#!/bin/sh
# Site settings (SERVICE_MAIL, SERVICE_XMPP, SSH_PORT) are read by sourcing
# a file from the current directory, so it is executed as shell code with
# this script's (root) privileges: it must be owned and writable by root only.
. ./myserver.conf
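#######################################
# Install pf-badhost and the sshguard package, create the unprivileged
# _pfbadhost account, grant it the doas rules pf-badhost needs and schedule
# it in cron. Must run as root. Not idempotent: useradd fails on a second
# run because the account already exists.
# Globals:   none
# Arguments: none
# Outputs:   progress from the underlying tools on stdout/stderr
# Returns:   0 on success, 1 as soon as a step fails
#######################################
install_package(){
  # NOTE(review): the OpenBSD port is called "sshguard"; confirm "ssh_guard"
  # is the intended package name.
  pkg_add ssh_guard curl || return 1

  # Service account: no login shell, empty home directory.
  useradd -s /sbin/nologin -d /var/empty _pfbadhost || return 1

  # pf-badhost is fetched over HTTPS but nothing checks what was received:
  # no checksum, no signature. Whatever lands here runs as _pfbadhost with
  # doas rights to reload pf, so pin the expected digest (for example with
  # sha256 -c <CHECKSUM-FILE-PLACEHOLDER>) before installing it.
  ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh || return 1
  install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost || return 1

  # Blocklist and log files belong to the service account, readable by
  # group wheel; the log directory itself stays root-owned.
  install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt || return 1
  install -d -m 755 -o root -g wheel /var/log/pf-badhost || return 1
  install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log || return 1
  install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz || return 1

  # Rebuild doas.conf in a private temp file (mktemp, mode 0600) instead of
  # the predictable /tmp/doas.conf used before, which any local user could
  # pre-create or symlink before root wrote to it. Existing _pfbadhost rules
  # are dropped first so a rerun does not duplicate them; grep -v exits 1
  # when nothing is left, which is not an error here. The resulting file is
  # root-only readable; doas itself runs as root and still reads it.
  doas_tmp=$(mktemp) || return 1
  if [ -f /etc/doas.conf ]; then
    cp -v /etc/doas.conf /etc/doas.conf.old || { rm -f "$doas_tmp"; return 1; }
    grep -v -- "_pfbadhost" /etc/doas.conf > "$doas_tmp"
  fi
  # Only the exact pfctl/zcat invocations pf-badhost issues are permitted;
  # quoted delimiter, nothing in the rules is expanded.
  cat >> "$doas_tmp" <<'EOF'

# Pf badhost
permit nopass _pfbadhost as root cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost as root cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
permit nopass _pfbadhost as root cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz

EOF
  mv "$doas_tmp" /etc/doas.conf || { rm -f "$doas_tmp"; return 1; }

  # Install the crontab through crontab(1) rather than writing the spool
  # file by hand: the entry is syntax-checked and cron picks it up, and
  # ownership/mode of the spool file are handled for us.
  # "~ 0~1" is OpenBSD cron range syntax (random minute, random hour in
  # 0..1) and -s keeps a single instance of the job running — see crontab(5).
  crontab -u _pfbadhost - <<'EOF'
# (Cron version V5.0)
~ 0~1 * * * -s pf-badhost -O openbsd
EOF
}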
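#######################################
# Write the base pf ruleset (tables, options, scrub, antispoof, default
# block, outbound pass) to my_configuration/pf.conf, replacing any previous
# content. Service macros and inbound rules are appended afterwards by
# set_open_service.
# Globals:   none
# Arguments: none
# Returns:   0 on success, 1 if the directory or the file cannot be written
#######################################
set_basic_configuration(){
  # Nothing else creates the directory; without it the redirection below
  # fails and the script carries on with no ruleset at all.
  mkdir -p my_configuration || return 1
  # Quoted delimiter: the ruleset is written verbatim, nothing is expanded.
  cat > my_configuration/pf.conf <<'EOF' || return 1
#Filtres badhosts et sshguard
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <sshguard> persist

## Table pour les batards de bruteforceurs
table <bruteforce> persist


set block-policy drop # bloque silencieusement
set skip on lo # En local on s'en fou on surveille rien
set limit table-entries 400000
set limit states 100000


## Traitement des paquets ##
# Paquets partiels on vire
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
antispoof quick for egress # Protection vol d'ip
antispoof quick for lo0 # Protection vol d'ip

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

# On bloque tout par défault
block

block quick on egress from <pfbadhost>
block in from <sshguard>
block log quick from <bruteforce> label "brutes"

pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state

EOF
}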
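#######################################
# Append the service macros and the inbound pass rules (with per-source
# connection limits that feed the <bruteforce> table) to
# my_configuration/pf.conf. Every macro is written to the same file as the
# rules that reference it, ahead of them. Previously the mail, xmpp and
# ssh macros went to default_configuration/pf.conf, and the xmpp macro was
# misspelled "xmmp_ports", so the generated ruleset referenced undefined
# macros.
# Globals:   SERVICE_MAIL, SERVICE_XMPP (read; "yes" enables the service)
#            SSH_PORT (read; port number or service name sshd listens on)
# Arguments: none
# Returns:   0 on success, 1 if SSH_PORT is unusable or a write fails
#######################################
set_open_service(){
  # SSH_PORT is interpolated into the ruleset: an empty value yields
  # ssh_port = "" which pfctl rejects, and quotes or whitespace would let
  # the value inject rules of its own. Accept a port number or a plain
  # service name only, before anything is written.
  case "$SSH_PORT" in
    ""|*[!A-Za-z0-9_-]*)
      printf 'SSH_PORT invalide dans myserver.conf: %s\n' "$SSH_PORT" >&2
      return 1
      ;;
  esac
  pf_conf=my_configuration/pf.conf

  cat >> "$pf_conf" <<'EOF' || return 1
#déclaration des variables
web_ports = "{ http https }"
EOF

  if [ "$SERVICE_MAIL" = "yes" ]; then
    printf '%s\n' 'mail_ports = "{ smtp submission imap }"' >> "$pf_conf" || return 1
  fi

  if [ "$SERVICE_XMPP" = "yes" ]; then
    # Macro name must match the $xmpp_ports reference below.
    printf '%s\n' 'xmpp_ports = "{ 5222 5269 }"' >> "$pf_conf" || return 1
  fi

  printf 'ssh_port = "%s"\n' "$SSH_PORT" >> "$pf_conf" || return 1

  # Quoted delimiters from here on: "$ssh_port" and the trailing "\" are pf
  # syntax and must reach the file untouched.
  cat >> "$pf_conf" <<'EOF' || return 1

## Anti bruteforce
### SSH
#### Limit 5 connexions simultanne par IP source
#### Limit 15 tentatives de connexion toutes les 5 minutes
pass in on egress proto tcp to port $ssh_port modulate state \
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)

#web
pass in on egress proto tcp to port $web_ports modulate state \
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)

EOF

  if [ "$SERVICE_MAIL" = "yes" ]; then
    cat >> "$pf_conf" <<'EOF' || return 1
# mails
## antispam
pass in on egress proto tcp to port $mail_ports modulate state \
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
pass out log on egress proto tcp to any port smtp

EOF
  fi

  if [ "$SERVICE_XMPP" = "yes" ]; then
    cat >> "$pf_conf" <<'EOF' || return 1
# XMPP
pass in on egress proto tcp to port $xmpp_ports modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
  fi
}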
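#######################################
# Validate the generated ruleset, back up the live /etc/pf.conf, install
# the new one and load it into pf.
# Globals:   none
# Arguments: none
# Outputs:   an error message on stderr when the ruleset does not parse
# Returns:   0 when the ruleset was loaded, 1 if it failed to parse or a
#            copy failed (the live ruleset is left untouched in that case)
#######################################
install_pf_and_enable(){
  # Dry-run parse first so a broken file never replaces the working one;
  # testing the command directly avoids the fragile "$? == 0" check.
  if ! pfctl -nf my_configuration/pf.conf; then
    echo "Il y a un problème dans la configuration du firewall" >&2
    return 1
  fi
  cp -v /etc/pf.conf /etc/pf.old || return 1
  cp -v my_configuration/pf.conf /etc/pf.conf || return 1
  pfctl -f /etc/pf.conf
}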
# Only the ruleset in my_configuration/pf.conf is generated here;
# install_package and install_pf_and_enable are defined above but not called.
set_basic_configuration
# Append the service macros and inbound pass rules after the base ruleset.
set_open_service