d3m0k1d/BanForge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 14 Wiki Activity

feat: new cli command and new logic for rules on dir
All checks were successful
build / build (push) Successful in 2m25s
Details

Browse Source
This commit is contained in:
d3m0k1d
2026-02-23 17:02:39 +03:00
parent d534fc79d7
commit 6897ea8753
3 changed files with 363 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
cmd/banforge/command/rule.go
View File

@@ -3,19 +3,22 @@ package command
import (
"fmt"
"os"
"path/filepath"
"github.com/d3m0k1d/BanForge/internal/config"
"github.com/jedib0t/go-pretty/v6/table"
"github.com/spf13/cobra"
)
var (
name string
service string
path string
status string
method string
ttl string
max_retry int
name string
service string
path string
status string
method string
ttl string
maxRetry int
editName string
)
var RuleCmd = &cobra.Command{
@@ -25,24 +28,25 @@ var RuleCmd = &cobra.Command{
var AddCmd = &cobra.Command{
Use: "add",
Short: "CLI interface for add new rule to file /etc/banforge/rules.toml",
Short: "Add a new rule to /etc/banforge/rules.d/",
Long: "Creates a new rule file in /etc/banforge/rules.d/<name>.toml",
Run: func(cmd *cobra.Command, args []string) {
if name == "" {
fmt.Printf("Rule name can't be empty\n")
fmt.Println("Rule name can't be empty (use -n flag)")
os.Exit(1)
}
if service == "" {
fmt.Printf("Service name can't be empty\n")
fmt.Println("Service name can't be empty (use -s flag)")
os.Exit(1)
}
if path == "" && status == "" && method == "" {
fmt.Printf("At least 1 rule field must be filled in.")
fmt.Println("At least one rule field must be filled: path, status, or method")
os.Exit(1)
}
if ttl == "" {
ttl = "1y"
}
err := config.NewRule(name, service, path, status, method, ttl, max_retry)
err := config.NewRule(name, service, path, status, method, ttl, maxRetry)
if err != nil {
fmt.Println(err)
os.Exit(1)
@@ -51,37 +55,103 @@ var AddCmd = &cobra.Command{
},
}
var ListCmd = &cobra.Command{
Use: "list",
Short: "List rules",
var EditCmd = &cobra.Command{
Use: "edit",
Short: "Edit an existing rule",
Long: "Edit rule fields by name. Only specified fields will be updated.",
Run: func(cmd *cobra.Command, args []string) {
r, err := config.LoadRuleConfig()
if editName == "" {
fmt.Println("Rule name is required (use -n flag)")
os.Exit(1)
}
if service == "" && path == "" && status == "" && method == "" {
fmt.Println("At least one field must be specified to edit: -s, -p, -c, or -m")
os.Exit(1)
}
err := config.EditRule(editName, service, path, status, method)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
for _, rule := range r {
fmt.Printf(
"Name: %s\nService: %s\nPath: %s\nStatus: %s\n MaxRetry: %d\nMethod: %s\n\n",
fmt.Println("Rule updated successfully!")
},
}
var RemoveCmd = &cobra.Command{
Use: "remove <name>",
Short: "Remove a rule by name",
Args: cobra.ExactArgs(1),
Run: func(cmd *cobra.Command, args []string) {
ruleName := args[0]
fileName := config.SanitizeRuleFilename(ruleName) + ".toml"
filePath := filepath.Join("/etc/banforge/rules.d", fileName)
if _, err := os.Stat(filePath); os.IsNotExist(err) {
fmt.Printf("Rule '%s' not found\n", ruleName)
os.Exit(1)
}
if err := os.Remove(filePath); err != nil {
fmt.Printf("Failed to remove rule: %v\n", err)
os.Exit(1)
}
fmt.Printf("Rule '%s' removed successfully\n", ruleName)
},
}
var ListCmd = &cobra.Command{
Use: "list",
Short: "List all rules",
Run: func(cmd *cobra.Command, args []string) {
rules, err := config.LoadRuleConfig()
if err != nil {
fmt.Println(err)
os.Exit(1)
}
if len(rules) == 0 {
fmt.Println("No rules found")
return
}
t := table.NewWriter()
t.SetOutputMirror(os.Stdout)
t.AppendHeader(table.Row{
"Name", "Service", "Path", "Status", "Method", "MaxRetry", "BanTime",
})
for _, rule := range rules {
t.AppendRow(table.Row{
rule.Name,
rule.ServiceName,
rule.Path,
rule.Status,
rule.MaxRetry,
rule.Method,
)
rule.MaxRetry,
rule.BanTime,
})
}
t.Render()
},
}
func RuleRegister() {
RuleCmd.AddCommand(AddCmd)
RuleCmd.AddCommand(EditCmd)
RuleCmd.AddCommand(RemoveCmd)
RuleCmd.AddCommand(ListCmd)
AddCmd.Flags().StringVarP(&name, "name", "n", "", "rule name (required)")
AddCmd.Flags().StringVarP(&service, "service", "s", "", "service name")
