Create firehol and white sets

bcdd843a · Ruzal Gimazov · 67c40fa5 · bcdd843a · bcdd843a · bcdd843a
Commit bcdd843a authored Apr 30, 2020 by Ruzal Gimazov
6 changed files
--- a/ban-server/etc/nginx/sites-enabled.d/eterban.conf
+++ b/ban-server/etc/nginx/sites-enabled.d/eterban.conf
 server {
-        listen 91.232.225.67:80;
+        listen 91.232.225.67:81;
        #server_name priv.etersoft.ru;
-<------>root /var/www/html/eterban/;
+		root /var/www/html/eterban/;
        location  / {
-<------>    # add_header Access-Control-Allow-Origin *;
+		    # add_header Access-Control-Allow-Origin *;
            # try_files $uri $uri/ /index.php?$query_string;
-............
-<------>    index index.html;
+		    index index.html;
-<------>    #include /etc/nginx/fastcgi_params;
+		    #include /etc/nginx/fastcgi_params;
-<------>    #fastcgi_pass unix:/var/run/php7-fpm/php7.fpm.sock;
+		    #fastcgi_pass unix:/var/run/php7-fpm/php7.fpm.sock;
-<------>}
+		}
-<------>location ~* \.php$ {
+		location ~* \.php$ {
-    <-->    #try_files $uri = 404;
+		    #try_files $uri = 404;
-    <-->    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    <-->    fastcgi_pass unix:/var/run/php7-fpm/php7-fpm.sock; # подключаем сокет php-fpm
+		    fastcgi_pass unix:/var/run/php7-fpm/php7-fpm.sock; # подключаем сокет php-fpm
-    <-->    fastcgi_index index.php;
+		    fastcgi_index index.php;
-    <-->    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    <-->    include fastcgi_params;
+		    include fastcgi_params;
-<------>}
+		}
        access_log  /var/log/nginx/eterban_access.log;
        error_log   /var/log/nginx/eterban_error.log;

--- a/common/etc/eterban/settings.ini
+++ b/common/etc/eterban/settings.ini
 [Settings]
 #redis_server = 10.20.30.101
-#ban-server = 192.168.0.0
+#ban_server = 192.168.0.0
 #i_interface = brlocal
 #hostname = localhost
--- a/eterban.spec
+++ b/eterban.spec
@@ -34,7 +34,7 @@ Etersoft ban service. Common files
 %package gateway
 Summary: Etersoft ban service: gateway
 Group: Development/Other
-Requires: eterban-common,iptables,ipset
+Requires: eterban-common,iptables,ipset,conntrack-tools,python3-module-redis
 %description gateway
 Etersoft ban service
@@ -50,7 +50,7 @@ Etersoft ban service.
 %package fail2ban
 Summary: Etersoft ban service: fail2ban
 Group: Development/Other
-Requires: eterban-common,fail2ban
+Requires: eterban-common,fail2ban-server
 %description fail2ban
 Etersoft ban service.
@@ -65,6 +65,7 @@ Etersoft ban service.
 #install -m644 include/limits/* %buildroot%_sysconfdir/nginx/include/limits/
 mkdir -p %buildroot%_datadir/%name/
 mkdir -p %buildroot/etc/%name/
+mkdir -p %buildroot/etc/cron.hourly/
 mkdir -p %buildroot/etc/fail2ban/action.d/
 mkdir -p %buildroot/etc/systemd/system/
 mkdir -p %buildroot/var/log/eterban/
@@ -76,6 +77,7 @@ cp -a gateway/usr/share/%name/* %buildroot%_datadir/%name/
 install -m 644 common/etc/eterban/* %buildroot/etc/%name/
 install -m 644 gateway/etc/systemd/system/* %buildroot/etc/systemd/system/
+install -m 644 gateway/etc/cron.hourly/* %buildroot/etc/cron.hourly/
 install -m 644 ban-server/data/www/* %buildroot%webserver_htdocsdir/%name/
 install -m 644 ban-server/etc/nginx/sites-enabled.d/* %buildroot/etc/nginx/sites-enabled.d/
@@ -91,6 +93,7 @@ cp -a prod-server/usr/share/%name/* %buildroot%_datadir/%name/
 %files gateway
 /etc/systemd/system/
 /var/log/eterban/
+/etc/cron.hourly/
 %_datadir/%name/eterban_switcher.py
 %files web

--- a/gateway/etc/cron.hourly/get_firehol_ip.sh
+++ b/gateway/etc/cron.hourly/get_firehol_ip.sh
+#!/bin/sh
+firehol_name="firehol_level1"
+firehol_tmp="firehol_tmp"
+wget https://iplists.firehol.org/files/firehol_level1.netset -O $firehol_name
+ipset create $firehol_tmp hash:net
+( echo "create $firehol_tmp hash:net family inet hashsize 1024 maxelem 65536" ;\
+	cat $firehol_name | grep -v "^#" | sed -e "s|^\([0-9].*\)|add $firehol_tmp \1|" ) | ipset -exist restore
