From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tim FitzGeorge To: development@lists.ipfire.org Subject: Re: [PATCH v2 0/8] ipblacklist: IP Address Blacklists Date: Tue, 26 May 2020 18:44:35 +0100 Message-ID: <60d44f5b-36ec-c3b0-4dc1-e82e81663774@tfitzgeorge.me.uk> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3117259794951885925==" List-Id: --===============3117259794951885925== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Michael, The diff between the V1 and V2 patches is at the end of this email. I've not= included html/cgi-bin/logs.cgi/ipblacklists.dat html/cgi-bin/logs.cgi/showrequestfromblacklist.dat (V2 patches 0003 and 0004) as they're completely new at V2 - they're modifica= tions of the other similar log files. There are a lot of lines here, but a lot of them are deletions due to moving = the status etc. into the logging. I hope the is OK. Tim On 16/05/2020 10:40, Michael Tremer wrote: > Hi Tim, >=20 > This has now been sitting in my inbox for almost a month. Nobody else has c= ommented on it. >=20 > I tried a couple of times to review this, but I do not even know where to s= tart. This patch is just too large. >=20 > First of all, although it is split across multiple patches, it is one large= patch. It is not split by changes that belong together, but just one patch p= er file. >=20 > I have no idea what has changed since I last time looked at the code. It ha= s been months since the previous patchset and I do not remember each individu= al line. >=20 > You Git repository also does not have any changes any more. The branch has = been reset. >=20 > Are you able to send a diff with the changes since the first patchset? >=20 > How can we finally bring this into the distribution? >=20 > Best, > -Michael >=20 >> On 27 Apr 2020, at 15:31, Tim FitzGeorge wrote: >> >> Implements downloading of IP address blacklists and implementing >> them as IPSets. A separate IPSet is used for each blacklist; this >> simplifies handling of overlaps between different lists. Traffic >> to or from the red0/ppp0 interface is checked against the IPSets. >> The check is placed before the IPS check as the IPSet check is >> much lighter on CPU use which means that overall CPU use is >> reduced. >> >> The available lists are defined in a separate file. A WUI page >> allows the desired lists to be enabled. A minimum update check >> interval is defined for each blacklist in the definition file. >> >> Changes since Version 1: >> >> - Changed Dshield download URL to preferred address. >> - Removed Abuse.ch blacklist (discontinued). >> - Removed Talos Malicious blacklist (not for production use). >> - Added Feodo recommended blacklist. >> - Added blocklist.de all blacklist. >> - Updated ignored messages in logwatch. >> - Modified sources file 'rate' to allow unit to be specified. >> - Updated sources file 'disable' to allow list to be specified. >> - Removed autoblacklist. >> - Added WUI log pages. >> - Removed status from settings WUI page. >> >> Tim FitzGeorge (8): >> ipblacklist: Main script >> ipblacklist: WUI Settings page >> ipblacklist: WUI Log page >> ipblacklist: WUI Log details page >> ipblacklist: WUI menus, language file etc >> ipblacklist: Ancillary files >> ipblacklist: Modifications to system >> ipblacklist: Build infrastructure >> >> config/backup/backup.pl | 1 + >> config/backup/include | 2 + >> config/ipblacklist/sources | 138 ++ >> config/logwatch/ipblacklist | 105 ++ >> config/logwatch/ipblacklist.conf | 34 + >> config/menu/50-firewall.menu | 5 + >> config/menu/70-log.menu | 5 + >> config/rootfiles/common/aarch64/stage2 | 1 + >> config/rootfiles/common/configroot | 2 + >> config/rootfiles/common/ipblacklist-sources | 1 + >> config/rootfiles/common/logwatch | 2 + >> config/rootfiles/common/misc-progs | 2 + >> config/rootfiles/common/stage2 | 1 + >> config/rootfiles/common/web-user-interface | 3 + >> config/rootfiles/common/x86_64/stage2 | 1 + >> html/cgi-bin/ipblacklist.cgi | 463 +++++++ >> html/cgi-bin/logs.cgi/ipblacklists.dat | 363 +++++ >> html/cgi-bin/logs.cgi/log.dat | 2 + >> html/cgi-bin/logs.cgi/showrequestfromblacklist.dat | 415 ++++++ >> langs/en/cgi-bin/en.pl | 27 +- >> lfs/configroot | 4 +- >> lfs/ipblacklist-sources | 53 + >> lfs/logwatch | 2 + >> make.sh | 1 + >> src/initscripts/system/firewall | 12 + >> src/misc-progs/Makefile | 2 +- >> src/misc-progs/getipsetstat.c | 25 + >> src/misc-progs/ipblacklistctrl.c | 48 + >> src/scripts/ipblacklist | 1382 ++++++++++++++++= ++++ >> 29 files changed, 3098 insertions(+), 4 deletions(-) >> create mode 100644 config/ipblacklist/sources >> create mode 100644 config/logwatch/ipblacklist >> create mode 100644 config/logwatch/ipblacklist.conf >> create mode 100644 config/rootfiles/common/ipblacklist-sources >> create mode 100644 html/cgi-bin/ipblacklist.cgi >> create mode 100755 html/cgi-bin/logs.cgi/ipblacklists.dat >> create mode 100755 html/cgi-bin/logs.cgi/showrequestfromblacklist.dat >> create mode 100644 lfs/ipblacklist-sources >> create mode 100644 src/misc-progs/getipsetstat.c >> create mode 100644 src/misc-progs/ipblacklistctrl.c >> create mode 100755 src/scripts/ipblacklist >> >> --=20 >> 2.16.4 >> >=20 diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy index 1198d120f..21165e933 100755 --- a/config/firewall/firewall-policy +++ b/config/firewall/firewall-policy @@ -22,7 +22,6 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) -eval $(/usr/local/bin/readhash /var/ipfire/ipblacklist/settings) =20 function iptables() { /sbin/iptables --wait "$@" @@ -98,10 +97,6 @@ case "${HAVE_OPENVPN},${POLICY}" in ;; esac =20 -if [ "${AUTOBLACKLIST}" =3D "on" ]; then - iptables -A POLICYIN -i ${IFACE} -m hashlimit --hashlimit-mode srcip --hash= limit-above ${BLOCK_THRESHOLD}/hour --hashlimit-name AUTOBLACKLIST -j SET --a= dd-set AUTOBLACKLIST src -fi - case "${FWPOLICY2}" in REJECT) if [ "${DROPINPUT}" =3D "on" ]; then diff --git a/config/ipblacklist/sources b/config/ipblacklist/sources index ab991e12a..3cfa7f7d4 100644 --- a/config/ipblacklist/sources +++ b/config/ipblacklist/sources @@ -13,139 +13,126 @@ # # # The fields are: # # # -# name The blacklist's full name # -# url URL of the file containing the list # -# info URL giving information about the source # -# parser The parser function used to extract IP addresses from the # -# downloaded list # -# method Method used to download updates. # -# rate Minimum number of hours between checks for updates # -# safe 'yes' if the list is unlikely to contain addresses that can be # -# used for legitimate traffic, or 'no' otherwise # -# disable Name of another list to disable if this one is enabled. Used # -# when the other list is a subset of this one. # +# name The blacklist's full name # +# url URL of the file containing the list # +# info URL giving information about the source # +# parser The parser function used to extract IP addresses from the # +# downloaded list # +# rate Minimum period between checks for updates. Can be specified in # +# days (d), hours (h) or minutes (m) # +# category Used for documentation on the WUI. Can be one of the following # +# 'application' Potentially unwanted applications # +# 'attacker' Generic source of malicious packets # +# 'c and c' Malware Command and Control source # +# 'composite' Composite of other lists # +# 'invalid' Invalid addresses on the public internet # +# 'scanner' Port scanner that is not initself malicious # +# disable Name of another list to disable if this one is enabled. Used # +# when the other list is a subset of this one. # # # -# The info and safe fields are purely for documentation. # -# # -# Note that the Emerging Threats blacklist is a composite list containing # -# addresses from some of the other lists. It is unnecessary to enable # -# this list if the other lists are enabled. # +# The info and category fields are purely for documentation. # # # ############################################################################ =20 %sources =3D ( 'EMERGING_FWRULE' =3D> { 'name' =3D> 'Emerging Threats Bl= ocklist', 'url' =3D> 'https://rules.emergingt= hreats.net/fwrules/emerging-Block-IPs.txt', 'info' =3D> 'https://doc.emergingthr= eats.net/bin/view/Main/EmergingFirewallRules', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '1h', + 'category' =3D> 'composite', + 'disable' =3D> ['FEODO_RECOMMENDED', 'F= EODO_IP', 'FEODO_AGGRESIVE', 'SPAMHAUS_DROP', 'DSHIELD'] }, 'EMERGING_COMPROMISED' =3D> { 'name' =3D> 'Emerging Threats Com= promised IPs', 'url' =3D> 'https://rules.emergingt= hreats.net/blockrules/compromised-ips.txt', 'info' =3D> 'https://doc.emergingthr= eats.net/bin/view/Main/CompromisedHost', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '1h', + 'category' =3D> 'attacker' }, 'SPAMHAUS_DROP' =3D> { 'name' =3D> "Spamhaus Don't Route = or Peer List", 'url' =3D> 'https://www.spamhaus.or= g/drop/drop.txt', 'info' =3D> 'https://www.spamhaus.or= g/drop/', - 'parser' =3D> 'text-with-semicolon-com= ments', - 'method' =3D> 'check-header-time', - 'rate' =3D> 12, - 'safe' =3D> 'yes' }, + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '12h', + 'category' =3D> 'reputation' }, 'SPAMHAUS_EDROP' =3D> { 'name' =3D> "Spamhaus Extended Don= 't Route or Peer List", 'url' =3D> 'https://www.spamhaus.or= g/drop/edrop.txt', 'info' =3D> 'https://www.spamhaus.or= g/drop/', - 'parser' =3D> 'text-with-semicolon-com= ments', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '1h', + 'category' =3D> 'reputation' }, 'DSHIELD' =3D> { 'name' =3D> 'Dshield.org Recommend= ed Block List', 'url' =3D> 'https://www.dshield.org= /block.txt', 'info' =3D> 'https://dshield.org/', 'parser' =3D> 'dshield', - 'method' =3D> 'check-header-time', - 'rate' =3D> 2, - 'safe' =3D> 'no' }, + 'rate' =3D> '1h', + 'category' =3D> 'attacker' }, + 'FEODO_RECOMMENDED'=3D> {'name' =3D> 'Feodo Trojan IP Block= list (Recommended)', + 'url' =3D> 'https://feodotracker.ab= use.ch/downloads/ipblocklist_recommended.txt', + 'info' =3D> 'https://feodotracker.ab= use.ch/blocklist', + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '5m', + 'category' =3D> 'c and c' }, 'FEODO_IP' =3D> { 'name' =3D> 'Feodo Trojan IP Block= list', 'url' =3D> 'https://feodotracker.ab= use.ch/downloads/ipblocklist.txt', 'info' =3D> 