bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9d562c718895a6dd3f8dd7660fbed3074a76a869
deploy_home/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
Bastian de Byl 9d562c7188 feat: smart zomboid traffic filtering with packet-size detection 
Replace per-IP hashlimit with smarter filtering that distinguishes
legitimate players from scanner bots based on packet behavior:
- Players send varied packet sizes (53, 37, 1472 bytes)
- Scanners only send 53-byte query packets

New firewall rule chain:
- Priority 2: Mark + ACCEPT non-query packets (verifies player)
- Priority 3: ACCEPT queries from verified IPs (1 hour TTL)
- Priority 4: LOG rate-limited queries from unverified IPs
- Priority 5: DROP rate-limited queries (2 burst, then 1/hour)

Also includes:
- Fail2ban zomboid jail with tighter thresholds (5 retries/4h, 1w ban)
- Graylog streams for zomboid-connections, zomboid-ratelimit, fail2ban
- GeoIP pipeline enrichment for zomboid traffic
- Fluent-bit inputs for ratelimit logs and fail2ban events
- Remove Legendary Katana mod (Workshop 3418366499) - removed from Steam
- Bump Immich to v2.5.0
- Fix fulfillr config (nil → null)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 15:09:26 -05:00

150 lines
4.9 KiB
Django/Jinja
Raw Blame History

[SERVICE]
Flush 5
Daemon Off
Log_Level info
Parsers_File parsers.conf
# =============================================================================
# INPUT: Podman container logs
# =============================================================================
# Container logs come from conmon process with CONTAINER_NAME field
[INPUT]
Name systemd
Tag podman.*
Systemd_Filter _COMM=conmon
Read_From_Tail On
Strip_Underscores On
# =============================================================================
# INPUT: SSH logs for security monitoring
# =============================================================================
[INPUT]
Name systemd
Tag ssh.*
Systemd_Filter _SYSTEMD_UNIT=sshd.service
Read_From_Tail On
Strip_Underscores On
# =============================================================================
# INPUT: Kernel firewall logs for Zomboid connections
# =============================================================================
# Captures ZOMBOID_CONN firewall events with source IP for player correlation
[INPUT]
Name systemd
Tag firewall.zomboid
Systemd_Filter _TRANSPORT=kernel
Read_From_Tail On
Strip_Underscores On
# =============================================================================
# INPUT: Kernel firewall logs for Zomboid rate limiting
# =============================================================================
# Captures ZOMBOID_RATELIMIT firewall events for fail2ban monitoring
[INPUT]
Name systemd
Tag firewall.zomboid.ratelimit
Systemd_Filter _TRANSPORT=kernel
Read_From_Tail On
Strip_Underscores On
# =============================================================================
# INPUT: Fail2ban actions (ban/unban events)
# =============================================================================
[INPUT]
Name systemd
Tag fail2ban.*
Systemd_Filter _SYSTEMD_UNIT=fail2ban.service
Read_From_Tail On
Strip_Underscores On
# =============================================================================
# INPUT: Caddy access logs (JSON format)
# =============================================================================
{% for log_name in caddy_log_names %}
[INPUT]
Name tail
Tag caddy.{{ log_name }}
Path {{ caddy_log_path }}/{{ log_name }}.log
Parser caddy_json
Read_From_Head False
Refresh_Interval 5
DB /var/lib/fluent-bit/caddy_{{ log_name }}.db
{% endfor %}
# =============================================================================
# FILTERS: Add metadata for Graylog categorization
# =============================================================================
[FILTER]
Name record_modifier
Match podman.*
Record host {{ ansible_hostname }}
Record source podman
Record log_type container
[FILTER]
Name record_modifier
Match ssh.*
Record host {{ ansible_hostname }}
Record source sshd
Record log_type security
# Copy msg to MESSAGE for caddy logs (GELF requires MESSAGE)
[FILTER]
Name modify
Match caddy.*
Copy msg MESSAGE
[FILTER]
Name record_modifier
Match caddy.*
Record host {{ ansible_hostname }}
Record source caddy
Record log_type access
# Filter kernel logs to only keep ZOMBOID_CONN messages
[FILTER]
Name grep
Match firewall.zomboid
Regex MESSAGE ZOMBOID_CONN
[FILTER]
Name record_modifier
Match firewall.zomboid
Record host {{ ansible_hostname }}
Record source firewall
Record log_type zomboid_connection
# Filter kernel logs to only keep ZOMBOID_RATELIMIT messages
[FILTER]
Name grep
Match firewall.zomboid.ratelimit
Regex MESSAGE ZOMBOID_RATELIMIT
[FILTER]
Name record_modifier
Match firewall.zomboid.ratelimit
Record host {{ ansible_hostname }}
Record source firewall
Record log_type zomboid_ratelimit
# Fail2ban ban/unban events
[FILTER]
Name record_modifier
Match fail2ban.*
Record host {{ ansible_hostname }}
Record source fail2ban
Record log_type security
# =============================================================================
# OUTPUT: All logs to Graylog GELF UDP
# =============================================================================
# Graylog needs a GELF UDP input configured on port 12203
[OUTPUT]
Name gelf
Match *
Host 127.0.0.1
Port 12203
Mode udp
Gelf_Short_Message_Key MESSAGE
Gelf_Host_Key host
Reference in New Issue View Git Blame Copy Permalink