AddCmd.Flags().StringVarP(&service, "service", "s", "", "service name (required)")
AddCmd.Flags().StringVarP(&path, "path", "p", "", "request path")
AddCmd.Flags().StringVarP(&status, "status", "c", "", "status code")
AddCmd.Flags().StringVarP(&method, "method", "m", "", "method")
AddCmd.Flags().StringVarP(&ttl, "ttl", "t", "", "ban time")
AddCmd.Flags().IntVarP(&max_retry, "max_retry", "r", 0, "max retry")
AddCmd.Flags().StringVarP(&method, "method", "m", "", "HTTP method")
AddCmd.Flags().StringVarP(&ttl, "ttl", "t", "", "ban time (e.g., 1h, 1d, 1y)")
AddCmd.Flags().IntVarP(&maxRetry, "max_retry", "r", 0, "max retry before ban")
EditCmd.Flags().StringVarP(&editName, "name", "n", "", "rule name to edit (required)")
EditCmd.Flags().StringVarP(&service, "service", "s", "", "new service name")
EditCmd.Flags().StringVarP(&path, "path", "p", "", "new path")
EditCmd.Flags().StringVarP(&status, "status", "c", "", "new status code")
EditCmd.Flags().StringVarP(&method, "method", "m", "", "new HTTP method")
}

204
docs/cli.md
View File

@@ -1,16 +1,24 @@
# CLI commands BanForge
BanForge provides a command-line interface (CLI) to manage IP blocking,
BanForge provides a command-line interface (CLI) to manage IP blocking,
configure detection rules, and control the daemon process.
## Commands
### init - create a deps file
### init - Create configuration files
```shell
banforge init
```
**Description**
This command creates the necessary directories and base configuration files
required for the daemon to operate.
**Description**
This command creates the necessary directories and base configuration files
required for the daemon to operate:
- `/etc/banforge/config.toml` — main configuration
- `/etc/banforge/rules.toml` — default rules file
- `/etc/banforge/rules.d/` — directory for individual rule files
---
### version - Display BanForge version
@@ -18,67 +26,201 @@ required for the daemon to operate.
banforge version
```
**Description**
**Description**
This command displays the current version of the BanForge software.
---
### daemon - Starts the BanForge daemon process
```shell
banforge daemon
```
**Description**
This command starts the BanForge daemon process in the background.
The daemon continuously monitors incoming requests, detects anomalies,
**Description**
This command starts the BanForge daemon process in the background.
The daemon continuously monitors incoming requests, detects anomalies,
and applies firewall rules in real-time.
---
### firewall - Manages firewall rules
```shell
banforge ban <ip>
banforge unban <ip>
```
**Description**
**Description**
These commands provide an abstraction over your firewall. If you want to simplify the interface to your firewall, you can use these commands.
Flag -t or -ttl add bantime if not used default ban 1 year
| Flag | Description |
| ----------- | ------------------------------ |
| `-t`, `-ttl` | Ban duration (default: 1 year) |
### ports - Open and Close ports on firewall
**Examples:**
```bash
# Ban IP for 1 hour
banforge ban 192.168.1.100 -t 1h
# Unban IP
banforge unban 192.168.1.100
```
---
### ports - Open and close ports on firewall
```shell
banforge open -port <port> -protocol <protocol>
banforge close -port <port> -protocol <protocol>
```
**Description**
**Description**
These commands provide an abstraction over your firewall. If you want to simplify the interface to your firewall, you can use these commands.
### list - Lists the IP addresses that are currently blocked
| Flag | Required | Description |
| ------------- | -------- | ------------------------ |
| `-port` | + | Port number (e.g., 80) |
| `-protocol` | + | Protocol (tcp/udp) |
**Examples:**
```bash
# Open port 80 for TCP
banforge open -port 80 -protocol tcp
# Close port 443
banforge close -port 443 -protocol tcp
```
---
### list - List blocked IP addresses
```shell
banforge list
```
**Description**
This command output table of IP addresses that are currently blocked
**Description**
This command outputs a table of IP addresses that are currently blocked.
### rule - Manages detection rules
---
### rule - Manage detection rules
Rules are stored in `/etc/banforge/rules.d/` as individual `.toml` files.