'https://feodotracker.ab= use.ch/blocklist', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '5m', + 'category' =3D> 'c and c', + 'disable' =3D> 'FEODO_RECOMMENDED' }, 'FEODO_AGGRESIVE' =3D> { 'name' =3D> 'Feodo Trojan IP Block= list (Aggresive)', 'url' =3D> 'https://feodotracker.ab= use.ch/downloads/ipblocklist_aggressive.txt', 'info' =3D> 'https://feodotracker.ab= use.ch/blocklist', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no', - 'disable' =3D> 'FEODO_IP' }, - 'ABUSE_CH' =3D> { 'name' =3D> 'Abuse.ch Ransomware C= &C Blocklist', - 'url' =3D> 'https://ransomwaretrack= er.abuse.ch/downloads/RW_IPBL.txt', - 'info' =3D> 'https://ransomwaretrack= er.abuse.ch/blocklist/', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '5m', + 'category' =3D> 'c and c', + 'disable' =3D> ['FEODO_IP', 'FEODO_RECO= MMENDED'] }, 'CIARMY' =3D> { 'name' =3D> 'The CINS Army List', 'url' =3D> 'https://cinsscore.com/l= ist/ci-badguys.txt', 'info' =3D> 'https://cinsscore.com/#= list', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '15m', + 'category' =3D> 'reputation' }, 'TOR_ALL' =3D> { 'name' =3D> 'Known TOR Nodes', 'url' =3D> 'https://www.dan.me.uk/t= orlist', 'info' =3D> 'https://www.dan.me.uk/t= ornodes', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'wget', - 'rate' =3D> 1, - 'safe' =3D> 'no', + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '1h', + 'category' =3D> 'application', 'disable' =3D> 'TOR_EXIT' }, 'TOR_EXIT' =3D> { 'name' =3D> 'Known TOR Exit Nodes', 'url' =3D> 'https://www.dan.me.uk/t= orlist/?exit', 'info' =3D> 'https://www.dan.me.uk/t= ornodes', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'wget', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, - 'TALOS_MALICIOUS' =3D> { 'name' =3D> 'Talos Malicious hosts= list', - 'url' =3D> 'https://www.talosintell= igence.com/documents/ip-blacklist', - 'info' =3D> 'https://www.talosintell= igence.com/reputation', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'wget', - 'rate' =3D> 24, - 'safe' =3D> 'no' }, + 'parser' =3D> 'ip-or-net-list',, + 'rate' =3D> '1h', + 'category' =3D> 'application' }, 'ALIENVAULT' =3D> { 'name' =3D> 'AlienVault IP Reputat= ion database', 'url' =3D> 'https://reputation.alie= nvault.com/reputation.generic', 'info' =3D> 'https://www.alienvault.= com/resource-center/videos/what-is-ip-domain-reputation', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 1, - 'safe' =3D> 'no' }, - 'BOGON' =3D> { 'name' =3D> 'Bogus address list (M= artian)', + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '1h', + 'category' =3D> 'reputation' }, + 'BOGON' =3D> { 'name' =3D> 'Bogus address list (M= artian)', 'url' =3D> 'https://www.team-cymru.= org/Services/Bogons/bogon-bn-agg.txt', 'info' =3D> 'https://www.team-cymru.= com/bogon-reference.html', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 24, - 'safe' =3D> 'yes' }, - 'BOGON_FULL' =3D> { 'name' =3D> 'Full Bogus Address Li= st', + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '1d', + 'category' =3D> 'invalid' }, + 'BOGON_FULL' =3D> { 'name' =3D> 'Full Bogus Address Li= st', 'url' =3D> 'https://www.team-cymru.= org/Services/Bogons/fullbogons-ipv4.txt', 'info' =3D> 'https://www.team-cymru.= com/bogon-reference.html', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'check-header-time', - 'rate' =3D> 24, - 'safe' =3D> 'yes', + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '4h', + 'category' =3D> 'invalid', 'disable' =3D> 'BOGON' }, - 'SHODAN' =3D> { 'name' =3D> 'ISC Shodan scanner bl= acklist', + 'SHODAN' =3D> { 'name' =3D> 'ISC Shodan scanner bl= acklist', 'url' =3D> 'https://isc.sans.edu/ap= i/threatlist/shodan?tab', 'info' =3D> 'https://isc.sans.edu', - 'parser' =3D> 'text-with-hash-comments= ', - 'method' =3D> 'wget', - 'rate' =3D> 24, - 'safe' =3D> 'no' } + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '1d', + 'category' =3D> 'scanner' }, + 'BLOCKLIST_DE' =3D> { 'name' =3D> 'Blocklist.de all atta= cks list', + 'url' =3D> 'https://lists.blocklist= .de/lists/all.txt', + 'info' =3D> 'https://www.blocklist.d= e', + 'parser' =3D> 'ip-or-net-list', + 'rate' =3D> '30m', + 'category' =3D> 'attacker' } ); diff --git a/config/logwatch/ipblacklist b/config/logwatch/ipblacklist index 0fadc6250..6d6c46188 100644 --- a/config/logwatch/ipblacklist +++ b/config/logwatch/ipblacklist @@ -49,24 +49,26 @@ while (defined(my $ThisLine =3D )) =20 my $text =3D $2; =20 - if ($text =3D~ m/Finished updating (\w+) blacklist with (\d+) changes/) + if ($text =3D~ m/Updated (\w+) blacklist with (\d+) changes/) { $Updates{$1}{updates}++; $Updates{$1}{changes} +=3D $2; } - elsif ($text !~ m/Starting IP Blacklists/ and - $text !~ m/Starting IP Blacklist processing/ and - $text !~ m/Updating \w+ blacklist/ and - $text !~ m/Stopping IP Blacklists/ and - $text !~ m/Deleting IP Blacklists/ and - $text !~ m/Completed IP Blacklist update/ and - $text !~ m/Finished IP Blacklist processing/ and - $text !~ m/Blacklist \w+ Modification times/ and - $text !~ m/Create IPTables chains for blacklist/ and - $text !~ m/Delete IPTables chains for blacklist/ and - $text !~ m/Checking modification time for blacklist/ and - $text !~ m/Restoring blacklist / and - $text !~ m/Downloading blacklist/ ) + elsif ($text !~ m/Starting IP Blacklists/ and + $text !~ m/Starting IP Blacklist processing/ and + $text !~ m/Stopping IP Blacklists/ and + $text !~ m/Deleting IP Blacklists/ and + $text !~ m/Finished IP Blacklist processing/ and + $text !~ m/Create IPTables chains for blacklist/ and + $text !~ m/Delete IPTables chains for blacklist/ and + $text !~ m/Add IP Address Blacklist update to crontab/ and + $text !~ m/Enable IP Address Blacklist update in crontab/ and + $text !~ m/Disable IP Address Blacklist updates/ and + $text !~ m/Restoring blacklist / and + $text !~ m/Blacklist \w+ changed type/ and + $text !~ m/Blacklist \w+ changed size/ and + $text !~ m/Enabling IP Blacklist logging/ and + $text !~ m/Disabling IP Blacklist logging/ ) { $Errors{$text}++; } diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index cd82bfaa3..3cfcde835 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu @@ -21,7 +21,7 @@ 'title' =3D> "$Lang::tr{'intrusion detection= system'}", 'enabled' =3D> 1, }; - $subfirewall->{'45.ipblacklist'} =3D {'caption' =3D> $Lang::tr{'ipblackl= ist'}, + $subfirewall->{'45.ipblacklist'} =3D {'caption' =3D> $Lang::tr{'ipblacklist= '}, 'uri' =3D> '/cgi-bin/ipblacklist.cgi', 'title' =3D> "$Lang::tr{'ipblacklist'}", 'enabled' =3D> 1, diff --git a/config/menu/70-log.menu b/config/menu/70-log.menu index 2fa0e426e..c597de60a 100644 --- a/config/menu/70-log.menu +++ b/config/menu/70-log.menu @@ -43,12 +43,16 @@ 'title' =3D> "$Lang::tr{'ids logs'}", 'enabled' =3D> 1 }; + $sublogs->{'55.ipblacklist'} =3D {'caption' =3D> $Lang::tr{'ipblacklist = logs'}, + 'uri' =3D> '/cgi-bin/logs.cgi/ipblacklists.dat', + 'title' =3D> "$Lang::tr{'ipblacklist logs'}", + 'enabled' =3D> 1 + }; $sublogs->{'55.ovpnclients'} =3D { 'caption' =3D> $Lang::tr{'ovpn rw connection log'}, 'uri' =3D> '/cgi-bin/logs.cgi/ovpnclients.dat', 'title' =3D> "$Lang::tr{'ovpn rw connection log'}", 'enabled' =3D> 1, - }; $sublogs->{'60.urlfilter'} =3D { 'caption' =3D> $Lang::tr{'urlfilter logs'}, 'uri' =3D> '/cgi-bin/logs.cgi/urlfilter.dat', diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/co= mmon/web-user-interface index ea31a943a..37a62d357 100644 --- a/config/rootfiles/common/web-user-interface +++ b/config/rootfiles/common/web-user-interface @@ -45,9 +45,11 @@ srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat srv/web/ipfire/cgi-bin/logs.cgi/firewalllogip.dat srv/web/ipfire/cgi-bin/logs.cgi/firewalllogport.dat srv/web/ipfire/cgi-bin/logs.cgi/ids.dat +srv/web/ipfire/cgi-bin/logs.cgi/ipblacklists.dat srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/logs.cgi/ovpnclients.dat srv/web/ipfire/cgi-bin/logs.cgi/proxylog.dat +srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromblacklist.dat srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromcountry.dat srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromip.dat srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromport.dat diff --git a/html/cgi-bin/ipblacklist.cgi b/html/cgi-bin/ipblacklist.cgi index b2ccf7b3f..28b42edf2 100644 --- a/html/cgi-bin/ipblacklist.cgi +++ b/html/cgi-bin/ipblacklist.cgi @@ -17,13 +17,13 @@ # You should have received a copy of the GNU General Public License = # # along with this program. If not, see . = # # = # -# Copyright (C) 2018 - 2019 The IPFire Team = # +# Copyright (C) 2018 - 2020 The IPFire Team = # # = # ############################################################################= ### =20 use strict; use CGI qw/:standard/; -#enable only the following on debugging purpose +# enable the following only for debugging purposes #use warnings; #use CGI::Carp 'fatalsToBrowser'; use Sort::Naturally; @@ -34,41 +34,40 @@ require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; =20 ############################################################################= ### -# Initialize variables and hashes +# Configuration variables ############################################################################= ### =20 my $settings =3D "${General::swroot}/ipblacklist/settings"; -my $modified =3D "${General::swroot}/ipblacklist/modified"; my $sources =3D "${General::swroot}/ipblacklist/sources"; my $getipstat =3D '/usr/local/bin/getipstat'; my $getipsetstat =3D '/usr/local/bin/getipsetstat'; my $control =3D '/usr/local/bin/ipblacklistctrl'; my $lockfile =3D '/var/run/ipblacklist.pid'; -my $autoblacklist =3D 'AUTOBLACKLIST'; -my %cgiparams =3D ('ACTION' =3D> '', 'AUTOACTION' =3D> ''); +my %cgiparams =3D ('ACTION' =3D> ''); + +############################################################################= ### +# Variables +############################################################################= ### + my $errormessage =3D ''; my $updating =3D 0; my %mainsettings; my %color; -my %modified; my %sources; my %stats; -my %autoblock_addresses; + +# Default settings - normally overwritten by settings file =20 my %settings =3D ( 'DEBUG' =3D> 0, 'LOGGING' =3D> 'on', - 'RATE' =3D> 24, - 'ENABLE' =3D> 'off', - 'BLOCK_THRESHOLD' =3D> 10, - 'BLOCK_PERIOD' =3D> 3600, - $autoblacklist =3D> 'off' ); + 'ENABLE' =3D> 'off' ); + +# Read all parameters =20 -# Read all parameters for site Header::getcgihash( \%cgiparams); General::readhash( "${General::swroot}/main/settings", \%mainsettings ); General::readhash( "/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/i= nclude/colors.txt", \%color ); General::readhash( $settings, \%settings ) if (-r $settings); -General::readhash( $modified, \%modified) if (-r $modified); eval qx|/bin/cat $sources| if (-r $sources); =20 # Show Headers @@ -79,22 +78,11 @@ Header::showhttpheaders(); =20 if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") { - #Save Button on configsite + # Save Button =20 my %new_settings =3D ( 'ENABLE' =3D> 'off', - 'RATE' =3D> 24, 'LOGGING' =3D> 'off', - 'DEBUG' =3D> 0, - 'BLOCK_THRESHOLD' =3D> $settings{'BLOCK_THRESHOLD'} |= | 10, - 'BLOCK_PERIOD' =3D> $settings{'BLOCK_PERIOD'} || 3= 600, - $autoblacklist =3D> $settings{$autoblacklist} ); - - $errormessage .=3D "$Lang::tr{'ipblacklist invalid check rate'}
