comparison maltfilter @ 93:55670dabda5a maltfilter-0.19.2
Add support for FILTER_CHAIN and FILTER_TABLE settings.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sun, 30 Aug 2009 23:06:58 +0300 |
parents | 3bcc17b754bf |
children | b1f9df8bb084 |
92:6e47a5c97538 | 93:55670dabda5a |
---|---|
11 use Net::IP; | 11 use Net::IP; |
12 use Net::DNS; | 12 use Net::DNS; |
13 use LWP::UserAgent; | 13 use LWP::UserAgent; |
14 use IO::Seekable; | 14 use IO::Seekable; |
15 | 15 |
16 my $progversion = "0.19.1"; | 16 my $progversion = "0.19.2"; |
17 my $progbanner = | 17 my $progbanner = |
18 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". | 18 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". |
19 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". | 19 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". |
20 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; | 20 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; |
21 | 21 |
35 | 35 |
36 "FILTER" => 0, | 36 "FILTER" => 0, |
37 "FILTER_THRESHOLD" => 3, | 37 "FILTER_THRESHOLD" => 3, |
38 "FILTER_MAX_AGE" => 168, # in hours | 38 "FILTER_MAX_AGE" => 168, # in hours |
39 "FILTER_TARGET" => "DROP", | 39 "FILTER_TARGET" => "DROP", |
40 "FILTER_CHAIN" => "INPUT", | |
41 "FILTER_TABLE" => "filter", | |
40 "IPTABLES" => "/sbin/iptables", | 42 "IPTABLES" => "/sbin/iptables", |
41 | 43 |
42 "FULL_TIME" => 1, | 44 "FULL_TIME" => 1, |
43 "STATUS_FILE_PLAIN" => "", | 45 "STATUS_FILE_PLAIN" => "", |
44 "STATUS_FILE_HTML" => "", | 46 "STATUS_FILE_HTML" => "", |
70 "127.0.0.0/8", | 72 "127.0.0.0/8", |
71 "10.0.0.0/8", | 73 "10.0.0.0/8", |
72 "172.16.0.0/12", | 74 "172.16.0.0/12", |
73 "192.168.0.0/16" | 75 "192.168.0.0/16" |
74 ); | 76 ); |
77 | |
78 # Valid target tables for FILTER_TABLE | |
79 my %filter_valid_tables = ("filter", "nat", "mangle", "raw"); | |
75 | 80 |
76 my %systemacct = (); | 81 my %systemacct = (); |
77 sub check_add_hit($$$$$$); | 82 sub check_add_hit($$$$$$); |
78 | 83 |
79 | 84 |
798 } else { | 803 } else { |
799 system(@args) == 0 or print join(" ", @args)." failed: $?\n"; | 804 system(@args) == 0 or print join(" ", @args)." failed: $?\n"; |
800 } | 805 } |
801 } | 806 } |
802 | 807 |
803 ### Get current Netfilter INPUT table entries that match | 808 ### Get current Netfilter table entries that match entry types we |
804 ### entry types we manage, e.g. filterlist | 809 ### manage, e.g. filterlist |
805 sub update_filterlist($) | 810 sub update_filterlist($) |
806 { | 811 { |
807 my $first = $_[0]; | 812 my $first = $_[0]; |
808 return unless ($settings{"FILTER"} > 0); | 813 return unless ($settings{"FILTER"} > 0); |
809 | 814 |
810 $ENV{"PATH"} = ""; | 815 $ENV{"PATH"} = ""; |
811 open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or | 816 open(STATUS, $settings{"IPTABLES"}." -v -n -t ".$settings{"FILTER_TABLE"}." -L ".$settings{"FILTER_CHAIN"}." |") or |
812 mdie("Could not execute ".$settings{"IPTABLES"}."\n"); | 817 mdie("Could not execute ".$settings{"IPTABLES"}."\n"); |
813 my %newlist = (); | 818 my %newlist = (); |
814 undef(%newlist); | 819 undef(%newlist); |
815 while (<STATUS>) { | 820 while (<STATUS>) { |
816 chomp; | 821 chomp; |
854 ### Weed out old entries | 859 ### Weed out old entries |
855 sub weed_do($) | 860 sub weed_do($) |
856 { | 861 { |
857 my $mtime = $filterlist{$_[0]}; | 862 my $mtime = $filterlist{$_[0]}; |
858 mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n"); | 863 mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n"); |
859 exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"}); | 864 exec_iptables("-t", $settings{"FILTER_TABLE"}, "-D", $settings{"FILTER_CHAIN"}, "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"}); |
860 delete($filterlist{$_[0]}); | 865 delete($filterlist{$_[0]}); |
861 delete($statlist{$_[0]}); | 866 delete($statlist{$_[0]}); |
862 delete($ignorelist{$_[0]}); | 867 delete($ignorelist{$_[0]}); |
863 } | 868 } |
864 | 869 |
979 # Check if we have exceeded threshold etc. | 984 # Check if we have exceeded threshold etc. |
980 if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) { | 985 if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) { |
981 # Add to filterlist, unless already there. | 986 # Add to filterlist, unless already there. |
982 if (!defined($filterlist{$mip})) { | 987 if (!defined($filterlist{$mip})) { |
983 mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n"); | 988 mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n"); |
984 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"}); | 989 exec_iptables("-t", $settings{"FILTER_TABLE"}, "-I", $settings{"FILTER_CHAIN"}, "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"}); |
985 } | 990 } |
986 # Update date of last hit | 991 # Update date of last hit |
987 $filterlist{$mip} = $mdate; | 992 $filterlist{$mip} = $mdate; |
988 } | 993 } |
989 | 994 |
1236 | 1241 |
1237 $val = $settings{"FILTER_THRESHOLD"}; | 1242 $val = $settings{"FILTER_THRESHOLD"}; |
1238 mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); | 1243 mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); |
1239 | 1244 |
1240 $val = $settings{"IPTABLES"}; | 1245 $val = $settings{"IPTABLES"}; |
1241 mdie("iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val); | 1246 mdie("Iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val); |
1247 | |
1248 $val = $settings{"FILTER_TARGET"}; | |
1249 mdie("Value of FILTER_TARGET must not be empty!\n") unless ($val ne ""); | |
1250 | |
1251 my $mtable = $settings{"FILTER_TABLE"}; | |
1252 mdie("Value of FILTER_TABLE should be one of ".join(", ", keys %filter_valid_tables).".\n") | |
1253 unless defined($filter_valid_tables{$mtable}); | |
1254 | |
1255 $val = $settings{"FILTER_CHAIN"}; | |
1256 mdie("Value of FILTER_CHAIN must not be empty!\n") unless ($val ne ""); | |
1242 } else { | 1257 } else { |
1243 mlog(1, "Netfilter handling disabled.\n"); | 1258 mlog(1, "Netfilter handling disabled.\n"); |
1244 } | 1259 } |
1245 | 1260 |
1246 # Check evidence settings | 1261 # Check evidence settings |
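Review bot: The `%filter_valid_tables` hash at new line 79 is built from a flat four-element list, so Perl pairs the elements as `filter => "nat"` and `mangle => "raw"`; the `defined($filter_valid_tables{$mtable})` check at new line 1253 therefore rejects the `nat` and `raw` tables and the error message lists only `filter, mangle`. Initialize it as a set instead: `my %filter_valid_tables = map { $_ => 1 } qw(filter nat mangle raw);`. Separately, the `open(STATUS, ...)` at new line 816 in `update_filterlist` builds a shell pipeline string from `FILTER_TABLE` and `FILTER_CHAIN`, and `FILTER_CHAIN` is only checked for being non-empty at new line 1256, so a chain name containing shell metacharacters in the config would be interpreted by the shell rather than passed to iptables; the list-form `open(STATUS, '-|', $settings{"IPTABLES"}, "-v", "-n", "-t", $settings{"FILTER_TABLE"}, "-L", $settings{"FILTER_CHAIN"})` avoids the shell entirely and matches the `system(@args)` list form visible at new line 804 (apparently the body of `exec_iptables`). `update_filterlist` continues outside the hunk, as does the function enclosing the threshold block at new lines 984-993.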