crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

On durcit avec du lubrifiant un peu le parefeu pour le bruteforce ssh.

Browse source
This commit is contained in:
Pierre-Elliott Bécue 2015-06-06 01:03:26 +02:00
parent 2838a60501
commit a70205526f
2 changed files with 32 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

3
gestion/gen_confs/firewall4/komaz.py
View file

@ -94,6 +94,7 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-p icmp -j ACCEPT') self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT') self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
self.add(table, chain, '-j %s' % blacklist_soft_chain) self.add(table, chain, '-j %s' % blacklist_soft_chain)
self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table))
for net in base.config.NETs['all'] + base.config.NETs['adm'] + base.config.NETs['personnel-ens']: for net in base.config.NETs['all'] + base.config.NETs['adm'] + base.config.NETs['personnel-ens']:
self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain)) self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
self.add(table, chain, '-j %s' % blacklist_hard_chain) self.add(table, chain, '-j %s' % blacklist_hard_chain)
@ -156,7 +157,7 @@ class firewall(base.firewall_routeur):
if table == 'filter': if table == 'filter':
pretty_print(table, chain) pretty_print(table, chain)
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out']) self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev['out']) self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 120 --hitcount 10 --rttl -j DROP' % dev['out'])
print OK print OK
if apply: if apply:

17
gestion/gen_confs/firewall6.py
View file

@ -20,7 +20,10 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys, re, os, pwd import sys
import re
import os
import pwd
sys.path.append('/usr/scripts/gestion') sys.path.append('/usr/scripts/gestion')
@ -57,13 +60,11 @@ def ports(dev_ip6, dev_list):
# Il semble qu'il faille un kernel >= .29 et iptables >= 1.4.3 # Il semble qu'il faille un kernel >= .29 et iptables >= 1.4.3
# http://netfilter.org/projects/iptables/files/changes-iptables-1.4.3.txt # http://netfilter.org/projects/iptables/files/changes-iptables-1.4.3.txt
# ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m \ ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set ' % dev_ip6)
#recent --name SSH --set ' % dev_ip6) ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 120 --hitcount 10 --rttl -j DROP' % dev_ip6)
# ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m \ ip6tables.filter.input('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set ' % dev_ip6)
#recent --name SSH --update --seconds 60 --hitcount 4 --rttl -j DROP' % ip6tables.filter.input('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 120 --hitcount 10 --rttl -j DROP' % dev_ip6)
# dev_ip6) #ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -j ACCEPT' % dev_ip6)
# ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW \
#-j ACCEPT' % dev_ip6)
for proto in open_ports.keys(): for proto in open_ports.keys():
ip6tables.filter.forward('-i %s -p %s -m multiport --dports %s -j ACCEPT' % (dev_ip6, proto, open_ports[proto])) ip6tables.filter.forward('-i %s -p %s -m multiport --dports %s -j ACCEPT' % (dev_ip6, proto, open_ports[proto]))