" if ((= $cgiparams{'RATE'} !~ m/^\d+$/) or - ($c= giparams{'RATE'} < 1) or - ($c= giparams{'RATE'} > 1000)); - - $new_settings{'RATE'} =3D $cgiparams{'RATE'}; - delete $cgiparams{'RATE'}; + 'DEBUG' =3D> 0 ); =20 foreach my $item ('LOGGING', 'ENABLE', keys %sources) { @@ -107,16 +95,32 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") =20 foreach my $list (keys %sources) { - if (exists $settings{$list} and - $settings{$list} eq 'on' and - exists $sources{$list}{'override'} and - $settings{$sources{$list}{'override'}} eq 'on') + if (exists $new_settings{$list} and + $new_settings{$list} eq 'on' and + exists $sources{$list}{'disable'}) { - $settings{$sources{$list}{'override'}} =3D 'off'; + my @disable; + + if ('ARRAY' eq ref $sources{$list}{'disable'}) + { + @disable =3D @{ $sources{$list}{'disable'} }; + } + else + { + @disable =3D ( $sources{$list}{'disable'} ); + } =20 - $updating =3D 1; - $errormessage .=3D "$Lang::tr{'ipblacklist disable pre'} $sources{$lis= t}{'override'} " . - "$Lang::tr{'ipblacklist disable mid'} $list $Lang::tr= {'ipblacklist disable post'}
\n"; + foreach my $disable (@disable) + { + if ($new_settings{$disable} eq 'on') + { + $new_settings{$disable} =3D 'off'; + + $updating =3D 1; + $errormessage .=3D "$Lang::tr{'ipblacklist disable pre'} $disable = " . + "$Lang::tr{'ipblacklist disable mid'} $list $Lan= g::tr{'ipblacklist disable post'}
\n"; + } + } } } =20 @@ -140,7 +144,6 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") } else { - $settings{$autoblacklist} =3D 'off'; system( "$control disable" ); } =20 @@ -160,51 +163,11 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") if ($updating) { system( "$control update &" ); - get_ipset_stats(); show_running(); exit 0; } } } -elsif ($cgiparams{'AUTOACTION'} eq "$Lang::tr{'save'}") -{ - $updating =3D 1 if ($settings{$autoblacklist} eq 'on' and not exists $cgip= arams{$autoblacklist}); - $updating =3D 1 if ($settings{$autoblacklist} eq 'off' and exists $cgipara= ms{$autoblacklist}); - - $settings{$autoblacklist} =3D (exists $cgiparams{$autoblacklist}) ? 'on= ' : 'off'; - $settings{'BLOCK_THRESHOLD'} =3D $cgiparams{'BLOCK_THRESHOLD'}; - $settings{'BLOCK_PERIOD'} =3D $cgiparams{'BLOCK_PERIOD'} ; - - if (($cgiparams{'BLOCK_THRESHOLD'} !~ m/^\d+$/) or - ($cgiparams{'BLOCK_THRESHOLD'} < 1) or - ($cgiparams{'BLOCK_THRESHOLD'} > 1000000)) - { - $errormessage .=3D "$Lang::tr{'ipblacklist invalid threshold'}: $cgipara= ms{'BLOCK_THRESHOLD'}
"; - } - - if (($cgiparams{'BLOCK_PERIOD'} !~ m/^\d+$/) or - ($cgiparams{'BLOCK_PERIOD'} < 1) or - ($cgiparams{'BLOCK_PERIOD'} > 86400)) - { - $errormessage .=3D "$Lang::tr{'ipblacklist invalid block time'}: $cgipar= ams{'BLOCK_PERIOD'}
"; - } - - if ($errormessage) - { - $updating =3D 0; - } - else - { - General::writehash($settings, \%settings); - system( "$control autoblacklist-update" ) if ($updating); - } -} -elsif ($cgiparams{'AUTOACTION'} eq "$Lang::tr{'unblock all'}") -{ - system( "$control autoblacklist-clear" ); -} - -get_ipset_stats(); =20 if (is_running()) { @@ -212,17 +175,12 @@ if (is_running()) exit 0; } =20 -# Get blacklist statistics - -get_iptables_stats(); - # Show site =20 Header::openpage($Lang::tr{'ipblacklist'}, 1, ''); Header::openbigbox('100%', 'left'); -error(); =20 -showstatus() if ($settings{ENABLE} eq 'on'); +error() if ($errormessage); =20 configsite(); =20 @@ -299,10 +257,6 @@ END $Lang::tr{'ipblacklist log'} - $Lang::tr{'ipblacklist check rate'} - - -

@@ -311,7 +265,7 @@ END $Lang::tr{'ipblacklist id'} $Lang::tr{'ipblacklist name'} - $Lang::tr{'ipblacklist safe'} + $Lang::tr{'ipblacklist category'} $Lang::tr{'ipblacklist enable'} END @@ -322,10 +276,10 @@ END =20 foreach my $list (sort keys %sources) { - my $name =3D escapeHTML( $sources{$list}{'name'} ); - my $safe =3D $Lang::tr{$sources{$list}{safe}}; - $enable =3D ''; - my $col =3D ($lines++ % 2) ? "bgcolor=3D'$color{'color20'}'" : "bgco= lor=3D'$color{'color22'}'"; + my $name =3D escapeHTML( $sources{$list}{'name'} ); + my $category =3D $Lang::tr{"ipblacklist category $sources{$list}{'catego= ry'}"}; + $enable =3D ''; + my $col =3D ($lines++ % 2) ? "bgcolor=3D'$color{'color20'}'" : "bgc= olor=3D'$color{'color22'}'"; =20 $enable =3D ' checked' if (exists $settings{$list} and $settings{$list} = eq 'on'); =20 @@ -346,7 +300,7 @@ END print < $name - $safe + $category \n END @@ -356,165 +310,18 @@ END =20 print < -

$Lang::tr{'ipblacklist safe note'}

-
-
-END - - $enable =3D $settings{$autoblacklist} eq 'on' ? ' checked' : ''; - - print <
-

$Lang::tr{'ipblacklist auto list'}

- - - - - - - - - - - - - - -
- $Lang::tr{'ipblacklist autoblacklist enable'} - - - -   -
- $Lang::tr{'ipblacklist autoblacklist threshold'} - - - -
- $Lang::tr{'ipblacklist autoblacklist block time'} - - - -
- - - - -
- -
END =20 Header::closebox(); } =20 =20 -#---------------------------------------------------------------------------= --- -# sub showstatus() -# -# Displays current blacklist status -#---------------------------------------------------------------------------= --- - -sub showstatus -{ - Header::openbox('100%', 'center', $Lang::tr{'status'}); - - print < - - $Lang::tr{'ipblacklist id'} - $Lang::tr{'ipblacklist entries'} - $Lang::tr{'ipblacklist pkts in'} - $Lang::tr{'ipblacklist bytes in'} - $Lang::tr{'ipblacklist pkts out'} - $Lang::tr{'ipblacklist bytes out'} - $Lang::tr{'ipblacklist updated'} - -END - - # Iterate through the list of sources - - foreach my $list ($autoblacklist, sort keys %sources) - { - next unless ($settings{$list} eq 'on'); - - my $size =3D ' '; - my $pkts_in =3D ' '; - my $bytes_in =3D ' '; - my $pkts_out =3D ' '; - my $bytes_out =3D ' '; - my $updated =3D ' '; - - if (exists $stats{$list}) - { - ($pkts_in, $bytes_in) =3D @{ $stats{$list}{IPBLACKLISTREDIN} } if (= exists $stats{$list}{IPBLACKLISTREDIN}); - ($pkts_out, $bytes_out) =3D @{ $stats{$list}{IPBLACKLISTREDOUT} } if (= exists $stats{$list}{IPBLACKLISTREDOUT}); - $size =3D $stats{$list}{size} if (= exists $stats{$list}{size}); - } - - if (exists $modified{$list} and $modified{$list} > 0) - { - $updated =3D localtime( $modified{$list} ); - } - - print < - $list - $size - $pkts_in - $bytes_in - $pkts_out - $bytes_out - $updated - \n -END - - } - - print < -END - - if ($settings{$autoblacklist} eq 'on') - { - print <
-

$Lang::tr{'ipblacklist auto list'}

- - - - - -END - - foreach my $address (nsort keys %autoblock_addresses ) - { - print "\n"; - } - - print < -
$Lang::tr{'ip address'}$Lang::tr{'ipblacklist block time remaining'}
$address$autoblock_addresses{= $address}
- - - - - -
-END - } - - Header::closebox(); -} - - #---------------------------------------------------------------------------= --- # sub get_ipset_stats() # @@ -527,8 +334,6 @@ sub get_ipset_stats =20 system( $getipsetstat ); =20 - # Get the number of entries in each IP set - if (-r '/var/tmp/ipsets.txt') { open STATS, '<', '/var/tmp/ipsets.txt' or die "Can't open IP Sets stats = file: $!"; @@ -551,66 +356,6 @@ sub get_ipset_stats =20 unlink( '/var/tmp/ipsets.txt' ); } - - # Get the IP addresses in the autoblacklist - - if (-r '/var/tmp/autoblacklist.txt') - { - open HASHTABLE, '<', '/var/tmp/autoblacklist.txt' or die "Can't open aut= oblacklist address file: $!"; - - # Iterate through the blocked addresses - - foreach my $line () - { - next unless ($line =3D~ m/(\d+\.\d+\.\d+\.\d+) timeout (\d+)/); - - $autoblock_addresses{$1} =3D format_time( $2 ); - } - - close HASHTABLE; - - unlink( '/var/tmp/autoblacklist.txt' ); - } - -} - - -#---------------------------------------------------------------------------= --- -# sub get_iptables_stats() -# -# Gets information on the number of packets and bytes rejected by each -# blacklist -#---------------------------------------------------------------------------= --- - -sub get_iptables_stats -{ - system( $getipstat ); - unlink( '/var/tmp/iptablesmangle.txt' ); - unlink( '/var/tmp/iptablesnat.txt' ); - - return unless (-r '/var/tmp/iptables.txt'); - - open STATS, '<', '/var/tmp/iptables.txt' or die "Can't open IP Tables stat= s file: $!"; - - my $table =3D 'Unknown'; - - foreach my $line () - { - if ($line =3D~ m/^Chain (\w+)/) - { - $table =3D $1; - next; - } - - next unless ($line =3D~ m/_BLOCK/); - - my ($pkts, $bytes, $chain) =3D $line =3D~ m/^\s*(\d+\w?)\s+(\d+\w?)