From: Christian Schmidt Date: Sun, 10 Oct 2010 05:09:34 +0000 (+0200) Subject: guardian: Added interface and alias detection. Added Forward Chain. X-Git-Tag: v2.9-beta1~86 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=057249ba530658f9565021df825d7d76545eb625;hp=06fb3d3711be19fe4f75039325e5f87381a71bdf;p=ipfire-2.x.git guardian: Added interface and alias detection. Added Forward Chain. --- diff --git a/config/guardian/guardian.pl b/config/guardian/guardian.pl index 0c37c34f4f..c7fd5f8656 100644 --- a/config/guardian/guardian.pl +++ b/config/guardian/guardian.pl @@ -50,6 +50,8 @@ print "My gatewayaddess is: $gatewayaddr\n"; # destination was found. "$hostipaddr" => 1); +&get_aliases; + %sshhash = (); if ( -e $targetfile ) { @@ -186,8 +188,8 @@ sub ipchain { my ($source, $dest, $type) = @_; &write_log ("$source\t$type\n"); if ($hash{$source} eq "") { - &write_log ("Running '$blockpath $source'\n"); - system ("$blockpath $source"); + &write_log ("Running '$blockpath $source $interface'\n"); + system ("$blockpath $source $interface"); $hash{$source} = time() + $TimeLimit; } else { # We have already blocked this one, but snort detected another attack. So @@ -244,6 +246,9 @@ sub load_conf { } if (/Interface\s+(.*)/) { $interface = $1; + if ( $interface eq "" ) { + $interface = `cat /var/ipfire/ethernet/settings | grep RED_DEV | cut -d"=" -f2`; + } } if (/AlertFile\s+(.*)/) { $alert_file = $1; @@ -265,16 +270,13 @@ sub load_conf { } } - if ($interface eq "") { - die "Fatal! Interface is undefined.. Please define it in $opt_o with keyword Interface\n"; - } if ($alert_file eq "") { print "Warning! AlertFile is undefined.. Assuming /var/log/snort.alert\n"; $alert_file="/var/log/snort.alert"; } if ($hostipaddr eq "") { print "Warning! HostIpAddr is undefined! Attempting to guess..\n"; - $hostipaddr = &get_ip($interface); + $hostipaddr = `cat /var/ipfire/red/local-ipaddress`; print "Got it.. your HostIpAddr is $hostipaddr\n"; } if ($ignorefile eq "") { 
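Review bot: `&get_aliases;` in the `@@ -50,6 +50,8 @@` hunk uses the `&name;` call form, which bypasses prototypes and hands the caller's current `@_` to the sub; `get_aliases();` says what is meant. The sub reads the global `$interface`, which is only assigned inside load_conf, so this call must run after load_conf has returned, and whether it does cannot be seen from this hunk. A one-line comment such as `# needs $interface, so load_conf must already have run` above the call would make that dependency explicit.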
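Review bot: In the `sub ipchain` hunk, `system ("$blockpath $source $interface")` builds a shell command by interpolation, so anything in `$source` or `$interface` that the shell treats specially is interpreted before guardian_block.sh ever sees it; the list form `system ($blockpath, $source, $interface);` passes each value as one argument with no shell involved. The `@@ -387,7 +368,7 @@` hunk in call_unblock has the same shape and would become `system ($unblockpath, $source, $interface);`. `$source` is presumably taken from the parsed alert line rather than from the config, which is why the list form is worth the change here; the rest of ipchain lies outside the hunk.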
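Review bot: The backtick fallback in the `sub load_conf` hunk leaves a trailing newline in `$interface`, because `cut` prints the matched line with its line terminator and nothing chomps it; the value is later interpolated into the `/sbin/ip addr show $interface |` pipe and into the block-script command, where the embedded newline ends the command early. Add `chomp($interface);` directly after the assignment, and do the same for the `cat /var/ipfire/red/local-ipaddress` assignment to `$hostipaddr` in the `@@ -265,16 +270,13 @@` hunk, whose value is also used as a `%targethash` key that has to match bare addresses. That hunk also drops the `die` for an empty interface, so when RED_DEV is missing from the settings file an empty string now reaches the block scripts silently; keeping the check after the fallback, `die "Fatal! Interface is undefined.. Please define it in $opt_o with keyword Interface\n" if $interface eq "";`, preserves the old fail-fast behaviour. Note that `grep RED_DEV` matches any line containing that substring, so the fallback is only as exact as the key names in the settings file allow.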
@@ -345,30 +347,9 @@ sub daemonize { } } -sub get_ip { - my ($interface) = $_[0]; - my $ip; - open (IFCONFIG, "/bin/netstat -iee |grep $interface -A7 |"); - while () { - if ($OS eq "FreeBSD") { - if (/inet (\d+\.\d+\.\d+\.\d+)/) { - $ip = $1; - } - } - if ($OS eq "Linux") { - if (/inet addr:(\d+\.\d+\.\d+\.\d+)/) { - $ip = $1; - } - } - } - close (IFCONFIG); - - if ($ip eq "") { die "Couldn't figure out the ip address\n"; } - $ip; - } - sub sig_handler_setup { - $SIG{TERM} = \&clean_up_and_exit; # kill + $SIG{INT} = \&clean_up_and_exit; # kill -2 + $SIG{TERM} = \&clean_up_and_exit; # kill -9 $SIG{QUIT} = \&clean_up_and_exit; # kill -3 # $SIG{HUP} = \&flush_and_reload; # kill -1 } @@ -387,7 +368,7 @@ sub remove_blocks { sub call_unblock { my ($source, $message) = @_; &write_log ("$message"); - system ("$unblockpath $source"); + system ("$unblockpath $source $interface"); } sub clean_up_and_exit { @@ -412,3 +393,22 @@ sub load_targetfile { close (TARG); print "Loaded $count addresses from $targetfile\n"; } + +sub get_aliases { + my $ip; + print "Scanning for aliases on $interface and add them to the target hash..."; + + open (IFCONFIG, "/sbin/ip addr show $interface |"); + my @lines = ; + close(IFCONFIG); + + foreach $line (@lines) { + if ( $line =~ /inet (\d+\.\d+\.\d+\.\d+)/) { + $ip = $1; + print " got $ip on $interface ... "; + $targethash{'$ip'} = "1"; + } + } + + print "done \n"; +} \ No newline at end of file diff --git a/config/guardian/guardian_block.sh b/config/guardian/guardian_block.sh index 0a44325f18..a8331faaa1 100644 --- a/config/guardian/guardian_block.sh +++ b/config/guardian/guardian_block.sh 
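Review bot: The comment on `$SIG{TERM}` in the `sub sig_handler_setup` hunk says `# kill -9`, but SIGTERM is signal 15 (the `kill` default); signal 9 is SIGKILL, which cannot be caught, so no handler installed in this sub will ever run for it. Change the line to `$SIG{TERM} = \&clean_up_and_exit; # kill -15 (default)` so a reader does not expect a clean shutdown and unblocking after `kill -9`. The INT and QUIT comments on the neighbouring lines are correct.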
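Review bot: `$targethash{'$ip'} = "1";` in the new `get_aliases` uses single quotes, so the hash key is the literal three-character string `$ip` and every alias found overwrites that one bogus entry; the addresses are never added to the target hash, which is the purpose of the sub. The key must be `$targethash{$ip} = "1";`. In addition, `open (IFCONFIG, "/sbin/ip addr show $interface |")` is the two-argument piped form with an interpolated value and no result check, `$line` is used without `my`, and the readline target in `my @lines = ;` appears to have been lost in rendering; the rewrite below keeps the printed messages and the regex unchanged and degrades to a warning rather than a crash when `ip` cannot be started.
```perl
sub get_aliases {
    print "Scanning for aliases on $interface and add them to the target hash...";

    # list-form open: no shell is involved, $interface is handed over as one argument
    open(my $ipcmd, '-|', '/sbin/ip', 'addr', 'show', $interface)
        or do { warn "Cannot run /sbin/ip addr show $interface: $!\n"; return; };
    my @lines = <$ipcmd>;
    close($ipcmd);

    foreach my $line (@lines) {
        if ( $line =~ /inet (\d+\.\d+\.\d+\.\d+)/ ) {
            my $ip = $1;
            print " got $ip on $interface ... ";
            $targethash{$ip} = "1";    # unquoted: the key is the address, not the literal '$ip'
        }
    }

    print "done \n";
}
```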
@@ -2,10 +2,11 @@ # this is a sample block script for guardian. This should work with ipchains. # This command gets called by guardian as such: -# guardian_block.sh +# guardian_block.sh # and the script will issue a command to block all traffic from that source ip # address. The logic of weither or not it is safe to block that address is # done inside guardian itself. source=$1 +interface=$2 -/sbin/iptables -I GUARDIANINPUT -s $source -j DROP +/sbin/iptables -I GUARDIAN -s $source -i $interface -j DROP diff --git a/config/guardian/guardian_unblock.sh b/config/guardian/guardian_unblock.sh index e0d3b5d481..315d771951 100644 --- a/config/guardian/guardian_unblock.sh +++ b/config/guardian/guardian_unblock.sh @@ -2,8 +2,9 @@ # this is a sample unblock script for guardian. This should work with ipchains. # This command gets called by guardian as such: -# unblock.sh +# unblock.sh # and the script will issue a command to remove the block that was created with # block.sh address. source=$1 +interface=$2 -/sbin/iptables -D GUARDIANINPUT -s $source -j DROP +/sbin/iptables -D GUARDIAN -s $source -i $interface -j DROP diff --git a/lfs/guardian b/lfs/guardian index 6cec09bd9d..251a56f2aa 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -30,7 +30,7 @@ THISAPP = guardian-$(VER) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 6 +PAK_VER = 7 DEPS = "" diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 366ae071c8..f4d5611d36 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
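Review bot: `-s $source -i $interface` in guardian_block.sh is unquoted and unguarded: when guardian hands over an empty interface (the Perl side no longer dies on one), the empty word disappears from the command line, iptables receives `-i -j DROP`, the insert is rejected, and the address is not blocked at all. Quote both values and refuse to run without an interface, `[ -n "$interface" ] || exit 1` before the rule and `/sbin/iptables -I GUARDIAN -s "$source" -i "$interface" -j DROP` as the rule itself; the `-D` rule in guardian_unblock.sh in the next hunk needs the same treatment. The usage comments `# guardian_block.sh` and `# unblock.sh` seem to have lost their argument placeholders in rendering; in the files they should name both arguments, for example `# guardian_block.sh <source ip> <interface>`.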
@@ -140,8 +140,9 @@ case "$1" in
 # CUSTOM chains, can be used by the users themselves
 /sbin/iptables -N CUSTOMINPUT
 /sbin/iptables -A INPUT -j CUSTOMINPUT
- /sbin/iptables -N GUARDIANINPUT
- /sbin/iptables -A INPUT -j GUARDIANINPUT
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -A FORWARD -j GUARDIAN
 /sbin/iptables -N CUSTOMFORWARD
 /sbin/iptables -A FORWARD -j CUSTOMFORWARD
 /sbin/iptables -N CUSTOMOUTPUT
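Review bot: The new `-A FORWARD -j GUARDIAN` is appended before `-A FORWARD -j CUSTOMFORWARD`, whereas on INPUT the GUARDIAN jump comes after CUSTOMINPUT; the two chains therefore place the guardian block differently relative to the user's custom rules, and an ACCEPT in CUSTOMFORWARD can no longer pre-empt a guardian DROP the way one in CUSTOMINPUT can. Either move the line below the CUSTOMFORWARD jump or state the intended precedence next to the `# CUSTOM chains` comment so the ordering reads as deliberate. The chain is also renamed from GUARDIANINPUT to GUARDIAN here; if that name occurs elsewhere in this initscript, for example where chains are flushed or deleted on stop, those places need the same rename, which cannot be seen from this hunk.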