Add an AutoBL action with helper AutoBLL

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-07-17 10:19:18 -07:00
parent 04c2a88d74
commit 7aa33c140d
6 changed files with 185 additions and 1 deletions


@ -49,6 +49,7 @@ our @EXPORT = qw(
assert assert
currentlineinfo currentlineinfo
clear_currentfilename clear_currentfilename
validate_level
progress_message progress_message
progress_message_nocompress progress_message_nocompress
@ -128,7 +129,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
pop_action_params pop_action_params
default_action_params default_action_params
read_a_line read_a_line
validate_level
which which
qt qt
ensure_config_path ensure_config_path
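Review bot: Moving `validate_level` from the `:internal` tag into the default `@EXPORT` list widens the module's default interface so the inline perl in action.AutoBL can call it; any module that imported it with an explicit `qw(:internal)` list, if one exists, would stop receiving it, because an explicit import list suppresses `@EXPORT`. Keeping the name in both lists, or checking importers of the tag before merging, would avoid that. The enclosing `@EXPORT` and `%EXPORT_TAGS` lists start and end outside the hunks.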

Shorewall/action.AutoBL Normal file

@ -0,0 +1,59 @@
#
# Shorewall version 4 - Auto Blacklist Action
#
# Parameters are:
#
# Event - Name of the event to associate with this blacklist
# Interval
# Count - Interval and number of Packets to trigger blacklisting
# Default is 60 seconds and 5 packets.
# Successive - If a matching packet arrives within this many
# seconds of the preceding one, it should be logged
# and dealt with according to the Disposition and
# Log Level parameters below. Default is 2 seconds.
# Blacklist time - Number of seconds to blacklist
# Default is 300 (5 minutes)
# Disposition - Disposition of blacklisted packets
# Default is DROP
# Log Level - Level to Log Rejects
# Default is info (6)
#
?format 2
DEFAULTS -,60,5,2,300,DROP,info
?begin perl
my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
fatal_error "The event name parameter to AutoBL is required" unless supplied $event;
fatal_error "Invalid interval ($interval) passed to AutoBL" unless $interval =~ /^\d+$/ && $interval;
fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $successive =~ /^\d+$/;
fatal_error "Invalid packet count ($count) passed to AutoBL" unless $count =~ /^\d+$/ && $count;
fatal_error "Invalid blacklist time ($bltime) passed to AutoBL" unless $bltime =~ /^\d+$/ && $bltime;
validate_level( $level );
?end perl
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Silently reject the client if blacklisted
#
IfEvent(${1}_BL,$6,$5,1,src,check:reap)
#
# Blacklist if M attempts in the last N seconds
#
IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
#
# Log and reject if the client has tried to connect
# in the last N seconds
#
?if $4
IfEvent($1,$6:$7,$4,1,-,update,Added)
?endif
#
# Un-blacklist the client
#
ResetEvent(${1}_BL,LOG:$7,-,Removed)
#
# Set the event and accept the connection
#
SetEvent($1,ACCEPT,src)
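Review bot: The error message on the successive-interval check interpolates `$succesive` (one s), a variable the block never declares; the name declared on the first line of the perl block is `$successive`, so the message prints an empty value (or fails outright if the embedded block runs under strict) instead of the rejected argument. Change it to `fatal_error "Invalid successive interval ($successive) passed to AutoBL" unless $successive =~ /^\d+$/;`. The worked example in the docbook section of this commit, `AutoBL(SSH,-,-,-,REJECT,warn)`, also appears to pass six arguments to a seven-parameter action, which would put REJECT in the blacklist-time slot and trip the `Invalid blacklist time` check; `AutoBL(SSH,-,-,-,-,REJECT,warn)` lines up with the DEFAULTS line. The disposition parameter is not validated in the perl block at all; presumably the rule compiler rejects an unknown target when `IfEvent` and `SetEvent` expand it, but that is worth confirming rather than relying on.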

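--- a/Shorewall/action.AutoBLL
+++ b/Shorewall/action.AutoBLL
@@ -0,0 +1,20 @@
+#
+# Shorewall version 4 - Auto Blacklisting Logger Action
+#
+# Arguments are
+#
+# Event: Name of the blacklisted event
+# Disposition: What to do with packets
+# Level: Log level and optional tag for logging.
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Log the Reject
+#
+?if "$3" ne 'none'
+LOG:$3
+?endif
+#
+# And set the AutoBL Event for the SOURCE IP address
+#
+SetEvent(${1}_BL,$2,src)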
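Review bot: The header comment does not say that the Level argument may be given as `none` to suppress the LOG rule, which is the only reason the `?if "$3" ne 'none'` guard exists; suggest extending that line to `# Level: Log level and optional tag for logging; 'none' suppresses logging.` It would also help to state in the header that this action is a helper invoked from action.AutoBL with its event, disposition and log-level parameters, since nothing in the file itself says so.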


@ -28,6 +28,8 @@
A_Drop # Audited Default Action for DROP policy A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default action for REJECT policy A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Multicast/Anycast Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
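Review bot: The comment on the new AutoBL line misspells "thresholds" as `thesholds`; the same line is added in the IPv6 actions.std in this commit. Suggested: `AutoBL noinline # Auto-blacklist IPs that exceed thresholds`.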


@ -20,6 +20,8 @@ A_Reject # Audited Default Action for REJECT policy
A_AllowICMPs # Audited Accept needed ICMP6 types A_AllowICMPs # Audited Accept needed ICMP6 types
AllowICMPs # Accept needed ICMP6 types AllowICMPs # Accept needed ICMP6 types
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Multicast/Anycast Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state


@ -551,6 +551,107 @@ SSHLIMIT net $FW tcp 22
</caution> </caution>
</section> </section>
<section>
<title>Generalized Automatic Blacklisting</title>
<para>The above two actions are generalized in the AutoBL and AutoBLL
actions released in Shorewall 4.5.19. Only AutoBL is invoked directly
from your rules file; AutoBL invoked AutoBLL internally.</para>
<section>
<title>AutoBL</title>
<para><emphasis role="bold">AutoBL</emphasis>(
<replaceable>event</replaceable>, [
<replaceable>Interval</replaceable> ], [
<replaceable>hitcount</replaceable> ], [
<replaceable>successive</replaceable> ], [
<replaceable>blacklist-time</replaceable> ], [
<replaceable>disposition </replaceable>], [
<replaceable>log_level</replaceable> ] )</para>
<variablelist>
<varlistentry>
<term>event</term>
<listitem>
<para>Name of the event. The blacklisting event itself will be
<replaceable>event</replaceable>_BL (analogous to SSH_COUNTER
above).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>interval</term>
<listitem>
<para>Interval, in seconds, over which hits are to be counted.
Default is 60 seconds.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>hitcount</term>
<listitem>
<para>Number of matching packets that will trigger automatic
blacklisting when they arrive in
<replaceable>interval</replaceable> seconds. Default is
5.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>successive</term>
<listitem>
<para>If a matching packet arrives within this many seconds of
the preceding one, it should be logged according to
<replaceable>log_level</replaceable> and handled according to
the <replaceable>disposition</replaceable>. If successive
packets are not to be considered, enter 0. Default is 2
seconds.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>blacklist-time</term>
<listitem>
<para>Time, in seconds, that the source IP address is to be
blacklisted. Default is 300 (5 minutes).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>disposition</term>
<listitem>
<para>The disposition of blacklisted packets. Default is
DROP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>log_level</term>
<listitem>
<para>Log level at which packets are to be logged. Default is
info.</para>
</listitem>
</varlistentry>
</variablelist>
<para>To duplicate the SSHLIMIT entry in
<filename>/etc/shorewall/rules</filename> shown above:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
AutoBL(SSH,-,-,-,REJECT,warn)\
net $FW tcp 22 </programlisting>
</section>
</section>
<section> <section>
<title>Port Knocking</title> <title>Port Knocking</title>