+-------------------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-------------------------------------------------------------------------------

Access to log files
==============

You need to give the _reaction user access to the log files in one of the
following ways.

Adding _reaction to the wheel group
-------------------
# usermod -G wheel _reaction

Creating a new group
-------------------
# groupadd groupname
# usermod -G groupname admin
# usermod -G groupname _reaction
# chown :groupname /var/log/authlog

Allowing world readable access
-------------------
# chmod 644 /var/log/authlog

Each option has its own security considerations.

Choose which best fits your needs.

Access to pfctl
==============

Add the following to the bottom of your doas.conf(5) file:

    deny _reaction
    permit nopass keepenv _reaction as root cmd pfctl

This denies the _reaction user any of the earlier privileges and only
grants access to pfctl.

Reaction configuration
==============

You can find yml and jsonnet configuration examples at:
/usr/local/share/examples/reaction/

The example file, authlog.jsonnet, is configured to monitor /var/log/authlog
and block any repeated attempts at logon through pfctl(8).

Altering your pf.conf(5) configuration to add the following rules for
reaction to take effect:

    table <blocked_ssh> persist

    block return in quick log from <blocked_ssh>

