9d562c7188
Replace per-IP hashlimit with smarter filtering that distinguishes legitimate players from scanner bots based on packet behavior: - Players send varied packet sizes (53, 37, 1472 bytes) - Scanners only send 53-byte query packets New firewall rule chain: - Priority 2: Mark + ACCEPT non-query packets (verifies player) - Priority 3: ACCEPT queries from verified IPs (1 hour TTL) - Priority 4: LOG rate-limited queries from unverified IPs - Priority 5: DROP rate-limited queries (2 burst, then 1/hour) Also includes: - Fail2ban zomboid jail with tighter thresholds (5 retries/4h, 1w ban) - Graylog streams for zomboid-connections, zomboid-ratelimit, fail2ban - GeoIP pipeline enrichment for zomboid traffic - Fluent-bit inputs for ratelimit logs and fail2ban events - Remove Legendary Katana mod (Workshop 3418366499) - removed from Steam - Bump Immich to v2.5.0 - Fix fulfillr config (nil → null) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
25 lines
838 B
Django/Jinja
25 lines
838 B
Django/Jinja
[PARSER]
|
|
Name caddy_json
|
|
Format json
|
|
Time_Key ts
|
|
Time_Format %s.%L
|
|
|
|
# Generic JSON parser for nested message fields
|
|
[PARSER]
|
|
Name json
|
|
Format json
|
|
|
|
# Parse ZOMBOID_CONN firewall logs to extract source IP
|
|
# Example: ZOMBOID_CONN: IN=enp0s31f6 OUT= MAC=... SRC=45.5.113.90 DST=192.168.1.10 ...
|
|
[PARSER]
|
|
Name zomboid_firewall
|
|
Format regex
|
|
Regex ZOMBOID_CONN:.*SRC=(?<src_ip>[0-9.]+).*DST=(?<dst_ip>[0-9.]+).*DPT=(?<dst_port>[0-9]+)
|
|
|
|
# Parse ZOMBOID_RATELIMIT firewall logs to extract source IP
|
|
# Example: ZOMBOID_RATELIMIT: IN=enp0s31f6 OUT= MAC=... SRC=45.5.113.90 DST=192.168.1.10 ...
|
|
[PARSER]
|
|
Name zomboid_ratelimit
|
|
Format regex
|
|
Regex ZOMBOID_RATELIMIT:.*SRC=(?<src_ip>[0-9.]+).*DST=(?<dst_ip>[0-9.]+).*DPT=(?<dst_port>[0-9]+)
|