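#! /usr/bin/perl
# Rebuild the Shorewall IPv4 blacklist (/etc/shorewall/blrules) from the
# journal.  Every source address that the kernel firewall dropped
# ("net-fw DROP") or that failed PAM authentication against sshd/dovecot is
# added as a DROP rule, unless it lies inside %whitelist or the failed login
# was for an account in @userlist (a mistyped password by a legitimate user
# must not ban that user's host).  IPv6 offenders are only printed; no v6
# rules file is written yet.  Shorewall is restarted afterwards.
#
# The journal text is attacker-influenced (usernames, hostnames); only an
# address that passed is_ipv4/is_ipv6 ever reaches the rules file.
use strict;
use warnings;
use IPC::System::Simple qw(capturex);
use Data::Validate::IP qw(is_ipv4 is_ipv6);
use NetAddr::IP;
use List::Util 1.33 qw(any);

# Rules file this script regenerates (comment lines are preserved).
my $blrules_path = '/etc/shorewall/blrules';

# Offending addresses found in the journal, keyed by address.
my %ip4s = ();
my %ip6s = ();

# Generated IPv4 rule lines, in file order.
my @blrule4s = ();

# Networks that must never be blacklisted (CIDR notation).
my %whitelist = (
    ipv4 => [
        # Localhost
        '127.0.0.0/8',
        # Aurae
        '144.76.27.210/32',
        # Toulouse
        '82.241.255.46/32',
        # Akasha
        '89.3.145.115/32',
    ],
    ipv6 => [
        # Localhost
        # NOTE(review): ::1/32 whitelists the whole ::/32 block, not just the
        # loopback address; ::1/128 is presumably what was meant — confirm
        # before narrowing it.
        '::1/32',
        # Aurae
        '2a01:4f8:191:1405::/64',
    ],
);

# Accounts whose failed logins are not treated as attacks.
my @userlist = ('rapsys');

# Whitelist parsed into NetAddr::IP objects once, keyed by family, instead of
# re-parsing every entry for every journal line.  A malformed whitelist entry
# is a configuration error, so it is fatal.
my %whitelist_net = ();
for my $family (keys %whitelist) {
    for my $cidr (@{ $whitelist{$family} }) {
        my $net = NetAddr::IP->new($cidr)
            or die "Invalid whitelist entry '$cidr' for $family";
        push @{ $whitelist_net{$family} }, $net;
    }
}

# True when $ip lies inside one of the whitelisted networks of $family
# ('ipv4' or 'ipv6').  $ip must already be validated for that family.
sub is_whitelisted {
    my ($family, $ip) = @_;
    my $addr = NetAddr::IP->new($ip) or return 0;
    for my $net (@{ $whitelist_net{$family} || [] }) {
        return 1 if $net->contains($addr);
    }
    return 0;
}

# True when $user is one of our own accounts.  (The previous
# grep($_ ne $1, @userlist) test was true whenever ANY listed account
# differed from $user, i.e. always true once @userlist had two entries.)
sub is_known_user {
    my ($user) = @_;
    return any { $_ eq $user } @userlist;
}

# Record $ip as an offender of its family unless it is whitelisted.  Strings
# that are neither a valid v4 nor v6 literal are silently ignored, which is
# what keeps log-injected garbage out of the rules file.
sub record_offender {
    my ($ip) = @_;
    if (is_ipv4($ip)) {
        $ip4s{$ip} = 1 unless is_whitelisted('ipv4', $ip);
    }
    elsif (is_ipv6($ip)) {
        $ip6s{$ip} = 1 unless is_whitelisted('ipv6', $ip);
    }
    return;
}

# Kernel firewall drop: the source address of the dropped packet.
my $fw_drop_re = qr/kernel: net-fw DROP .* SRC=(?<ip>[^\s]+) DST=.*/;

# PAM audit record for a failed sshd or dovecot authentication: account and
# client address.
my $pam_fail_re = qr{op=PAM:authentication grantors=\? acct="(?<user>.+)" exe="/usr/(?:libexec/dovecot/auth|sbin/sshd)" hostname=.+ addr=(?<ip>.+) terminal=(?:dovecot|ssh) res=failed};

# Scan the kernel-tagged journal for firewall drops and PAM failures.
# capturex dies if journalctl cannot be run or exits non-zero.  The former
# sshd.service scan ("Failed password for ... from ... port ... ssh2" via
# journalctl -u sshd.service) is disabled; sshd failures are covered by the
# PAM audit records matched here.
for my $line (capturex('journalctl', '-m', '-t', 'kernel')) {
    if ($line =~ $fw_drop_re) {
        record_offender($+{ip});
    }
    elsif ($line =~ $pam_fail_re) {
        # Copy the captures before calling anything that could run a regex.
        my ($user, $ip) = @+{qw(user ip)};
        record_offender($ip) unless is_known_user($user);
    }
}

# Keep only the comment lines of the existing rules file; every rule line is
# regenerated below.
open my $in, '<', $blrules_path
    or die "Can't open < $blrules_path: $!";
while (my $line = <$in>) {
    chomp $line;
    push @blrule4s, $line if $line =~ /^#/;
}
close $in or die "Can't close $blrules_path: $!";

# Re-add a WHITELIST rule for every single-host (/32) whitelist entry so a
# DROP rule for the same host can never win.
for my $cidr (@{ $whitelist{ipv4} }) {
    push @blrule4s, "WHITELIST\tnet:$1\tall"
        if $cidr =~ m{\A(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/32\z};
}

# One DROP rule per offender, sorted so successive runs produce a stable
# file.  The extra tab only pads short addresses so the columns line up
# (Shorewall splits fields on any whitespace); the original used the string
# comparison `length lt 12`, which padded the wrong lengths.
for my $ip (sort keys %ip4s) {
    my $pad = length($ip) < 12 ? "\t" : '';
    push @blrule4s, "DROP\t\tnet:$ip$pad\tfw";
}

# Write to a temporary file beside the target and rename it into place, so
# a crash mid-write can never leave a truncated (and therefore fail-open)
# blacklist behind.  The mode of the existing file is carried over.
my @st = stat $blrules_path
    or die "Can't stat $blrules_path: $!";
my $mode = $st[2] & 07777;
my $tmp_path = "$blrules_path.tmp";
open my $out, '>', $tmp_path
    or die "Can't open > $tmp_path: $!";
print {$out} "$_\n" for @blrule4s;
# Buffered write errors only surface at close, so this check is required.
close $out or die "Can't close $tmp_path: $!";
chmod $mode, $tmp_path
    or die "Can't chmod $tmp_path: $!";
rename $tmp_path, $blrules_path
    or die "Can't rename $tmp_path to $blrules_path: $!";

# IPv6 offenders are not written to any rules file yet; print them so they
# can be reviewed.  XXX: right now they don't seem to be scanned at all.
print "$_\n" for sort keys %ip6s;

# Apply the new blacklist; capturex dies if the restart fails.
capturex('systemctl', 'restart', 'shorewall.service');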