Skip to content

GitLab

Commit 19d782c0 authored by Valentin Samir's avatar Valentin Samir
Browse files

[config, firewall4] Bridage upload long et limitation des connexion ssh

parent c37b3b0f
Hide whitespace changes
Inline Side-by-side
gestion/config/config.py
View file @ 19d782c0
......@@ -277,12 +277,12 @@ file_pickle = { 4 : '/tmp/ipt_pickle',
6 : '/tmp/ip6t_pickle'
}
blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq']
blacklist_sanctions = ['warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq']
if bl_carte_et_definitif:
blacklist_sanctions.append('carte_etudiant')
blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus',
'upload', 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide']
blacklist_bridage_upload = ['autodisc_upload']
'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide']
blacklist_bridage_upload = ['autodisc_upload', 'upload']
adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis',
'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ]
......
gestion/gen_confs/firewall4.py
View file @ 19d782c0
......@@ -463,6 +463,7 @@ class firewall_komaz(firewall_base_routeur):
'reseaux_non_routable' : self.reseaux_non_routable,
'filtrage_ports' : self.filtrage_ports,
'limitation_debit' : self.limitation_debit,
'limit_ssh_connexion' : self.limit_ssh_connexion,
})
self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable])
......@@ -522,6 +523,7 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-j %s' % self.connexion_appartement(table))
self.add(table, chain, '-j %s' % self.ingress_filtering(table))
self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table))
self.add(table, chain, '-j %s' % self.filtrage_ports(table))
return
......@@ -538,6 +540,19 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-j %s' % self.connexion_appartement(table))
return
def limit_ssh_connexion(self, table=None, apply=False):
chain = 'LIMIT-SSH-CONNEXION'
if table == 'filter':
pretty_print(table, chain)
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev['out'])
print OK
if apply:
self.apply(table, chain)
return chain
def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
chain = super(self.__class__, self).test_mac_ip()
......@@ -679,16 +694,18 @@ class firewall_komaz(firewall_base_routeur):
for ip in ip_list:
machine = conn.search("ipHostNumber=%s" % ip)
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
if machine:
if set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
try: self.ipset['blacklist']['soft'].add(ip)
except IpsetError: pass
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
try: self.ipset['blacklist']['soft'].add(ip)
except IpsetError: pass
else:
try: self.ipset['blacklist']['soft'].delete(ip)
except IpsetError: pass
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else:
try: self.ipset['blacklist']['upload'].delete(ip)
except IpsetError: pass
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment