mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
guardian: Added interface and alias detection. Added Forward Chain.
This commit is contained in:
Christian Schmidt
@@ -50,6 +50,8 @@ print "My gatewayaddess is: $gatewayaddr\n";
|
||||
# destination was found.
|
||||
"$hostipaddr" => 1);
|
||||
|
||||
&get_aliases;
|
||||
|
||||
%sshhash = ();
|
||||
|
||||
if ( -e $targetfile ) {
|
||||
@@ -186,8 +188,8 @@ sub ipchain {
|
||||
my ($source, $dest, $type) = @_;
|
||||
&write_log ("$source\t$type\n");
|
||||
if ($hash{$source} eq "") {
|
||||
&write_log ("Running '$blockpath $source'\n");
|
||||
system ("$blockpath $source");
|
||||
&write_log ("Running '$blockpath $source $interface'\n");
|
||||
system ("$blockpath $source $interface");
|
||||
$hash{$source} = time() + $TimeLimit;
|
||||
} else {
|
||||
# We have already blocked this one, but snort detected another attack. So
|
||||
@@ -244,6 +246,9 @@ sub load_conf {
|
||||
}
|
||||
if (/Interface\s+(.*)/) {
|
||||
$interface = $1;
|
||||
if ( $interface eq "" ) {
|
||||
$interface = `cat /var/ipfire/ethernet/settings | grep RED_DEV | cut -d"=" -f2`;
|
||||
}
|
||||
}
|
||||
if (/AlertFile\s+(.*)/) {
|
||||
$alert_file = $1;
|
||||
@@ -265,16 +270,13 @@ sub load_conf {
|
||||
}
|
||||
}
|
||||
|
||||
if ($interface eq "") {
|
||||
die "Fatal! Interface is undefined.. Please define it in $opt_o with keyword Interface\n";
|
||||
}
|
||||
if ($alert_file eq "") {
|
||||
print "Warning! AlertFile is undefined.. Assuming /var/log/snort.alert\n";
|
||||
$alert_file="/var/log/snort.alert";
|
||||
}
|
||||
if ($hostipaddr eq "") {
|
||||
print "Warning! HostIpAddr is undefined! Attempting to guess..\n";
|
||||
$hostipaddr = &get_ip($interface);
|
||||
$hostipaddr = `cat /var/ipfire/red/local-ipaddress`;
|
||||
print "Got it.. your HostIpAddr is $hostipaddr\n";
|
||||
}
|
||||
if ($ignorefile eq "") {
|
||||
@@ -345,30 +347,9 @@ sub daemonize {
|
||||
}
|
||||
}
|
||||
|
||||
sub get_ip {
|
||||
my ($interface) = $_[0];
|
||||
my $ip;
|
||||
open (IFCONFIG, "/bin/netstat -iee |grep $interface -A7 |");
|
||||
while (<IFCONFIG>) {
|
||||
if ($OS eq "FreeBSD") {
|
||||
if (/inet (\d+\.\d+\.\d+\.\d+)/) {
|
||||
$ip = $1;
|
||||
}
|
||||
}
|
||||
if ($OS eq "Linux") {
|
||||
if (/inet addr:(\d+\.\d+\.\d+\.\d+)/) {
|
||||
$ip = $1;
|
||||
}
|
||||
}
|
||||
}
|
||||
close (IFCONFIG);
|
||||
|
||||
if ($ip eq "") { die "Couldn't figure out the ip address\n"; }
|
||||
$ip;
|
||||
}
|
||||
|
||||
sub sig_handler_setup {
|
||||
$SIG{TERM} = \&clean_up_and_exit; # kill
|
||||
$SIG{INT} = \&clean_up_and_exit; # kill -2
|
||||
$SIG{TERM} = \&clean_up_and_exit; # kill -9
|
||||
$SIG{QUIT} = \&clean_up_and_exit; # kill -3
|
||||
# $SIG{HUP} = \&flush_and_reload; # kill -1
|
||||
}
|
||||
@@ -387,7 +368,7 @@ sub remove_blocks {
|
||||
sub call_unblock {
