-
Notifications
You must be signed in to change notification settings - Fork 0
/
banjax-config.yaml
127 lines (127 loc) · 3.73 KB
/
banjax-config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
config_version: 2021-03-22_00:00:00
global_decision_lists:
allow:
- 20.20.20.20
iptables_block:
- 30.40.50.60
nginx_block:
- 70.80.90.100
challenge:
- 8.8.8.8
# These two should be the same,
# if not, it will still work but API to query banned IP will be inconsistent
expiring_decision_ttl_seconds: 300
iptables_ban_seconds: 300
iptables_unbanner_seconds: 5
kafka_brokers:
- localhost:9094
kafka_security_protocol: 'ssl'
kafka_ssl_ca: "/etc/banjax/caroot.pem"
kafka_ssl_cert: "/etc/banjax/certificate.pem"
kafka_ssl_key: "/etc/banjax/key.pem"
kafka_ssl_key_password: password
kafka_report_topic: 'banjax_report_topic'
kafka_command_topic: 'banjax_command_topic'
password_protected_paths:
"localhost:8081":
- wp-admin
"localhost":
- wp-admin
"sub.localhost":
- wp-admin
password_protected_path_exceptions:
"localhost:8081":
- wp-admin/admin-ajax.php
"localhost":
- wp-admin/admin-ajax.php
# python3 -c "import hashlib; print(hashlib.sha256('password'.encode()).hexdigest())"
password_hashes:
# hash: password
"localhost:8081": 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
"localhost": 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
"sub.localhost": 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
password_hash_roaming:
sub.example.com: example.com
password_persite_cookie_ttl_seconds:
example.com: 3600
per_site_decision_lists:
example.com:
allow:
- 90.90.90.90
challenge:
- 91.91.91.91
per_site_regexes_with_rates: {}
regexes_with_rates:
- decision: nginx_block
hits_per_interval: 800
interval: 30
regex: .*
rule: "All sites/methods: 800 req/30 sec"
hosts_to_skip:
example.com: true
foo.bar: true
- decision: challenge
hits_per_interval: 45
interval: 60
regex: "^POST .*"
rule: "All sites/POST: 45 req/60 sec"
- decision: iptables_block
hits_per_interval: 22
interval: 10
regex: "^GET .*"
rule: "All sites/GET on root: 22 req/10 sec"
- decision: allow
hits_per_interval: 0
interval: 1
regex: .*allowme.*
rule: "unblock backdoor"
- decision: challenge
hits_per_interval: 0
interval: 1
regex: .*challengeme.*
rule: "instant challenge"
- decision: iptables_block
hits_per_interval: 0
interval: 1
regex: ".*banme.*"
rule: "instant ban"
per_site_regexes_with_rates:
localhost:
- decision: nginx_block
hits_per_interval: 0
interval: 1
regex: .*blockme.*
rule: "instant block"
sitewide_sha_inv_list:
example.com: block
foobar.com: no_block
sub.localhost: no_block
www.localhost: no_block
server_log_file: /var/log/banjax/banjax-format.log
banning_log_file: /etc/banjax/ban_ip_list.log
too_many_failed_challenges_interval_seconds: 10
too_many_failed_challenges_threshold: 3
password_cookie_ttl_seconds: 345600 # Dynamic apply to internal/password-protected-path.html:170
sha_inv_cookie_ttl_seconds: 28800 # Dynamic apply to internal/sha-inverse-challenge.html:92
hmac_secret: secret
gin_log_file: /var/log/banjax/gin.log
metrics_log_file: /var/log/banjax/metrics.log
debug: true
disable_kafka: true
# sha_inv_challenge_html: /etc/banjax/sha-inverse-challenge.html
# password_protected_path_html: /etc/banjax/password-protected-path.html
disable_logging:
"localhost:8081": true
localhost: true
banning_log_file_temp: /etc/banjax/ban_ip_list_temp.log
session_cookie_hmac_secret: some_secret
session_cookie_ttl_seconds: 3600
sites_to_disable_baskerville:
sub.localhost: false
use_user_agent_in_cookie:
localhost: true
# difficulty of sha-inv page, setting above 10 might cause solving to fail
sha_inv_expected_zero_bits: 10
session_cookie_not_verify: true
block_ip_ttl_seconds: 10
block_session_ttl_seconds: 10