comparison maltfilter @ 93:55670dabda5a maltfilter-0.19.2

Add support for FILTER_CHAIN and FILTER_TABLE settings.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 30 Aug 2009 23:06:58 +0300
parents 3bcc17b754bf
children b1f9df8bb084
92:6e47a5c97538 93:55670dabda5a
11 use Net::IP; 11 use Net::IP;
12 use Net::DNS; 12 use Net::DNS;
13 use LWP::UserAgent; 13 use LWP::UserAgent;
14 use IO::Seekable; 14 use IO::Seekable;
15 15
16 my $progversion = "0.19.1"; 16 my $progversion = "0.19.2";
17 my $progbanner = 17 my $progbanner =
18 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". 18 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
19 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". 19 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
20 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; 20 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";
21 21
35 35
36 "FILTER" => 0, 36 "FILTER" => 0,
37 "FILTER_THRESHOLD" => 3, 37 "FILTER_THRESHOLD" => 3,
38 "FILTER_MAX_AGE" => 168, # in hours 38 "FILTER_MAX_AGE" => 168, # in hours
39 "FILTER_TARGET" => "DROP", 39 "FILTER_TARGET" => "DROP",
40 "FILTER_CHAIN" => "INPUT",
41 "FILTER_TABLE" => "filter",
40 "IPTABLES" => "/sbin/iptables", 42 "IPTABLES" => "/sbin/iptables",
41 43
42 "FULL_TIME" => 1, 44 "FULL_TIME" => 1,
43 "STATUS_FILE_PLAIN" => "", 45 "STATUS_FILE_PLAIN" => "",
44 "STATUS_FILE_HTML" => "", 46 "STATUS_FILE_HTML" => "",
70 "127.0.0.0/8", 72 "127.0.0.0/8",
71 "10.0.0.0/8", 73 "10.0.0.0/8",
72 "172.16.0.0/12", 74 "172.16.0.0/12",
73 "192.168.0.0/16" 75 "192.168.0.0/16"
74 ); 76 );
77
78 # Valid target tables for FILTER_TABLE
79 my %filter_valid_tables = ("filter", "nat", "mangle", "raw");
75 80
76 my %systemacct = (); 81 my %systemacct = ();
77 sub check_add_hit($$$$$$); 82 sub check_add_hit($$$$$$);
78 83
79 84
798 } else { 803 } else {
799 system(@args) == 0 or print join(" ", @args)." failed: $?\n"; 804 system(@args) == 0 or print join(" ", @args)." failed: $?\n";
800 } 805 }
801 } 806 }
802 807
803 ### Get current Netfilter INPUT table entries that match 808 ### Get current Netfilter table entries that match entry types we
804 ### entry types we manage, e.g. filterlist 809 ### manage, e.g. filterlist
805 sub update_filterlist($) 810 sub update_filterlist($)
806 { 811 {
807 my $first = $_[0]; 812 my $first = $_[0];
808 return unless ($settings{"FILTER"} > 0); 813 return unless ($settings{"FILTER"} > 0);
809 814
810 $ENV{"PATH"} = ""; 815 $ENV{"PATH"} = "";
811 open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or 816 open(STATUS, $settings{"IPTABLES"}." -v -n -t ".$settings{"FILTER_TABLE"}." -L ".$settings{"FILTER_CHAIN"}." |") or
812 mdie("Could not execute ".$settings{"IPTABLES"}."\n"); 817 mdie("Could not execute ".$settings{"IPTABLES"}."\n");
813 my %newlist = (); 818 my %newlist = ();
814 undef(%newlist); 819 undef(%newlist);
815 while (<STATUS>) { 820 while (<STATUS>) {
816 chomp; 821 chomp;
854 ### Weed out old entries 859 ### Weed out old entries
855 sub weed_do($) 860 sub weed_do($)
856 { 861 {
857 my $mtime = $filterlist{$_[0]}; 862 my $mtime = $filterlist{$_[0]};
858 mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n"); 863 mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n");
859 exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"}); 864 exec_iptables("-t", $settings{"FILTER_TABLE"}, "-D", $settings{"FILTER_CHAIN"}, "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"});
860 delete($filterlist{$_[0]}); 865 delete($filterlist{$_[0]});
861 delete($statlist{$_[0]}); 866 delete($statlist{$_[0]});
862 delete($ignorelist{$_[0]}); 867 delete($ignorelist{$_[0]});
863 } 868 }
864 869
979 # Check if we have exceeded threshold etc. 984 # Check if we have exceeded threshold etc.
980 if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) { 985 if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) {
981 # Add to filterlist, unless already there. 986 # Add to filterlist, unless already there.
982 if (!defined($filterlist{$mip})) { 987 if (!defined($filterlist{$mip})) {
983 mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n"); 988 mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n");
984 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"}); 989 exec_iptables("-t", $settings{"FILTER_TABLE"}, "-I", $settings{"FILTER_CHAIN"}, "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"});
985 } 990 }
986 # Update date of last hit 991 # Update date of last hit
987 $filterlist{$mip} = $mdate; 992 $filterlist{$mip} = $mdate;
988 } 993 }
989 994
1236 1241
1237 $val = $settings{"FILTER_THRESHOLD"}; 1242 $val = $settings{"FILTER_THRESHOLD"};
1238 mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); 1243 mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0);
1239 1244
1240 $val = $settings{"IPTABLES"}; 1245 $val = $settings{"IPTABLES"};
1241 mdie("iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val); 1246 mdie("Iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val);
1247
1248 $val = $settings{"FILTER_TARGET"};
1249 mdie("Value of FILTER_TARGET must not be empty!\n") unless ($val ne "");
1250
1251 my $mtable = $settings{"FILTER_TABLE"};
1252 mdie("Value of FILTER_TABLE should be one of ".join(", ", keys %filter_valid_tables).".\n")
1253 unless defined($filter_valid_tables{$mtable});
1254
1255 $val = $settings{"FILTER_CHAIN"};
1256 mdie("Value of FILTER_CHAIN must not be empty!\n") unless ($val ne "");
1242 } else { 1257 } else {
1243 mlog(1, "Netfilter handling disabled.\n"); 1258 mlog(1, "Netfilter handling disabled.\n");
1244 } 1259 }
1245 1260
1246 # Check evidence settings 1261 # Check evidence settings
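Review bot: The FILTER_TABLE check added at new lines 1251–1253 rejects the tables "nat" and "raw", because `%filter_valid_tables` (new line 79) is initialised from a flat four-element list and therefore holds the two pairs filter=>nat and mangle=>raw, so `defined($filter_valid_tables{"nat"})` is false and the error message lists only `filter, mangle`. Initialise it as a set instead: `my %filter_valid_tables = map { $_ => 1 } qw(filter nat mangle raw);`. Separately, update_filterlist (new line 816) now interpolates FILTER_TABLE and FILTER_CHAIN into a two-argument piped open, so the configured chain name is handed to a shell, while exec_iptables passes the same values as a list to system(); the list form `open(STATUS, "-|", $settings{"IPTABLES"}, "-v", "-n", "-t", $settings{"FILTER_TABLE"}, "-L", $settings{"FILTER_CHAIN"})` avoids the shell entirely, and the non-empty test at new line 1256 could additionally restrict the chain name with an anchored character-class regex. The bodies of update_filterlist and of the settings-check block both extend outside the visible hunks.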