# HG changeset patch
# User Matti Hamalainen
# Date 1250178955 -10800
# Node ID ee5f7b8dcdea7d13ea006cc8046f586b829dc86c
# Parent 56612ebc16acc533ba36999f2fb01bc147170aed
Features, yay.
diff -r 56612ebc16ac -r ee5f7b8dcdea example.conf
--- a/example.conf Thu Aug 13 18:17:26 2009 +0300
+++ b/example.conf Thu Aug 13 18:55:55 2009 +0300
@@ -49,8 +49,11 @@
 # Full path to iptables binary
 IPTABLES = "/sbin/iptables"
 
-# IP(s) NOT to be blocked under any circumstances, separated by pipes (|).
-# You should set this if you wish to have a surefire open channel from
-# somewhere, even in case someone tries to spoof IPs for denial of service.
+# IP addresses that should NOT be blocked under any circumstances. You should
+# set this if you wish to have a surefire open channel from some host, even in
+# the case someone tries to spoof IPs for denial of service.
+#
 # NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
-NOBLOCK_HOSTS = "127.0.0.1|74.125.45.100"
+# You can have any number of NOBLOCK_IPS settings.
+NOBLOCK_IPS = "127.0.0.1"
+NOBLOCK_IPS = "74.125.45.100"
diff -r 56612ebc16ac -r ee5f7b8dcdea maltfilter
--- a/maltfilter Thu Aug 13 18:17:26 2009 +0300
+++ b/maltfilter Thu Aug 13 18:55:55 2009 +0300
@@ -26,7 +26,6 @@
 "ACTION" => "DROP",
 "LOGFILE" => "/var/log/maltfilter",
 "IPTABLES" => "/sbin/iptables",
- "NOBLOCK_HOSTS" => "127.0.0.1",
 
 "CHK_SSHD" => 1,
 "CHK_KNOWN_CGI" => 1,
@@ -43,11 +42,15 @@
 "/var/log/httpd/access.log"
 );
 
+my @noblock_ips_def = (
+ "127.0.0.1",
+);
 
 #############################################################################
 ### Script code
 #############################################################################
 my @scanfiles = ();
+my @noblock_ips = ();
 my %filehandles = ();
 my %hitcount = ();
 my %iplist = ();
@@ -127,17 +130,19 @@
 }
 }
 
-sub check_hosts($$)
+
+sub check_hosts_array(@$)
 {
- my $host = $_[1];
- my $ip = new Net::IP($host);
- foreach my $test (split(/\s*\|\s*/, $_[0])) {
- my $test_ip = new Net::IP($test);
- if ($host eq $test) {
+ my @hostlist = shift;
+ my $chk_host = shift;
+ my $chk_ip = new Net::IP($chk_host);
+ foreach my $host (@hostlist) {
+ my $ip = new Net::IP($host);
+ if ($chk_host eq $host) {
 return 1;
 }
- if (defined($ip) && defined($test_ip)) {
- if ($ip->binip() eq $test_ip->binip()) {
+ if (defined($chk_ip) && defined($ip)) {
+ if ($chk_ip->binip() eq $ip->binip()) {
 return 1;
 }
 }
@@ -145,6 +150,12 @@
 return 0;
 }
 
+sub check_hosts($$)
+{
+ return check_hosts_array(split(/\s*\|\s*/, $_[0]), $_[1]);
+}
+
+
 ### Execute iptables
 sub exec_iptables(@)
 {
@@ -219,7 +230,7 @@
 return;
 }
 if (!defined($iplist{$mip})) {
- if (!check_hosts($settings{"NOBLOCK_HOSTS"}, $mip)) {
+ if (!check_hosts_array(@noblock_ips, $mip)) {
 # Add entry that has >= treshold hits and is not added yet
 mlog(1, "* Adding $mip ($mdate): $mreason\n");
 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"});
@@ -371,6 +382,8 @@
 my $value = $2;
 if ($key eq "SCANFILE") {
 push(@scanfiles_def, $value);
+ elsif ($key eq "NOBLOCK_IPS") {
+ push(@noblock_ips_def, $value);
 } elsif (defined($settings{$key})) {
 $settings{$key} = $value;
 } else {
@@ -386,10 +399,12 @@
 die("Errors in configuration file '$config_file', bailing out.\n") unless ($errors == 0);
 }
 
 
-# Clean up scanfiles from duplicate entries
+# Clean up certain arrays duplicate entries
 my %saw = ();
 @scanfiles = grep(!$saw{$_}++, @scanfiles_def);
+undef(%saw);
+@noblock_ips = grep(!$saw{$_}++, @noblock_ips_def);
 
 # Open logfile
 if ($settings{"DRY_RUN"}) {
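Review bot: `my @hostlist = shift;` in check_hosts_array assigns a single scalar, so @hostlist only ever holds the first element of @_, and the following `my $chk_host = shift;` then receives the second no-block address rather than the host under test; with the two NOBLOCK_IPS entries from example.conf the function compares the allow-list against itself, $mip is never examined, and nothing in the list (127.0.0.1 included) is actually protected from being dropped. Since an unbackslashed `@` in a prototype consumes every remaining argument (the trailing `$` in `(@$)` is never applied), the call sites in this commit flatten everything into @_, so take the host under test from the end instead: `my $chk_host = pop;` followed by `my @hostlist = @_;`, which also keeps the check_hosts wrapper in the next hunk working. As a point of style, the indirect-object `new Net::IP($host)` calls would be safer written as `Net::IP->new($host)`. check_hosts_array continues past the end of this hunk.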
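Review bot: The added `elsif ($key eq "NOBLOCK_IPS") {` in the -371 hunk is not preceded by the closing brace of the `if ($key eq "SCANFILE")` block, so the patched script no longer parses; the line should read `} elsif ($key eq "NOBLOCK_IPS") {`. The value is also pushed onto @noblock_ips_def without validation, so a mistyped address produces an undefined Net::IP object in check_hosts_array and silently degrades to a plain string comparison; since the loader already tracks $errors (visible in the -386 hunk), it would be worth rejecting values that `Net::IP->new($value)` cannot parse at this point and counting them as configuration errors. The enclosing configuration-parsing loop starts and ends outside the hunk.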
@@ -403,6 +418,12 @@
 mlog(-1, "Log started\n");
 }
 
+# Test existence of iptables
+if (! -e $settings{"IPTABLES"} || ! -x $settings{"IPTABLES"}) {
+ my $msg = "iptables binary does not exist or is not executable: ".$settings{"IPTABLES"}."\n";
+ mlog(-1, $msg);
+ die($msg);
+}
 
 # Initialize
 update_iplist(-1);
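Review bot: `! -e $settings{"IPTABLES"}` in the new existence test is redundant, because `-x` already yields false for a path that does not exist, so `if (! -x $settings{"IPTABLES"}) {` expresses the same check. The test also runs unconditionally, while the `if ($settings{"DRY_RUN"})` branch just above it suggests the script can be exercised without invoking iptables; if dry runs are meant to work on a host without the binary, this `die` should presumably be skipped or reduced to a warning under DRY_RUN. Calling mlog(-1, $msg) and then die($msg) with the same text may also emit the message twice when the log is directed at the terminal; worth confirming against mlog's behaviour, which is outside this hunk.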