conf_server/configure_firewall.sh

139 lines
4.0 KiB
Bash
Raw Normal View History

2023-01-11 01:03:34 +01:00
#!/bin/sh
. ./myserver.conf
install_package(){
pkg_add ssh_guard curl
useradd -s /sbin/nologin -d /var/empty _pfbadhost
ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
install -d -m 755 -o root -g wheel /var/log/pf-badhost
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
cp -v /etc/doas.conf /etc/doas.conf.old
egrep -v "_pfbadhost" /etc/doas.conf > /tmp/doas.conf
cat >> /tmp/doas.conf <<EOF
# Pf badhost
permit nopass _pfbadhost as root cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost as root cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
permit nopass _pfbadhost as root cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
EOF
mv /tmp/doas.conf /etc/doas.conf
cat > /var/cron/tabs/_pfbadhost <<EOF
# (Cron version V5.0)
~ 0~1 * * * -s pf-badhost -O openbsd
EOF
chown _pfbadhost:crontab /var/cron/tabs/_pfbadhost
chmod 600 /var/cron/tabs/_pfbadhost
}
set_basic_configuration(){
cat > my_configuration/pf.conf <<EOF
#Filtres badhosts et sshguard
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <sshguard> persist
## Table pour les batards de bruteforceurs
table <bruteforce> persist
set block-policy drop # bloque silencieusement
set skip on lo # En local on s'en fou on surveille rien
set limit table-entries 400000
set limit states 100000
## Traitement des paquets ##
# Paquets partiels on vire
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
antispoof quick for egress # Protection vol d'ip
antispoof quick for lo0 # Protection vol d'ip
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# On bloque tout par défault
block
block quick on egress from <pfbadhost>
block in from <sshguard>
block log quick from <bruteforce> label "brutes"
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
EOF
}
set_open_service(){
cat >> my_configuration/pf.conf <<EOF
#déclaration des variables
web_ports = "{ http https }"
EOF
if [ "$SERVICE_MAIL" == "yes" ]; then
echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
fi
if [ "$SERVICE_XMPP" == "yes" ]; then
echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf
fi
echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf
cat >> my_configuration/pf.conf <<EOF
## Anti bruteforce
### SSH
#### Limit 5 connexions simultanne par IP source
#### Limit 15 tentatives de connexion toutes les 5 minutes
pass in on egress proto tcp to port \$ssh_port modulate state \\
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
#web
pass in on egress proto tcp to port \$web_ports modulate state \\
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
EOF
if [ "$SERVICE_MAIL" == "yes" ]; then
cat >> my_configuration/pf.conf <<EOF
# mails
## antispam
pass in on egress proto tcp to port \$mail_ports modulate state \\
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
pass out log on egress proto tcp to any port smtp
EOF
fi
if [ "$SERVICE_XMPP" == "yes" ]; then
cat >> my_configuration/pf.conf <<EOF
# XMPP
pass in on egress proto tcp to port \$xmpp_ports modulate state \\
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
fi
}
install_pf_and_enable(){
pfctl -nf my_configuration/pf.conf
if [ $? == 0 ]; then
cp -v /etc/pf.conf /etc/pf.old
cp -v my_configuration/pf.conf /etc/pf.conf
pfctl -f /etc/pf.conf
else
echo "Il y a un problème dans la configuration du firewall"
fi
}
set_basic_configuration
set_open_service