#### Add a new rule
```shell
banforge rule add -n rule.name -c 403
banforge rule list
banforge rule add -n <name> -s <service> [options]
```
**Description**
These command help you to create and manage detection rules in CLI interface.
**Flags:**
| Flag | Required |
| ----------- | -------- |
| -n -name | + |
| -s -service | + |
| -p -path | - |
| -m -method | - |
| -c -status | - |
| -t -ttl | -(if not used default ban 1 year) |
| -r -max_retry | - |
| Flag | Required | Description |
| ------------------- | -------- | ---------------------------------------- |
| `-n`, `--name` | + | Rule name (used as filename) |
| `-s`, `--service` | + | Service name (nginx, apache, ssh, etc.) |
| `-p`, `--path` | - | Request path to match |
| `-m`, `--method` | - | HTTP method (GET, POST, etc.) |
| `-c`, `--status` | - | HTTP status code (403, 404, etc.) |
| `-t`, `--ttl` | - | Ban duration (default: 1y) |
| `-r`, `--max_retry` | - | Max retries before ban (default: 0) |
You must specify at least 1 of the optional flags to create a rule.
**Note:** At least one of `-p`, `-m`, or `-c` must be specified.
**Examples:**
```bash
# Ban on 403 status
banforge rule add -n "Forbidden" -s nginx -c 403 -t 30m
# Ban on path pattern
banforge rule add -n "Admin Access" -s nginx -p "/admin/*" -t 2h -r 3
# SSH brute force protection
banforge rule add -n "SSH Bruteforce" -s ssh -c "Failed" -t 1h -r 5
```
---
#### List all rules
```shell
banforge rule list
```
**Description**
Displays all configured rules in a table format.
**Example output:**
```
+------------------+---------+--------+--------+--------+----------+---------+
| NAME | SERVICE | PATH | STATUS | METHOD | MAXRETRY | BANTIME |
+------------------+---------+--------+--------+--------+----------+---------+
| SSH Bruteforce | ssh | | Failed | | 5 | 1h |
| Nginx 404 | nginx | | 404 | | 3 | 30m |
| Admin Panel | nginx | /admin | | | 2 | 2h |
+------------------+---------+--------+--------+--------+----------+---------+
```
---
#### Edit an existing rule
```shell
banforge rule edit -n <name> [options]
```
**Description**
Edit fields of an existing rule. Only specified fields will be updated.
| Flag | Required | Description |
| ------------------- | -------- | ------------------------------- |
| `-n`, `--name` | + | Rule name to edit |
| `-s`, `--service` | - | New service name |
| `-p`, `--path` | - | New path |
| `-m`, `--method` | - | New method |
| `-c`, `--status` | - | New status code |
**Examples:**
```bash
# Update ban time for existing rule
banforge rule edit -n "SSH Bruteforce" -t 2h
# Change status code
banforge rule edit -n "Forbidden" -c 403
```
---
#### Remove a rule
```shell
banforge rule remove <name>
```
**Description**
Permanently delete a rule by name.
**Example:**
```bash
banforge rule remove "Old Rule"
```
---
## Ban time format
Use the following suffixes for ban duration:
| Suffix | Duration |
| ------ | -------- |
| `s` | Seconds |
| `m` | Minutes |
| `h` | Hours |
| `d` | Days |
| `M` | Months (30 days) |
| `y` | Years (365 days) |
**Examples:** `30s`, `5m`, `2h`, `1d`, `1M`, `1y`

156
internal/config/appconf.go
View File

@@ -1,15 +1,14 @@
package config
import (
"errors"
"fmt"
"os"
"path/filepath"
"strconv"
"strings"
"time"
"github.com/BurntSushi/toml"
"github.com/d3m0k1d/BanForge/internal/logger"
"github.com/d3m0k1d/BanForge/internal/metrics"
)
@@ -30,116 +29,151 @@ func LoadMetricsConfig() (*Metrics, error) {
}
func LoadRuleConfig() ([]Rule, error) {
log := logger.New(false)
const rulesDir = "/etc/banforge/rules.d"
var cfg Rules
_, err := toml.DecodeFile("/etc/banforge/rules.toml", &cfg)
files, err := os.ReadDir(rulesDir)
if err != nil {
log.Error(fmt.Sprintf("failed to decode config: %v", err))
return nil, err
return nil, fmt.Errorf("failed to read rules directory: %w", err)
}
for _, file := range files {
if file.IsDir() || !strings.HasSuffix(file.Name(), ".toml") {
continue
}
filePath := filepath.Join(rulesDir, file.Name())
var fileCfg Rules
if _, err := toml.DecodeFile(filePath, &fileCfg); err != nil {
return nil, fmt.Errorf("failed to parse rule file %s: %w", filePath, err)
}
cfg.Rules = append(cfg.Rules, fileCfg.Rules...)
