Change whitelist variable type from regexp to hash
1 #! /usr/bin/perl
2
3 use strict;
4 use warnings;
5
6 use IPC::System::Simple qw(capturex);
7 use Data::Validate::IP qw(is_ipv4 is_ipv6);
8 use NetAddr::IP;
9
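# Offending source addresses collected from the journal; stored as hash keys
# so that each address is kept only once.
my %ip4s = ();
my %ip6s = ();

# Lines of the regenerated blrules file (the IPv6 list is declared but not
# filled anywhere in this script yet).
my @blrule4s = ();
my @blrule6s = ();

# Networks that must never be blacklisted, per address family, in CIDR
# notation. Every candidate address is tested against these before it is added
# to the blacklist, so an overly wide prefix here silently exempts the whole
# range from blocking.
my %whitelist = (
    ipv4 => [
        # Localhost
        '127.0.0.0/8',
        # Aurae
        '144.76.27.210/32',
        # Toulouse
        '82.241.255.46/32',
        # Akasha
        '89.3.145.115/32',
    ],
    ipv6 => [
        # Localhost: the IPv6 loopback is the single address ::1, hence /128.
        # A /32 prefix here would exempt every address in ::/32.
        '::1/128',
        # Aurae
        '2a01:4f8:191:1405::/64',
    ],
);

# Accounts whose failed authentications must not get the source address
# blacklisted.
my @userlist = ('rapsys');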
33
34 # Extract sshd.service scan
35 #map {
36 # # Extract user and ip
37 # if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist)) {
38 # # Save ip
39 # my $ip = $2;
40 # # Check if v4 ip and not in whitelist
41 # if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
42 # # Add ip in v4 blacklist
43 # $ip4s{$ip}=1;
44 # # Check if v6 ip
45 # } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
46 # $ip6s{$ip}=1;
47 # }
48 # }
49 #} capturex('journalctl', '-u', 'sshd.service');
50 #
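# Extract kernel port scans and failed PAM authentications
#
# Reads the journal entries tagged "kernel" (merged from all available
# journals, -m) and records the source address of:
#   - packets dropped by the firewall ("net-fw DROP" lines);
#   - failed dovecot/sshd PAM authentications for accounts outside @userlist.
# Addresses covered by %whitelist are never recorded.
#
# NOTE(review): -t selects on the syslog identifier, which the logging process
# chooses itself. Confirm that no unprivileged local process can log under the
# "kernel" tag on this host; otherwise crafted lines could get arbitrary
# addresses blacklisted (journalctl -k restricts to the kernel transport, but
# also to the current boot, so it is not a drop-in replacement).

# True when one of the whitelisted networks of the given family contains $ip
my $is_whitelisted = sub {
    my ($family, $ip) = @_;
    my $netip = NetAddr::IP->new($ip);
    return scalar grep { NetAddr::IP->new($_)->contains($netip) } @{$whitelist{$family}};
};

for my $line (capturex('journalctl', '-m', '-t', 'kernel')) {
    # Candidate address found on this line, if any
    my $ip;

    if ($line =~ /kernel: net-fw DROP .* SRC=([^\s]+) DST=.*/) {
        # Save ip
        $ip = $1;
    } elsif ($line =~ /op=PAM:authentication grantors=\? acct="(.+)" exe="\/usr\/(?:libexec\/dovecot\/auth|sbin\/sshd)" hostname=.+ addr=(.+) terminal=(?:dovecot|ssh) res=failed/) {
        my ($user, $addr) = ($1, $2);
        # Skip failures of known accounts. The previous test counted the
        # @userlist entries that differ from the account, which is always
        # non-zero as soon as the list holds two names, so the exemption only
        # worked with a single-entry list.
        next if grep { $_ eq $user } @userlist;
        # Save ip
        $ip = $addr;
    }

    next unless defined $ip;

    # The captured text comes straight from the log and ends up in the
    # firewall rules file: keep it only once it validates as an address.
    if (is_ipv4($ip) && !$is_whitelisted->('ipv4', $ip)) {
        # Add ip in v4 blacklist
        $ip4s{$ip} = 1;
    } elsif (is_ipv6($ip) && !$is_whitelisted->('ipv6', $ip)) {
        # Add ip in v6 blacklist
        $ip6s{$ip} = 1;
    }
}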
75
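# Rebuild /etc/shorewall/blrules: keep the comment lines of the current file,
# then append one WHITELIST rule per single-host IPv4 whitelist entry and one
# DROP rule per blacklisted IPv4 address.
my $blrules_file = '/etc/shorewall/blrules';

# Open blrules file for reading
open (my $fh, '<', $blrules_file) or die "Can't open < $blrules_file: $!";

# Remember the permission bits so the replacement file keeps them
my @blrules_stat = stat $fh or die "Can't stat $blrules_file: $!";
my $blrules_mode = $blrules_stat[2] & 07777;

# Populate with comments: every non-comment line is regenerated below
while (my $line = <$fh>) {
    chomp $line;
    push @blrule4s, $line if $line =~ /^#/;
}

# Close blrules file
close $fh or die "Can't close fh: $!";

# Add a WHITELIST rule for each specific (/32) ip from whitelist
for my $entry (@{$whitelist{ipv4}}) {
    push @blrule4s, "WHITELIST\tnet:$1\tall"
        if $entry =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/32$/;
}

# Build blacklist
for my $ip (sort keys %ip4s) {
    # Short addresses get one more tab to keep the columns aligned. The
    # comparison must be numeric: with the string operator "lt" the lengths
    # 7 to 9 sort after "12" and never got the extra tab.
    my $pad = length($ip) < 12 ? "\t" : '';
    push @blrule4s, "DROP\t\tnet:$ip$pad\tfw";
}

# Write the new content next to the live file and rename it into place, so a
# failure in the middle of the write never leaves shorewall with a truncated
# rules file.
# NOTE(review): rename replaces the directory entry; if blrules is a symlink
# on this host, the link itself gets replaced - confirm that is acceptable.
my $blrules_tmp = "$blrules_file.new";
open (my $out, '>', $blrules_tmp) or die "Can't open > $blrules_tmp: $!";
chmod $blrules_mode, $blrules_tmp or die "Can't chmod $blrules_tmp: $!";

# Inject content of blacklist
for my $rule (@blrule4s) {
    print {$out} $rule."\n" or die "Can't write $blrules_tmp: $!";
}

# Close the new file: buffered write errors surface here
close $out or die "Can't close $blrules_tmp: $!";

# Put the new rules in place
rename $blrules_tmp, $blrules_file or die "Can't rename $blrules_tmp to $blrules_file: $!";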
99
# Print the collected IPv6 addresses, one per line, in sorted order
# XXX: right now IPv6 sources do not seem to be scanned at all...
print "$_\n" foreach sort keys %ip6s;

# Restart the shorewall service (capturex dies if the command fails)
capturex(
    'systemctl',
    'restart',
    'shorewall.service',
);