Blocky
Blocky is a simple HTTP server that blocks IPs that Graylog detects as malicious.
Warning
Blocky is a WIP and is not currently configurable without changes in the code.
It works on my Graylog setup, but may not work on yours.
Don't run it on your servers without understanding what it does, as it may create unwanted UFW rules that could result in an outage.
If you still want to try, don't forget the --dryrun flag.
Todo: configuration file with log/request format.
Requirements
- UFW
- Graylog with an HTTP custom notification configured like this:
Title: Blocky
Notification Type: http-notification-v2
Method: POST
Content Type: FORM_DATA
Body Template: message=${event.message},priority=${event.priority}
Usage
Usage of blocky:
  -clean
        Cleanup the banlist
  -dryrun
        Dry run mode
  -port string
        Port to listen on (default "8080")
  -sev1 int
        Severity 1 ban time in seconds (default 60)
  -sev2 int
        Severity 2 ban time in seconds (default 300)
  -sev3 int
        Severity 3 ban time in seconds (default 3600)
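As an added illustration (not the project's own code), this is how the notification body from the Requirements section can be parsed and turned into a per-severity ban. It assumes Graylog sends the template body unencoded, that the event message contains the offending IPv4 address somewhere in its text, and that event priorities 1 to 3 map to -sev1/-sev2/-sev3; the HTTP handler that executes the returned argv (or only logs it under -dryrun) and the -clean pass that walks the same map the other way are left out.

```go
package main

import (
	"errors"
	"net"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Ban time per Graylog event priority: the README's -sev1/-sev2/-sev3 defaults (priority 1..3 assumed).
var banSeconds = map[int]int{1: 60, 2: 300, 3: 3600}
var ipv4Re = regexp.MustCompile(`(?:\d{1,3}\.){3}\d{1,3}`)

// ParseBody reads the raw body rendered by "message=${event.message},priority=${event.priority}".
// Splitting on the last ",priority=" keeps commas in the message harmless; the offending IPv4
// address is assumed to appear somewhere in the message text.
func ParseBody(body string) (ip string, prio int, err error) {
	i := strings.LastIndex(body, ",priority=")
	if !strings.HasPrefix(body, "message=") || i < 0 {
		return "", 0, errors.New("body does not match message=...,priority=...")
	}
	prio, err = strconv.Atoi(strings.TrimSpace(body[i+len(",priority="):]))
	if ip = ipv4Re.FindString(body[len("message="):i]); err != nil || net.ParseIP(ip) == nil {
		return "", 0, errors.New("priority is not an integer or no valid IPv4 address in message")
	}
	return ip, prio, nil
}

// Banlist maps a banned IP to its expiry. Ban returns the ufw argv only for a new ban (a repeated
// event only extends the expiry, no duplicate rule); the caller runs it, or only logs it under -dryrun.
type Banlist map[string]time.Time

func (b Banlist) Ban(ip string, prio int, now time.Time) ([]string, bool) {
	secs, ok := banSeconds[prio]
	if !ok {
		return nil, false // unknown priority: never touch ufw
	}
	old, known := b[ip]
	if exp := now.Add(time.Duration(secs) * time.Second); !known || exp.After(old) {
		b[ip] = exp // new ban, or one that outlasts the recorded expiry
	}
	if known {
		return nil, false
	}
	return []string{"ufw", "insert", "1", "deny", "from", ip}, true
}
```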
Installation
wget https://git.rznet.fr/tchivert/blocky/releases/download/latest/blocky -O /usr/local/bin/blocky
wget https://git.rznet.fr/tchivert/blocky/raw/branch/main/systemd/blocky.service -O /etc/systemd/system/blocky.service
systemctl enable --now blocky
Cleanup cron
*/5 * * * * /usr/local/bin/blocky --clean >> /var/log/cron/blocky.log 2>&1
Build
go build -o blocky
License
This project is licensed under the MIT License. See the LICENSE file for more information.