+ipset swap $firehol_tmp $firehol_name
+ipset destroy $firehol_tmp
--- a/gateway/usr/share/eterban/eterban_switcher.py
+++ b/gateway/usr/share/eterban/eterban_switcher.py
@@ -8,9 +8,11 @@ import os
 import signal
 import socket
-path_to_config = '/etc/eterban/settings.ini'
+path_to_config      = '/etc/eterban/settings.ini'
-path_to_eterban = '/usr/share/eterban/'
+path_to_eterban     = '/usr/share/eterban/'
-ipset_eterban_1 = 'eterban_1'
+ipset_eterban_1     = 'eterban_1'
+ipset_firehol       = 'firehol_level1'
+ipset_eterban_white = 'eterban_white'
 try:
    path_to_log = '/var/log/eterban/eterban.log'
@@ -53,29 +55,44 @@ def parse_config (path_to_config, path_to_log):
        return (redis_server, ban_server, i_interface)
 def save_ipset_eterban_1():
-    global ipset_eterban_1, path_to_eterban
+    global ipset_eterban_1, ipset_firehol, ipset_eterban_white, path_to_eterban
-    command = 'ipset save ' + ipset_eterban_1 + ' --file ' + path_to_eterban + ipset_eterban_1
+    name_list = [ipset_eterban_1, ipset_firehol, ipset_eterban_white]
-    subprocess.call (command, shell = True)
+    for name in name_list:
+        command = 'ipset save ' + name + ' --file ' + path_to_eterban + name
+        subprocess.call (command, shell = True)
-def restore_ipset_eterban_1(path_to_eterban, ipset_eterban_1):
+def restore_ipset_eterban_1():
-    command='ipset restore --file ' + path_to_eterban + ipset_eterban_1
+    global ipset_eterban_1, ipset_firehol, ipset_eterban_white, path_to_eterban
-    subprocess.call (command, shell = True)
+    name_list = [ipset_eterban_1, ipset_firehol, ipset_eterban_white]
+    for name in name_list:
+        command='ipset restore --file ' + path_to_eterban + name
+        subprocess.call (command, shell = True)
 def create_iptables_rules():
-    global ban_server, ipset_eterban_1, i_interface
+    global ban_server, ipset_eterban_1, ipset_firehol, ipset_eterban_white, i_interface
-    commands=['ipset --create ' + ipset_eterban_1 + ' iphash',
+    commands=['ipset create ' + ipset_eterban_1 + ' iphash',
+        'ipset create ' + ipset_firehol + ' hash:net',
+        'ipset create ' + ipset_eterban_white + ' iphash',
+        'iptables -t nat -I PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_firehol + ' src -j DNAT --to-destination ' + ban_server,
        'iptables -t nat -I PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_1 + ' src -j DNAT --to-destination ' + ban_server,
-        'iptables -t nat -I PREROUTING -i ' + i_interface + ' -m set ! --match-set ' + ipset_eterban_1 + ' src -d ' + ban_server + ' -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination ' + ban_server + ':81',
+        'iptables -t nat -I PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_white + ' src -j ACCEPT',
+        #'iptables -t nat -I PREROUTING -i ' + i_interface + ' -m set ! --match-set ' + ipset_eterban_1 + ' src -d ' + ban_server + ' -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination ' + ban_server + ':81',
+        #'iptables -t nat -I PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_1 + ' src  -p tcp --dport 443 -j DNAT --to-destination ' + ban_server + ':80',
        'iptables -I FORWARD -i ' + i_interface + ' -p tcp -m multiport ! --dport 80,81,443 -m set --match-set ' + ipset_eterban_1 + ' src -j REJECT']
    for command in commands:
        subprocess.call (command, shell = True)
 def destroy_iptables_rules ():
-    global ban_server, ipset_eterban_1, i_interface
+    global ban_server, ipset_eterban_1, ipset_firehol, ipset_eterban_white, i_interface
-    commands=['ipset destroy ' + ipset_eterban_1,
+    commands=['iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_firehol + ' src -j DNAT --to-destination ' + ban_server,
        'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_1 + ' src -j DNAT --to-destination ' + ban_server,
