From 5f73cc6cde571cd52f317d56fb1087169ebea7e0 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 20 Nov 2009 14:28:12 -0500
Subject: Adding new changes from pompom
---
filterwall.sh | 31 ++++
firewall | 357 ++++++++++++++++++++--------------------
firewall.conf | 60 -------
policies/blocked-ips | 15 ++
policies/iptables-default | 17 ++
policies/iptables-web | 19 +++
policies/iptables-webrestricted | 18 ++
policies/profile | 1 +
8 files changed, 282 insertions(+), 236 deletions(-)
create mode 100755 filterwall.sh
delete mode 100644 firewall.conf
create mode 100644 policies/blocked-ips
create mode 100644 policies/iptables-default
create mode 100644 policies/iptables-web
create mode 100644 policies/iptables-webrestricted
create mode 100644 policies/profile
diff --git a/filterwall.sh b/filterwall.sh
new file mode 100755
index 0000000..deba71f
--- /dev/null
+++ b/filterwall.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Log Filter/Firewall Generator
+# by Mike Crute (mcrute@gmail.com)
+# on November 20, 2009
+#
+# Script to scrape over logfiles and generate blocked-ip
+# list for people abusing machine services. This is designed
+# to be run as a cron.
+#
+
+BLOCK_FILE=/etc/firewall/blocked-ips
+
+# Filter SSHD Abusers
+egrep "sshd\[[0-9]+\]: Failed password for" /var/log/auth.log | \
+ egrep -o '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | \
+ awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i }}}' \
+>> $BLOCK_FILE
+
+# Filter FTP Abusers
+grep 'FAIL LOGIN: Client' /var/log/vsftpd.log | \
+ egrep -o '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | \
+ awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i }}}' \
+>> $BLOCK_FILE
+
+# De-dup the filter file.
+cat $BLOCK_FILE | sort -u > $BLOCK_FILE.tmp
+mv $BLOCK_FILE.tmp $BLOCK_FILE
+
+# Refresh the firewall
+/root/bin/firewall
diff --git a/firewall b/firewall
index d19f0ce..9661098 100644
--- a/firewall
+++ b/firewall
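Review bot: The `egrep -o` extraction takes every dotted-quad on a matching log line rather than the address sshd reports after `from`, so a failed login whose username is itself a dotted quad puts that attacker-chosen string into the count and, after ten tries, into the block list — the list can be steered toward arbitrary addresses, including the administrator's own. Anchor the match to the field the daemon writes, e.g. `sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' /var/log/auth.log` for sshd and the quoted `Client "..."` field for vsftpd. The dedup step `cat $BLOCK_FILE | sort -u > $BLOCK_FILE.tmp` followed by `mv` replaces the list even when sort fails; `sort -u -o "$BLOCK_FILE" "$BLOCK_FILE"` is the atomic form and drops the needless cat. Quoting `$BLOCK_FILE` and adding `set -euo pipefail` at the top would also stop `/root/bin/firewall` from being re-run on a truncated list when one of the filters fails.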
@@ -1,179 +1,184 @@ -# Make sure we have all the commands to continue -if [[ ! `which iptables` || ! `which ifconfig` || ! `which grep` || ! `which sed` ]]; then - echo 'Essential commands are missing. Can not continue.' - exit 1 -fi +#!/bin/bash +# +# Iptables Setup and Initialization Script +# Version 1.0 +# +# Written by Michael Crute (mcrute@gmail.com) +# for SoftGroup Interactive on July 10, 2006 +# Last updated: same +# -# Check for root -if [[ $UID != 0 ]]; then - echo 'You are not root.' - exit 1 +if [ $UID != 0 ]; then + echo "You are not root. Goodbye." + exit 1 fi -# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc. -export LC_ALL="en" - -# Source our configuration file -source /etc/firewall.conf - -# Go into lockdown mode while we setup the rules -iptables -P INPUT DROP -iptables -P OUTPUT DROP -iptables -P FORWARD DROP - -# Flush all existing chains and erase personal chains -CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null` -for i in $CHAINS; do - iptables -t $i -F - iptables -t $i -X -done -echo 1 > /proc/sys/net/ipv4/tcp_syncookies -echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts - -# Source Address Verification -for f in /proc/sys/net/ipv4/conf/*/rp_filter; do - echo 1 > $f -done - -# Disable IP source routing and ICMP redirects -for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do - echo 0 > $f -done -for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do - echo 0 > $f -done -echo 1 > /proc/sys/net/ipv4/ip_forward - -# Determine the IP/Broadcast/Netmask for the outside interface -# dynamically by grepping ifconfig commands -# -# Due to absence of EXTBC in ifconfig output I manually set it -# to 255.255.255.255 this hopefully will serve the same purpose -EXTIP="`ifconfig $EXTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`" -EXTBC="255.255.255.255" -EXTMSK="`ifconfig $EXTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`" -EXTNET="$EXTIP/$EXTMSK" -echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET" - -# Determine 
the IP/Broadcast/Netmask for the outside interface -# dynamically by grepping ifconfig commands -INTIP="`ifconfig $INTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`" -INTBC="`ifconfig $INTIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`" -INTMSK="`ifconfig $INTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`" -INTNET="$INTIP/$INTMSK" -echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET" - -# We are now going to create a few custom chains that will result in -# logging of dropped packets. This will enable us to avoid having to -# enter a log command prior to every drop we wish to log. The -# first will be first log drops the other will log rejects. -# Do not complain if chain already exists (so restart is clean) -iptables -N DROPl 2> /dev/null -iptables -A DROPl -j LOG --log-prefix 'DROPl:' -iptables -A DROPl -j DROP -iptables -N REJECTl 2> /dev/null -iptables -A REJECTl -j LOG --log-prefix 'REJECTl:' -iptables -A REJECTl -j REJECT - -# Now we are going to accpet all traffic from our loopback device -# if the IP matches any of our interfaces. -iptables -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT -iptables -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT -iptables -A INPUT -i $LPDIF -s $INTIP -j ACCEPT - -# Blocking Broadcasts -iptables -A INPUT -i $EXTIF -d $EXTBC -j DROPl -iptables -A INPUT -i $INTIF -d $INTBC -j DROPl -iptables -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl -iptables -A OUTPUT -o $INTIF -d $INTBC -j DROPl -iptables -A FORWARD -o $EXTIF -d $EXTBC -j DROPl -iptables -A FORWARD -o $INTIF -d $INTBC -j DROPl - -# Block WAN access to internal network -# -# This also stops nefarious crackers from using our network as a -# launching point to attack other people -iptables -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl - -# Now we will block internal addresses originating from anything but our -# two predefined interfaces... 
just remember that if you jack your -# your laptop or another pc into one of these NIC's directly, you'll need -# to ensure that they either have the same ip or that you add a line explicitly -# for that IP as well -iptables -A INPUT -i $INTIF -s ! $INTNET -j DROPl -iptables -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl -iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl -iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl - -# An additional Egress check -iptables -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl - -# Block outbound ICMP (except for PING) -iptables -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl -iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl - -# Explicitly block TCP ports -for i in $TCPBLOCK; do - iptables -A INPUT -p tcp --dport $i -j DROPl - iptables -A OUTPUT -p tcp --dport $i -j DROPl - iptables -A FORWARD -p tcp --dport $i -j DROPl -done - -# Explicitly block UDP ports -for i in $UDPBLOCK; do - iptables -A INPUT -p udp --dport $i -j DROPl - iptables -A OUTPUT -p udp --dport $i -j DROPl - iptables -A FORWARD -p udp --dport $i -j DROPl -done - -# Open inbound service ports -for i in $INPORTS; do - iptables -A INPUT -p tcp --dport $i -j ACCEPT -done - -iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - -# Opening up ftp connection tracking -MODULES="ip_nat_ftp ip_conntrack_ftp" -for i in $MODULES; do - modprobe $i -done - -# Allow inside systems to use external services -for i in $TCPSERV; do - iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT - iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT -done - -for i in $UDPSERV; do - iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT - iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT -done - -# 
Allow to ping out -iptables -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT -iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT - -# Allow firewall to ping internal systems -iptables -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT - -# Allow a few services internally -iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT -iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT -iptables -A INPUT -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT - -# Setup dynamic NAT -iptables -t nat -A PREROUTING -j ACCEPT -iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE -iptables -t nat -A POSTROUTING -j ACCEPT -iptables -t nat -A OUTPUT -j ACCEPT -iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT -iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT - -# Block and log what me may have forgot -iptables -A INPUT -j DROPl -iptables -A OUTPUT -j REJECTl -iptables -A FORWARD -j DROPl \ No newline at end of file +IPT='/sbin/iptables' + +GREEN='\033[0;32m' +WHITE='\033[0m' +RED='\033[0;31m' + +ALLOW_PING=0 + +function do_log +{ + timestamp=`date +"[%Y-%m-%d %H:%M:%S]"` + if [ $2 == 0 ]; then + echo -e "$timestamp $1: [$GREEN OK $WHITE]" + else + echo -e "$timestamp $1: [$RED FAILED $WHITE]" + fi +} + +function flush_all +{ + # Flush all existing chains and erase personal chains + CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null` + for i in $CHAINS; do + $IPT -t $i -F + $IPT -t $i -X + do_log "Flushing chain $i" $? + done + + # Flush the conntrack database if we can + if [ `which conntrack > /dev/null 2>&1` ]; then + conntrack -F + do_log "Flushing conntrack" $? 
+ fi + + $IPT -P INPUT ACCEPT + do_log "All chains flushed" $? +} + +function set_ping +{ + policy="ACCEPT" + [[ $1 == 0 ]] && policy="DROP" + + $IPT -A INPUT -p icmp --icmp-type 8 -j $policy + do_log "$policy pings" $? +} + +function block_port +{ + $IPT -A INPUT -p $1 -m state --state NEW -m $1 --dport $2 -j DROP + $IPT -A OUTPUT -p $1 -m state --state NEW -m $1 --dport $2 -j DROP + do_log "Blocking $1 port $2" $? +} + +function load_policy +{ + policy=`cat /etc/firewall/profile 2>/dev/null || echo 'default'` + [[ ! -z "$1" ]] && policy=$1 + LOADFILE="/etc/firewall/iptables-$policy" + + if [ -r $LOADFILE ]; then + . $LOADFILE + flush_all + do_log "Loading ruleset $LOADFILE" $? + else + do_log "Could not load a ruleset" 1 + exit 1 + fi +} + +function filter_host +{ + $IPT -I INPUT -s $2 -j $1 + do_log "$1 host $2" $? +} + +function filter_port +{ + $IPT -A INPUT -p $2 -m state --state NEW -m $2 --dport $1 -j $3 + do_log "$3 $2 port $1" $? +} + +function add_exception +{ + ip=`echo $1 | cut -d' ' -f1` + prot=`echo $1 | cut -d' ' -f2` + port=`echo $1 | cut -d' ' -f3` + + $IPT -A INPUT -p $prot -m state --state NEW -s $ip -m $prot --dport $port -j ACCEPT + + do_log "Allowing $ip for $prot $port" $? +} + +function set_defaults +{ + $IPT -A INPUT -s 127.0.0.1 -j ACCEPT + $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -P INPUT DROP + $IPT -P FORWARD DROP + $IPT -P OUTPUT ACCEPT +} + +# Lockdown is the most strict policy that only passes +# ssh traffic. This is good for new servers and emergencies +function lockdown +{ + flush_all + + $IPT -P INPUT DROP + $IPT -P FORWARD DROP + $IPT -P OUTPUT DROP + do_log "All chains set to drop" $? + + $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT + $IPT -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT + do_log "Allowing ssh only" $? 
+ + do_log "Firewall locked down" $? +} + +function build_firewall +{ + load_policy $1 + set_defaults + set_ping $ALLOW_PING + + # Set exceptions + for idx in $(seq ${#RULES[@]}); do + item=${RULES[$idx]} + add_exception $item + done; + + # Allow or deny hosts + for host in $HOSTS_DENY; do + filter_host "DROP" $host + done + for host in $HOSTS_ALLOW; do + filter_host "ALLOW" $host + done + + # Allow or deny tcp ports + for port in $TCP_DENY; do + block_port "tcp" $port + done + for port in $TCP_ALLOW; do + filter_port $port "tcp" "ACCEPT" + done + + # Allow or deny udp ports + for port in $UDP_DENY; do + block_port "udp" $port + done + for i in $UDP_ALLOW; do + filter_port $port "udp" "ACCEPT" + done +} + +if [[ $1 == "--flush" ]]; then + flush_all + exit 0 +elif [[ $1 == "--lockdown" ]]; then + lockdown + exit 0 +else + build_firewall $1 + do_log "Firewall started" $? +fi diff --git a/firewall.conf b/firewall.conf deleted file mode 100644 index 78f873b..0000000 --- a/firewall.conf +++ /dev/null 
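Review bot: `set_defaults` accepts any packet whose source is 127.0.0.1 without restricting it to the loopback interface, so a packet carrying that spoofed source on a real NIC matches the rule; the removed version tied the rule to `-i $LPDIF` and also enabled rp_filter, which this rewrite drops — change it to `$IPT -A INPUT -i lo -j ACCEPT`. In `build_firewall`, `filter_host "ALLOW" $host` names a target iptables does not have (it should be `ACCEPT`), and the `$UDP_ALLOW` loop iterates `i` but passes the stale `$port` left by the previous loop, so neither allow list takes effect. In `flush_all` the conntrack test substitutes a command whose output is redirected to /dev/null, so the bracket test is always false and the table is never flushed; use `if command -v conntrack >/dev/null 2>&1; then`. The `RULES` loop pairs 1-based `seq` with a 0-based array and passes `$item` unquoted, so the first entry is skipped and `add_exception` sees only the address in `$1`.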
@@ -1,60 +0,0 @@
-EXTIF=eth1 # External interface
-INTIF=eth0 # Internal interface
-
-# Loop device/localhost
-LPDIF=lo
-LPDIP=127.0.0.1
-LPDMSK=255.0.0.0
-LPDNET="$LPDIP/$LPDMSK"
-
-# Defining some common chat clients. Remove these from your accepted list for better security.
-# ICQ and AOL are 5190
-# MSN is 1863
-# Y! is 5050
-# Jabber is 5222
-# Y! and Jabber ports not added by author and therefore left out of the script
-IRC='ircd'
-MSN=1863
-ICQ=5190
-YIM=5050
-AIM=5190
-NFS='sunrpc'
-PORTAGE='rsync'
-OpenPGP_HTTP_Keyserver=11371
-
-# All services ports are read from /etc/services
-TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time $PORTAGE $YIM $AIM"
-UDPSERV="domain time"
-
-INPORTS="ssh http"
-
-# COMmon ports:
-# 0 is tcpmux; SGI had vulnerability, 1 is common attack
-# 13 is daytime
-# 98 is Linuxconf
-# 111 is sunrpc (portmap)
-# 137:139, 445 is Microsoft
-# SNMP: 161,2
-# Squid flotilla: 3128, 8000, 8008, 8080
-# 1214 is Morpheus or KaZaA
-# 2049 is NFS
-# 3049 is very virulent Linux Trojan, mistakable for NFS
-# Common attacks: 1999, 4329, 6346
-# Common Trojans 12345 65535
-COMBLOCK="0:1 13 98 111 113 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
-
-# TCP ports:
-# 98 is Linuxconf
-# 512-515 is rexec, rlogin, rsh, printer(lpd)
-# [very serious vulnerabilities; attacks continue daily]
-# 1080 is Socks proxy server
-# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
-# Block 6112 (Sun's/HP's CDE)
-TCPBLOCK="$COMBLOCK 98 512:515 1080 3330 1128 3054 6000:6009 6112"
-
-# UDP ports:
-# 161:162 is SNMP
-# 520 is RIP
-# 9000 is Sangoma
-# 517:518 are talk and ntalk (more annoying than anything)
-UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
\ No newline at end of file
diff --git a/policies/blocked-ips b/policies/blocked-ips
new file mode 100644
index 0000000..ceed910
--- /dev/null
+++ b/policies/blocked-ips
@@ -0,0 +1,15 @@
+115.47.3.229
+116.11.253.154
+118.129.166.149
+122.225.226.67
+125.46.15.194
+202.99.42.188
+218.145.128.230
+220.189.246.26
+222.68.199.238
+59.125.229.74
+60.217.229.222
+61.129.60.23
+70.85.215.42
+87.121.75.179
+88.220.70.24
diff --git a/policies/iptables-default b/policies/iptables-default
new file mode 100644
index 0000000..8f2377f
--- /dev/null
+++ b/policies/iptables-default
@@ -0,0 +1,17 @@
+#
+# iptables Firewall Policy
+# by Mike Crute (mcrute@gmail.com)
+# on September 19, 2009
+#
+
+ALLOW_PING=1
+
+TCP_ALLOW="22" # SSH
+
+#TCP_ALLOW=""
+#HOSTS_ALLOW=""
+#HOSTS_DENY=""
+#TCP_DENY=""
+#UDP_ALLOW="53"
+#UDP_DENY=""
+#RULES=""
diff --git a/policies/iptables-web b/policies/iptables-web
new file mode 100644
index 0000000..9dc9ca5
--- /dev/null
+++ b/policies/iptables-web
@@ -0,0 +1,19 @@
+#
+# iptables Firewall Policy
+# by Mike Crute (mcrute@gmail.com)
+# on September 19, 2009
+#
+
+ALLOW_PING=1
+
+TCP_ALLOW="22" # SSH
+TCP_ALLOW="${TCP_ALLOW} 80 443" # Web Ports
+TCP_ALLOW="${TCP_ALLOW} 20 21" # FTP Ports
+TCP_ALLOW="${TCP_ALLOW} 5870 5871" # Inbound tunnels
+HOSTS_DENY=$(cat /etc/firewall/blocked-ips)
+
+#HOSTS_ALLOW=""
+#TCP_DENY=""
+#UDP_ALLOW="53"
+#UDP_DENY=""
+#RULES=""
diff --git a/policies/iptables-webrestricted b/policies/iptables-webrestricted
new file mode 100644
index 0000000..149cb82
--- /dev/null
+++ b/policies/iptables-webrestricted
@@ -0,0 +1,18 @@
+#
+# iptables Firewall Policy
+# by Mike Crute (mcrute@gmail.com)
+# on September 19, 2009
+#
+
+ALLOW_PING=1
+
+TCP_ALLOW="22" # SSH
+TCP_ALLOW="${TCP_ALLOW} 80" # Web Ports
+TCP_ALLOW="${TCP_ALLOW} 20 21" # FTP Ports
+
+#HOSTS_ALLOW=""
+#HOSTS_DENY=""
+#TCP_DENY=""
+#UDP_ALLOW="53"
+#UDP_DENY=""
+#RULES=""
diff --git a/policies/profile b/policies/profile
new file mode 100644
index 0000000..c077218
--- /dev/null
+++ b/policies/profile
@@ -0,0 +1 @@
+web
-- cgit v1.2.3
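Review bot: In policies/iptables-web, `HOSTS_DENY=$(cat /etc/firewall/blocked-ips)` silently yields an empty deny list when the file is missing or unreadable, because the policy is sourced with `.` and no `set -e`, so the only trace is a cat error on stderr while the firewall comes up without any of the blocks; guard it with `[ -r /etc/firewall/blocked-ips ] && HOSTS_DENY=$(cat /etc/firewall/blocked-ips)` or exit explicitly. Since every policy file in this commit is executed as root by the sourcing `load_policy`, a header comment stating that these files are shell code and must stay root-owned and not group- or world-writable would help whoever edits them next.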