From 21f18857cef25e3dc53a7536f3f77554b1534696 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rapha=C3=ABl=20Gertz?=
Date: Thu, 14 Nov 2019 08:37:01 +0100
Subject: [PATCH 1/1] Change whitelist variable type from regexp to hash
Fix journalctl to extract from kernel identifier instead of limited dmesg
Switch to new dovecot/ssh/shorewall matching
Whitelist ipv4 netmask from hash instead of hardcoded values
Remove sshd.service journal parsing
---
 blacklist | 80 ++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 58 insertions(+), 22 deletions(-)
diff --git a/blacklist b/blacklist
index ec10c88..6e3f5c6 100755
--- a/blacklist
+++ b/blacklist
@@ -4,36 +4,74 @@
 use strict;
 use warnings;
 use IPC::System::Simple qw(capturex);
-use Data::Validate::IP;
+use Data::Validate::IP qw(is_ipv4 is_ipv6);
+use NetAddr::IP;
 my %ip4s = ();
 my %ip6s = ();
 my @blrule4s = ();
 my @blrule6s = ();
-my $whitelist = qr/^(?:127.|5.9.143.173|85.68.182.45|195.25.233.49|::1|2a01:4f8:190:22a6:)/;
+my %whitelist = (
+ ipv4 => [
+ # Localhost
+ '127.0.0.0/8',
+ # Aurae
+ '144.76.27.210/32',
+ # Toulouse
+ '82.241.255.46/32',
+ # Akasha
+ '89.3.145.115/32'
+ ],
+ ipv6 => [
+ # Localhost
+ '::1/32',
+ # Aurae
+ '2a01:4f8:191:1405::/64'
+ ]
+);
 my @userlist = ('rapsys');
 # Extract sshd.service scan
-map {
- if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist) && $2 !~ /$whitelist/) {
- if (Data::Validate::IP::is_ipv4($2)) {
- $ip4s{$2}=1;
- } elsif (Data::Validate::IP::is_ipv6($2)) {
- $ip6s{$2}=1;
- }
- }
-} capturex('journalctl', '-u', 'sshd.service');
-
+#map {
+# # Extract user and ip
+# if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist)) {
+# # Save ip
+# my $ip = $2;
+# # Check if v4 ip and not in whitelist
+# if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+# # Add ip in v4 blacklist
+# $ip4s{$ip}=1;
+# # Check if v6 ip
+# } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+# $ip6s{$ip}=1;
+# }
+# }
+#} capturex('journalctl', '-u', 'sshd.service');
+#
 # Extract kernel port scan
 map {
- if (/Shorewall:net-fw:DROP:.* SRC=([^\s]+) DST=.*/ && $1 !~ /$whitelist/) {
- if (Data::Validate::IP::is_ipv4($1)) {
- $ip4s{$1}=1;
- } elsif (Data::Validate::IP::is_ipv6($1)) {
- $ip6s{$1}=1;
+ if (/kernel: net-fw DROP .* SRC=([^\s]+) DST=.*/) {
+ # Save ip
+ my $ip = $1;
+ # Check if v4 ip and not in whitelist
+ if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+ $ip4s{$ip}=1;
+ } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+ $ip6s{$ip}=1;
+ }
+ } elsif (/op=PAM:authentication grantors=\? acct="(.+)" exe="\/usr\/(?:libexec\/dovecot\/auth|sbin\/sshd)" hostname=.+ addr=(.+) terminal=(?:dovecot|ssh) res=failed/ && grep($_ ne $1, @userlist)) {
+ # Save ip
+ my $ip = $2;
+ # Check if v4 ip and not in whitelist
+ if (is_ipv4($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv4}}) {
+ # Add ip in v4 blacklist
+ $ip4s{$ip}=1;
+ # Check if v6 ip
+ } elsif (is_ipv6($ip) && not scalar map { my $network = NetAddr::IP->new($_); my $netip = NetAddr::IP->new($ip); unless ($network->contains($netip)) { (); } } @{$whitelist{ipv6}}) {
+ $ip6s{$ip}=1;
 }
 }
-} capturex('journalctl', '-k');
+} capturex('journalctl', '-m', '-t', 'kernel');
 # Open blrule4s file for reading
 open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall/blrules: $!";
@@ -41,10 +79,8 @@ open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall
 # Populate with comments
 @blrule4s = map { chomp($_); if (/^#/) { $_; } else { (); } } <$fh>;
-# Prepend header
-push @blrule4s, "WHITELIST\tnet:5.9.143.173\tall";
-push @blrule4s, "WHITELIST\tnet:85.68.182.45\tall";
-push @blrule4s, "WHITELIST\tnet:195.25.233.49\tall";
+# Prepend each specific ip from whitelist
+map { push @blrule4s, "WHITELIST\tnet:$1\tall" if (/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/32$/); } @{$whitelist{ipv4}};
 # Build blacklist
 map { push @blrule4s, "DROP\t\tnet:".$_.(length lt 12?"\t":'')."\tfw"; } sort keys %ip4s;
-- 
2.41.1
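Review bot: The IPv6 "Localhost" entry `'::1/32'` in the new `%whitelist` does not describe one host but the whole `::/32` block, so every address whose top 32 bits are zero — including IPv4-mapped forms such as `::ffff:a.b.c.d`, which `is_ipv6` accepts — would be exempted from `%ip6s` should a client ever be logged that way; loopback is `'::1/128'`. In the new PAM `elsif`, `grep($_ ne $1, @userlist)` counts entries that differ from the account, which only means "not in the list" while `@userlist` has a single element — with two or more users it is always true — so `!grep { $_ eq $1 } @userlist` is what is meant (the commented-out sshd block carries the same test). The four copies of `not scalar map { ...; unless ($network->contains($netip)) { (); } } @{$whitelist{...}}` depend on what an `unless` statement evaluates to when its block is skipped, which perlsyn does not promise, and they rebuild `NetAddr::IP->new($ip)` once per network; a small helper placed after `%whitelist` and called from both branches of both matches states the intent directly, as below. The helper also turns an unparsable whitelist entry (for which `NetAddr::IP->new` returns undef) into a clear error instead of a method call on undef at the first matching log line.
```perl
# True when $ip (already validated by is_ipv4/is_ipv6) lies inside one of
# the $family ('ipv4' or 'ipv6') networks of %whitelist.  Defined after
# %whitelist so the closure sees it.
sub is_whitelisted {
	my ($ip, $family) = @_;
	my $netip = NetAddr::IP->new($ip) or return 0;
	return scalar grep {
		my $network = NetAddr::IP->new($_) or die "Bad whitelist entry $_";
		$network->contains($netip);
	} @{ $whitelist{$family} };
}
# … unchanged: kernel DROP match, my $ip = $1 …
		if (is_ipv4($ip) && !is_whitelisted($ip, 'ipv4')) {
			$ip4s{$ip}=1;
		} elsif (is_ipv6($ip) && !is_whitelisted($ip, 'ipv6')) {
			$ip6s{$ip}=1;
		}
# … unchanged: PAM match, my $ip = $2, then the same two branches …
```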
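Review bot: The new `map { push @blrule4s, "WHITELIST\tnet:$1\tall" if (/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/32$/); } @{$whitelist{ipv4}};` silently skips every entry that is not a /32 — today only `127.0.0.0/8`, but a `/24` added later to `%whitelist` would pass the log filter and still be missing from the blrules WHITELIST lines, with nothing to say so. If mirroring only single hosts is intended, the comment should state it, e.g. `# Mirror only single-host (/32) entries; wider networks are filtered from the log scan but not written as WHITELIST rules`; otherwise a plain `for` over the list writing `net:$_` keeps the two views of the whitelist in step. `map` in void context as a loop is the file's existing habit, but `for` is the idiom for side effects, and `\z` rather than `$` is the exact end anchor. The unchanged `length lt 12` on the last context line compares as strings, so 7–9-character addresses get no padding while 10–11-character ones do; `length < 12` is what the tab logic needs.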