\s+(\= w+)_BLOCK/; - $stats{$chain}{$table} =3D [ $pkts, $bytes ]; - } - - close STATS; - - unlink( '/var/tmp/iptables.txt' ); } =20 =20 @@ -637,7 +382,8 @@ sub is_running #---------------------------------------------------------------------------= --- # sub show_running # -# Displayed when update is running +# Displayed when update is running. +# Shows a 'working' message plus some information about the IPSets. #---------------------------------------------------------------------------= --- =20 sub show_running @@ -662,12 +408,7 @@ sub show_running $Lang::tr{'ipblacklist id'}$Lang::tr{'ipblacklist entri= es'} END =20 - foreach my $name (keys %sources) - { - $stats{$name}{'size'} =3D ' ' if (not exists ($stats{$name}) and - exists $settings{$name} and - $settings{$name} eq 'on'); - } + get_ipset_stats(); =20 foreach my $name (sort keys %stats) { @@ -693,13 +434,10 @@ END =20 sub error { - if ($errormessage) - { - Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - Header::closebox(); - } + Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + Header::closebox(); } =20 =20 diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b10fbdbf2..ab590cc1b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1,4 +1,4 @@ -%tr =3D (=20 +%tr =3D ( %tr, =20 '24 hours' =3D> '24 Hours', @@ -1538,37 +1538,31 @@ 'ip alias changed' =3D> 'External IP alias changed', 'ip alias removed' =3D> 'External IP alias removed', 'ip info' =3D> 'IP Information', -'ipblacklist auto list' =3D> 'Automatic blacklist', -'ipblacklist autoblacklist enable' =3D> 'Enable automatically updating local= blacklist', -'ipblacklist autoblacklist threshold' =3D> 'Threshold (packets/hour)', -'ipblacklist autoblacklist block time' =3D> 'Block time (seconds)', +'ipblacklist' =3D> 'IP Address Blacklists', 'ipblacklist blacklist settings' =3D> 'Blacklist settings', -'ipblacklist bytes in' =3D> 'bytes in', -'ipblacklist bytes out' =3D> 'bytes out', -'ipblacklist check rate' =3D> 'Update check rate (hours)', -'ipblacklist day' =3D> 'day', -'ipblacklist disable pre' =3D> 'Disabling', +'ipblacklist category' =3D> 'Category', +'ipblacklist category application' =3D> 'Application', +'ipblacklist category attacker' =3D> 'Attacker', +'ipblacklist category c and c' =3D> 'Malware C&C', +'ipblacklist category composite' =3D> 'Composite', +'ipblacklist category invalid' =3D> 'Invalid Address', +'ipblacklist category reputation' =3D> 'Reputation', +'ipblacklist category scanner' =3D> 'Scanner', 'ipblacklist disable mid' =3D> 'because it is included in', -'ipblacklist disable port' =3D> '', +'ipblacklist disable post' =3D> '', +'ipblacklist disable pre' =3D> 'Disabling', 'ipblacklist enable' =3D> 'Enable', 'ipblacklist entries' =3D> 'Entries', -'ipblacklist hour' =3D> 'hour', +'ipblacklist hits' =3D> 'Total number of blacklist hits for', 'ipblacklist id' =3D> 'Blacklist', -'ipblacklist invalid block time' =3D> 'Invalid automatic blacklist block tim= e', -'ipblacklist invalid check rate' =3D> 'Invalid update check rate', -'ipblacklist invalid threshold' =3D> 'Invalid automatic blacklist threshold', +'ipblacklist input' =3D> 'Packets Dropped In', +'ipblacklist log list' =3D> 'Firewall log (blacklist)', 'ipblacklist log' =3D> 'Log dropped packets', +'ipblacklist logs' =3D> 'IP Address Blacklist Logs', 'ipblacklist name' =3D> 'Name', -'ipblacklist pkts in' =3D> 'pkts in', -'ipblacklist pkts out' =3D> 'pkts out', -'ipblacklist safe note' =3D> 'Note: safe blacklists block addresses that onl= y generate malicious traffic and therefore will not block any wanted sites.', -'ipblacklist safe' =3D> 'Safe', -'ipblacklist sixhour' =3D> 'six hours', -'ipblacklist updated' =3D> 'Last updated', +'ipblacklist output' =3D> 'Packets Dropped Out', 'ipblacklist use ipblacklists' =3D> 'Enable IP Blacklists', -'ipblacklist week' =3D> 'week', 'ipblacklist working' =3D> 'Updating IP address blacklists...', -'ipblacklist' =3D> 'IP Address Blacklists', 'ipfire has now rebooted' =3D> 'IPFire is rebooting now.', 'ipfire has now shutdown' =3D> 'IPFire is shutting down now.', 'ipfire side' =3D> 'IPFire side:', diff --git a/lfs/configroot b/lfs/configroot index ba87debb1..90b90eb3c 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -65,7 +65,7 @@ $(TARGET) : captive/settings captive/agb.txt captive/clients captive/voucher_out ce= rts/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhc= p/settings \ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/s= ervers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_ni= cs ethernet/scanned_nics \ ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extra= hd/settings firewall/settings firewall/config firewall/geoipblock firewall/in= put firewall/outgoing \ - fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts= /customservicegrp fwhosts/customgeoipgrp fwlogs/ipsettings fwlogs/portsetting= s ipblacklist/settings\ + fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts= /customservicegrp fwhosts/customgeoipgrp fwlogs/ipsettings fwlogs/portsetting= s ipblacklist/settings \ isdn/settings mac/settings main/hosts main/routing main/security main/s= ettings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/conf= ig ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advan= ced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/class= es qos/subclasses qos/level7config qos/portconfig \ diff --git a/make.sh b/make.sh index 3d111dbab..25b8b1d59 100755 --- a/make.sh +++ b/make.sh @@ -1665,7 +1665,7 @@ buildpackages() { export LOGFILE echo "... see detailed log in _build.*.log files" >> $LOGFILE =20 - + =20 # Generating list of packages used print_line "Generating packages list from logs" rm -f $BASEDIR/doc/packages-list @@ -1680,7 +1680,7 @@ buildpackages() { rm -f $BASEDIR/doc/packages-list # packages-list.txt is ready to be displayed for wiki page print_status DONE - + =20 # Update changelog cd $BASEDIR [ -z $GIT_TAG ] || LAST_TAG=3D$GIT_TAG @@ -1755,7 +1755,7 @@ while [ $# -gt 0 ]; do done =20 # See what we're supposed to do -case "$1" in +case "$1" in=20 build) START_TIME=3D$(now) =20 @@ -1794,7 +1794,7 @@ build) =20 print_build_stage "Building packages" buildpackages - +=09 print_build_stage "Checking Logfiles for new Files" =20 cd $BASEDIR @@ -1859,7 +1859,7 @@ downloadsrc) FINISHED=3D0 cd $BASEDIR/lfs for c in `seq $MAX_RETRIES`; do - if (( FINISHED=3D=3D1 )); then + if (( FINISHED=3D=3D1 )); then=20 break fi FINISHED=3D1 diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ebb73062d..08c434440 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -180,17 +180,7 @@ iptables_init() { iptables -A FORWARD -j P2PBLOCK iptables -A OUTPUT -j P2PBLOCK =09 - # IP Address Blacklist chains - iptables -N IPBLACKLISTIN - iptables -N IPBLACKLISTOUT - iptables -N IPBLACKLISTREDIN - iptables -N IPBLACKLISTREDOUT - iptables -A INPUT ! -p icmp -j IPBLACKLISTIN - iptables -A FORWARD ! -p icmp -j IPBLACKLISTIN - iptables -A FORWARD ! -p icmp -j IPBLACKLISTOUT - iptables -A OUTPUT ! -p icmp -j IPBLACKLISTOUT - - # Guardian (IPS) chains + # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN iptables -A FORWARD -j GUARDIAN @@ -206,7 +196,15 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK =20 - # IPS (Suricata) chains + # IP Address Blacklist chains + iptables -N BLACKLISTIN + iptables -N BLACKLISTOUT + iptables -A INPUT ! -p icmp -j BLACKLISTIN + iptables -A FORWARD ! -p icmp -j BLACKLISTIN + iptables -A FORWARD ! -p icmp -j BLACKLISTOUT + iptables -A OUTPUT ! -p icmp -j BLACKLISTOUT + + # IPS (suricata) chains iptables -N IPS_INPUT iptables -N IPS_FORWARD iptables -N IPS_OUTPUT @@ -420,8 +418,6 @@ iptables_red_up() { iptables -F REDINPUT iptables -F REDFORWARD iptables -t nat -F REDNAT - iptables -F IPBLACKLISTIN - iptables -F IPBLACKLISTOUT =20 # PPPoE / PPTP Device if [ "$IFACE" !=3D "" ]; then @@ -479,10 +475,6 @@ iptables_red_up() { iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN done =20 - # IP Address Blacklists - iptables -A IPBLACKLISTIN -i $IFACE -j IPBLACKLISTREDIN - iptables -A IPBLACKLISTOUT -o $IFACE -j IPBLACKLISTREDOUT - # Masquerade everything else iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE fi diff --git a/src/misc-progs/getipsetstat.c b/src/misc-progs/getipsetstat.c index aee79542a..781bfc55b 100644 --- a/src/misc-progs/getipsetstat.c +++ b/src/misc-progs/getipsetstat.c @@ -21,8 +21,5 @@ int main(void) safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt"); safe_system("chown nobody:nobody /var/tmp/ipsets.txt"); =20 - safe_system("/usr/sbin/ipset list AUTOBLACKLIST -q -f /var/tmp/autoblacklis= t.txt"); - safe_system("chown -f nobody:nobody /var/tmp/autoblacklist.txt"); - return 0; } diff --git a/src/misc-progs/ipblacklistctrl.c b/src/misc-progs/ipblacklistctr= l.c index 506fa2f46..7536b1e97 100644 --- a/src/misc-progs/ipblacklistctrl.c +++ b/src/misc-progs/ipblacklistctrl.c @@ -21,7 +21,7 @@ int main(int argc, char *argv[]) { if (argc < 2) { fprintf(stderr, "\nNo argument given.\n" "ipblacklistctrl (update|restore|log-on|log-off|" - "enable|disable|autoblacklist-update|autoblacklist-clear)\n\= n"); + "enable|disable)\n\n"); exit(1); } =20 @@ -37,14 +37,10 @@ int main(int argc, char *argv[]) { safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &"); } else if (strcmp(argv[1], "disable") =3D=3D 0) { safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &"); - } else if (strcmp(argv[1], "autoblacklist-update") =3D=3D 0) { - safe_system("/usr/local/bin/ipblacklist autoblacklist-update >/dev/n= ull 2>&1 &"); - } else if (strcmp(argv[1], "autoblacklist-clear") =3D=3D 0) { - safe_system("/usr/local/bin/ipblacklist autoblacklist-clear >/dev/nu= ll 2>&1 &"); } else { fprintf(stderr, "\nBad argument given.\n" "ipblacklistctrl (update|restore|log-on|log-off|" - "enable|disable|autoblacklist-update|autoblacklist-clear)\n\= n"); + "enable|disable)\n\n"); exit(1); } =20 diff --git a/src/scripts/ipblacklist b/src/scripts/ipblacklist index b3f8048d9..6f950214c 100755 --- a/src/scripts/ipblacklist +++ b/src/scripts/ipblacklist @@ -18,25 +18,26 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2018 - 2019 The IPFire team # +# Copyright (C) 2018 - 2020 The IPFire team # # # ############################################################################ # # -# This script use a file containing blacklist details in # +# This script uses a file containing blacklist details in # # /var/ipfire/ipblacklist/sources as well as # # /var/ipfire/ipblacklistsettings containing an enable/disable flag for # # each source. # # # -# Two IPTables chains are used, IPBLACKLISTREDIN and IPBLACKLISTREDOUT, # -# which are inserted into the main INPUT, OUTPUT and FORWARD chains. # +# Two IPTables chains are used: BLACKLISTIN and BLACKLISTOUT are inserted # +# inserted into the main INPUT, OUTPUT and FORWARD chains; they capture # +# packets other than for the ICMP protocol. # # # # For each blacklist that is loaded, a chain is created to optionally log # # and then to drop matching packets. An IPSet is created containing the # # addresses or networks blocked by the blacklist, and then rules are added # -# to the IPBLACKLISTREDIN and IPBLACKLISTREDOUT chains to jump to this # -# chain if appropriate packet list matches in the set. # +# to the BLACKLISTIN and BLACKLISTOUT chains to jump to this chain if a # +# packet list matches the set. # # # -# When