Add an AutoBL action with helper AutoBLL
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
04c2a88d74
commit
7aa33c140d
@ -49,6 +49,7 @@ our @EXPORT = qw(
|
||||
assert
|
||||
currentlineinfo
|
||||
clear_currentfilename
|
||||
validate_level
|
||||
|
||||
progress_message
|
||||
progress_message_nocompress
|
||||
@ -128,7 +129,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
pop_action_params
|
||||
default_action_params
|
||||
read_a_line
|
||||
validate_level
|
||||
which
|
||||
qt
|
||||
ensure_config_path
|
||||
|
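--- /dev/null
+++ b/Shorewall/action.AutoBL
@@ -0,0 +1,59 @@
+#
+# Shorewall version 4 - Auto Blacklist Action
+#
+# Parameters are:
+#
+# Event - Name of the event to associate with this blacklist
+# Interval
+# Count - Interval and number of Packets to trigger blacklisting
+# Default is 60 seconds and 5 packets.
+# Successive - If a matching packet arrives within this many
+# seconds of the preceding one, it should be logged
+# and dealt with according to the Disposition and
+# Log Level parameters below. Default is 2 seconds.
+# Blacklist time - Number of seconds to blacklist
+# Default is 300 (5 minutes)
+# Disposition - Disposition of blacklisted packets
+# Default is DROP
+# Log Level - Level to Log Rejects
+# Default is info (6)
+#
+?format 2
+DEFAULTS -,60,5,2,300,DROP,info
+
+?begin perl
+my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
+
+fatal_error "The event name parameter to AutoBL is required" unless supplied $event;
+fatal_error "Invalid interval ($interval) passed to AutoBL" unless $interval =~ /^\d+$/ && $interval;
+fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $successive =~ /^\d+$/;
+fatal_error "Invalid packet count ($count) passed to AutoBL" unless $count =~ /^\d+$/ && $count;
+fatal_error "Invalid blacklist time ($bltime) passed to AutoBL" unless $bltime =~ /^\d+$/ && $bltime;
+validate_level( $level );
+
+?end perl
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Silently reject the client if blacklisted
+#
+IfEvent(${1}_BL,$6,$5,1,src,check:reap)
+#
+# Blacklist if M attempts in the last N seconds
+#
+IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
+#
+# Log and reject if the client has tried to connect
+# in the last N seconds
+#
+?if $4
+IfEvent($1,$6:$7,$4,1,-,update,Added)
+?endif
+#
+# Un-blacklist the client
+#
+ResetEvent(${1}_BL,LOG:$7,-,Removed)
+#
+# Set the event and accept the connection
+#
+SetEvent($1,ACCEPT,src)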
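Review bot: The error message for the successive-interval check interpolates `$succesive` (one "s" short), while the variable declared on the `get_action_params(7)` line is `$successive`; the message would print an empty value in place of the offending argument, and if the embedded perl block is compiled under strict vars the whole block fails to compile on that line. It should read `fatal_error "Invalid successive interval ($successive) passed to AutoBL" unless $successive =~ /^\d+$/;`. As a point of style, the numeric checks use `^\d+$`, which also accepts a value with a trailing newline; `\A\d+\z` pins the whole string.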
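--- /dev/null
+++ b/Shorewall/action.AutoBLL
@@ -0,0 +1,20 @@
+#
+# Shorewall version 4 - Auto Blacklisting Logger Action
+#
+# Arguments are
+#
+# Event: Name of the blacklisted event
+# Disposition: What to do with packets
+# Level: Log level and optional tag for logging.
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Log the Reject
+#
+?if "$3" ne 'none'
+LOG:$3
+?endif
+#
+# And set the AutoBL Event for the SOURCE IP address
+#
+SetEvent(${1}_BL,$2,src)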
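Review bot: AutoBLL checks none of its three arguments; it depends on AutoBL having already validated the log level (and on the event name being supplied), but the header comment does not say so, and since AutoBLL is listed in actions.std a rules-file author could invoke it directly with unchecked values. Add to the header, after the argument list, `# AutoBLL is a helper invoked by AutoBL, which validates the arguments;` and `# it is not intended to be used directly from the rules file.` The `?if "$3" ne 'none'` guard would also be clearer with a comment noting that `none` is the only level that suppresses the LOG rule.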
@ -28,6 +28,8 @@
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
A_Reject # Audited Default action for REJECT policy
|
||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||
AutoBLL noinline # Helper for AutoBL
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
|
@ -20,6 +20,8 @@ A_Reject # Audited Default Action for REJECT policy
|
||||
A_AllowICMPs # Audited Accept needed ICMP6 types
|
||||
AllowICMPs # Accept needed ICMP6 types
|
||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||
AutoBLL noinline # Helper for AutoBL
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
|
101
docs/Events.xml
101
docs/Events.xml
@ -551,6 +551,107 @@ SSHLIMIT net $FW tcp 22
|
||||
</caution>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Generalized Automatic Blacklisting</title>
|
||||
|
||||
<para>The above two actions are generalized in the AutoBL and AutoBLL
|
||||
actions released in Shorewall 4.5.19. Only AutoBL is invoked directly
|
||||
from your rules file; AutoBL invoked AutoBLL internally.</para>
|
||||
|
||||
<section>
|
||||
<title>AutoBL</title>
|
||||
|
||||
<para><emphasis role="bold">AutoBL</emphasis>(
|
||||
<replaceable>event</replaceable>, [
|
||||
<replaceable>Interval</replaceable> ], [
|
||||
<replaceable>hitcount</replaceable> ], [
|
||||
<replaceable>successive</replaceable> ], [
|
||||
<replaceable>blacklist-time</replaceable> ], [
|
||||
<replaceable>disposition </replaceable>], [
|
||||
<replaceable>log_level</replaceable> ] )</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>event</term>
|
||||
|
||||
<listitem>
|
||||
<para>Name of the event. The blacklisting event itself will be
|
||||
<replaceable>event</replaceable>_BL (analogous to SSH_COUNTER
|
||||
above).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>interval</term>
|
||||
|
||||
<listitem>
|
||||
<para>Interval, in seconds, over which hits are to be counted.
|
||||
Default is 60 seconds.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>hitcount</term>
|
||||
|
||||
<listitem>
|
||||
<para>Number of matching packets that will trigger automatic
|
||||
blacklisting when they arrive in
|
||||
<replaceable>interval</replaceable> seconds. Default is
|
||||
5.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>successive</term>
|
||||
|
||||
<listitem>
|
||||
<para>If a matching packet arrives within this many seconds of
|
||||
the preceding one, it should be logged according to
|
||||
<replaceable>log_level</replaceable> and handled according to
|
||||
the <replaceable>disposition</replaceable>. If successive
|
||||
packets are not to be considered, enter 0. Default is 2
|
||||
seconds.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>blacklist-time</term>
|
||||
|
||||
<listitem>
|
||||
<para>Time, in seconds, that the source IP address is to be
|
||||
blacklisted. Default is 300 (5 minutes).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>disposition</term>
|
||||
|
||||
<listitem>
|
||||
<para>The disposition of blacklisted packets. Default is
|
||||
DROP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>log_level</term>
|
||||
|
||||
<listitem>
|
||||
<para>Log level at which packets are to be logged. Default is
|
||||
info.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>To duplicate the SSHLIMIT entry in
|
||||
<filename>/etc/shorewall/rules</filename> shown above:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
AutoBL(SSH,-,-,-,REJECT,warn)\
|
||||
net $FW tcp 22 </programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Port Knocking</title>
|
||||
|
||||
|