|
||||
my ($source, $message) = @_;
|
||||
&write_log ("$message");
|
||||
system ("$unblockpath $source");
|
||||
system ("$unblockpath $source $interface");
|
||||
}
|
||||
|
||||
sub clean_up_and_exit {
|
||||
@@ -412,3 +393,22 @@ sub load_targetfile {
|
||||
close (TARG);
|
||||
print "Loaded $count addresses from $targetfile\n";
|
||||
}
|
||||
|
||||
sub get_aliases {
|
||||
my $ip;
|
||||
print "Scanning for aliases on $interface and add them to the target hash...";
|
||||
|
||||
open (IFCONFIG, "/sbin/ip addr show $interface |");
|
||||
my @lines = <IFCONFIG>;
|
||||
close(IFCONFIG);
|
||||
|
||||
foreach $line (@lines) {
|
||||
if ( $line =~ /inet (\d+\.\d+\.\d+\.\d+)/) {
|
||||
$ip = $1;
|
||||
print " got $ip on $interface ... ";
|
||||
$targethash{'$ip'} = "1";
|
||||
}
|
||||
}
|
||||
|
||||
print "done \n";
|
||||
}
|
||||
@@ -2,10 +2,11 @@
|
||||
|
||||
# this is a sample block script for guardian. This should work with ipchains.
|
||||
# This command gets called by guardian as such:
|
||||
# guardian_block.sh <source_ip>
|
||||
# guardian_block.sh <source_ip> <interface>
|
||||
# and the script will issue a command to block all traffic from that source ip
|
||||
# address. The logic of weither or not it is safe to block that address is
|
||||
# done inside guardian itself.
|
||||
source=$1
|
||||
interface=$2
|
||||
|
||||
/sbin/iptables -I GUARDIANINPUT -s $source -j DROP
|
||||
/sbin/iptables -I GUARDIAN -s $source -i $interface -j DROP
|
||||
|
||||
@@ -2,8 +2,9 @@
|
||||
|
||||
# this is a sample unblock script for guardian. This should work with ipchains.
|
||||
# This command gets called by guardian as such:
|
||||
# unblock.sh <source_ip>
|
||||
# unblock.sh <source_ip> <interface>
|
||||
# and the script will issue a command to remove the block that was created with # block.sh address.
|
||||
source=$1
|
||||
interface=$2
|
||||
|
||||
/sbin/iptables -D GUARDIANINPUT -s $source -j DROP
|
||||
/sbin/iptables -D GUARDIAN -s $source -i $interface -j DROP
|
||||
|
||||
@@ -30,7 +30,7 @@ THISAPP = guardian-$(VER)
|
||||
DIR_APP = $(DIR_SRC)/$(THISAPP)
|
||||
TARGET = $(DIR_INFO)/$(THISAPP)
|
||||
PROG = guardian
|
||||
PAK_VER = 6
|
||||
PAK_VER = 7
|
||||
|
||||
DEPS = ""
|
||||
|
||||
|
||||
@@ -140,8 +140,9 @@ case "$1" in
|
||||
# CUSTOM chains, can be used by the users themselves
|
||||
/sbin/iptables -N CUSTOMINPUT
|
||||
/sbin/iptables -A INPUT -j CUSTOMINPUT
|
||||
/sbin/iptables -N GUARDIANINPUT
|
||||
/sbin/iptables -A INPUT -j GUARDIANINPUT
|
||||
/sbin/iptables -N GUARDIAN
|
||||
/sbin/iptables -A INPUT -j GUARDIAN
|
||||
/sbin/iptables -A FORWARD -j GUARDIAN
|
||||
/sbin/iptables -N CUSTOMFORWARD
|
||||
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
|
||||
/sbin/iptables -N CUSTOMOUTPUT
|
||||
|
||||
Reference in New Issue
Block a user