crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[config, firewall4] Bridage upload long et limitation des connexion ssh

Browse source
This commit is contained in:
Valentin Samir 2013-04-25 14:09:59 +02:00
parent c37b3b0f34
commit 19d782c0be
2 changed files with 27 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
gestion/config/config.py
View file

@ -277,12 +277,12 @@ file_pickle = { 4 : '/tmp/ipt_pickle',
6 : '/tmp/ip6t_pickle' 6 : '/tmp/ip6t_pickle'
} }
blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq'] blacklist_sanctions = ['warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq']
if bl_carte_et_definitif: if bl_carte_et_definitif:
blacklist_sanctions.append('carte_etudiant') blacklist_sanctions.append('carte_etudiant')
blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus', blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus',
'upload', 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide'] 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide']
blacklist_bridage_upload = ['autodisc_upload'] blacklist_bridage_upload = ['autodisc_upload', 'upload']
adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis', adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis',
'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ] 'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ]

27
gestion/gen_confs/firewall4.py
View file

@ -463,6 +463,7 @@ class firewall_komaz(firewall_base_routeur):
'reseaux_non_routable' : self.reseaux_non_routable, 'reseaux_non_routable' : self.reseaux_non_routable,
'filtrage_ports' : self.filtrage_ports, 'filtrage_ports' : self.filtrage_ports,
'limitation_debit' : self.limitation_debit, 'limitation_debit' : self.limitation_debit,
'limit_ssh_connexion' : self.limit_ssh_connexion,
}) })
self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable]) self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable])
@ -522,6 +523,7 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-j %s' % self.connexion_secours(table)) self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-j %s' % self.connexion_appartement(table)) self.add(table, chain, '-j %s' % self.connexion_appartement(table))
self.add(table, chain, '-j %s' % self.ingress_filtering(table)) self.add(table, chain, '-j %s' % self.ingress_filtering(table))
self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table))
self.add(table, chain, '-j %s' % self.filtrage_ports(table)) self.add(table, chain, '-j %s' % self.filtrage_ports(table))
return return
@ -538,6 +540,19 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-j %s' % self.connexion_appartement(table)) self.add(table, chain, '-j %s' % self.connexion_appartement(table))
return return
def limit_ssh_connexion(self, table=None, apply=False):
chain = 'LIMIT-SSH-CONNEXION'
if table == 'filter':
pretty_print(table, chain)
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev['out'])
print OK
if apply:
self.apply(table, chain)
return chain
def test_mac_ip(self, table=None, fill_ipset=False, apply=False): def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
chain = super(self.__class__, self).test_mac_ip() chain = super(self.__class__, self).test_mac_ip()
@ -679,16 +694,18 @@ class firewall_komaz(firewall_base_routeur):
for ip in ip_list: for ip in ip_list:
machine = conn.search("ipHostNumber=%s" % ip) machine = conn.search("ipHostNumber=%s" % ip)
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
if machine: if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
if set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
try: self.ipset['blacklist']['soft'].add(ip) try: self.ipset['blacklist']['soft'].add(ip)
except IpsetError: pass except IpsetError: pass
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else: else:
try: self.ipset['blacklist']['soft'].delete(ip) try: self.ipset['blacklist']['soft'].delete(ip)
except IpsetError: pass except IpsetError: pass
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else:
try: self.ipset['blacklist']['upload'].delete(ip) try: self.ipset['blacklist']['upload'].delete(ip)
except IpsetError: pass except IpsetError: pass