-        'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set ! --match-set ' + ipset_eterban_1 + ' src -d ' + ban_server + ' -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination ' + ban_server + ':81',
+        'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_white + ' src -j ACCEPT',
-        'iptables -D FORWARD -i ' + i_interface + ' -p tcp -m multiport ! --dport 80,81,443 -m set --match-set ' + ipset_eterban_1 + ' src -j REJECT',]
+        #'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set ! --match-set ' + ipset_eterban_1 + ' src -d ' + ban_server + ' -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination ' + ban_server + ':81',
+        #'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_1 + ' src -p tcp --dport 443 -j DNAT --to-destination ' + ban_server + ':80',
+        'iptables -D FORWARD -i ' + i_interface + ' -p tcp -m multiport ! --dport 80,81,443 -m set --match-set ' + ipset_eterban_1 + ' src -j REJECT'
+        'ipset destroy ' + ipset_eterban_1,
+        'ipset destroy ' + ipset_firehol,
+        'ipset destroy ' + ipset_eterban_white]
    for command in commands:
        subprocess.call (command, shell = True)
@@ -92,11 +109,12 @@ signal.signal(signal.SIGQUIT, exit_gracefully)
 signal.signal(signal.SIGTERM, exit_gracefully)
-print ('1')
+#print ('1')
 redis_server, ban_server, i_interface = parse_config (path_to_config, path_to_log)
 #destroy_iptables_rules ()
-print ("done!")
+#sys.exit()
+#print ("done!")
 #print (time.strftime( "%Y-%m-%d %H:%M:%S", time.localtime()))
 #subprocess.call ('ipset create blacklist hash:ip', stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
@@ -109,7 +127,7 @@ except:
    print ("Enable to connect redes")
    sys.exit()
-restore_ipset_eterban_1(path_to_eterban, ipset_eterban_1)
+restore_ipset_eterban_1()
 create_iptables_rules()
@@ -118,24 +136,23 @@ for message in p.listen():
        ip = message['data'].decode('utf-8')
        ip = message['data'].decode('utf-8')
        ban = 'ipset -A ' + ipset_eterban_1 + ' ' + ip
+        remove = 'ipset -D ' + ipset_eterban_white + ' ' + ip
        print (ban)
        print (message)
-        #ban = 'fail2ban-client set blacklist  banip ' + ip
-        #subprocess.call (ban, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
        subprocess.call (ban, shell = True)
+        subprocess.call (remove, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
        tcp_drop = 'conntrack -D -s ' + ip
        subprocess.Popen(tcp_drop, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
-        #subprocess.Popen(tcp_drop, shell = True)
    elif message is not None and message['type'] =='message' and message['channel'] == b'unban' :
        print (message)
        ip = message['data'].decode('utf-8')
        unban = 'ipset -D ' + ipset_eterban_1 + ' ' + ip
-        #unban = 'fail2ban-client set blacklist unbanip ' + ip
+        add   = 'ipset -A ' + ipset_eterban_white + ' ' + ip
        subprocess.call (unban, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
-        #subprocess.call (unban, shell = True)
+        subprocess.call (add, shell = True)
        tcp_drop = 'conntrack -D -s ' + ip
        subprocess.Popen(tcp_drop, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
-        #subprocess.Popen(tcp_drop, shell = True)
    elif message is not None and message['type'] =='message' and message['channel'] == b'by':
        info = time.strftime( "%Y-%m-%d %H:%M:%S", time.localtime())
        info += " " + message['data'].decode('utf-8') + "\n"
@@ -150,4 +167,4 @@ for message in p.listen():
        log.write(info)
        log.flush()
    else:
        pass
\ No newline at end of file
--- a/prod-server/etc/fail2ban/action.d/eterban.conf
+++ b/prod-server/etc/fail2ban/action.d/eterban.conf
 [Definition]
-actionban = /usr/share/eterban/ban.py <ip> <name> 
+actionban = /usr/share/eterban/ban.py <ip> <name>
\ No newline at end of file