checking for updates, the modification time is read for each source # +# When checking for updates, the modification time is used for each source # # and if necessary the list is downloaded. The downloaded list is # # compared to the existing IPSet contents and entries created or deleted # # as necessary. # @@ -44,7 +45,7 @@ ############################################################################ =20 use strict; -use warnings; +#use warnings; =20 use Carp; use Sys::Syslog qw(:standard :macros); @@ -76,23 +77,29 @@ my $lockfile =3D "/var/run/ipblacklist.pid"; my $proxy_settings =3D "${General::swroot}/proxy/settings"; my $red_setting =3D "/var/ipfire/red/iface"; my $detailed_log =3D "$tmpdir/ipblacklist_log.txt"; -my $autoblacklist =3D 'AUTOBLACKLIST'; +my $active =3D "/var/ipfire/red/active"; =20 -my %parsers =3D ( 'text-with-hash-comments' =3D> \&parse_text_with_has= h_comments, - 'text-with-semicolon-comments' =3D> \&parse_text_with_semic= olon_comments, - 'dshield' =3D> \&parse_dshield ); +# Other configuration items + +my $margin =3D 30; # Scheduling allowance for run time et= c in seconds +my $count =3D 30; # Maximum time to wait for another ins= tance (300s) +my $max_dl_fails =3D 3; # Ignore check rate limit for this num= ber of failures +my $max_size_fraction =3D 0.7; # Maximum fill fraction of IPSet befor= e enlarging. +my $min_ipset_entries =3D 1024; # The minimum size of an IPSet. +my $max_dl_bytes =3D 10_485_760; # Maximum number of bytes to download. +my %parsers =3D ( 'ip-or-net-list' =3D> \&parse_ip_or_net_list, + 'dshield' =3D> \&parse_dshield ); =20 ############################################################################ # Default settings # Should be overwritten by reading settings files ############################################################################ =20 -my %sources =3D ( ); +my %sources =3D ( ); =20 -my %settings =3D ( 'DEBUG' =3D> 0, - 'LOGGING' =3D> 'on', - 'RATE' =3D> 24, - 'ENABLE' =3D> 'off' ); +my %settings =3D ( 'DEBUG' =3D> 0, + 'LOGGING' =3D> 'on', + 'ENABLE' =3D> 'off' ); =20 my %proxy_settings =3D ( 'UPSTREAM_PROXY' =3D> '' ); # No Proxy in u= se =20 @@ -101,13 +108,9 @@ my %proxy_settings =3D ( 'UPSTREAM_PROXY' =3D> '' ); = # No Proxy in use ############################################################################ =20 sub abort( $ ); -sub autoblacklist_update(); -sub autoblacklist_clear(); -sub create_autoblacklist(); sub create_list( $ ); sub create_ipset( $$$ ); sub debug( $$ ); -sub delete_autoblacklist(); sub delete_list( $ ); sub disable_logging(); sub disable_updates(); @@ -121,15 +124,15 @@ sub download_wget( $$$ ); sub enable_logging(); sub enable_updates(); sub get_ipsets(); +sub get_rate_seconds( $ ); sub iptables( $ ); sub ipset( $ ); sub stop_ipset(); sub is_connected(); sub log_message( $$ ); sub parse_dshield( $ ); -sub parse_text_with_hash_comments( $ ); -sub parse_text_with_semicolon_comments( $ ); -sub read_ipset( $$$ ); +sub parse_ip_or_net_list( $ ); +sub read_ipset( $$$$ ); sub update_list( $$$ ); =20 ############################################################################ @@ -144,25 +147,18 @@ my $ipset_running =3D 0; # Set to 1 if IPSet proces= s is running my %status; # Status information my %checked; # Time blacklists last changed my %modified; # Time blacklists last modified -my $red_iface; # Name of red interface -my $hours =3D 3600; # One hour in seconds -my $margin =3D 600; # Allowance for run time etc -my $count =3D 30; # Maximum time to wait for another instance (30= 0s) -my @wget_status =3D ( 'Success', 'Error', 'Parse Error', 'File I/O Error', - 'Network Error', 'SSL Verification Error', - 'Authentication Error', 'Protocol Error', 'Server Err= or' ); - +my $red_iface; # The name of the red interface =20 ############################################################################ # Synchronise runs ############################################################################ =20 # This script can be triggered either by cron or the WUI. If another -# instance is running, wait for it to finish. +# instance is running, wait for it to finish or timeout. =20 while (-r $lockfile and $count > 0) { - open LOCKFILE, '<', $lockfile or die "Can't open lockfile"; + open LOCKFILE, '<', $lockfile or (abort "Can't open lockfile", last); my $pid =3D ; close LOCKFILE; =20 @@ -176,7 +172,7 @@ while (-r $lockfile and $count > 0) =20 # Create pid file before starting main processing =20 -open LOCKFILE, '>', '/var/run/ipblacklist.pid' or die "Can't open PID file: = $!"; +open LOCKFILE, '>', '/var/run/ipblacklist.pid' or abort "Can't open PID file= : $!"; print LOCKFILE "$$\n"; close LOCKFILE; =20 @@ -205,16 +201,12 @@ if (-r $sources) eval qx|/bin/cat $sources|; } =20 -# Find out the red interface name - if (-r $red_setting) { - open IN, '<', $red_setting or die "Can't open red interface name file: $!"; - - $red_iface =3D ; + open REDIF, '<', $red_setting or (abort "Can't open red interface file", e= xit); + $red_iface =3D ; chomp $red_iface; - - close IN; + close REDIF; } =20 if (@ARGV) @@ -235,7 +227,7 @@ if (@ARGV) { # Called during system startup. # Restore saved blacklists. - # Don't do an update since that takes too long. + # Don't do an update since can take too long. =20 do_start() if ($settings{'ENABLE'} eq 'on'); } @@ -300,25 +292,13 @@ if (@ARGV) disable_updates(); do_delete(); } - elsif ('autoblacklist-update' =3D~ m/^$cmd/i) - { - # Updates AUTOBLACKLIST options - - autoblacklist_update(); - } - elsif ('autoblacklist-clear' =3D~ m/^$cmd/i) - { - # Clears AUTOBLACKLIST contents - - autoblacklist_clear(); - } else { - print "Usage: $0 [update|start|stop|restart|log-on|log-off|enable|disa= ble|autoblacklist-update|autoblacklist-clear]\n"; + print "Usage: $0 [update|start|stop|restart|log-on|log-off|enable|disa= ble]\n"; } } } -elsif ($settings{'ENABLE'} eq 'on') +elsif ($settings{'ENABLE'} eq 'on') # Default action if none specified { do_update(); } @@ -353,12 +333,9 @@ sub do_stop() =20 log_message LOG_NOTICE, "Stopping IP Blacklists"; =20 - foreach my $list ( $autoblacklist, sort keys %sources ) + foreach my $list ( sort keys %sources ) { - if (exists $chains{$list}) - { - delete_list( $list ); - } + delete_list( $list ) if (exists $chains{$list}); } } =20 @@ -375,19 +352,17 @@ sub do_start() =20 foreach my $list ( sort keys %sources ) { - if (-e "$savedir/$list.conf") + delete_list( $list ) if (exists $chains{$list}); # Make sure OK to s= tart + + if ((-e "$savedir/$list.conf") and ($red_iface)) { log_message LOG_INFO, "Restoring blacklist $list"; - system( "$ipset restore -f $savedir/$list.conf" ); + system( "$ipset restore -f $savedir/$list.conf" ); # Can't use the ips= et + # function to do th= is =20 create_list( $list ); } } - - if ($settings{$autoblacklist} eq 'on') - { - create_autoblacklist(); - } } =20 =20 @@ -418,10 +393,8 @@ sub do_delete() } } =20 - if ($settings{$autoblacklist} eq 'on') - { - delete_autoblacklist(); - } + %modified =3D (); + $update_status =3D 1; } =20 =20 @@ -430,14 +403,14 @@ sub do_delete() # # Updates all the blacklists. # Creates or deletes the blacklist firewall rules as necessary and checks for -# updates to the blacklists. +# updates to the blacklists. Each blacklist has its own minimum elapsed time +# between updates, which is specified in the sources file, so the time of ea= ch +# check is stored. #---------------------------------------------------------------------------= --- =20 sub do_update() { - return unless (is_connected()); - - my $type =3D 'hash:ip'; + return unless ($red_iface); =20 # Get the list of current ipsets =20 @@ -447,38 +420,39 @@ sub do_update() =20 debug 1, "Checking blacklist sources"; =20 + LIST: foreach my $list ( sort keys %sources ) { my @new_blacklist =3D (); my $name =3D $sources{$list}{'name'}; - my $rate =3D $sources{$list}{'rate'}; my $last_checked =3D $checked{$list} || 0; + my $failures =3D $checked{"${list}_failures"} || 0; my $enabled =3D 0; =20 - if (exists $modified{$list}) - { - # Limit the check rate to the minimum defined in the WUI, unless we're - # creating the list - - $rate =3D $settings{'RATE'} if ($settings{'RATE'} > $rate); - } - if (exists $settings{$list}) { $enabled =3D $settings{$list} eq 'on'; } =20 - debug 1, "Checking blacklist source: $name"; - - if ($enabled) + if ($enabled and is_connected()) { + debug 1, "Checking blacklist source: $name"; + + # Calculate the per list rate + + my $rate =3D get_rate_seconds( $sources{$list}{'rate'} ); + # Has enough time passed since the last time we checked the list? + # Ignore the limit if the last download failed =20 - if (($last_checked + $rate * $hours) < (time() + $margin)) + if (($last_checked + $rate) < (time() + $margin) or + ($failures > 0 and $failures < $max_dl_fails)) { + my $type =3D 'hash:ip'; + download_list( $list, \@new_blacklist, \$type ); =20 - next unless (@new_blacklist); + next LIST unless (@new_blacklist); =20 if (not exists $chains{$list}) { @@ -504,76 +478,81 @@ sub do_update() =20 unlink "$savedir/$list.conf" if (-e "$savedir/$list.conf"); =20 - delete $modified{$list} if (exists $modified{$list}); + delete $modified{$list} if (exists $modified{$list}); + delete $checked{"${list}_failures"} if (exists $checked{"${list}_failu= res"}); $update_status =3D 1; } } =20 - # Check for any deleted lists + # Check for any lists that don't exist any more =20 - foreach my $list (keys %sources) + foreach my $list (keys %modified) { - if (not exists $sources{$list}) - { - delete_list( $list ); + next if (exists $sources{$list}); =20 - # Delete the save file + delete_list( $list ); =20 - unlink "$savedir/$list.conf" if (-e "$savedir/$list.conf"); + # Delete the save file =20 - # Delete from the status + unlink "$savedir/$list.conf" if (-e "$savedir/$list.conf"); =20 - delete $modified{$list} if (exists $modified{$list}); - delete $checked{$list} if (exists $checked{$list}); - $update_status =3D 1; - } - } + # Delete from the status =20 - if ($settings{$autoblacklist} eq 'on') - { - create_autoblacklist() if (not exists $chains{$autoblacklist}); + delete $modified{$list} if (exists $modified{$list}); + $update_status =3D 1; } - else + + foreach my $list (keys %checked) { - delete_autoblacklist() if (exists $chains{$autoblacklist}); - } + next if ($list =3D~ m/_failures/); + next if (exists $sources{$list}); =20 - log_message LOG_INFO, "Completed IP Blacklist update"; + delete $checked{$list}; + delete $checked{"${list}_failures"}; + delete $settings{$list} if (exists $settings{$list}); + $update_status =3D 1; + } } =20 =20 #---------------------------------------------------------------------------= --- -# sub autoblacklist_update() +# sub get_rate_seconds( text ) +# +# Converts a check rate into seconds. A sanity check is made on the coverted +# value. # -# Updates the settings for the AUTOBLACKLIST +# Parameters: +# text The value to convert in the form nnnu, where nnn is a number and u +# is either m (minutes), h (hours) or d (days). Hours is assumed if +# not specified and everything after the first letter is ignored. #---------------------------------------------------------------------------= --- =20 -sub autoblacklist_update() +sub get_rate_seconds( $ ) { - # Get the list of current ipsets - - get_ipsets(); + my ($text) =3D @_; =20 - # Delete the existing AUTOBLACKLIST, if it currently exists. + my ($value, $unit) =3D (uc $text) =3D~ m/(\d+)([DHM]?)