use warnings;
use IPC::System::Simple qw(capturex);
-use Data::Validate::IP;
+use Data::Validate::IP qw(is_ipv4 is_ipv6);
+use NetAddr::IP;
my %ip4s = ();
my %ip6s = ();
my @blrule4s = ();
my @blrule6s = ();
-my $whitelist = qr/^(?:127.|85.68.182.45|195.25.233.49|94.23.226.160|::1|2001:41d0:2:65a0:)/;
+my %whitelist = (
+ ipv4 => [
+ # Localhost
+ '127.0.0.0/8',
+ # Aurae
+ '144.76.27.210/32',
+ # Toulouse
+ '82.241.255.46/32',
+ # Akasha
+ '89.3.145.115/32'
+ ],
+ ipv6 => [
+ # Localhost
+ '::1/32',
+ # Aurae
+ '2a01:4f8:191:1405::/64'
+ ]
+);
my @userlist = ('rapsys');
# Extract sshd.service scan
-map {
- if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist) && $2 !~ /$whitelist/) {
- if (Data::Validate::IP::is_ipv4($2)) {
- $ip4s{$2}=1;
- } elsif (Data::Validate::IP::is_ipv6($2)) {
- $ip6s{$2}=1;
- }
- }
-} capturex('journalctl', '-u', 'sshd.service');
-
+#map {
+# # Extract user and ip
+# if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist)) {
+# # Save ip
+# my $ip = $2;
+# # Check if v4 ip and not in whitelist
+# if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+# # Add ip in v4 blacklist
+# $ip4s{$ip}=1;
+# # Check if v6 ip
+# } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+# $ip6s{$ip}=1;
+# }
+# }
+#} capturex('journalctl', '-u', 'sshd.service');
+#
# Extract kernel port scan
map {
- if (/Shorewall:net-fw:DROP:.* SRC=([^\s]+) DST=.*/ && $1 !~ /$whitelist/) {
- if (Data::Validate::IP::is_ipv4($1)) {
- $ip4s{$1}=1;
- } elsif (Data::Validate::IP::is_ipv6($1)) {
- $ip6s{$1}=1;
+ if (/kernel: net-fw DROP .* SRC=([^\s]+) DST=.*/) {
+ # Save ip
+ my $ip = $1;
+ # Check if v4 ip and not in whitelist
+ if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+ $ip4s{$ip}=1;
+ } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+ $ip6s{$ip}=1;
+ }
+ } elsif (/op=PAM:authentication grantors=\? acct="(.+)" exe="\/usr\/(?:libexec\/dovecot\/auth|sbin\/sshd)" hostname=.+ addr=(.+) terminal=(?:dovecot|ssh) res=failed/ && grep($_ ne $1, @userlist)) {
+ # Save ip
+ my $ip = $2;
+ # Check if v4 ip and not in whitelist
+ if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+ # Add ip in v4 blacklist
+ $ip4s{$ip}=1;
+ # Check if v6 ip
+ } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+ $ip6s{$ip}=1;
}
}
-} capturex('journalctl', '-k');
+} capturex('journalctl', '-m', '-t', 'kernel');
# Open blrule4s file for reading
open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall/blrules: $!";
# Populate with comments
@blrule4s = map { chomp($_); if (/^#/) { $_; } else { (); } } <$fh>;
-# Prepend header
-push @blrule4s, "WHITELIST\tnet:85.68.182.45\tall";
-push @blrule4s, "WHITELIST\tnet:94.23.226.160\tall";
-push @blrule4s, "WHITELIST\tnet:195.25.233.49\tall";
+# Prepend each specific ip from whitelist
+map { push @blrule4s, "WHITELIST\tnet:$1\tall" if (/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/32$/); } @{$whitelist{ipv4}};
# Build blacklist
map { push @blrule4s, "DROP\t\tnet:".$_.(length lt 12?"\t":'')."\tfw"; } sort keys %ip4s;