This package adds an ASNBL helper for detecting Fast Flux setups and selectively announced networks (i.e. FQDNs resolving to IP addresses not being announced by an Autonomous System) to the distribution. Afterwards, the helper script is located at /usr/bin/asnbl-helper.py.
The second version of this patch updates squid-asnbl to upstream version 0.2.2, improving logging in case of detected Fast Flux setups.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
config/rootfiles/common/squid-asnbl | 1 +
lfs/squid-asnbl | 83 +++++++++++++++++++++++++++++
make.sh | 1 +
3 files changed, 85 insertions(+)
create mode 100644 config/rootfiles/common/squid-asnbl
create mode 100644 lfs/squid-asnbl
diff --git a/config/rootfiles/common/squid-asnbl b/config/rootfiles/common/squid-asnbl new file mode 100644 index 000000000..f129f441e --- /dev/null +++ b/config/rootfiles/common/squid-asnbl @@ -0,0 +1 @@ +usr/bin/asnbl-helper.py diff --git a/lfs/squid-asnbl b/lfs/squid-asnbl new file mode 100644 index 000000000..3fc001768 --- /dev/null +++ b/lfs/squid-asnbl 
@@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.2.2 + +THISAPP = squid-asnbl-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) + +DIR_APP = $(DIR_SRC)/$(THISAPP) + +TARGET = $(DIR_INFO)/$(THISAPP) + +DEPS = libloc squid python3 + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = d62be77baa30b16d1c2362460123d6c0 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum 
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zvxf $(DIR_DL)/$(DL_FILE) + + # Install ASNBL helper script + cd $(DIR_APP) && install -o root -g root -m 0755 asnbl-helper.py /usr/bin/asnbl-helper.py + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index dabed5aa5..215e5c633 100755 --- a/make.sh +++ b/make.sh @@ -1613,6 +1613,7 @@ buildipfire() { lfsmake2 socat lfsmake2 libcdada lfsmake2 pmacct + lfsmake2 squid-asnbl }
buildinstaller() {
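Review bot: the only integrity check on the new package is `$(DL_FILE)_MD5 = d62be77baa30b16d1c2362460123d6c0` in lfs/squid-asnbl, and nothing in the commit message says where the squid-asnbl-0.2.2 archive placed on $(URL_IPFIRE) came from; that is consistent with the rest of the tree, but since this script will be run by squid for every new destination, the message should name the upstream release the archive corresponds to so the sum can be re-derived when VER is bumped. In the install rule, `install -o root -g root -m 0755 asnbl-helper.py /usr/bin/asnbl-helper.py` copies the file without ever exercising it against the interpreter that `DEPS = libloc squid python3` merely orders the build by; a `python3 -m py_compile asnbl-helper.py` in $(DIR_APP) before the install line would fail the build on a script the shipped python3 cannot parse, and costs nothing.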
This patch adds two new features to IPFire's web proxy:
(a) Proactive Fast Flux detection

FQDNs are resolved to their IP addresses, which are then resolved to corresponding Autonomous System Numbers using IPFire's location database. Most destinations will scatter across a very low number of ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast Flux setups have a significantly higher ASN diversity (5 is usually a good threshold), so they can be proactively detected.

(b) Detection for selectively announced destinations

Especially in targeted operations, miscreants host FQDNs for exfiltrating data or malware distributions on ASNs not announced globally, but only to the intended victim or its upstream ISPs.
That way, security researchers located in other parts of the internet have no insights into these attacks, hence not being able to publish listings or send take down notices for the domains used.
While RPKI made this attack harder, it can still be observed every now and then.
This feature also protects against accessing FQDNs resolving to IP addresses not being globally routable, hence providing a trivial mitigation for so-called "rebound attacks" - which we cannot filter at DNS level currently.
The second version of this patch consumes the user-defined whitelist for the URL filter (if present and populated) for the ASNBL helper as well, to make exceptions for funny destinations such as fedoraproject.org possible. In addition, the ASNBL helper's sanity tests no longer include publicly routable IP addresses, so failures on location01 cannot brick IPFire installations in the field.
Thanks to Michael Tremer and Adolf Belka for these suggestions.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
html/cgi-bin/proxy.cgi | 98 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 966593e4d..202a8f3bc 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -21,6 +21,7 @@
use strict; use Apache::Htpasswd; +use Scalar::Util qw(looks_like_number);
# enable only the following on debugging purpose #use warnings; @@ -229,6 +230,9 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited'; +$proxysettings{'ASNBL_FASTFLUX_DETECTION'} = 'off'; +$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} = '5'; +$proxysettings{'ASNBL_SELECANN_DETECTION'} = 'off'; $proxysettings{'ENABLE_MIME_FILTER'} = 'off'; $proxysettings{'AUTH_METHOD'} = 'none'; $proxysettings{'AUTH_REALM'} = ''; @@ -418,6 +422,21 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; } + if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) + { + if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) { + $errormessage = $Lang::tr{'advproxy fastflux no threshold given'}; + goto ERROR; + } + if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) { + $errormessage = $Lang::tr{'advproxy fastflux threshold invalid'}; + goto ERROR; + } + if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} > 10)) { + $errormessage = $Lang::tr{'advproxy fastflux threshold out of bounds'}; + goto ERROR; + } + } if (!($proxysettings{'AUTH_METHOD'} eq 'none')) { unless (($proxysettings{'AUTH_METHOD'} eq 'ident') && @@ -801,6 +820,14 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THROTTLING_GREEN_HOST'}} = "s $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'"; $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'";
+$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECTION'}} = "checked='checked'"; + +$checked{'ASNBL_SELECANN_DETECTION'}{'off'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{'on'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECTION'}} = "checked='checked'"; + $checked{'ENABLE_MIME_FILTER'}{'off'} = ''; $checked{'ENABLE_MIME_FILTER'}{'on'} = ''; $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'"; @@ -1633,6 +1660,24 @@ END print <<END </table>
+<hr size='1'> + +<table width='100%'> +<tr> + <td><b>$Lang::tr{'advproxy asbased anomaly detection'}</b></td> +</tr> +<tr> + <td class='base'>$Lang::tr{'advproxy fastflux detection'}:</td> + <td><input type='checkbox' name='ASNBL_FASTFLUX_DETECTION' $checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} /></td> + <td class='base'>$Lang::tr{'advproxy fastflux detection threshold'}:</td> + <td><input type='text' name='ASNBL_FASTFLUX_THRESHOLD' value='$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}' size=2 /></td> +</tr> +<tr> + <td class='base'>$Lang::tr{'advproxy selectively announcements detection'}:</td> + <td colspan='3'><input type='checkbox' name='ASNBL_SELECANN_DETECTION' $checked{'ASNBL_SELECANN_DETECTION'}{'on'} /></td> +</tr> +</table> + <hr size='1'> END ; @@ -3525,6 +3570,59 @@ if (@ssl_ports) { print FILE "http_access deny CONNECT !SSL_ports\n"; }
+ if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) { + print FILE "external_acl_type asnblhelper children-max=10 children-startup=2 ttl=86400 %DST /usr/bin/asnbl-helper.py ${General::swroot}/proxy/asnbl-helper.conf\n"; + print FILE "acl asnbl external asnblhelper\n"; + + # Use the user-defined URL filter whitelist (if present and populated) for the ASNBL helper as well + # Necessary for destinations such as fedoraproject.org, but we do not want to maintain a dedicated + # or hardcoded list for such FQDNs. + if ((-e "${General::swroot}/urlfilter/blacklists/custom/allowed/domains") && (!-z "${General::swroot}/urlfilter/blacklists/custom/allowed/domains")) { + print FILE "acl asnbl_whitelisted_destinations dstdomain "${General::swroot}/urlfilter/blacklists/custom/allowed/domains"\n"; + print FILE "http_access deny asnbl !asnbl_whitelisted_destinations\n\n"; + } else { + print FILE "http_access deny asnbl\n\n"; + } + + # Write ASNBL helper configuration file... + open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf"); + flock(ASNBLFILE, 2); + + print ASNBLFILE<<END +# +# This file has been automatically generated. Manual changes will be overwritten. 
+# + +[GENERAL] +LOGLEVEL = INFO +ASNDB_PATH = /var/lib/location/database.db +USE_REPLYMAP = no +END +; + + print ASNBLFILE "AS_DIVERSITY_THRESHOLD = $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}\n"; + + if ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on') { + print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = yes\n"; + } else { + print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = no\n"; + } + + if ($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') { + print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = yes\n"; + } else { + print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = no\n"; + } + + print ASNBLFILE<<END +TESTDATA = (10.0.0.1, 0) (127.0.0.1, 0) (fe80::1, 0) +ACTIVE_ASNBLS = +END +; + + close ASNBLFILE; + } + if ($proxysettings{'AUTH_METHOD'} eq 'ident') { print FILE "#Set ident ACLs\n";
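Review bot: in the @@ -418,6 +422,21 @@ hunk, `-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}` is Perl's file test (true only if a file named after the value exists and is empty), not an emptiness check on the string, so the 'advproxy fastflux no threshold given' branch can never fire for an empty field; the empty case is only caught one step later by looks_like_number, with the wrong error message. Use `$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} eq ''` (or `!length(...)`) here, and likewise for the `!-z` in the squid.conf generation hunk (@@ -3525,6 +3570,59 @@), which only works by accident because no file named "5" exists in the CGI's working directory. looks_like_number also accepts '5.5', '1e1' and 'NaN', none of which the `< 2` / `> 10` bounds reject (NaN compares false both ways), and the value then lands verbatim in `AS_DIVERSITY_THRESHOLD = ...`; for a count of ASNs, `/^\d+$/` is the check that matches the intent.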
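Review bot: in the @@ -3525,6 +3570,59 @@ hunk, `http_access deny asnbl !asnbl_whitelisted_destinations` evaluates the slow external ACL first; Squid tests the ACLs on an access line left to right and stops at the first one that does not match, so every request for a whitelisted domain still goes through the helper (a DNS resolution and one of the children-max=10 slots) before the whitelist is even consulted. Put the cheap dstdomain test first: `http_access deny !asnbl_whitelisted_destinations asnbl`. Two smaller points in the same hunk: `open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf")` truncates the file before `flock(ASNBLFILE, 2)` is taken and has no `or die`, so a concurrent save or an unwritable directory silently yields an empty asnbl-helper.conf that the helper children are then started against (use `open(... ) or die` and `Fcntl ':flock'` for LOCK_EX instead of the bare 2); and since the helper's OK answers are cached by squid for ttl=86400, a false positive stays in effect for a day unless squid is restarted, which the save path does, but that is worth a sentence in the commit message.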
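The two detections the commit message above describes, written out as an added example for this thread; it is not the packaged asnbl-helper.py and not IPFire code. Resolved addresses are mapped to ASNs, a destination whose addresses reach the configured number of distinct ASNs is flagged as fast flux, and a routable address that no AS announces, or a non-routable one such as the 10.0.0.1 in the generated TESTDATA line, is flagged as selectively announced. The prefix-to-ASN table and the DNS answers are constructed stand-ins for libloc's database and a resolver so the module runs offline; the OK/ERR wording follows the external_acl_type protocol that the generated `http_access deny asnbl` line relies on; and triggering when the distinct-ASN count reaches (rather than strictly exceeds) the threshold is an assumption, since the thread does not say which comparison the helper uses.

```python
"""ASN-diversity and selective-announcement checks in the shape of a Squid
external ACL helper. Added example for this thread, not the packaged
asnbl-helper.py: ASN_TABLE stands in for IPFire's location database and
DNS_ANSWERS for a resolver, both constructed so the module runs offline."""
import ipaddress
import sys
from typing import Dict, Iterable, List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed prefix -> origin ASN table (documentation prefixes, RFC 5398
# private-use ASNs). 192.0.2.128/25 is deliberately missing so that one
# "routable address with no announcing AS" exists in the samples.
ASN_TABLE: Dict[Network, int] = {
    ipaddress.ip_network("198.51.100.0/24"): 64496,
    ipaddress.ip_network("203.0.113.0/24"): 64497,
    ipaddress.ip_network("192.0.2.0/25"): 64498,
    ipaddress.ip_network("2001:db8:1::/48"): 64499,
    ipaddress.ip_network("2001:db8:2::/48"): 64500,
}

# ipaddress treats documentation space as non-global; exempt it here so the
# constructed samples can play the role of public addresses.
DOC_PREFIXES = [ipaddress.ip_network(n) for n in
                ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]

# Constructed resolver answers, FQDN -> addresses.
DNS_ANSWERS: Dict[str, List[str]] = {
    "www.example": ["198.51.100.10", "198.51.100.11", "2001:db8:1::10"],  # 2 ASNs
    "flux.example": ["198.51.100.5", "203.0.113.5", "192.0.2.5",            # 5 ASNs,
                     "2001:db8:1::5", "2001:db8:2::5"],                     # one each
    "selective.example": ["198.51.100.20", "192.0.2.200"],  # second has no AS
    "rebind.example": ["10.0.0.1"],                          # RFC 1918 answer
    "nowhere.example": [],                                   # no answer
}


def is_routable(addr: Address) -> bool:
    """Addresses that may legitimately be reached across the Internet."""
    return addr.is_global or any(addr in net for net in DOC_PREFIXES)


def lookup_asn(addr: Address) -> int:
    """Longest-prefix match in ASN_TABLE; 0 means no announcing AS is known,
    which is also what non-routable addresses (10/8, 127/8, fe80::/10) get."""
    if not is_routable(addr):
        return 0
    best: Optional[Network] = None
    for net in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return ASN_TABLE[best] if best is not None else 0


def classify(addrs: Iterable[str], threshold: int,
             block_diversity: bool = True, block_selective: bool = True) -> Tuple[bool, str]:
    """Decide whether a destination with these resolved addresses is blocked.
    Assumption (not stated in the thread): the diversity rule triggers when
    the number of distinct ASNs reaches the threshold, ASN 0 not counted."""
    parsed = [ipaddress.ip_address(a) for a in addrs]
    if not parsed:
        return False, "unresolvable"          # fail open when there is no answer
    asns = {lookup_asn(a) for a in parsed}
    diversity = len(asns - {0})
    if block_selective and 0 in asns:
        return True, "selectively-announced-or-unroutable"
    if block_diversity and diversity >= threshold:
        return True, f"asn-diversity:{diversity}"
    return False, f"asn-diversity:{diversity}"


def handle_request(line: str, threshold: int = 5) -> str:
    """Answer one request line carrying %DST, in the external_acl_type
    protocol: OK = acl matches (denied by 'http_access deny asnbl'), ERR = no
    match, BH = the helper could not process the line."""
    dst = line.strip().split(" ", 1)[0] if line.strip() else ""
    if not dst:
        return "BH message=empty-request"
    block, reason = classify(DNS_ANSWERS.get(dst.lower(), []), threshold)
    return f"{'OK' if block else 'ERR'} message={reason}"


def self_test(testdata=(("10.0.0.1", 0), ("127.0.0.1", 0), ("fe80::1", 0))) -> bool:
    """Start-up check in the spirit of the generated TESTDATA line: only
    non-routable addresses, so it cannot fail on a stale location database."""
    return all(lookup_asn(ipaddress.ip_address(a)) == asn for a, asn in testdata)


def main() -> None:
    if not self_test():
        sys.exit("ASN lookup self-test failed")
    for line in sys.stdin:                       # one request per line
        print(handle_request(line), flush=True)  # helper output must be flushed


if __name__ == "__main__":
    main()
```

Feeding it `printf 'flux.example\nwww.example\nrebind.example\n'` on stdin yields OK, ERR, OK. Note that the rebinding case and the selectively announced case are indistinguishable to the helper (both map to ASN 0), so a deployment that turns on only the diversity check, as `BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = no` does, drops the non-routable-address protection the commit message mentions.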
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
langs/de/cgi-bin/de.pl | 7 +++++++
langs/en/cgi-bin/en.pl | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 70dcb10a6..d8254c698 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -255,6 +255,7 @@ 'advproxy advanced web proxy configuration' => 'Proxy-Konfiguration', 'advproxy allowed subnets' => 'Erlaubte Subnetze (eins pro Zeile)', 'advproxy allowed web browsers' => 'Zulässige Clients für Web-Zugriffe', +'advproxy asbased anomaly detection' => 'Anomalieerkennungen auf Basis Autonomer Systeme', 'advproxy back to main page' => 'Zurück zur Hauptseite', 'advproxy banned ip clients' => 'Gesperrte IP-Adressen (eine pro Zeile)', 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)', @@ -326,6 +327,11 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Ungültige IP oder Subnetz für ausgenommenes IP-Subnetz', 'advproxy error design' => 'Design der Fehlermeldungen', 'advproxy error language' => 'Sprache der Fehlermeldungen', +'advproxy fastflux detection' => 'Verbindungen zu auf Fast Flux-Setups gehosteten Zielen verweigern', +'advproxy fastflux no threshold given' => 'Kein Schwellwert für Fast Flux-Erkennung angegeben', +'advproxy fastflux detection threshold' => 'Schwellwert', +'advproxy fastflux threshold invalid' => 'Eingegebener Schwellwert für Fast Flux-Erkennung ist ungültig', +'advproxy fastflux threshold out of bounds' => 'Eingegebener Schwellwert für Fast Flux-Erkennung befindet sich außerhalb zulässiger Grenzwerte', 'advproxy friday' => 'Fr', 'advproxy from' => 'Von', 'advproxy group access control' => 'Gruppenbasierte Zugriffskontrolle', @@ -362,6 +368,7 @@ 'advproxy reset' => 'Zurücksetzen', 'advproxy saturday' => 'Sa', 'advproxy save and restart' => 'Speichern und Neustart', +'advproxy selectively announcements detection' => 'Verbindungen zu Zielen in selektiv propagierten Netzen verweigern', 'advproxy squid version' => 'Squid Versionsnummer', 'advproxy squidclamav' => 'SquidClamav', 'advproxy ssadvanced proxy' => 'advanced proxy', 
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 679588940..644d348ea 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -252,6 +252,7 @@ 'advproxy advanced web proxy configuration' => 'Advanced web proxy configuration', 'advproxy allowed subnets' => 'Allowed subnets (one per line)', 'advproxy allowed web browsers' => 'Allowed clients for web access', +'advproxy asbased anomaly detection' => 'Anomaly detections based on Autonomous Systems information', 'advproxy back to main page' => 'Back to main page', 'advproxy banned ip clients' => 'Banned IP addresses (one per line)', 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)', @@ -323,6 +324,11 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Invalid IP or subnet for excluded IP subnet', 'advproxy error design' => 'Error messages design', 'advproxy error language' => 'Error messages language', +'advproxy fastflux detection' => 'Deny access to destinations hosted on fast flux setups', +'advproxy fastflux no threshold given' => 'No threshold was given for fast flux detection', +'advproxy fastflux detection threshold' => 'Threshold', +'advproxy fastflux threshold invalid' => 'Supplied fast flux detection threshold is invalid', +'advproxy fastflux threshold out of bounds' => 'Supplied fast flux detection threshold is out of bounds', 'advproxy friday' => 'Fri', 'advproxy from' => 'From', 'advproxy group access control' => 'Group based access control', @@ -359,6 +365,7 @@ 'advproxy reset' => 'Reset', 'advproxy saturday' => 'Sat', 'advproxy save and restart' => 'Save and Restart', +'advproxy selectively announcements detection' => 'Deny access to destinations hosted on selectively announced networks', 'advproxy squid version' => 'Squid cache version', 'advproxy squidclamav' => 'SquidClamav', 'advproxy ssadvanced proxy' => 'advanced proxy',
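Review bot: wording nit in the en.pl hunk: 'Anomaly detections based on Autonomous Systems information' and 'Deny access to destinations hosted on selectively announced networks' read awkwardly next to the German 'Anomalieerkennungen auf Basis Autonomer Systeme' / 'Zielen in selektiv propagierten Netzen'; 'Anomaly detection based on Autonomous System information' and 'Deny access to destinations in selectively announced networks' would be clearer. The key 'advproxy selectively announcements detection' is ungrammatical too, but it is referenced from proxy.cgi, so either fix the values only or rename the key in both language files and the CGI in one go.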
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 10 Oct 2021, at 18:44, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
langs/de/cgi-bin/de.pl | 7 +++++++
langs/en/cgi-bin/en.pl | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 70dcb10a6..d8254c698 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -255,6 +255,7 @@ 'advproxy advanced web proxy configuration' => 'Proxy-Konfiguration', 'advproxy allowed subnets' => 'Erlaubte Subnetze (eins pro Zeile)', 'advproxy allowed web browsers' => 'Zulässige Clients für Web-Zugriffe', +'advproxy asbased anomaly detection' => 'Anomalieerkennungen auf Basis Autonomer Systeme', 'advproxy back to main page' => 'Zurück zur Hauptseite', 'advproxy banned ip clients' => 'Gesperrte IP-Adressen (eine pro Zeile)', 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)', @@ -326,6 +327,11 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Ungültige IP oder Subnetz für ausgenommenes IP-Subnetz', 'advproxy error design' => 'Design der Fehlermeldungen', 'advproxy error language' => 'Sprache der Fehlermeldungen', +'advproxy fastflux detection' => 'Verbindungen zu auf Fast Flux-Setups gehosteten Zielen verweigern', +'advproxy fastflux no threshold given' => 'Kein Schwellwert für Fast Flux-Erkennung angegeben', +'advproxy fastflux detection threshold' => 'Schwellwert', +'advproxy fastflux threshold invalid' => 'Eingegebener Schwellwert für Fast Flux-Erkennung ist ungültig', +'advproxy fastflux threshold out of bounds' => 'Eingegebener Schwellwert für Fast Flux-Erkennung befindet sich außerhalb zulässiger Grenzwerte', 'advproxy friday' => 'Fr', 'advproxy from' => 'Von', 'advproxy group access control' => 'Gruppenbasierte Zugriffskontrolle', @@ -362,6 +368,7 @@ 'advproxy reset' => 'Zurücksetzen', 'advproxy saturday' => 'Sa', 'advproxy save and restart' => 'Speichern und Neustart', +'advproxy selectively announcements detection' => 'Verbindungen zu Zielen in selektiv propagierten Netzen verweigern', 'advproxy squid version' => 'Squid Versionsnummer', 'advproxy squidclamav' => 'SquidClamav', 'advproxy ssadvanced proxy' => 'advanced proxy', 
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 679588940..644d348ea 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -252,6 +252,7 @@ 'advproxy advanced web proxy configuration' => 'Advanced web proxy configuration', 'advproxy allowed subnets' => 'Allowed subnets (one per line)', 'advproxy allowed web browsers' => 'Allowed clients for web access', +'advproxy asbased anomaly detection' => 'Anomaly detections based on Autonomous Systems information', 'advproxy back to main page' => 'Back to main page', 'advproxy banned ip clients' => 'Banned IP addresses (one per line)', 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)', @@ -323,6 +324,11 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Invalid IP or subnet for excluded IP subnet', 'advproxy error design' => 'Error messages design', 'advproxy error language' => 'Error messages language', +'advproxy fastflux detection' => 'Deny access to destinations hosted on fast flux setups', +'advproxy fastflux no threshold given' => 'No threshold was given for fast flux detection', +'advproxy fastflux detection threshold' => 'Threshold', +'advproxy fastflux threshold invalid' => 'Supplied fast flux detection threshold is invalid', +'advproxy fastflux threshold out of bounds' => 'Supplied fast flux detection threshold is out of bounds', 'advproxy friday' => 'Fri', 'advproxy from' => 'From', 'advproxy group access control' => 'Group based access control', @@ -359,6 +365,7 @@ 'advproxy reset' => 'Reset', 'advproxy saturday' => 'Sat', 'advproxy save and restart' => 'Save and Restart', +'advproxy selectively announcements detection' => 'Deny access to destinations hosted on selectively announced networks', 'advproxy squid version' => 'Squid cache version', 'advproxy squidclamav' => 'SquidClamav', 'advproxy ssadvanced proxy' => 'advanced proxy', -- 2.26.2
Looks okay to me now. Thank you for working on this.
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 10 Oct 2021, at 18:43, Peter Müller peter.mueller@ipfire.org wrote:
This patch adds two new features to IPFire's web proxy:
(a) Proactive Fast Flux detection

FQDNs are resolved to their IP addresses, which are then resolved to corresponding Autonomous System Numbers using IPFire's location database. Most destinations will scatter across a very low number of ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast Flux setups have a significantly higher ASN diversity (5 is usually a good threshold), so they can be proactively detected.

(b) Detection for selectively announced destinations

Especially in targeted operations, miscreants host FQDNs for exfiltrating data or malware distributions on ASNs not announced globally, but only to the intended victim or its upstream ISPs.
That way, security researchers located in other parts of the internet have no insights into these attacks, hence not being able to publish listings or send take down notices for the domains used.
While RPKI made this attack harder, it can still be observed every now and then.
This feature also protects against accessing FQDNs resolving to IP addresses not being globally routable, hence providing a trivial mitigation for so-called "rebound attacks" - which we cannot filter at DNS level currently.
The second version of this patch consumes the user-defined whitelist for the URL filter (if present and populated) for the ASNBL helper as well, to make exceptions for funny destinations such as fedoraproject.org possible. In addition, the ASNBL helper's sanity tests no longer include publicly routable IP addresses, so failures on location01 cannot brick IPFire installations in the field.
Thanks to Michael Tremer and Adolf Belka for these suggestions.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/proxy.cgi | 98 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 966593e4d..202a8f3bc 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -21,6 +21,7 @@
use strict; use Apache::Htpasswd; +use Scalar::Util qw(looks_like_number);
# enable only the following on debugging purpose #use warnings; @@ -229,6 +230,9 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited'; +$proxysettings{'ASNBL_FASTFLUX_DETECTION'} = 'off'; +$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} = '5'; +$proxysettings{'ASNBL_SELECANN_DETECTION'} = 'off'; $proxysettings{'ENABLE_MIME_FILTER'} = 'off'; $proxysettings{'AUTH_METHOD'} = 'none'; $proxysettings{'AUTH_REALM'} = ''; @@ -418,6 +422,21 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; }
- if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on'))
- {
if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) {
$errormessage = $Lang::tr{'advproxy fastflux no threshold given'};
goto ERROR;
}
if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) {
$errormessage = $Lang::tr{'advproxy fastflux threshold invalid'};
goto ERROR;
}
if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} > 10)) {
$errormessage = $Lang::tr{'advproxy fastflux threshold out of bounds'};
goto ERROR;
}
- } if (!($proxysettings{'AUTH_METHOD'} eq 'none')) { unless (($proxysettings{'AUTH_METHOD'} eq 'ident') &&
@@ -801,6 +820,14 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THROTTLING_GREEN_HOST'}} = "s $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'"; $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'";
+$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECTION'}} = "checked='checked'";
+$checked{'ASNBL_SELECANN_DETECTION'}{'off'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{'on'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECTION'}} = "checked='checked'";
$checked{'ENABLE_MIME_FILTER'}{'off'} = ''; $checked{'ENABLE_MIME_FILTER'}{'on'} = ''; $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'"; @@ -1633,6 +1660,24 @@ END print <<END
</table>
+<hr size='1'>
+<table width='100%'> +<tr>
<td><b>$Lang::tr{'advproxy asbased anomaly detection'}</b></td>
+</tr> +<tr>
<td class='base'>$Lang::tr{'advproxy fastflux detection'}:</td>
<td><input type='checkbox' name='ASNBL_FASTFLUX_DETECTION' $checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} /></td>
<td class='base'>$Lang::tr{'advproxy fastflux detection threshold'}:</td>
<td><input type='text' name='ASNBL_FASTFLUX_THRESHOLD' value='$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}' size=2 /></td>
+</tr> +<tr>
<td class='base'>$Lang::tr{'advproxy selectively announcements detection'}:</td>
<td colspan='3'><input type='checkbox' name='ASNBL_SELECANN_DETECTION' $checked{'ASNBL_SELECANN_DETECTION'}{'on'} /></td>
+</tr> +</table>
<hr size='1'> END ; @@ -3525,6 +3570,59 @@ if (@ssl_ports) { print FILE "http_access deny CONNECT !SSL_ports\n"; }
- if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) {
print FILE "external_acl_type asnblhelper children-max=10 children-startup=2 ttl=86400 %DST /usr/bin/asnbl-helper.py ${General::swroot}/proxy/asnbl-helper.conf\n";
print FILE "acl asnbl external asnblhelper\n";
# Use the user-defined URL filter whitelist (if present and populated) for the ASNBL helper as well
# Necessary for destinations such as fedoraproject.org, but we do not want to maintain a dedicated
# or hardcoded list for such FQDNs.
if ((-e "${General::swroot}/urlfilter/blacklists/custom/allowed/domains") && (!-z "${General::swroot}/urlfilter/blacklists/custom/allowed/domains")) {
print FILE "acl asnbl_whitelisted_destinations dstdomain \"${General::swroot}/urlfilter/blacklists/custom/allowed/domains\"\n";
print FILE "http_access deny asnbl !asnbl_whitelisted_destinations\n\n";
} else {
print FILE "http_access deny asnbl\n\n";
}
# Write ASNBL helper configuration file...
open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf");
flock(ASNBLFILE, 2);
print ASNBLFILE<<END
+# +# This file has been automatically generated. Manual changes will be overwritten. +#
+[GENERAL] +LOGLEVEL = INFO +ASNDB_PATH = /var/lib/location/database.db +USE_REPLYMAP = no +END +;
print ASNBLFILE "AS_DIVERSITY_THRESHOLD = $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}\n";
if ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on') {
print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = yes\n";
} else {
print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = no\n";
}
if ($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') {
print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = yes\n";
} else {
print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = no\n";
}
print ASNBLFILE<<END
+TESTDATA = (10.0.0.1, 0) (127.0.0.1, 0) (fe80::1, 0) +ACTIVE_ASNBLS = +END +;
close ASNBLFILE;
- }
if ($proxysettings{'AUTH_METHOD'} eq 'ident') { print FILE "#Set ident ACLs\n"; -- 2.26.2
Hello,
On 10 Oct 2021, at 18:43, Peter Müller peter.mueller@ipfire.org wrote:
This package adds an ASNBL helper for detecting Fast Flux setups and selectively announced networks (i.e. FQDNs resolving to IP addresses not being announced by an Autonomous System) to the distribution. Afterwards, the helper script is located at /usr/bin/asnbl-helper.py.
This is maybe purely aesthetic, but a helper script in /usr/bin feels wrong to me.
Neither am I a fan of having a file extension like this in /usr/bin. Something similar has caused us to ship our backup script, which is written in shell, as backup.pl. Implementations might change.
The second version of this patch updates squid-asnbl to upstream version 0.2.2, improving logging in case of detected Fast Flux setups.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/rootfiles/common/squid-asnbl | 1 +
lfs/squid-asnbl | 83 +++++++++++++++++++++++++++++
make.sh | 1 +
3 files changed, 85 insertions(+)
create mode 100644 config/rootfiles/common/squid-asnbl
create mode 100644 lfs/squid-asnbl
diff --git a/config/rootfiles/common/squid-asnbl b/config/rootfiles/common/squid-asnbl new file mode 100644 index 000000000..f129f441e --- /dev/null +++ b/config/rootfiles/common/squid-asnbl @@ -0,0 +1 @@ +usr/bin/asnbl-helper.py diff --git a/lfs/squid-asnbl b/lfs/squid-asnbl new file mode 100644 index 000000000..3fc001768 --- /dev/null +++ b/lfs/squid-asnbl @@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +###############################################################################
+############################################################################### +# Definitions +###############################################################################
+include Config
+VER = 0.2.2
+THISAPP = squid-asnbl-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+DEPS = libloc squid python3
+############################################################################### +# Top-level Rules +###############################################################################
+objects = $(DL_FILE)
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+$(DL_FILE)_MD5 = d62be77baa30b16d1c2362460123d6c0
+install : $(TARGET)
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+md5 : $(subst %,%_MD5,$(objects))
+############################################################################### +# Downloading, checking, md5sum +###############################################################################
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
- @$(CHECK)
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
- @$(LOAD)
+$(subst %,%_MD5,$(objects)) :
- @$(MD5)
+############################################################################### +# Installation Details +###############################################################################
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
- @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zvxf $(DIR_DL)/$(DL_FILE)
- # Install ASNBL helper script
- cd $(DIR_APP) && install -o root -g root -m 0755 asnbl-helper.py /usr/bin/asnbl-helper.py
- @rm -rf $(DIR_APP)
- @$(POSTBUILD)
diff --git a/make.sh b/make.sh index dabed5aa5..215e5c633 100755 --- a/make.sh +++ b/make.sh @@ -1613,6 +1613,7 @@ buildipfire() { lfsmake2 socat lfsmake2 libcdada lfsmake2 pmacct
- lfsmake2 squid-asnbl
}
buildinstaller() {
2.26.2
Hello Michael,
thanks for your reply.
Hello,
On 10 Oct 2021, at 18:43, Peter Müller peter.mueller@ipfire.org wrote:
This package adds an ASNBL helper for detecting Fast Flux setups and selectively announced networks (i.e. FQDNs resolving to IP addresses not being announced by an Autonomous System) to the distribution. Afterwards, the helper script is located at /usr/bin/asnbl-helper.py.
This is maybe purely aesthetic, but a helper script in /usr/bin feels wrong to me.
Where would you place it instead?
Neither am I a fan of having a file extension like this in /usr/bin. Something similar has caused us to ship our backup script, which is written in shell, as backup.pl. Implementations might change.
True. Is this a show-stopper to you? If so, I will hand in a third version of this patch series to correct this.
Aside from that, I can assure you (if this is what you desire) this won't cause the problem you described. I doubt any other application within IPFire will ever need this script. :-)
Thanks, and best regards, Peter Müller
Hello,

On 13 Oct 2021, at 17:25, Peter Müller peter.mueller@ipfire.org wrote:

> Hello Michael,
>
> thanks for your reply.
>
>> Hello,
>>
>> On 10 Oct 2021, at 18:43, Peter Müller peter.mueller@ipfire.org wrote:
>>
>>> This package adds an ASNBL helper for detecting Fast Flux setups and selectively announced networks (i.e. FQDNs resolving to IP addresses not being announced by an Autonomous System) to the distribution. Afterwards, the helper script is located at /usr/bin/asnbl-helper.py.
>>
>> This is maybe purely aesthetic, but a helper script in /usr/bin feels wrong to me.
>
> Where would you place it instead?

/usr/lib/squid/helpers/asnbl

>> Neither am I a fan of having a file extension like this in /usr/bin. Something similar has caused us to ship our backup script which is written in shell as backup.pl. Implementations might change.
>
> True. Is this a show-stopper to you? If so, I will hand in a third version of this patch series to correct this.
>
> Aside from that, I can assure you (if this is what you desire) this won't cause the problem you described. I doubt any other application within IPFire will ever need this script. :-)

Not really a showstopper. I just want to make things look sleek. It will help us to name things in a more meaningful manner and to type less.

-Michael

> Thanks, and best regards,
> Peter Müller
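The commit message quoted in this thread says what the helper detects (a name whose addresses spread over many Autonomous Systems, and a name resolving to an address that no AS announces) but not how such a check looks from Squid's side. The block below is an added example, not code from squid-asnbl or from IPFire: it models those two checks in the shape of a Squid external ACL helper. The external_acl_type line protocol it follows (one request per line on stdin, an OK/ERR/BH reply per line on stdout, a leading channel ID echoed back when Squid runs the helper with concurrency) is Squid's real protocol; everything else is an assumption made for the example: the ASN table, the DNS answers, the threshold of three distinct ASNs, the tag and message values, and the choice to treat an address missing from the table as unannounced. The real helper's thresholds and its libloc lookup are not shown on this page.

```python
"""Added example (not squid-asnbl or IPFire code): a minimal model of an
ASNBL-style Squid external ACL helper with two checks, fast flux (too many
distinct ASNs behind one name) and unannounced addresses (no originating AS).
"""
import ipaddress
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed ASN table standing in for a libloc or DNS-based ASN lookup.
# None models "no Autonomous System announces this address". Addresses that
# are absent from the table also come back as None, i.e. count as unannounced.
SAMPLE_ASN_TABLE: Dict[str, Optional[int]] = {
    "192.0.2.10": 64496,
    "192.0.2.11": 64496,
    "198.51.100.7": 64497,
    "203.0.113.5": 64498,
    "203.0.113.6": 64499,
    "2001:db8::1": 64500,
    "192.0.2.200": None,
}

# Constructed resolver answers standing in for live DNS (documentation ranges).
SAMPLE_DNS: Dict[str, List[str]] = {
    "static.example": ["192.0.2.10", "192.0.2.11"],
    "cdn.example": ["192.0.2.10", "198.51.100.7"],
    "flux.example": ["192.0.2.10", "198.51.100.7", "203.0.113.5",
                     "203.0.113.6", "2001:db8::1"],
    "dark.example": ["192.0.2.10", "192.0.2.200"],
}

# Assumption for this example: this many distinct ASNs behind one name is
# treated as fast flux. A real deployment tunes this against its own traffic.
FASTFLUX_ASN_THRESHOLD = 3

AsnLookup = Callable[[str], Optional[int]]


@dataclass
class Verdict:
    fqdn: str
    reason: str                      # "clean", "fastflux" or "unannounced"
    asns: Set[int] = field(default_factory=set)
    unannounced: List[str] = field(default_factory=list)


def classify(fqdn: str, ips: List[str], asn_lookup: AsnLookup,
             threshold: int = FASTFLUX_ASN_THRESHOLD) -> Verdict:
    """Apply both checks to one name's resolved addresses. An unannounced
    address is reported first: it is suspicious on its own, however few ASNs
    the remaining addresses span."""
    asns: Set[int] = set()
    unannounced: List[str] = []
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on garbage before any lookup
        asn = asn_lookup(ip)
        if asn is None:
            unannounced.append(ip)
        else:
            asns.add(asn)
    if unannounced:
        return Verdict(fqdn, "unannounced", asns, unannounced)
    if len(asns) >= threshold:
        return Verdict(fqdn, "fastflux", asns, unannounced)
    return Verdict(fqdn, "clean", asns, unannounced)


def handle_request(line: str, resolver: Callable[[str], List[str]],
                   asn_lookup: AsnLookup,
                   threshold: int = FASTFLUX_ASN_THRESHOLD) -> str:
    """Turn one external_acl_type request line into one reply line.
    "OK" means the ACL matches (a deny rule built on it then blocks the
    request), "ERR" means no match, "BH" signals a helper-side failure.
    With concurrency=N Squid prefixes a channel ID that must be echoed back."""
    tokens = line.strip().split()
    if not tokens:
        return "BH"
    channel = ""
    if len(tokens) >= 2 and tokens[0].isdigit():
        channel, tokens = tokens[0] + " ", tokens[1:]
    fqdn = tokens[0].lower().rstrip(".")
    try:
        verdict = classify(fqdn, resolver(fqdn), asn_lookup, threshold)
    except (KeyError, OSError, ValueError):
        return channel + "BH message=lookup_failed"
    if verdict.reason == "clean":
        return channel + "ERR"
    detail = (",".join(verdict.unannounced) if verdict.unannounced
              else ",".join(f"AS{a}" for a in sorted(verdict.asns)))
    return f"{channel}OK tag={verdict.reason} message={verdict.reason}:{detail}"


def main() -> None:
    # Stand-alone run: one request per stdin line, one reply per line,
    # flushed after each so Squid never waits on a buffered answer.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line, SAMPLE_DNS.__getitem__,
                                        SAMPLE_ASN_TABLE.get) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it with `printf 'flux.example\ndark.example\nstatic.example\n' | python3 helper.py` to see an OK line for the fast-flux name, an OK line naming the unannounced address, and an ERR for the plain name. In a real deployment the resolver and ASN lookup would be replaced by live DNS and libloc, and the helper would be declared in squid.conf with an `external_acl_type` line and used from an `http_access deny` rule, which is exactly the wiring the patch above leaves for configuration.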