with built\-in defaults\.
+.
+.SH "OPTIONS"
+\fBipt_path\fR=\fB<string>\fR Specifies the location of the ipset(1), iptables(1) or ip6tables(1) program\. By default, tallow will look in "/usr/sbin" for them\.
+.
+.P
+\fBexpires\fR=\fB<int>\fR The number of seconds that IP addresses are blocked for\. Note that due to the implementation, IP addresses may be blocked for much longer than this period\. If IP addresses are seen, but not blocked within this period, they are also removed from the watch list\. Defaults to 3600s\.
+.
+.P
+\fBthreshold\fR=\fB<int>\fR Specifies the number of times an IP address may appear before it is blocked\. Defaults to 3\.
+.
+.P
+\fBwhitelist\fR=\fB<ipv4 address>\fR Specify an IP address that should never be blocked\. Multiple IP addresses can be included by repeating the \fBwhitelist\fR option several times\. By default, only 127\.0\.0\.1 is whitelisted\.
+.
+.P
+\fBipv6\fR=\fB<0|1>\fR Enable of disable ipv6 (ip6tables) support\. Ipv6 is disabled automatically on systems that do not appear to have ipv6 support and enabled when ipv6 is present\. Use this option to explicitly disable ipv6 support if your system does not have ipv6 or is missing ip6tables\. Even with ipv6 disabled, tallow will track and log ipv6 addresses\.
+.
+.SH "SEE ALSO"
 tallow(1), iptables(1)
-.SH AUTHOR
-Auke Kok <auke-jan.h.kok@intel.com>
+.
+.SH "AUTHOR"
+Auke Kok \fIauke\-jan\.h\.kok@intel\.com\fR

tallow.conf.5.md

@@ -0,0 +1,57 @@
+
+## tallow.conf
+
+The tallow configuration file
+
+## NAME
+
+tallow.conf - Tallow daemon configuration file
+
+## SYNOPSIS
+
+`/etc/tallow.conf`
+
+## DESCRIPTION
+
+This file is read on startup by the tallow(1) daemon, and can
+be used to provide options to the tallow daemon. If not present,
+tallow will operate with built-in defaults.
+
+## OPTIONS
+
+`ipt_path`=`<string>`
+Specifies the location of the ipset(1), iptables(1) or ip6tables(1)
+program. By default, tallow will look in "/usr/sbin" for them.
+
+`expires`=`<int>`
+The number of seconds that IP addresses are blocked for. Note that
+due to the implementation, IP addresses may be blocked for much
+longer than this period. If IP addresses are seen, but not
+blocked within this period, they are also removed from the
+watch list. Defaults to 3600s.
+
+`threshold`=`<int>`
+Specifies the number of times an IP address may appear before it
+is blocked. Defaults to 3.
+
+`whitelist`=`<ipv4 address>`
+Specify an IP address that should never be blocked. Multiple IP
+addresses can be included by repeating the `whitelist`
+option several times. By default, only 127.0.0.1 is whitelisted.
+
+`ipv6`=`<0|1>`
+Enable of disable ipv6 (ip6tables) support. Ipv6 is disabled
+automatically on systems that do not appear to have ipv6 support
+and enabled when ipv6 is present. Use this option to explicitly
+disable ipv6 support if your system does not have ipv6 or is
+missing ip6tables. Even with ipv6 disabled, tallow will track
+and log ipv6 addresses.
+
+## SEE ALSO
+
+tallow(1), iptables(1)
+
+## AUTHOR
+
+Auke Kok <auke-jan.h.kok@intel.com>
+