/; =20 - delete_autoblacklist() if (exists $chains{$autoblacklist}); - - # Re-create the AUTOBLACKLIST with the correct parameters. - - create_autoblacklist() if ($settings{$autoblacklist} eq 'on'); -} + if ($unit eq 'D') # Days + { + $value *=3D 60 * 60 * 24; + } + elsif ($unit eq 'M') # Minutes + { + $value *=3D 60; + } + else # Everything else - assume hours + { + $value *=3D 60 * 60; + } =20 + # Sanity check - limit to range 5 min .. 1 week =20 -#---------------------------------------------------------------------------= --- -# sub autoblacklist_clear() -# -# Clears the contents of the AUTOBLACKLIST -#---------------------------------------------------------------------------= --- + # d h m s + $value =3D 5 * 60 if ($value < 5 * 60); + $value =3D 7 * 24 * 60 * 60 if ($value > 7 * 24 * 60 * 60); =20 -sub autoblacklist_clear() -{ - log_message LOG_INFO, "Flush Automatic blacklist"; - ipset( "flush $autoblacklist" ); + return $value; } =20 =20 @@ -587,7 +566,7 @@ sub autoblacklist_clear() =20 sub is_connected() { - return (-e "${General::swroot}/red/active"); + return (-e $active); } =20 =20 @@ -595,7 +574,16 @@ sub is_connected() # sub create_list( list ) # # Creates a new IPTables chain for a blacklist source. -# The set must be created before calling this function. +# The set must be created before calling this function. Two rules are added= to +# the chain: +# (optional) 1 Log the packet +# 2 Drop the packet +# +# The log rule is only added when logging is enabled by the WUI. +# +# Rules are then added to the BLACKLISTIN and BLACKLISTOUT chains that check +# the packet's IP address against the IPSet and then jump to the newly creat= ed +# chain. # # Parameters: # list The name of the blacklist @@ -609,56 +597,24 @@ sub create_list( $ ) =20 # Create new chain in filter table =20 - iptables( " -N ${list}_BLOCK" ) =3D=3D 0 or - ( abort "Could not create IPTables chain ${list}_BLOCK", return ); + iptables( "-N ${list}_DROP" ) =3D=3D 0 or + ( abort "Could not create IPTables chain ${list}_DROP", return ); =20 # Add the logging and drop rules =20 if ($settings{'LOGGING'} eq 'on') { - iptables( "-A ${list}_BLOCK -j LOG -m limit --limit 10/second --log-pref= ix 'DROP_$list'" ) =3D=3D 0 or + iptables( "-A ${list}_DROP -j LOG -m limit --limit 10/second --log-prefi= x 'BLKLST_$list'" ) =3D=3D 0 or ( abort "Could not create IPTables chain $list LOG rule", return ); } =20 - iptables( "-A ${list}_BLOCK -j DROP" ) =3D=3D 0 or + iptables( "-A ${list}_DROP -j DROP" ) =3D=3D 0 or ( abort "Could not create IPTables chain $list drop rule", return ); =20 # Add the rules to check against the set =20 - iptables( "-A IPBLACKLISTREDIN -p ALL -m set --match-set $list src -j ${li= st}_BLOCK" ); - iptables( "-A IPBLACKLISTREDOUT -p ALL -m set --match-set $list dst -j ${l= ist}_BLOCK" ); -} - - -#---------------------------------------------------------------------------= --- -# sub create_autoblacklist() -# -# Creates a new IPTables chain for the AUTOBLACKLIST. This also creates the -# IPSet with the correct timeout. -#---------------------------------------------------------------------------= --- - -sub create_autoblacklist() -{ - return unless ($red_iface); # Can't add rule to policy unless this is set - - # Create the set for the AUTOBLACKLIST - - ipset( "create $autoblacklist hash:ip timeout $settings{BLOCK_PERIOD}" ); - - # Create new chain in filter table - - create_list( $autoblacklist ); - - # For the AUTOBLACKLIST there are extra rules to reset the timeout on the - # blockled addresses - - iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist src= -j SET --add-set $autoblacklist src --exist" ); - iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist dst= -j SET --add-set $autoblacklist dst --exist" ); - - # For the AUTOBLACKLIST there is an extra rule to add an entry to the list - # of blocked addresses. This is added to the input policy chain. - - iptables( "-I POLICYIN 1 -i $red_iface -m hashlimit --hashlimit-mode srcip= --hashlimit-above $settings{BLOCK_THRESHOLD}/hour --hashlimit-name $autoblac= klist -j SET --add-set $autoblacklist src" ); + iptables( "-A BLACKLISTIN -p ALL -i $red_iface -m set --match-set $list sr= c -j ${list}_DROP" ); + iptables( "-A BLACKLISTOUT -p ALL -o $red_iface -m set --match-set $list d= st -j ${list}_DROP" ); } =20 =20 @@ -680,60 +636,25 @@ sub delete_list( $ ) =20 # Remove the blacklist chains from the main INPUT and OUTPUT chains =20 - iptables( "-D IPBLACKLISTREDIN -p ALL -m set --match-set $list src -j ${li= st}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not remove IPSet $list from IPBLACKLISTREDIN= chain"; - - iptables( "-D IPBLACKLISTREDOUT -p ALL -m set --match-set $list dst -j ${l= ist}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not remove IPSet $list from IPBLACKLISTREDOU= T chain"; + iptables( "-D BLACKLISTIN -p ALL -i $red_iface -m set --match-set $list sr= c -j ${list}_DROP" ); + iptables( "-D BLACKLISTOUT -p ALL -o $red_iface -m set --match-set $list d= st -j ${list}_DROP" ); =20 # Flush and delete the chain =20 - iptables( "-F ${list}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not flush IPTables chain ${list}_BLOCK"; - - iptables( "-X ${list}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not delete IPTables chain ${list}_BLOCK"; + iptables( "-F ${list}_DROP" ); + iptables( "-X ${list}_DROP" ); =20 # Flush and delete the set =20 ipset( "flush $list" ); - ipset( "destroy $list" ); } =20 =20 #---------------------------------------------------------------------------= --- -# sub delete_autoblacklist() +# sub download_list( list, ref_list, ref_type ) # -# Deletes the autoblacklist IPTables chain when it is disabled. Also flushes -# and destroys the IPSet. -#---------------------------------------------------------------------------= --- - -sub delete_autoblacklist() -{ - # For the AUTOBLACKLIST there is an extra rule to remove - - unless ($red_iface) - { - iptables( "-D POLICYIN -i $red_iface -m hashlimit --hashlimit-mode srcip= --hashlimit-above $settings{BLOCK_THRESHOLD}/hour --hashlimit-name $autoblac= klist -j SET --add-set $autoblacklist src" ); - } - - # Now do a normal delete - - delete_list( $autoblacklist ); -} - - -#---------------------------------------------------------------------------= --- -# sub download_list( chain, ref_list, ref_type ) -# -# Updates the IP Addresses for a blacklist. Depending on the blacklist one = of -# two methods are used: -# -# - For some lists the header is downloaded and the modification date checke= d. -# If newer than the existing list, the update is downloaded. -# - For other lists this is not supported,so the whole file has to be -# downloaded regardless. +# Downloads the IP Addresses for a blacklist. # # Once downloaded the list is parsed to get the IP addresses and/or networks. # @@ -747,8 +668,8 @@ sub download_list( $$$ ) { my ($list, $new_blacklist, $type) =3D @_; =20 - $checked{$list} =3D time(); - $update_status =3D 1; + $checked{$list} =3D time(); # Record that the list has been checked + $update_status =3D 1; =20 # Check the parser for the blacklist =20 @@ -758,23 +679,18 @@ sub download_list( $$$ ) return; } =20 - if ($sources{$list}{'method'} eq 'check-header-time') - { - download_check_header_time( $list, $new_blacklist, $type ); - } - else - { - download_wget( $list, $new_blacklist, $type ); - } + # Add alternative download mechanisms here + + download_check_header_time( $list, $new_blacklist, $type ); } =20 =20 #---------------------------------------------------------------------------= --- -# sub download_check_header_time( chain, ref_list, ref_type ) +# sub download_check_header_time( list, ref_list, ref_type ) # -# Updates the IP Addresses for a blacklist. The header is downloaded and the -# modification date checked. If newer than the existing list, the update is -# downloaded. +# Updates the IP Addresses for a blacklist. The If-Modified-Since header is +# specified in the request so that only updated lists are downloaded (provid= ing +# that the server supports this functionality). # # Once downloaded the list is parsed to get the IP addresses and/or networks. # @@ -782,6 +698,9 @@ sub download_list( $$$ ) # list The name of the blacklist # ref_list A reference to an array to store the downloaded blacklist # ref_type A reference to store the type of the blacklist +# +# Returns: +# The list type: 'hash:ip' or 'hash:net' #---------------------------------------------------------------------------= --- =20 sub download_check_header_time( $$$ ) @@ -794,12 +713,12 @@ sub download_check_header_time( $$$ ) =20 my $parser =3D $parsers{ $sources{$list}{'parser'} }; =20 - log_message LOG_INFO, "Checking modification time for blacklist $list upda= te with LWP"; + debug 1, "Checking for blacklist $list updates with LWP"; =20 # Create a user agent for downloading the blacklist - # Limit the download size for safety (10 MiB) + # Limit the download size for safety =20 - my $ua =3D LWP::UserAgent->new( max_size =3D> 10485760 ); + my $ua =3D LWP::UserAgent->new( max_size =3D> $max_dl_bytes ); =20 # Get the Proxy settings =20 @@ -807,55 +726,42 @@ sub download_check_header_time( $$$ ) { if ($proxy_settings{'UPSTREAM_USER'}) { - $ua->proxy("http" =3D> "http://$proxy_settings{'UPSTREAM_USER'}:$prox= y_settings{'UPSTREAM_PASSWORD'}\@$proxy_settings{'UPSTREAM_PROXY'}/"); - $ua->proxy("https" =3D> "http://$proxy_settings{'UPSTREAM_USER'}:$prox= y_settings{'UPSTREAM_PASSWORD'}\@$proxy_settings{'UPSTREAM_PROXY'}/"); + $ua->proxy( [["http", "https"] =3D> "http://$proxy_settings{'UPSTREAM_= USER'}:$proxy_settings{'UPSTREAM_PASSWORD'}\@$proxy_settings{'UPSTREAM_PROXY'= }/"] ); } else { - $ua->proxy("http" =3D> "http://$proxy_settings{'UPSTREAM_PROXY'}/"); - $ua->proxy("https" =3D> "http://$proxy_settings{'UPSTREAM_PROXY'}/"); + $ua->proxy( [["http", "https"] =3D> "http://$proxy_settings{'UPSTREAM= _PROXY'}/"] ); } } =20 - # Get the blacklist modification time from the internet - - my $request =3D HTTP::Request->new( HEAD =3D> $sources{$list}{'url'} ); - - my $response =3D $ua->request( $request ); + # Get the last modified time =20 - if (not $response->is_success) - { - log_message LOG_WARNING, "Failed to download $list header $sources{$list= }{'url'}: ". $response->status_line; - - return; - } - - # Has the blacklist been modified since we last read it? - - if (exists $modified{$list} and $modified{$list} >=3D $response->last_modi= fied) - { - # We've already got this version of the blacklist - - debug 1, "Blacklist $list not modified"; - return; - } - - debug 1, "Blacklist $list Modification times: old " . $modified{$list} . "= , new " . $response->last_modified if (exists $modified{$list}); - log_message LOG_INFO, "Downloading blacklist $list with LWP"; + my $modified =3D gmtime( $modified{$list} || 0 ); =20 # Download the blacklist =20 - $request =3D HTTP::Request->new( GET =3D> $sources{$list}{'url'} ); - $response =3D $ua->request($request); + my $response =3D $ua->get( $sources{$list}{'url'}, 'If-Modified-Since' =3D= > $modified ); =20 if (not $response->is_success) { + if ($response->code =3D=3D 304) + { + # Not an error - list has not been modified + debug 1, "Blacklist $list not modified"; + + return; + } + log_message LOG_WARNING, "Failed to download $list blacklist $sources{$l= ist}{'url'}: ". $response->status_line; + $checked{"${list}_failures"}++; =20 return; } =20 - $modified{$list} =3D $response->last_modified; + $modified{$list} =3D $response->last_modified; + $checked{"${list}_failures"} =3D 0; + + # Parse the downloaded list, checking if it's a list of addresses or nets =20 foreach my $line (split /[\r\n]+/, $response->content) { @@ -865,108 +771,12 @@ sub download_check_header_time( $$$ ) =20 next unless ($address and $address =3D~ m/\d+\.\d+\.\d+\.\d+/); =20 - if ($address =3D~ m|/\d+|) - { - $found_net =3D 1; - } - else + if ($address =3D~ m|/32|) { + $address =3D~ s|/32||; $found_ip =3D 1; } - - push @{ $new_blacklist }, $address; - } - - if ($found_net and $found_ip) - { - # Convert mixed address and network set to all network - - foreach my $address (@{ $new_blacklist }) - { - $address .=3D '/32' unless ($address =3D~ m|/\d+|); - } - - $found_ip =3D 0; - } - - $$type =3D $found_net ? 'hash:net' : 'hash:ip'; -} - - -#---------------------------------------------------------------------------= --- -# sub download_wget( chain, ref_list, ref_type ) -# -# Updates the IP Addresses for a blacklist. The whole file is download with -# wget and then the modification time compared with the stored modification -# time. If the update is newer then the downloaded list is parsed. -# -# Once downloaded the list is parsed to get the IP addresses and/or networks. -# -# Parameters: -# list The name of the blacklist -# ref_list A reference to an array to store the downloaded blacklist -# ref_type A reference to store the type of the blacklist -#---------------------------------------------------------------------------= --- - -sub download_wget( $$$ ) -{ - my ($list, $new_blacklist, $type) =3D @_; - my $wget_proxy =3D ''; - my $found_ip =3D 0; - my $found_net =3D 0; - - my $parser =3D $parsers{ $sources{$list}{'parser'} }; - - log_message LOG_INFO, "Downloading blacklist $list update with wget"; - - # Get the Proxy settings - - if ($proxy_settings{'UPSTREAM_PROXY'}) - { - if ($proxy_settings{'UPSTREAM_USER'}) - { - $wget_proxy =3D "--proxy=3Don --proxy-user=3D$proxy_settings{'UPSTREAM= _USER'} --proxy-passwd=3D$proxy_settings{'UPSTREAM_PASSWORD'} -e http_proxy= =3Dhttp://$proxy_settings{'UPSTREAM_PROXY'}/"; - } - else - { - $wget_proxy =3D "--proxy=3Don -e http_proxy=3Dhttp://$proxy_settings{'= UPSTREAM_PROXY'}/"; - } - } - - my $retv =3D system( "wget $wget_proxy --no-show-progress -o $detailed_log= -O $tmpdir/ipblacklist_$list $sources{$list}{'url'}" ); - - if ($retv !=3D 0) - { - my $error =3D $wget_status[ $retv/256 ]; - log_message LOG_WARNING, "Failed to download $list blacklist $sources{$l= ist}{'url'}: $error"; - return; - } - - my @file_info =3D stat( "$tmpdir/ipblacklist_$list" ); - - if (exists $modified{$list} and $modified{$list} >=3D $file_info[9]) - { - # We've already got this version of the blocklist - - debug 1, "Blacklist $list not modified"; - unlink "$tmpdir/ipblacklist_$list"; - return; - } - - open LIST, '<', "$tmpdir/ipblacklist_$list" or (abort "Can't open download= ed blacklist for $list: $!", return); - - $modified{$list} =3D $file_info[9]; - - foreach my $line () - { - chomp $line; - - my $address =3D &$parser( $line ); - - next unless ($address); - next unless ($address =3D~ m|\d+\.\d+\.\d+\.\d+|); - - if ($address =3D~ m|/\d+|) + elsif ($address =3D~ m|/\d+|) { $found_net =3D 1; } @@ -978,13 +788,9 @@ sub download_wget( $$$ ) push @{ $new_blacklist }, $address; } =20 - close LIST; - - unlink "$tmpdir/ipblacklist_$list"; - if ($found_net and $found_ip) { - # Convert mixed address and network set to all network + # Convert mixed addresses and networks to all networks =20 foreach my $address (@{ $new_blacklist }) { @@ -999,38 +805,49 @@ sub download_wget( $$$ ) =20 =20 #---------------------------------------------------------------------------= --- -# sub read_ipset( list, old, type ) +# sub read_ipset( list, old, type, maxelem ) # -# Reads the existing contents of the set +# Reads the existing contents and type of the set. # # Parameters: -# chain The name of the blacklist -# old Reference to array to contain blacklist -# type Reference to type +# list The name of the blacklist +# old Reference to array to contain blacklist +# type Reference to type +# maxelem Reference to maximum number of elements #---------------------------------------------------------------------------= --- =20 -sub read_ipset( $$$ ) +sub read_ipset( $$$$ ) { - my ($list, $old, $type) =3D @_; - my $found_net =3D 0; - my $found_ip =3D 0; + my ($list, $old, $type, $maxelem) =3D @_; + my $found_net =3D 0; + my $found_ip =3D 0; =20 debug 2, "Reading existing ipset for blacklist $list"; =20 foreach my $line (qx/$ipset list $list/) { + if ($line =3D~ m|Header:.*maxelem (\d+)|) + { + $$maxelem =3D $1; + next; + } + next unless ($line =3D~ m|(\d+\.\d+\.\d+\.\d+(?:/\d+)?)|); =20 my $address =3D $1; =20 - if (($address =3D~ m|/\d+$|) and ($address !~ m|/32$|)) + if ($address =3D~ m|/32|) + { + $found_ip =3D 1; + $address =3D~ s|/32$||; + } + elsif ($address =3D~ m|/\d+$|) { $found_net =3D 1; } else { $found_ip =3D 1; - $address =3D~ s|/32$||; } =20 $$old{$address} =3D 1; @@ -1038,7 +855,7 @@ sub read_ipset( $$$ ) =20 if ($found_ip and $found_net) { - # Convert mixed address and network set to all network + # Convert mixed addresses and networks to all networks =20 my @ads_list =3D keys %{ $old }; =20 @@ -1059,12 +876,13 @@ sub read_ipset( $$$ ) =20 =20 #---------------------------------------------------------------------------= --- -# sub update_list( chain, new, new_type ) +# sub update_list( list, new, new_type ) # # Updates the IP Addresses for a blacklist # # The new list is compared to the existing list and new entries added or old -# entries deleted as necessary. +# entries deleted as necessary. If the list type ('hash:ip' or 'hash:net') = has +# changed then the IPSet is deleted and re-created with the new type. # # Parameters: # list The name of the blacklist @@ -1078,49 +896,63 @@ sub update_list( $$$ ) my %old; my $old_type; my $changes =3D 0; + my $maxelem =3D 0; =20 - debug 2, "Checking for $list blacklist update from $sources{$list}{'url'}"; + debug 1, "Checking for $list blacklist update from $sources{$list}{'url'}"; =20 - log_message LOG_INFO, "Updating $list blacklist"; + if (exists $chains{$list} ) + { + my $recreate_ipset =3D 0; =20 - read_ipset( $list, \%old, \$old_type ); + read_ipset( $list, \%old, \$old_type, \$maxelem ); =20 - # Check the IPSet type hasn't changed + # Check the IPSet type hasn't changed =20 - if ($new_type ne $old_type) - { - # Change the IPSet type. This requires removing references to it first. - # We could delete and then create the chain, but doing it like this keeps - # the statistics. + if ($new_type ne $old_type) + { + log_message LOG_NOTICE, "Blacklist $list changed type from $old_type t= o $new_type"; + $recreate_ipset =3D 1; + } =20 - log_message LOG_NOTICE, "Blacklist $list changed type from $old_type to = $new_type"; + if ($max_size_fraction * $maxelem < scalar @{ $new } ) + { + log_message LOG_NOTICE, "Blacklist $list changed size from $maxelem"; + $recreate_ipset =3D 1; + } + + if ($recreate_ipset) + { + # Change the IPSet type and/or size. This requires removing references + # to it first. We could delete and then create the chain, but doing it + # like this keeps the statistics. =20 - # Remove the IPSet from the IPTables chains + # Remove the IPSet from the IPTables chains =20 - iptables( "-D 'IPBLACKLISTREDIN' -p ALL -m set --match-set $list src -j = ${list}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not remove ${list} from IPBLACKLISTREDIN c= hain"; + iptables( "-D 'BLACKLISTIN' -p ALL -i $red_iface -m set --match-set $l= ist src -j ${list}_DROP" ) =3D=3D 0 or + log_message LOG_ERR, "Could not remove ${list} from BLACKLISTIN chai= n"; =20 - iptables( "-D 'IPBLACKLISTREDOUT' -p ALL -m set --match-set $list dst -j= ${list}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not remove ${list} from IPBLACKLISTREDOUT = chain"; + iptables( "-D 'BLACKLISTOUT' -p ALL -o $red_iface -m set --match-set $= list dst -j ${list}_DROP" ) =3D=3D 0 or + log_message LOG_ERR, "Could not remove ${list} from BLACKLISTOUT cha= in"; =20 - # Flush and delete the old set + # Flush and delete the old set =20 - ipset( "flush $list" ); - ipset( "destroy $list" ); + ipset( "flush $list" ); + ipset( "destroy $list" ); =20 - %old =3D (); + %old =3D (); # Since we've deleted the old set it can't have any entr= ies. =20 - # Create the new ipset + # Create the new ipset =20 - create_ipset( $list, $new_type, scalar @{ $new } ); + create_ipset( $list, $new_type, scalar @{ $new } ); =20 - # Add the rules to check against the set + # Add the rules to check against the set =20 - iptables( "-A 'IPBLACKLISTREDIN' -p ALL -m set --match-set $list src -j = ${list}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not add IPSet $list to IPBLACKLISTREDIN ch= ain"; + iptables( "-A 'BLACKLISTIN' -p ALL -i $red_iface -m set --match-set $l= ist src -j ${list}_DROP" ) =3D=3D 0 or + log_message LOG_ERR, "Could not add IPSet $list to BLACKLISTIN chain= "; =20 - iptables( "-A 'IPBLACKLISTREDOUT' -p ALL -m set --match-set $list dst -j= ${list}_BLOCK" ) =3D=3D 0 or - log_message LOG_ERR, "Could not add IPSet $list to IPBLACKLISTREDOUT c= hain"; + iptables( "-A 'BLACKLISTOUT' -p ALL -o $red_iface -m set --match-set $= list dst -j ${list}_DROP" ) =3D=3D 0 or + log_message LOG_ERR, "Could not add IPSet $list to BLACKLISTOUT chai= n"; + } } =20 # Process the blacklist @@ -1131,11 +963,11 @@ sub update_list( $$$ ) =20 if (exists $old{$address}) { - delete $old{$address}; # Not new + delete $old{$address}; # Not new - don't delete from chain later } else { - ipset( "add $list $address -exist" ); + ipset( "add $list $address -exist" ); # New - add it =20 $changes++; } @@ -1156,14 +988,13 @@ sub update_list( $$$ ) debug 3, "Delete old net $address from blacklist $list"; } =20 - - log_message LOG_INFO, "Finished updating $list blacklist with $changes cha= nges"; + log_message LOG_INFO, "Updated $list blacklist with $changes changes"; =20 # Save the blacklist for the next reboot =20 mkdir "$savedir" unless (-d "$savedir" ); =20 - ipset( "save $list -file $savedir/$list.conf" ); + ipset( "save $list -file $savedir/$list.conf" ) if ($changes > 0); =20 stop_ipset(); } @@ -1195,28 +1026,29 @@ sub get_ipsets( ) =20 =20 #---------------------------------------------------------------------------= --- -# sub create_ipset( name, type, size ) +# sub create_ipset( list, type, size ) # -# Creates a new IPSet. The current and maximum size of the set are determin= ed -# by taking the next power of two greater than the numer of entries, subject= to -# a minimum size. This allows for future expansion. +# Creates a new IPSet. The current size of the set is determined by taking = the +# next power of two greater than the number of entries; the maximum size is = set +# to double this, subject to a minimum size. This allows for future expansi= on. # # Parameters: -# name The name of the blacklist +# list The name of the blacklist # type The type of the blacklist (hash:ip or hash:net) # size The number of entries in the lsit #---------------------------------------------------------------------------= --- =20 sub create_ipset( $$$ ) { - my ($name, $type, $size) =3D @_; + my ($list, $type, $size) =3D @_; =20 my $hashsize =3D 1; $hashsize <<=3D 1 while ($hashsize < $size); - my $maxsize =3D ($hashsize < 16384) ? 32768 : $hashsize * 2; + my $maxsize =3D $hashsize * 2; + $maxsize =3D $min_ipset_entries if ($maxsize < $min_ipset_entries); =20 # Create the new ipset - ipset( "create $name $type hashsize $hashsize maxelem $maxsize" ); + ipset( "create $list $type hashsize $hashsize maxelem $maxsize" ); stop_ipset(); # Need to do this to action the IPSet commands } =20 @@ -1225,6 +1057,7 @@ sub create_ipset( $$$ ) # sub enable_logging() # # Enable logging of packets dropped by IP Blacklist rules. +# This adds a rule to log the packet to each lists' IPTables chain. #---------------------------------------------------------------------------= --- =20 sub enable_logging() @@ -1237,7 +1070,7 @@ sub enable_logging() { if (exists $chains{$list}) { - iptables( "-I ${list}_BLOCK 1 -j LOG -m limit --limit 10/second --log-= prefix 'DROP_$list'" ); + iptables( "-I ${list}_DROP 1 -j LOG -m limit --limit 10/second --log-p= refix 'BLKLST_$list'" ); } } } @@ -1247,6 +1080,7 @@ sub enable_logging() # sub disable_logging() # # Disable logging of packets dropped by IP Blacklist rules. +# This deletes a rule to log the packet from each lists' IPTables chain. #---------------------------------------------------------------------------= --- =20 sub disable_logging() @@ -1259,7 +1093,7 @@ sub disable_logging() { if (exists $chains{$list}) { - iptables( "-D ${list}_BLOCK -j LOG -m limit --limit 10/second --log-pr= efix 'DROP_$list'" ); + iptables( "-D ${list}_DROP -j LOG -m limit --limit 10/second --log-pre= fix 'BLKLST_$list'" ); } } } @@ -1269,9 +1103,14 @@ sub disable_logging() # sub enable_updates() # # Adds a command to the fcrontab to run the update hourly. +# If there is a command already in the fcrontab to do this it will be +# uncommented, otherwise a new line is added. +# # The update is executed at an offset from the hour so that all the users do= n't # try to download the updates at exactly the same time - the blacklists are -# provided free, so it's good manners to spread the load on the servers. +# provided free, so it's good manners to spread the load on the servers. The +# offset is initialised to a random number that avoids running on the hour +# (when a lot of other things happen), and every fifteen minutes thereafter. #---------------------------------------------------------------------------= --- =20 sub enable_updates() @@ -1285,9 +1124,9 @@ sub enable_updates() { if ($line =3D~ m|/usr/local/bin/ipblacklist|) { - return if ($line !~ m/^#/); # Already enabled + return if ($line !~ m/^#/); # Already enabled - do nothing =20 - # Found - uncomment the line + # Already in fcrontab - uncomment the line =20 $line =3D~ s/^#+//; $found =3D 1; @@ -1298,13 +1137,20 @@ sub enable_updates() =20 if (not $found) { - # Add a new entry + # Add a new entry to fcrontab =20 - my $start =3D int( rand(50) ) + 5; + my $start =3D int( rand(13) ) + 1; + + my $times =3D $start; + + for (my $offset =3D $times+15 ; $offset < 60 ; $offset +=3D 15) + { + $times .=3D ",$offset"; + } =20 push @lines, "\n"; push @lines, "# IP Blacklist update\n"; - push @lines, "\%hourly,nice(1),random,serial $start /usr/local/bin/ipbla= cklist\n"; + push @lines, "\%nice(1) $times * * * * /usr/local/bin/ipblacklist\n"; log_message LOG_INFO, "Add IP Address Blacklist update to crontab"; } =20 @@ -1329,9 +1175,9 @@ sub disable_updates() { if ($line =3D~ m|/usr/local/bin/ipblacklist|) { - return if ($line =3D~ m/^#/); # Already disabled + return if ($line =3D~ m/^#/); # Already disabled - do nothing =20 - # Found - comment the line + # In fcrontab - comment the line =20 $line =3D~ s/^#*/#/; $found =3D 1; @@ -1349,9 +1195,10 @@ sub disable_updates() =20 =20 #---------------------------------------------------------------------------= --- -# sub parse_text_with_hash_comments( line ) +# sub parse_ip_or_net_list( line ) # -# Parses an input line removing comments. +# Parses an input line, looking for lines starting with an IP Address or +# Network specification. # # Parameters: # line The line to parse @@ -1360,41 +1207,11 @@ sub disable_updates() # Either an IP Address or a null string #---------------------------------------------------------------------------= --- =20 -sub parse_text_with_hash_comments( $ ) +sub parse_ip_or_net_list( $ ) { my ($line) =3D @_; =20 - return "" if ($line =3D~ m/^\s*#/); - - $line =3D~ s/#.*$//; - - $line =3D~ m|(\d+\.\d+\.\d+\.\d+(?:/\d+)?)|; - - return $1; -} - - -#---------------------------------------------------------------------------= --- -# sub parse_text_with_semicolon_comments( line ) -# -# Parses an input line removing comments. -# -# Parameters: -# line The line to parse -# -# Returns: -# Either and IP Address or a null string -#---------------------------------------------------------------------------= --- - -sub parse_text_with_semicolon_comments( $ ) -{ - my ($line) =3D @_; - - return "" if ($line =3D~ m/^\s*;/); - - $line =3D~ s/;.*$//; - - $line =3D~ m|(\d+\.\d+\.\d+\.\d+(?:/\d+)?)|; + $line =3D~ m|^(\d+\.\d+\.\d+\.\d+(?:/\d+)?)|; =20 return $1; } @@ -1424,6 +1241,7 @@ sub parse_dshield( $ ) =20 $line =3D~ s/#.*$//; =20 + # |Start addrs | |End Addrs | |= Mask $line =3D~ m|(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+\d+\.\d+\.\d+\.\d+(?:/\d+)?\s= +(\d+)|; =20 return unless ($1); @@ -1436,8 +1254,8 @@ sub parse_dshield( $ ) #---------------------------------------------------------------------------= --- # sub iptables( cmd ) # -# Executes an IPTables command, waiting for the lock to ensure only one chan= ge -# is made at a time. +# Executes an IPTables command, waiting for the internal lock to ensure only +# one change is made at a time. # # Parameters: # cmd The command to execute @@ -1462,6 +1280,11 @@ sub iptables( $ ) # new process for each command. The sub-process is started if it's not alre= ady # running. # +# Note that the pipe is buffered so commands are not necessarily executed +# immediately. Use ipset_stop() to force commands to be executed. This sho= uld +# be done before relying on anything that the ipset commands do, for example +# before referencing the IPSet in an IPTables command. +# # Parameters: # cmd The command to execute #---------------------------------------------------------------------------= --- @@ -1485,6 +1308,7 @@ sub ipset( $ ) # sub stop_ipset( ) # # Stops the ipset sub-process. +# This causes any pending ipset commands to be executed. #---------------------------------------------------------------------------= --- =20 sub stop_ipset( ) @@ -1500,7 +1324,7 @@ sub stop_ipset( ) #---------------------------------------------------------------------------= --- # sub abort( message, parameters... ) # -# Aborts the current activity, printing out an error message. +# Used when aborting the current activity, printing out an error message. # # Parameters: # message Message to be printed --===============3117259794951885925==--