conf_server/configure_firewall.sh


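#!/bin/sh
# Generates the pf ruleset for this server from myserver.conf and, on
# "install", sets up pf-badhost and loads the ruleset.
# Usage: configure_firewall.sh gen-config-only|install
#
# myserver.conf is sourced as shell code, not parsed as data: anything in it
# runs with this script's privileges. Keep it owned by and writable only by
# the account that runs this script. It is expected to define SERVICE_MAIL,
# SERVICE_XMPP, SERVICE_TURN, SSH_PORT and TURN_PORT (read below).
. ./myserver.conf || exit 1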
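#######################################
# Installs pf-badhost and what it needs: packages, the _pfbadhost user,
# its files and log directory, doas rules and the cron job.
# Globals:   none read; writes under /etc, /usr/local/bin, /var/log, /var/cron
# Arguments: none
# Returns:   0 on success, 1 if the download or the doas.conf check fails
#######################################
install_firewall_packages(){
  # NOTE(review): "ssh_guard" does not match the OpenBSD port name, which is
  # spelled sshguard; confirm with pkg_info before relying on this line.
  pkg_add ssh_guard curl
  useradd -s /sbin/nologin -d /var/empty _pfbadhost
  # Work in a private directory from mktemp: a fixed name in /tmp could be
  # pre-created or symlinked by another local user while root writes to it.
  tmpdir=$(mktemp -d) || return 1
  # Stop if the download fails so a missing or partial file is never
  # installed as a root-owned executable.
  if ! ftp -o "$tmpdir/pf-badhost.sh" https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh; then
    echo "pf-badhost download failed" >&2
    rm -rf -- "$tmpdir"
    return 1
  fi
  # TODO: compare the download against a pinned checksum (<EXPECTED_SHA256>,
  # to be filled in) before installing it.
  install -m 755 -o root -g bin "$tmpdir/pf-badhost.sh" /usr/local/bin/pf-badhost
  install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
  install -d -m 755 -o root -g wheel /var/log/pf-badhost
  install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
  install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
  # Rebuild doas.conf without any earlier _pfbadhost lines (and the marker
  # comment) so re-running the script does not duplicate rules.
  cp -v /etc/doas.conf /etc/doas.conf.old
  grep -v -e "_pfbadhost" -e "^# Pf badhost$" /etc/doas.conf > "$tmpdir/doas.conf"
  cat >> "$tmpdir/doas.conf" <<'EOF'
# Pf badhost
permit nopass _pfbadhost as root cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost as root cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
permit nopass _pfbadhost as root cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
EOF
  # Let doas parse the candidate file before it replaces the live one: a
  # syntax error in doas.conf disables every doas rule on the host.
  if ! doas -C "$tmpdir/doas.conf"; then
    echo "generated doas.conf rejected by doas -C; /etc/doas.conf left untouched" >&2
    rm -rf -- "$tmpdir"
    return 1
  fi
  # 0600 root:wheel: doas runs as root and nobody else needs to read the rules.
  install -m 600 -o root -g wheel "$tmpdir/doas.conf" /etc/doas.conf
  rm -rf -- "$tmpdir"
  cat > /var/cron/tabs/_pfbadhost <<'EOF'
# (Cron version V5.0)
~ 0~1 * * * -s pf-badhost -O openbsd
EOF
  chown _pfbadhost:crontab /var/cron/tabs/_pfbadhost
  chmod 600 /var/cron/tabs/_pfbadhost
}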
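#######################################
# Starts my_configuration/pf.conf from the default template.
# The source directory is default_configuration, as used by the rest of
# this script (the original had a typo, default_configruation).
# Globals:   none
# Arguments: none
# Outputs:   cp -v progress on stdout
# Returns:   0 on success, non-zero if the directory or copy fails
#######################################
set_basic_configuration(){
  mkdir -p my_configuration || return 1
  cp -v default_configuration/pf.conf my_configuration/pf.conf
}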
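#######################################
# Appends the macros and per-service rules to my_configuration/pf.conf.
# Globals:   SERVICE_MAIL, SERVICE_XMPP, SERVICE_TURN (read; "yes" enables)
#            SSH_PORT, TURN_PORT (read; written into pf macros)
# Arguments: none
# Outputs:   appends to my_configuration/pf.conf
# Returns:   0 on success, 1 if a required port is unset or the file cannot
#            be written
# Tables <whitelist>, <bruteforce> and <http_abusive_hosts> are referenced
# but not declared here; presumably the template in default_configuration
# declares them — verify, pfctl -nf rejects undeclared tables.
#######################################
set_open_service(){
  pfconf=my_configuration/pf.conf
  # An empty macro produces "to port  modulate", which pfctl rejects; fail
  # early with a message instead of writing a ruleset that cannot load.
  if [ -z "$SSH_PORT" ]; then
    echo "SSH_PORT is not set" >&2
    return 1
  fi
  if [ "$SERVICE_TURN" = "yes" ] && [ -z "$TURN_PORT" ]; then
    echo "SERVICE_TURN=yes but TURN_PORT is not set" >&2
    return 1
  fi
  # pf resolves macros at parse time, so every macro is written here, before
  # the first rule that references it, and into the same file as the rules.
  {
    printf '#déclaration des variables\n'
    printf 'web_ports = "{ http https }"\n'
    printf 'ssh_port = "%s"\n' "$SSH_PORT"
    if [ "$SERVICE_MAIL" = "yes" ]; then
      printf 'mail_ports = "{ smtp submission imap }"\n'
    fi
    if [ "$SERVICE_XMPP" = "yes" ]; then
      printf 'xmpp_ports = "{ 5222 5269 }"\n'
    fi
    if [ "$SERVICE_TURN" = "yes" ]; then
      printf 'turn_port = "%s"\n' "$TURN_PORT"
    fi
  } >> "$pfconf" || return 1
  # Quoted heredocs: $macro and trailing backslashes reach pf.conf literally,
  # so no shell escaping is needed in the rule text.
  cat >> "$pfconf" <<'EOF'
#On évite les bruteforces
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <http_abusive_hosts> flush)
## Anti bruteforce
### SSH
#### Limit 5 connexions simultanne par IP source
#### Limit 15 tentatives de connexion toutes les 5 minutes
pass in on egress proto tcp to port $ssh_port modulate state \
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
  if [ "$SERVICE_MAIL" = "yes" ]; then
    cat >> "$pfconf" <<'EOF'
# mails
## antispam
pass in on egress proto tcp to port $mail_ports modulate state \
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
pass out log on egress proto tcp to any port smtp
EOF
  fi
  if [ "$SERVICE_XMPP" = "yes" ]; then
    cat >> "$pfconf" <<'EOF'
# XMPP
pass in on egress proto tcp to port $xmpp_ports modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
  fi
  if [ "$SERVICE_TURN" = "yes" ]; then
    cat >> "$pfconf" <<'EOF'
pass in on egress proto tcp to port $turn_port modulate state \
(max-src-conn 20, max-src-conn-rate 30/1, overload <bruteforce> flush global)
pass in on egress proto udp to port $turn_port
EOF
  fi
}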
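#######################################
# Validates the generated ruleset, installs it as /etc/pf.conf (keeping the
# previous file as /etc/pf.old) and loads it into pf.
# Globals:   none
# Arguments: none
# Outputs:   cp -v progress on stdout; pfctl and error messages on stderr
# Returns:   0 when the ruleset loaded, 1 otherwise
#######################################
install_conf_and_enable(){
  # Dry-run first (pfctl -n): a ruleset that does not parse must never be
  # copied over the live /etc/pf.conf.
  if ! pfctl -nf my_configuration/pf.conf; then
    echo "Il y a un problème dans la configuration du firewall" >&2
    return 1
  fi
  cp -v /etc/pf.conf /etc/pf.old || return 1
  cp -v my_configuration/pf.conf /etc/pf.conf || return 1
  # pf keeps the old ruleset loaded when -f fails, so restore the file too
  # and keep the running firewall and /etc/pf.conf in step.
  if ! pfctl -f /etc/pf.conf; then
    cp -v /etc/pf.old /etc/pf.conf
    return 1
  fi
}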
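# Entry point. POSIX [ uses a single "=" (the script runs under /bin/sh);
# an unknown or missing mode prints usage instead of silently doing nothing,
# and each step only runs if the previous one succeeded.
case "$1" in
  gen-config-only)
    set_basic_configuration && set_open_service
    ;;
  install)
    install_firewall_packages \
      && set_basic_configuration \
      && set_open_service \
      && install_conf_and_enable
    ;;
  *)
    printf 'usage: %s gen-config-only|install\n' "$0" >&2
    exit 2
    ;;
esac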