}
log.Info(fmt.Sprintf("loaded %d rules", len(cfg.Rules)))
return cfg.Rules, nil
}
func NewRule(
Name string,
ServiceName string,
Path string,
Status string,
Method string,
name string,
serviceName string,
path string,
status string,
method string,
ttl string,
max_retry int,
maxRetry int,
) error {
r, err := LoadRuleConfig()
if err != nil {
r = []Rule{}
if name == "" {
return fmt.Errorf("rule name can't be empty")
}
if Name == "" {
fmt.Printf("Rule name can't be empty\n")
return nil
rule := Rule{
Name: name,
ServiceName: serviceName,
Path: path,
Status: status,
Method: method,
BanTime: ttl,
MaxRetry: maxRetry,
}
r = append(
r,
Rule{
Name: Name,
ServiceName: ServiceName,
Path: Path,
Status: Status,
Method: Method,
BanTime: ttl,
MaxRetry: max_retry,
},
)
file, err := os.Create("/etc/banforge/rules.toml")
filePath := filepath.Join("/etc/banforge/rules.d", SanitizeRuleFilename(name)+".toml")
if _, err := os.Stat(filePath); err == nil {
return fmt.Errorf("rule with name '%s' already exists", name)
}
cfg := Rules{Rules: []Rule{rule}}
// #nosec G304 - validate by sanitizeRuleFilename
file, err := os.Create(filePath)
if err != nil {
return err
return fmt.Errorf("failed to create rule file: %w", err)
}
defer func() {
err = errors.Join(err, file.Close())
if closeErr := file.Close(); closeErr != nil {
fmt.Printf("warning: failed to close rule file: %v\n", closeErr)
}
}()
cfg := Rules{Rules: r}
err = toml.NewEncoder(file).Encode(cfg)
if err != nil {
return err
if err := toml.NewEncoder(file).Encode(cfg); err != nil {
return fmt.Errorf("failed to encode rule: %w", err)
}
return nil
}
func EditRule(Name string, ServiceName string, Path string, Status string, Method string) error {
if Name == "" {
return fmt.Errorf("Rule name can't be empty")
func EditRule(name string, serviceName string, path string, status string, method string) error {
if name == "" {
return fmt.Errorf("rule name can't be empty")
}
r, err := LoadRuleConfig()
rules, err := LoadRuleConfig()
if err != nil {
return fmt.Errorf("rules is empty, please use 'banforge add rule' or create rules.toml")
return fmt.Errorf("failed to load rules: %w", err)
}
found := false
for i, rule := range r {
if rule.Name == Name {
var updatedRule *Rule
for i, rule := range rules {
if rule.Name == name {
found = true
updatedRule = &rules[i]
if ServiceName != "" {
r[i].ServiceName = ServiceName
if serviceName != "" {
updatedRule.ServiceName = serviceName
}
if Path != "" {
r[i].Path = Path
if path != "" {
updatedRule.Path = path
}
if Status != "" {
r[i].Status = Status
if status != "" {
updatedRule.Status = status
}
if Method != "" {
r[i].Method = Method
if method != "" {
updatedRule.Method = method
}
break
}
}
if !found {
return fmt.Errorf("rule '%s' not found", Name)
return fmt.Errorf("rule '%s' not found", name)
}
file, err := os.Create("/etc/banforge/rules.toml")
filePath := filepath.Join("/etc/banforge/rules.d", SanitizeRuleFilename(name)+".toml")
cfg := Rules{Rules: []Rule{*updatedRule}}
// #nosec G304 - validate by sanitizeRuleFilename
file, err := os.Create(filePath)
if err != nil {
return err
return fmt.Errorf("failed to update rule file: %w", err)
}
defer func() {
err = file.Close()
if err != nil {
fmt.Println(err)
if closeErr := file.Close(); closeErr != nil {
fmt.Printf("warning: failed to close rule file: %v\n", closeErr)
}
}()
cfg := Rules{Rules: r}
if err := toml.NewEncoder(file).Encode(cfg); err != nil {
return fmt.Errorf("failed to encode config: %w", err)
return fmt.Errorf("failed to encode updated rule: %w", err)
}
return nil
}
func SanitizeRuleFilename(name string) string {
result := strings.Map(func(r rune) rune {
if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
(r >= '0' && r <= '9') || r == '-' || r == '_' {
return r
}
return '_'
}, name)
return strings.ToLower(result)
}
func ParseDurationWithYears(s string) (time.Duration, error) {
if ss, ok := strings.CutSuffix(s, "y"); ok {
years, err := strconv.Atoi(ss)