"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plugin" (16 Sep 2020, 5751 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "50ssh-brute-force-protection.plugin": 2.1.0_vs_2.1.1.

    1 # ------------------------------------------------------------------------------
    2 #    -= Arno's Iptables Firewall(AIF) - SSH Brute Force Protection plugin =-
    3 #
    4 PLUGIN_NAME="SSH Brute-Force Protection plugin"
    5 PLUGIN_VERSION="1.1b"
    6 PLUGIN_CONF_FILE="ssh-brute-force-protection.conf"
    7 #
    8 # Last changed          : June 14, 2017
    9 # Requirements          : kernel 2.6 + ipt_recent or xt_recent
   10 #                       : AIF 1.9.2k (and later)
   11 # Comments              : This plugin implements protecting for brute force
   12 #                         cracking by limiting the amount of connection attempts
   13 #                         for each source IP in specific time slot. Its
   14 #                         primarely intended for SSH/port 22 but in principle
   15 #                         it can be used for any TCP protocol
   16 #                         (eg. FTP/SMTP/IMAP etc.
   17 #                         Updated for mixed IPv4/IPv6
   18 #
   19 # Author                : (C) Copyright 2006-2017 by Arno van Amersfoort
   20 # Homepage              : https://rocky.eld.leidenuniv.nl/
   21 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   22 #                         (note: you must remove all spaces and substitute the @ and the .
   23 #                         at the proper locations!)
   24 # ------------------------------------------------------------------------------
   25 # This program is free software; you can redistribute it and/or
   26 # modify it under the terms of the GNU General Public License
   27 # version 2 as published by the Free Software Foundation.
   28 #
   29 # This program is distributed in the hope that it will be useful,
   30 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   31 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   32 # GNU General Public License for more details.
   33 #
   34 # You should have received a copy of the GNU General Public License
   35 # along with this program; if not, write to the Free Software
   36 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   37 # ------------------------------------------------------------------------------
   38 
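#######################################
# Plugin start function: build the SSH_CHK (whitelist + rate checker) and
# SSH_LOG_DROP (rate-limited log, then drop) chains and hook SSH_CHK into
# EXT_INPUT_CHAIN for every protected TCP port.
# Globals:   IPTABLES, INDENT, LOGLEVEL, NF_CONNTRACK_STATE, IPV6_DETECTED,
#            SSH_BFP_IPV6_ENABLE, SSH_BFP_TRUSTED_HOSTS, SSH_BFP_MAX_TIME1/2,
#            SSH_BFP_MAX_RATE1/2 (read); SSH_BFP_PORTS (defaulted to "22"
#            when empty); IFS (restored to its value on entry)
# Outputs:   progress notes on stdout
# Returns:   0
#######################################
plugin_start()
{
  # The loops below need ' ,' word splitting. Remember the caller's IFS so it
  # can be put back afterwards; leaving ' ,' in place after return would
  # change word splitting for everything the framework runs after this plugin.
  # (IFS is assumed to be set, which every POSIX shell does at startup.)
  ssh_bfp_saved_ifs="$IFS"

  if [ "$IPV6_DETECTED" = "1" ] && [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # Probe module xt_recent for IPv4/IPv6 or ipt_recent for IPv4:
  # (Allows checking for recent packets)
  modprobe_multi xt_recent ipt_recent

  # Create (or reset) SSH_CHK, which holds the whitelist + SSH checker:
  $IPTABLES -N SSH_CHK 2>/dev/null
  $IPTABLES -F SSH_CHK

  # Create (or reset) SSH_LOG_DROP chain for loggin' 'n droppin':
  $IPTABLES -N SSH_LOG_DROP 2>/dev/null
  $IPTABLES -F SSH_LOG_DROP

  # Log at most one line per minute so a flood of attempts cannot fill the log
  $IPTABLES -A SSH_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level "$LOGLEVEL" --log-prefix "AIF:SSH Brute force attack?: "
  $IPTABLES -A SSH_LOG_DROP -j DROP

  if [ -n "$SSH_BFP_TRUSTED_HOSTS" ]; then
    # Whitelist: trusted hosts RETURN from SSH_CHK before the recent-match
    # rules, so they are neither counted nor blocked:
    echo "${INDENT}Allowing bypass of SSH protection checks for: $SSH_BFP_TRUSTED_HOSTS"
    IFS=' ,'
    for host in $(ip_range "$SSH_BFP_TRUSTED_HOSTS"); do
      $IPTABLES -A SSH_CHK -s "$host" -j RETURN
    done
    IFS="$ssh_bfp_saved_ifs"
  fi

  # Rate1 & rate2 checker: record every packet reaching SSH_CHK, then jump to
  # SSH_LOG_DROP when the short window (TIME1/RATE1) or the long window
  # (TIME2/RATE2) sees too many hits from the same source.
  # NOTE: xt_recent caps --hitcount at its ip_pkt_list_tot module parameter
  # (20 by default); a larger RATE value makes the rule fail to load.
  $IPTABLES -A SSH_CHK -m recent --name sshchk --set
  $IPTABLES -A SSH_CHK -m recent --name sshchk --update \
    --seconds "$SSH_BFP_MAX_TIME1" --hitcount "$SSH_BFP_MAX_RATE1" -j SSH_LOG_DROP
  $IPTABLES -A SSH_CHK -m recent --name sshchk --update \
    --seconds "$SSH_BFP_MAX_TIME2" --hitcount "$SSH_BFP_MAX_RATE2" -j SSH_LOG_DROP

  # If no ports were configured, use the default of 22
  if [ -z "$SSH_BFP_PORTS" ]; then
    SSH_BFP_PORTS="22"
  fi

  echo "${INDENT}Protecting TCP port(s): $SSH_BFP_PORTS"

  # Send NEW connections to each protected port through SSH_CHK.
  # NF_CONNTRACK_STATE (or its fallback "-m state --state") is deliberately
  # left unquoted: it must expand to several iptables arguments.
  IFS=' ,'
  for port in $SSH_BFP_PORTS; do
    $IPTABLES -A EXT_INPUT_CHAIN -p tcp --dport "$port" ${NF_CONNTRACK_STATE:--m state --state} NEW -j SSH_CHK
  done
  IFS="$ssh_bfp_saved_ifs"

  return 0
}
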
#######################################
# Plugin stop function: flush and then delete the two chains that
# plugin_start created.
# Globals:   IPTABLES (read)
# Returns:   0
#######################################
plugin_stop()
{
  # Flush first so the chain is empty, then delete it. Errors from -X are
  # silenced (e.g. when the chain does not exist, there is nothing to do).
  for ssh_bfp_chain in SSH_CHK SSH_LOG_DROP; do
    $IPTABLES -F "$ssh_bfp_chain"
    $IPTABLES -X "$ssh_bfp_chain" 2>/dev/null
  done

  return 0
}

#######################################
# Plugin status function: this plugin has nothing to report, so it succeeds
# unconditionally.
# Returns:   0
#######################################
plugin_status()
{
  :
}

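#######################################
# Check sanity of eg. environment: the four rate/time thresholds must be set
# and must be plain unsigned integers, because plugin_start passes them
# straight to the xt_recent --seconds / --hitcount options.
# Globals:   SSH_BFP_MAX_RATE1, SSH_BFP_MAX_TIME1, SSH_BFP_MAX_RATE2,
#            SSH_BFP_MAX_TIME2, INDENT (read)
# Outputs:   error message on stderr when the config is incomplete or invalid
# Returns:   0 when the config is usable, 1 otherwise
#######################################
plugin_sanity_check()
{
  # Each value is quoted so an empty one still yields a loop word
  for ssh_bfp_val in "$SSH_BFP_MAX_RATE1" "$SSH_BFP_MAX_TIME1" \
                     "$SSH_BFP_MAX_RATE2" "$SSH_BFP_MAX_TIME2"; do
    case "$ssh_bfp_val" in
      ''|*[!0-9]*)
        # Empty or not all digits: reject before any iptables rule is built
        printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
        return 1
        ;;
    esac
  done

  return 0
}
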
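############
# Mainline #
############

# Check where to find the config file (PLUGIN_CONF_PATH is supplied by the
# AIF framework; CONF_FILE stays empty when it is unset)
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # Values go through %s rather than into the format string, so a '%' or '\'
  # in the path or plugin name cannot corrupt the message
  printf 'NOTE: Config file "%s" not found!\n        Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by the user running the firewall (normally root).
  . "$CONF_FILE"

  # Run when enabled; "stop" and "status" are also honoured regardless of
  # ENABLED when the framework sets PLUGIN_LOAD_FILE
  if [ "$ENABLED" = "1" ] ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Use the ip4tables command when IPv6 protection is disabled, plain
    # iptables otherwise
    if [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"%s\"!\033[0m\n" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
    unset IPTABLES
  fi
fi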