# nono : say "no no" to intruders
       
       Download nono.tgz:
 (BIN) nono.tgz
       
       This is a tool that parses logs and bans IPs that behave inappropriately.
       
       First, you need to set up pf and create a table of banned IPs:
       
       ```
       block in quick on egress from <bot> to any
       ```
       
       If you don't want to run nono as root (which is probably better), create a dedicated user:
       
       ```
       # useradd -s /sbin/nologin -m -d /var/empty _nono
       ```
       
       Then set up doas so that _nono doesn't need to enter its password:
       
       ```
       permit nopass _nono cmd /sbin/pfctl
       ```
       
       Once ready, you can pipe any logs to nono with ''tail -f'':
       
       ```
       tail -f /var/log/authlog /var/log/maillog | nono.awk
       ```
       
       An example ''nono.sh'' is included. It can be started at boot from ''/etc/rc.local'' or from root's crontab:
       
       ```
       # crontab -e
       @reboot /usr/local/bin/nono.sh
       ```
       
       ## Options
       
       Set options with flags ''-v var=something''. Available options are:
       
       * TRIES=5 : maximum number of attempts an IP can make.
       * BANCMD="doas -u _nono pfctl -T add -t bot" : command to ban an IP. Set to "echo" to just see what happens.
       * KILLSTATE="doas -u _nono pfctl -k " : command to kill all states for an IP.
       * IGNORE=/etc/nono.ignore : file containing ignored IPs, one per line.
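
       How TRIES, BANCMD and IGNORE interact, shown as a dry run over constructed sshd log lines. This is an example added here, not nono.awk itself: the log patterns, the ''sample_log'' and ''count_and_ban'' names and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added illustration, not nono.awk: the log patterns, function names and
# sample lines are assumptions made for this example.

# Constructed authlog-style lines (documentation address ranges only).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 10 10:00:02 host sshd[102]: Failed password for root from 192.0.2.10 port 4002 ssh2
Jan 10 10:00:03 host sshd[103]: Invalid user admin from 203.0.113.7 port 4003
Jan 10 10:00:04 host sshd[104]: Failed password for root from 192.0.2.10 port 4004 ssh2
Jan 10 10:00:05 host sshd[105]: Accepted publickey for alice from 198.51.100.5 port 4005 ssh2
Jan 10 10:00:06 host sshd[106]: Failed password for root from 203.0.113.7 port 4006 ssh2
Jan 10 10:00:07 host sshd[107]: Failed password for root from 192.0.2.10 port 4007 ssh2
Jan 10 10:00:08 host sshd[108]: Failed password for root from 203.0.113.7 port 4008 ssh2
Jan 10 10:00:09 host sshd[109]: Failed password for bob from 198.51.100.5 port 4009 ssh2
EOF
}

# count_and_ban TRIES IGNOREFILE [BANCMD]: read log lines on stdin and run
# BANCMD once for each IP that reaches TRIES failures. BANCMD defaults to
# "echo", the dry-run setting the options list mentions.
count_and_ban() {
    awk -v TRIES="$1" -v IGNORE="$2" -v BANCMD="${3:-echo}" '
    BEGIN {
        # Load ignored IPs, one per line; an empty or missing file is fine.
        if (IGNORE != "")
            while ((getline ip < IGNORE) > 0)
                if (ip != "") ignored[ip] = 1
    }
    /sshd\[[0-9]+\]: (Failed password|Invalid user) / {
        # The login name is remote-supplied text, so take the address after
        # the LAST "from" rather than the first.
        src = ""
        for (i = 1; i < NF; i++)
            if ($i == "from") src = $(i + 1)
        # Pass only a plain dotted quad to the shell command.
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if ((src in ignored) || (src in banned)) next
        if (++count[src] >= TRIES) {
            banned[src] = 1
            system(BANCMD " " src)
        }
    }'
}

# Dry run with TRIES=3 and no ignore file.
sample_log | count_and_ban 3 ""
```

       Keeping BANCMD at "echo" while tuning TRIES and the ignore file shows which addresses would be banned without touching pf.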
       
       ## Expire
       
       You may want to set up a cron task to release IPs after some time:
       
       ```
       pfctl -t bot -T expire "$(( 60 * 60 * 24 * $EXPIRE_DAYS ))"
       ```
       
       ## Trivia
       
       A previous attempt to build such a tool was named vilain:
 (HTM) https://framagit.org/prx/vilain
       
       Original idea by solene:
 (HTM) https://dataswamp.org/~solene/2023-06-22-opensmtpd-block-attempts.html
       