    1 # ------------------------------------------------------------------------------
    2 #           -= Arno's Iptables Firewall(AIF) - IDS-protection plugin =-
    3 #
    4 PLUGIN_NAME="IDS-protection plugin"
    5 PLUGIN_VERSION="1.1a"
    6 PLUGIN_CONF_FILE="ids-protection.conf"
    7 #
    8 # Last changed          : June 14, 2017
    9 # Requirements          : kernel 2.6 + ipt_recent or xt_recent
   10 #                       : AIF 1.9.2k (and later)
   11 # Comments              : This implements IDS protection aka Intrusion-Detection-System.
   12 #                         It will block remote hosts trying to eg. scan/access your
   13 #                         system on firewalled ports.
   14 #                         Updated for mixed IPv4/IPv6
   15 #
   16 # Author                : (C) Copyright 2007-2017 by Arno van Amersfoort
   17 # Homepage              : https://rocky.eld.leidenuniv.nl/
   18 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   19 #                         (note: you must remove all spaces and substitute the @ and the .
   20 #                         at the proper locations!)
   21 # ------------------------------------------------------------------------------
   22 # This program is free software; you can redistribute it and/or
   23 # modify it under the terms of the GNU General Public License
   24 # version 2 as published by the Free Software Foundation.
   25 #
   26 # This program is distributed in the hope that it will be useful,
   27 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   28 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   29 # GNU General Public License for more details.
   30 #
   31 # You should have received a copy of the GNU General Public License
   32 # along with this program; if not, write to the Free Software
   33 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   34 # ------------------------------------------------------------------------------------------
   35 
# Plugin start function: builds the IDS_LOG_DROP (rate-limited log + drop) and
# IDS_CHK (bypass rules + xt_recent bookkeeping) chains and hooks them into
# INPUT_CHAIN and POST_INPUT_DROP_CHAIN for every interface in IDS_INTERFACE.
# Reads:  IPV6_DETECTED IDS_IPV6_ENABLE INDENT IPTABLES LOGLEVEL
#         IDS_TRUSTED_HOSTS IDS_EXCLUDE_TCP IDS_EXCLUDE_UDP IDS_INTERFACE EXT_IF
#         IDS_MAX_TIME1 IDS_MAX_RATE1 IDS_MAX_TIME2 IDS_MAX_RATE2 NF_CONNTRACK_STATE
# Writes: IDS_INTERFACE (defaults to EXT_IF when empty), IFS (set to ' ,' and
#         not restored), the loop variables host/port/interface.
# Uses the AIF core helpers modprobe_multi and ip_range and the $IPTABLES wrapper.
# Returns 0.
plugin_start()
{
  if [ "$IPV6_DETECTED" = "1" ] && [ "$IDS_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # The "recent" match used below comes from xt_recent (IPv4/IPv6) or the
  # older ipt_recent (IPv4 only); modprobe_multi presumably loads whichever
  # one the running kernel provides.
  modprobe_multi xt_recent ipt_recent

  # IDS_LOG_DROP: rate-limited LOG, then DROP.  -N is silenced because the
  # chain may already exist from an earlier start; -F empties it either way.
  $IPTABLES -N IDS_LOG_DROP 2>/dev/null
  $IPTABLES -F IDS_LOG_DROP
  $IPTABLES -A IDS_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level $LOGLEVEL --log-prefix "AIF:IDS violation: "
  $IPTABLES -A IDS_LOG_DROP -j DROP

  # IDS_CHK: bypass rules first, then record the source in the idschk list.
  $IPTABLES -N IDS_CHK 2>/dev/null
  $IPTABLES -F IDS_CHK

  # Every list below is separated by spaces and/or commas.  IFS is
  # deliberately left at this value on return, as the original plugin did.
  IFS=' ,'

  if [ -n "$IDS_TRUSTED_HOSTS" ]; then
    # The bypass is keyed on source address only, so it is only as strong as
    # the anti-spoofing rules elsewhere in the ruleset.
    echo "${INDENT}Allowing bypass of IDS protection checks for: $IDS_TRUSTED_HOSTS"
    for host in $(ip_range "$IDS_TRUSTED_HOSTS"); do
      $IPTABLES -A IDS_CHK -s $host -j RETURN
    done
  fi

  # ICMP is not tracked: it cannot be reliably checked for IDS purposes.
  $IPTABLES -A IDS_CHK -p icmp -j RETURN

  if [ -n "$IDS_EXCLUDE_TCP" ]; then
    echo "${INDENT}Excluding IDS check for TCP port(s): $IDS_EXCLUDE_TCP"
    for port in $IDS_EXCLUDE_TCP; do
      $IPTABLES -A IDS_CHK -p tcp --dport $port -j RETURN
    done
  fi

  if [ -n "$IDS_EXCLUDE_UDP" ]; then
    echo "${INDENT}Excluding IDS check for UDP port(s): $IDS_EXCLUDE_UDP"
    for port in $IDS_EXCLUDE_UDP; do
      $IPTABLES -A IDS_CHK -p udp --dport $port -j RETURN
    done
  fi

  # Anything that gets this far (fed in from POST_INPUT_DROP_CHAIN, see below)
  # is added to the idschk list (--set) and its last-seen time refreshed
  # (--update).
  $IPTABLES -A IDS_CHK -m recent --set --name idschk
  $IPTABLES -A IDS_CHK -m recent --update --name idschk

  # Fall back to the external interface(s) when no IDS interface is configured.
  : "${IDS_INTERFACE:=$EXT_IF}"

  for interface in $IDS_INTERFACE; do
    # Two thresholds: a source that appears in idschk IDS_MAX_RATEn times
    # within IDS_MAX_TIMEn seconds is logged and dropped.
    # NOTE(review): xt_recent refuses a --hitcount above its ip_pkt_list_tot
    # module parameter; nothing validates the configured rates against it, so
    # an oversized value makes these two rules fail to load.
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck \
      --seconds $IDS_MAX_TIME1 --hitcount $IDS_MAX_RATE1 --name idschk -j IDS_LOG_DROP
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck \
      --seconds $IDS_MAX_TIME2 --hitcount $IDS_MAX_RATE2 --name idschk -j IDS_LOG_DROP

    # Hand NEW packets that are about to be dropped to IDS_CHK:
    $IPTABLES -A POST_INPUT_DROP_CHAIN -i $interface ${NF_CONNTRACK_STATE:--m state --state} NEW -j IDS_CHK
  done

  return 0
}


# Plugin stop function: flushes and deletes the two chains created by
# plugin_start, in the same order as before (IDS_CHK first, then IDS_LOG_DROP).
# -X is silenced because a chain that does not exist, or is still referenced
# by another chain, cannot be deleted and iptables would complain; the
# teardown is best-effort.
# Reads:   IPTABLES
# Writes:  ids_chain (loop variable)
# Returns: 0.
plugin_stop()
{
  for ids_chain in IDS_CHK IDS_LOG_DROP; do
    $IPTABLES -F "$ids_chain"
    $IPTABLES -X "$ids_chain" 2>/dev/null
  done

  return 0
}


# Plugin status function: this plugin has nothing of its own to report, so it
# only signals success to the plugin loader.
# Returns: 0.
plugin_status()
{
  :
}

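# Check sanity of eg. environment.  The four rate/time values are interpolated
# unquoted into iptables arguments by plugin_start, so besides being set they
# must be plain unsigned integers; anything else (empty, signs, units, shell
# metacharacters) is rejected here instead of surfacing as an iptables error.
# Reads:   IDS_MAX_RATE1 IDS_MAX_TIME1 IDS_MAX_RATE2 IDS_MAX_TIME2 INDENT
# Writes:  ids_check_val (loop variable)
# Returns: 0 when all four values are digit-only, 1 otherwise (with an error
#          message on stderr).
plugin_sanity_check()
{
  # Quoted words: the loop is unaffected by whatever IFS the caller uses.
  for ids_check_val in "$IDS_MAX_RATE1" "$IDS_MAX_TIME1" "$IDS_MAX_RATE2" "$IDS_MAX_TIME2"; do
    case "$ids_check_val" in
      ''|*[!0-9]*)
        # INDENT is passed as a %s argument rather than embedded in the format
        # string, so it can never be misread as a printf directive.
        printf "\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n" "$INDENT" >&2
        return 1
        ;;
    esac
  done

  return 0
}

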
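############
# Mainline #
############
# Runs when the AIF core sources this plugin.  Expects from the core:
# PLUGIN_CONF_PATH, PLUGIN_CMD (start, stop, status or empty), PLUGIN_LOAD_FILE
# and INDENT.  Leaves the outcome in PLUGIN_RET_VAL for the plugin loader.

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # The path and plugin name go through %s instead of the format string, so a
  # '%' or backslash in either cannot corrupt the message.
  printf 'NOTE: Config file "%s" not found!\n        Plugin "%s v%s" ignored!\n' \
    "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file.  '.' executes it as shell code, so its
  # ownership and permissions matter as much as the firewall script's own.
  . "$CONF_FILE"

  # Always run when enabled; stop/status also run when PLUGIN_LOAD_FILE is set
  # (presumably marking a plugin loaded by an earlier start, so that its
  # chains can still be torn down or queried after it was disabled).
  if [ "$ENABLED" = "1" ] ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Pick the IPv4-only wrapper when IPv6 protection is switched off.
    if [ "$IDS_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1
                  # INDENT and the offending command are %s arguments, never
                  # part of the format string.
                  printf "\033[40m\033[1;31m%sERROR: Invalid plugin option \"%s\"!\033[0m\n" "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
    unset IPTABLES
  fi
fi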