"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/share/arno-iptables-firewall/plugins/95adaptive-ban.plugin" (16 Sep 2020, 7022 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "95adaptive-ban.plugin": 2.1.0_vs_2.1.1.

    1 # ------------------------------------------------------------------------------
    2 #            -= Arno's Iptables Firewall(AIF) - Adaptive Ban plugin =-
    3 #
    4 PLUGIN_NAME="Adaptive Ban plugin"
    5 PLUGIN_VERSION="1.04 BETA"
    6 PLUGIN_CONF_FILE="adaptive-ban.conf"
    7 #
    8 # Last changed          : February 3, 2019
    9 # Requirements          : AIF 2.1.0 (or newer)
   10 # Comments              : Parse a log file for failed access with offending IP addresses
   11 #                         Ban the IP address after multiple failed attempts
   12 #
   13 # Author                : (C) Copyright 2010-2019 by Arno van Amersfoort & Lonnie Abelbeck
   14 # Credits               : AstLinux Project
   15 # Homepage              : https://www.astlinux-project.org/
   16 # Credits               : Fail2ban Project
   17 # Homepage              : https://www.fail2ban.org/
   18 # Credits               : Arno van Amersfoort
   19 # Homepage              : https://rocky.eld.leidenuniv.nl/
   20 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   21 #                         (note: you must remove all spaces and substitute the @ and the .
   22 #                         at the proper locations!)
   23 # ------------------------------------------------------------------------------
   24 # This program is free software; you can redistribute it and/or
   25 # modify it under the terms of the GNU General Public License
   26 # version 2 as published by the Free Software Foundation.
   27 #
   28 # This program is distributed in the hope that it will be useful,
   29 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   30 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   31 # GNU General Public License for more details.
   32 #
   33 # You should have received a copy of the GNU General Public License
   34 # along with this program; if not, write to the Free Software
   35 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   36 # ------------------------------------------------------------------------------
   37 
   38 # (Background) job name
   39 JOB_NAME="adaptive-ban"
   40 
   41 # (Background) job helper script
   42 JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/adaptive-ban-helper"
   43 
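# Plugin start function
#
# Builds ADAPTIVE_BAN_DROP_CHAIN (rate-limited LOG, then REJECT or DROP) and
# ADAPTIVE_BAN_CHAIN (whitelist RETURN rules; the helper job later adds the
# ban rules that jump to ADAPTIVE_BAN_DROP_CHAIN), hooks ADAPTIVE_BAN_CHAIN
# into INPUT and FORWARD and registers the log-parsing helper as a
# background job.
# Globals (read): ADAPTIVE_BAN_REJECT, IPV6_SUPPORT, LOGLEVEL, INDENT,
#   ADAPTIVE_BAN_WHITELIST_INTERNAL, INTERNAL_NET, ADAPTIVE_BAN_WHITELIST,
#   ADAPTIVE_BAN_FILE, ADAPTIVE_BAN_TIME, ADAPTIVE_BAN_COUNT,
#   ADAPTIVE_BAN_TYPES, JOB_NAME, JOB_HELPER_SCRIPT
# Returns: 0 on success, 1 when the background job could not be added
plugin_start()
{
  local host net IFS

  # Chain banned hosts are sent to: log at most once per hour, then reject/drop
  iptables -N ADAPTIVE_BAN_DROP_CHAIN 2>/dev/null
  iptables -F ADAPTIVE_BAN_DROP_CHAIN
  iptables -A ADAPTIVE_BAN_DROP_CHAIN -m limit --limit 1/hour --limit-burst 1 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:Adaptive-Ban host: "
  if [ "$ADAPTIVE_BAN_REJECT" = "1" ]; then
    # REJECT needs an address-family specific ICMP type, so v4 and v6 are added separately
    ip4tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp-host-unreachable
    if [ "$IPV6_SUPPORT" = "1" ]; then
      ip6tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp6-addr-unreachable
    fi
  else
    iptables -A ADAPTIVE_BAN_DROP_CHAIN -j DROP
  fi

  # Chain every packet is checked against. Whitelist RETURN rules are appended
  # first, so a whitelisted source is never reached by a ban rule added later.
  iptables -N ADAPTIVE_BAN_CHAIN 2>/dev/null
  iptables -F ADAPTIVE_BAN_CHAIN
  if [ "$ADAPTIVE_BAN_WHITELIST_INTERNAL" != "0" ]; then
    printf '%sAdaptive Ban - Whitelisting INTERNAL net(s): ' "$INDENT"
    # Config lists may be space and/or comma separated
    IFS=' ,'
    for net in $INTERNAL_NET; do
      # Config values are data: pass them as printf arguments, never as the format
      printf '%s ' "$net"
      iptables -A ADAPTIVE_BAN_CHAIN -s "$net" -j RETURN
    done
    echo ""
  fi
  if [ -n "$ADAPTIVE_BAN_WHITELIST" ]; then
    printf '%sAdaptive Ban - Whitelisting host(s): ' "$INDENT"
    IFS=' ,'
    for host in $ADAPTIVE_BAN_WHITELIST; do
      printf '%s ' "$host"
      iptables -A ADAPTIVE_BAN_CHAIN -s "$host" -j RETURN
    done
    echo ""
  fi

  # Insert rule in the INPUT chain
  iptables -I INPUT -j ADAPTIVE_BAN_CHAIN

  # Insert rule in the FORWARD chain
  iptables -I FORWARD -j ADAPTIVE_BAN_CHAIN

  echo "${INDENT}File=$ADAPTIVE_BAN_FILE Time=$ADAPTIVE_BAN_TIME Count=$ADAPTIVE_BAN_COUNT Types=$ADAPTIVE_BAN_TYPES"

  # Create background job; the interval defaults to 2 when ADAPTIVE_BAN_TIME is empty
  if ! job_add "$JOB_NAME" "${ADAPTIVE_BAN_TIME:-2}" "$JOB_HELPER_SCRIPT"; then
    return 1
  fi

  return 0
}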
   97 
   98 
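# Plugin stop function
#
# Unhooks ADAPTIVE_BAN_CHAIN from INPUT and FORWARD, then flushes and deletes
# both plugin chains. The -D/-F calls are issued unconditionally; only the
# chain-delete (-X) errors are silenced.
# Globals (read): INDENT
# Returns: 0 always
plugin_stop()
{
  local chain

  printf '%sAdaptive Ban - Stopping... ' "$INDENT"

  # Unhook first so no packet is steered into a chain while it is being torn down
  iptables -D INPUT -j ADAPTIVE_BAN_CHAIN
  iptables -D FORWARD -j ADAPTIVE_BAN_CHAIN

  # ADAPTIVE_BAN_CHAIN holds the jumps to ADAPTIVE_BAN_DROP_CHAIN, so it is
  # flushed and deleted first; a referenced chain cannot be deleted
  for chain in ADAPTIVE_BAN_CHAIN ADAPTIVE_BAN_DROP_CHAIN; do
    iptables -F "$chain"
    iptables -X "$chain" 2>/dev/null
  done

  return 0
}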
  115 
  116 
# Print one titled status section: the source address of every rule in
# ADAPTIVE_BAN_CHAIN whose target is $2, for IPv4 and (when IPV6_SUPPORT is 1)
# IPv6.
# Arguments: $1 - section title, $2 - rule target to select
# Globals (read): IPV6_SUPPORT
adaptive_ban_status_section()
{
  local title="$1" target="$2"

  echo "  $title:"
  echo "  =============================="
  # ip4tables -n -L prints "target prot opt source ...", so the source is
  # column 4; the ip6tables listing has no "opt" column, hence column 3
  ip4tables -n -L ADAPTIVE_BAN_CHAIN | awk -v t="$target" '$1 == t { print "  "$4 }'
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -n -L ADAPTIVE_BAN_CHAIN | awk -v t="$target" '$1 == t { print "  "$3 }'
  fi
  echo "  ------------------------------"
  echo ""
}

# Plugin status function
#
# Lists the banned hosts (rules jumping to ADAPTIVE_BAN_DROP_CHAIN) and the
# whitelisted hosts (RETURN rules) found in ADAPTIVE_BAN_CHAIN.
# Returns: 0 always
plugin_status()
{
  adaptive_ban_status_section "Banned Hosts" ADAPTIVE_BAN_DROP_CHAIN
  adaptive_ban_status_section "Whitelisted Hosts" RETURN

  return 0
}
  140 
  141 
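# Check sanity of eg. environment
#
# Verifies that the sourced config provides the mandatory variables, that the
# helper script exists, that the log file to parse exists when a start is
# requested, and that the external commands the helper needs are installed.
# An empty PLUGIN_CMD is treated as "start", matching the mainline's case.
# Globals (read): ADAPTIVE_BAN_FILE, ADAPTIVE_BAN_TIME, ADAPTIVE_BAN_COUNT,
#   ADAPTIVE_BAN_TYPES, JOB_HELPER_SCRIPT, PLUGIN_CMD, INDENT
# Returns: 0 when everything is in place, 1 otherwise (message on stderr)
plugin_sanity_check()
{
  local cmd

  if [ -z "$ADAPTIVE_BAN_FILE" ] || [ -z "$ADAPTIVE_BAN_TIME" ] ||
     [ -z "$ADAPTIVE_BAN_COUNT" ] || [ -z "$ADAPTIVE_BAN_TYPES" ]; then
    printf "\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n" "$INDENT" >&2
    return 1
  fi

  if [ ! -f "$JOB_HELPER_SCRIPT" ]; then
    # Paths from the config are data: pass them as printf arguments, never as the format
    printf "\033[40m\033[1;31m%sERROR: The job helper script(%s) can not be found!\033[0m\n" "$INDENT" "$JOB_HELPER_SCRIPT" >&2
    return 1
  fi

  # Only a start needs the log file; stop/status are allowed without it
  if { [ "$PLUGIN_CMD" = "start" ] || [ -z "$PLUGIN_CMD" ]; } && [ ! -f "$ADAPTIVE_BAN_FILE" ]; then
    printf "\033[40m\033[1;31m%sERROR: Input log file %s does not exist!\033[0m\n" "$INDENT" "$ADAPTIVE_BAN_FILE" >&2
    return 1
  fi

  for cmd in sort uniq; do
    if ! check_command "$cmd"; then
      printf "\033[40m\033[1;31m%sERROR: Required command %s is not available!\033[0m\n" "$INDENT" "$cmd" >&2
      return 1
    fi
  done

  return 0
}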
  172 
  173 
  174 ############
  175 # Mainline #
  176 ############
  177 
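# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # Names are data: pass them as printf arguments, never as the format
  printf 'NOTE: Config file "%s" not found!\n        Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file. Sourcing executes it as shell code, so its
  # permissions deserve the same care as the firewall scripts themselves.
  . "$CONF_FILE"

  # Run when enabled; when loaded through PLUGIN_LOAD_FILE, stop and status
  # also run with ENABLED unset (presumably so an earlier start can still be
  # torn down or inspected)
  if [ "$ENABLED" = "1" ] ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      # An empty command is treated as "start"
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status  ) plugin_status; PLUGIN_RET_VAL=$?;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m%sERROR: Invalid plugin option \"%s\"!\033[0m\n" "$INDENT" "$PLUGIN_CMD" >&2;;
      esac
    fi
  fi
fi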