#!/bin/sh . ./myserver.conf install_package(){ pkg_add ssh_guard curl useradd -s /sbin/nologin -d /var/empty _pfbadhost ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt install -d -m 755 -o root -g wheel /var/log/pf-badhost install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz cp -v /etc/doas.conf /etc/doas.conf.old egrep -v "_pfbadhost" /etc/doas.conf > /tmp/doas.conf cat >> /tmp/doas.conf < /var/cron/tabs/_pfbadhost < my_configuration/pf.conf < persist file "/etc/pf-badhost.txt" table persist ## Table pour les batards de bruteforceurs table persist set block-policy drop # bloque silencieusement set skip on lo # En local on s'en fou on surveille rien set limit table-entries 400000 set limit states 100000 ## Traitement des paquets ## # Paquets partiels on vire match all scrub (max-mss 1440 no-df random-id reassemble tcp) antispoof quick for egress # Protection vol d'ip antispoof quick for lo0 # Protection vol d'ip # Port build user does not need network block return out log proto {tcp udp} user _pbuild # On bloque tout par défault block block quick on egress from block in from block log quick from label "brutes" pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state EOF } set_open_service(){ cat >> my_configuration/pf.conf <> default_configuration/pf.conf fi if [ "$SERVICE_XMPP" == "yes" ]; then echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf fi echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf cat >> my_configuration/pf.conf < flush global) #web pass in on egress proto tcp to port \$web_ports modulate state \\ (max-src-conn 60, max-src-conn-rate 60/1, overload flush global) EOF if [ "$SERVICE_MAIL" == "yes" ]; then cat >> my_configuration/pf.conf < flush global) pass out log on egress proto tcp to any port smtp EOF fi if [ "$SERVICE_XMPP" == "yes" ]; then cat >> my_configuration/pf.conf < flush global) EOF fi } install_pf_and_enable(){ pfctl -nf my_configuration/pf.conf if [ $? == 0 ]; then cp -v /etc/pf.conf /etc/pf.old cp -v my_configuration/pf.conf /etc/pf.conf pfctl -f /etc/pf.conf else echo "Il y a un problème dans la configuration du firewall" fi } set_basic_configuration set_open_service