Change whitelist variable type from regexp to hash

Fix journalctl to extract from kernel identifier instead of limited dmesg
Switch to new dovecot/ssh/shorewall matching
Whitelist ipv4 netmask from hash instead of hardcoded values
Remove sshd.service journal parsing

diff --git a/blacklist b/blacklist
index ec10c88e28490e9add39e8a68e73b7546faad22a..6e3f5c6ca23ddf0b8da57ea839e427c32cf972f1 100755 (executable)
--- a/blacklist
+++ b/blacklist
@@ -4,36 +4,74 @@ use strict;
 use warnings;
 
 use IPC::System::Simple qw(capturex);
 use warnings;
 
 use IPC::System::Simple qw(capturex);

-use Data::Validate::IP;
+use Data::Validate::IP qw(is_ipv4 is_ipv6);
+use NetAddr::IP;

 
 my %ip4s = ();
 my %ip6s = ();
 my @blrule4s = ();
 my @blrule6s = ();
 
 my %ip4s = ();
 my %ip6s = ();
 my @blrule4s = ();
 my @blrule6s = ();

-my $whitelist = qr/^(?:127.|5.9.143.173|85.68.182.45|195.25.233.49|::1|2a01:4f8:190:22a6:)/;
+my %whitelist = (
+       ipv4 => [
+               # Localhost
+               '127.0.0.0/8',
+               # Aurae
+               '144.76.27.210/32',
+               # Toulouse
+               '82.241.255.46/32',
+               # Akasha
+               '89.3.145.115/32'
+       ],
+       ipv6 => [
+               # Localhost
+               '::1/32',
+               # Aurae
+               '2a01:4f8:191:1405::/64'
+       ]
+);

 my @userlist = ('rapsys');
 
 # Extract sshd.service scan
 my @userlist = ('rapsys');
 
 # Extract sshd.service scan

-map {
-       if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist) && $2 !~ /$whitelist/) {
-               if (Data::Validate::IP::is_ipv4($2)) {
-                       $ip4s{$2}=1;
-               } elsif (Data::Validate::IP::is_ipv6($2)) {
-                       $ip6s{$2}=1;
-               }
-       }
-} capturex('journalctl', '-u', 'sshd.service');
-
+#map {
+#      # Extract user and ip
+#      if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist)) {
+#              # Save ip
+#              my $ip = $2;
+#              # Check if v4 ip and not in whitelist
+#              if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+#                      # Add ip in v4 blacklist
+#                      $ip4s{$ip}=1;
+#              # Check if v6 ip
+#              } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+#                      $ip6s{$ip}=1;
+#              }
+#      }
+#} capturex('journalctl', '-u', 'sshd.service');
+#

 # Extract kernel port scan
 map {
 # Extract kernel port scan
 map {

-       if (/Shorewall:net-fw:DROP:.* SRC=([^\s]+) DST=.*/ && $1 !~ /$whitelist/) {
-               if (Data::Validate::IP::is_ipv4($1)) {
-                       $ip4s{$1}=1;
-               } elsif (Data::Validate::IP::is_ipv6($1)) {
-                       $ip6s{$1}=1;
+       if (/kernel: net-fw DROP .* SRC=([^\s]+) DST=.*/) {
+               # Save ip
+               my $ip = $1;
+               # Check if v4 ip and not in whitelist
+               if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+                       $ip4s{$ip}=1;
+               } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+                       $ip6s{$ip}=1;
+               }
+       } elsif (/op=PAM:authentication grantors=\? acct="(.+)" exe="\/usr\/(?:libexec\/dovecot\/auth|sbin\/sshd)" hostname=.+ addr=(.+) terminal=(?:dovecot|ssh) res=failed/ && grep($_ ne $1, @userlist)) {
+               # Save ip
+               my $ip = $2;
+               # Check if v4 ip and not in whitelist
+               if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+                       # Add ip in v4 blacklist
+                       $ip4s{$ip}=1;
+               # Check if v6 ip
+               } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+                       $ip6s{$ip}=1;

                }
        }
                }
        }

-} capturex('journalctl', '-k');
+} capturex('journalctl', '-m', '-t', 'kernel');

 
 # Open blrule4s file for reading
 open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall/blrules: $!";
 
 # Open blrule4s file for reading
 open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall/blrules: $!";


@@ -41,10 +79,8 @@ open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall
 # Populate with comments
 @blrule4s = map { chomp($_); if (/^#/) { $_; } else { (); } } <$fh>;
 
 # Populate with comments
 @blrule4s = map { chomp($_); if (/^#/) { $_; } else { (); } } <$fh>;
 

-# Prepend header
-push @blrule4s, "WHITELIST\tnet:5.9.143.173\tall";
-push @blrule4s, "WHITELIST\tnet:85.68.182.45\tall";
-push @blrule4s, "WHITELIST\tnet:195.25.233.49\tall";
+# Prepend each specific ip from whitelist
+map { push @blrule4s, "WHITELIST\tnet:$1\tall" if (/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/32$/); } @{$whitelist{ipv4}};

 
 # Build blacklist
 map { push @blrule4s, "DROP\t\tnet:".$_.(length lt 12?"\t":'')."\tfw"; } sort keys %ip4s;
 
 # Build blacklist
 map { push @blrule4s, "DROP\t\tnet:".$_.(length lt 12?"\t":'')."\tfw"; } sort keys %ip4s;