backup.pl          Restart when restoring backup
ipblacklist )      Adds ipblacklist stats, events and errors
ipblacklist.conf ) to the daily log summary
include            Add blacklists and settings to backups
firewall           Add main IPTables used to invoke IPSet
Signed-off-by: Tim FitzGeorge ipfr@tfitzgeorge.me.uk --- config/backup/backup.pl | 1 + config/backup/include | 2 + config/logwatch/ipblacklist | 105 +++++++++++++++++++++++++++++++++++++++ config/logwatch/ipblacklist.conf | 34 +++++++++++++ src/initscripts/system/firewall | 12 +++++ 5 files changed, 154 insertions(+) create mode 100644 config/logwatch/ipblacklist create mode 100644 config/logwatch/ipblacklist.conf
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 5b5734044..d253bd90f 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -141,6 +141,7 @@ restore_backup() {
 	# Reload firewall
 	firewallctrl
+	/usr/local/bin/ipblacklistctrl restore
 	# Convert old OpenVPN CCD files (CN change, Core Update 75)
 	convert-ovpn
diff --git a/config/backup/include b/config/backup/include
index 5db452cda..1a63ef1b1 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -39,6 +39,7 @@
 /var/ipfire/ethernet/wireless
 /var/ipfire/firewall
 /var/ipfire/fwhosts
+/var/ipfire/ipblacklist/modified
 /var/ipfire/main/*
 /var/ipfire/ovpn
 /var/ipfire/ovpn/collectd.vpn
@@ -54,6 +55,7 @@
 /var/ipfire/time/
 /var/ipfire/urlfilter
 /var/ipfire/vpn
+/var/lib/ipblacklist
 /var/lib/suricata
 /var/log/ip-acct/*
 /var/log/rrd/*
diff --git a/config/logwatch/ipblacklist b/config/logwatch/ipblacklist
new file mode 100644
index 000000000..6d6c46188
--- /dev/null
+++ b/config/logwatch/ipblacklist
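Review bot: The new `/usr/local/bin/ipblacklistctrl restore` line in `restore_backup()` ignores the helper's exit status and prints nothing on failure, so a restore whose block lists could not be re-applied still finishes as a success and the box runs with whatever lists were on disk before; at least surface it, e.g. `/usr/local/bin/ipblacklistctrl restore || echo "ipblacklist restore failed" >&2`. The surrounding `firewallctrl` and `convert-ovpn` calls are unchecked in the same way, so this may be the file's convention, but a restored block list is a security control and its failure is worth making visible. The restore also goes through `ipblacklistctrl`, whereas the `firewall` initscript in this commit calls `/usr/local/bin/ipblacklist`; if both programs exist by design, a short comment on why the backup path uses the `ctrl` variant would help the next reader. `restore_backup()` starts and ends outside the hunk.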
@@ -0,0 +1,105 @@
+###########################################################################
+# ipblacklist script for Logwatch
+# Analyzes the IPFire IP Blacklist log
+#
+#########################################################################
+
+########################################################
+## Copyright (c) 2008 Lars Skj�rlund
+## Covered under the included MIT/X-Consortium License:
+## http://www.opensource.org/licenses/mit-license.php
+## All modifications and contributions by other persons to
+## this script are assumed to have been donated to the
+## Logwatch project and thus assume the above copyright
+## and licensing terms. If you want to make contributions
+## under your own copyright or a different license this
+## must be explicitly stated in the contribution and the
+## Logwatch project reserves the right to not accept such
+## contributions. If you have made significant
+## contributions to this script and want to claim
+## copyright please contact logwatch-devel@lists.sourceforge.net.
+#########################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf
+# /usr/share/logwatch/scripts/services/ipblacklist (this file)
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+use Logwatch ':dates';
+
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+my $SearchDate;
+
+my %Updates;
+my %Errors;
+
+$SearchDate = TimeFilter("%b %e");
+
+while (defined(my $ThisLine = <STDIN>))
+{
+   next unless ($ThisLine =~ m/^\s*\w+\s+\w+\s+(..:..:..) 
.* ipblacklist: (.*)/);
+
+   my $text = $2;
+
+   if ($text =~ m/Updated (\w+) blacklist with (\d+) changes/)
+   {
+      $Updates{$1}{updates}++;
+      $Updates{$1}{changes} += $2;
+   }
+   elsif ($text !~ m/Starting IP Blacklists/ and
+          $text !~ m/Starting IP Blacklist processing/ and
+          $text !~ m/Stopping IP Blacklists/ and
+          $text !~ m/Deleting IP Blacklists/ and
+          $text !~ m/Finished IP Blacklist processing/ and
+          $text !~ m/Create IPTables chains for blacklist/ and
+          $text !~ m/Delete IPTables chains for blacklist/ and
+          $text !~ m/Add IP Address Blacklist update to crontab/ and
+          $text !~ m/Enable IP Address Blacklist update in crontab/ and
+          $text !~ m/Disable IP Address Blacklist updates/ and
+          $text !~ m/Restoring blacklist / and
+          $text !~ m/Blacklist \w+ changed type/ and
+          $text !~ m/Blacklist \w+ changed size/ and
+          $text !~ m/Enabling IP Blacklist logging/ and
+          $text !~ m/Disabling IP Blacklist logging/ )
+   {
+      $Errors{$text}++;
+   }
+}
+
+#####################################################################
+
+if (keys %Updates)
+{
+   print "\nThe following block lists were updated:\n";
+   foreach my $Lists (sort keys %Updates)
+   {
+      print " $Lists: $Updates{$Lists}{updates} Time(s) - $Updates{$Lists}{changes} change(s)\n";
+   }
+}
+
+if (keys %Errors)
+{
+   print "\nThe following errors were detected:\n";
+
+   foreach my $Text (keys %Errors)
+   {
+      print " $Text: $Errors{$Text} Time(s)\n";
+   }
+}
+
+exit(0);
+
+# vi: shiftwidth=3 tabstop=3 syntax=perl et
+# Local Variables:
+# mode: perl
+# perl-indent-level: 3
+# indent-tabs-mode: nil
+# End:
diff --git a/config/logwatch/ipblacklist.conf b/config/logwatch/ipblacklist.conf
new file mode 100644
index 000000000..ed0ecc5f1
--- /dev/null
+++ b/config/logwatch/ipblacklist.conf
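Review bot: No `use strict; use warnings;` precedes `use Logwatch ':dates';`, so a mistyped `%Updates`/`%Errors` key or an accidental package global in this script would go unnoticed; add `use strict;` and `use warnings;` as the first two statements. `$Detail` and `$SearchDate = TimeFilter("%b %e")` are assigned but never read — the `while` loop classifies every line it receives without looking at the date — so either drop both or fold `$SearchDate` into the `next unless` pattern (the companion `ipblacklist.conf` sets `*applystddate`, which presumably already restricts the input by date, in which case dropping is the right call). The error report walks `keys %Errors` unsorted while the update report uses `sort keys %Updates`; `foreach my $Text (sort keys %Errors)` gives stable output between runs and matches the other loop. The header comments of both new files are still the logwatch template: this file lists `dist.conf/services/blacklist.conf` although the config added here is `ipblacklist.conf`, `ipblacklist.conf` calls itself the `ids-update` script and points at `scripts/services/blacklist`, and the copyright line carries a mis-encoded byte (`Skj�rlund`) that should be fixed or re-encoded.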
@@ -0,0 +1,34 @@
+#########################################################################
+# ids-update script for Logwatch
+# Analyzes the IPFire IP Blacklist update log
+#
+# Version: 1.0.0
+# Initial release
+#
+#########################################################################
+
+#########################################################################
+# This script is subject to the same copyright as Logwatch itself
+#########################################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf (this file)
+# /usr/share/logwatch/scripts/services/blacklist
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+
+Title = "IP Blacklist"
+
+# Which logfile group...
+LogFile = messages
+
+*applystddate
+
+# vi: shiftwidth=3 tabstop=3 et
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ab144ea18..8e7c1c7ef 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -196,6 +196,14 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
+	# IP Address Blacklist chains
+	iptables -N BLACKLISTIN
+	iptables -N BLACKLISTOUT
+	iptables -A INPUT ! -p icmp -j BLACKLISTIN
+	iptables -A FORWARD ! -p icmp -j BLACKLISTIN
+	iptables -A FORWARD ! -p icmp -j BLACKLISTOUT
+	iptables -A OUTPUT ! -p icmp -j BLACKLISTOUT
+
 	# IPS (suricata) chains
 	iptables -N IPS_INPUT
 	iptables -N IPS_FORWARD
@@ -382,6 +390,9 @@ iptables_init() {
 	# run captivectrl
 	/usr/local/bin/captivectrl
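Review bot: The `! -p icmp` on all four jumps to `BLACKLISTIN`/`BLACKLISTOUT` is undocumented: ICMP to or from a listed address is never matched against the block lists, and a reader is likely to take that for an oversight rather than a decision, so a comment above `iptables -N BLACKLISTIN` stating why ICMP is exempt (and what, if anything, still filters it) is needed. The two chains are created empty here and only filled by `/usr/local/bin/ipblacklist start` later in `iptables_init()` (the next hunk), so until that call runs the jumps are no-ops; a one-line comment saying the chains are populated by `ipblacklist` would spare the next person a search. `iptables_init()` starts and ends outside this hunk.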
+	# run IP Blacklist start
+	/usr/local/bin/ipblacklist start
+
 	# POLICY CHAIN
 	iptables -N POLICYIN
 	iptables -A INPUT -j POLICYIN
@@ -504,6 +515,7 @@ case "$1" in
 		evaluate_retval
 		;;
 	restart)
+		/usr/local/bin/ipblacklist stop
 		$0 start
 		;;
 	*)
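Review bot: `/usr/local/bin/ipblacklist start` is run with its exit status ignored, so if it fails the `BLACKLISTIN`/`BLACKLISTOUT` chains created earlier in `iptables_init()` stay empty and the firewall comes up with no block-list filtering while still reporting success — a fail-open for a blocking control. The neighbouring `/usr/local/bin/captivectrl` call has the same shape, so this may be the file's convention, but the failure should at least be logged, e.g. `/usr/local/bin/ipblacklist start || logger -t firewall "ipblacklist start failed"`. `iptables_init()` continues outside the hunk.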
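Review bot: `/usr/local/bin/ipblacklist stop` is added to the `restart)` branch only; the branch ending in `evaluate_retval` just above it (presumably `stop)`, its body lies outside the hunk) gets no matching call, so a plain stop would leave whatever `ipblacklist` set up in place while a restart tears it down and `$0 start` rebuilds it through `iptables_init()`. If that asymmetry is intended, put a comment on the new line explaining why the blacklist state must be cleared before `$0 start`; otherwise add the same call to the stop branch so both paths leave the system in the same state.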