diff --git a/gestion/config/config.py b/gestion/config/config.py
index a1f41b35..82e24d80 100644
--- a/gestion/config/config.py
+++ b/gestion/config/config.py
@@ -277,12 +277,12 @@ file_pickle = { 4 : '/tmp/ipt_pickle', 6 : '/tmp/ip6t_pickle' }
-blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq']
+blacklist_sanctions = ['warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq']
 if bl_carte_et_definitif: blacklist_sanctions.append('carte_etudiant')
 blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus',
- 'upload', 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide']
-blacklist_bridage_upload = ['autodisc_upload']
+ 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide']
+blacklist_bridage_upload = ['autodisc_upload', 'upload']
 adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis', 'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ]
diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py
index 69d4156e..bd1e4277 100755
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -463,6 +463,7 @@ class firewall_komaz(firewall_base_routeur):
 'reseaux_non_routable' : self.reseaux_non_routable,
 'filtrage_ports' : self.filtrage_ports,
 'limitation_debit' : self.limitation_debit,
+ 'limit_ssh_connexion' : self.limit_ssh_connexion,
 })
 self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable])
@@ -522,6 +523,7 @@ class firewall_komaz(firewall_base_routeur):
 self.add(table, chain, '-j %s' % self.connexion_secours(table))
 self.add(table, chain, '-j %s' % self.connexion_appartement(table))
 self.add(table, chain, '-j %s' % self.ingress_filtering(table))
+ self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table))
 self.add(table, chain, '-j %s' % self.filtrage_ports(table))
 return
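Review bot: The meaning of the three lists is not documented, and this change alters it: `'upload'` leaves both `blacklist_sanctions` and `blacklist_sanctions_soft` and only remains in `blacklist_bridage_upload`, so a machine whose only active blacklist is `upload` is no longer placed in the soft ipset (the firewall4.py hunk at line 694 deletes it from that set and adds it to the upload one). If that relaxation is intended, a comment above each list would make it reviewable, e.g. above the last one `# blacklist types that only throttle upload (ipset blacklist/upload) and carry no soft/hard sanction`. The distinction between `blacklist_sanctions` and `blacklist_sanctions_soft` deserves the same one-line comment, since `'upload'` sat in both before and a reader cannot tell from this file which of the two was actually enforced for it.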
@@ -538,6 +540,19 @@ class firewall_komaz(firewall_base_routeur):
 self.add(table, chain, '-j %s' % self.connexion_appartement(table))
 return
+ def limit_ssh_connexion(self, table=None, apply=False):
+ chain = 'LIMIT-SSH-CONNEXION'
+
+ if table == 'filter':
+ pretty_print(table, chain)
+ self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
+ self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev['out'])
+ print OK
+
+ if apply:
+ self.apply(table, chain)
+ return chain
+
 def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
 chain = super(self.__class__, self).test_mac_ip()
@@ -679,16 +694,18 @@ class firewall_komaz(firewall_base_routeur):
 for ip in ip_list:
 machine = conn.search("ipHostNumber=%s" % ip)
 # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
- if machine:
- if set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
- try: self.ipset['blacklist']['soft'].add(ip)
- except IpsetError: pass
- if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
- try: self.ipset['blacklist']['upload'].add(ip)
- except IpsetError: pass
+ if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
+ try: self.ipset['blacklist']['soft'].add(ip)
+ except IpsetError: pass
 else:
 try: self.ipset['blacklist']['soft'].delete(ip)
 except IpsetError: pass
+
+ # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
+ if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
+ try: self.ipset['blacklist']['upload'].add(ip)
+ except IpsetError: pass
+
 else:
 try: self.ipset['blacklist']['upload'].delete(ip)
 except IpsetError: pass
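Review bot: `limit_ssh_connexion` has no docstring and its `-j DROP` is silent, so nothing records when a source trips the limit; a docstring stating the policy (NEW SSH connections arriving on `dev['out']`, tracked per source address by `xt_recent`, dropped once 10 hits fall within 30 s, `--rttl` additionally requiring the same TTL) and, if the class already has a logging helper, a LOG rule ahead of the DROP would make the behaviour auditable. Two properties of `-m recent` are worth stating in that docstring: the `SSH` list holds at most 100 source entries by default (`ip_list_tot`), so under a wide spread of sources older entries are evicted and the limit silently stops applying to them, and because the key is the source address every host behind one NAT shares a single budget of 10 new connections per 30 s. This file only generates IPv4 rules; unless the IPv6 generator gets a counterpart, SSH over IPv6 is not rate-limited. `pretty_print` and `OK` are used as in the rest of the class and come from outside this hunk.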
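Review bot: The set of active blacklist types is computed twice per address — `machine[0].blacklist_actif()` and the set comprehension are repeated in both `if` conditions — so the soft and upload decisions may be taken on two separate lookups and whatever `blacklist_actif()` costs is paid twice per host. Compute it once before the two checks: `types_actifs = set(bl.value['type'] for bl in machine[0].blacklist_actif()) if machine else set()`, then `if types_actifs.intersection(blacklist_sanctions_soft):` and `if types_actifs.intersection(blacklist_bridage_upload):`; with an empty set both `else:` branches still delete the address from their ipset as they do now. The added blank line between `except IpsetError: pass` and the second `else:` is legal but visually detaches the `else` from its `if`; dropping it matches the soft block just above. The `for` loop and its enclosing method start before this hunk.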