19d782c0
Commit
19d782c0
authored
Apr 25, 2013
by
Valentin Samir
[config, firewall4] Bridage upload long et limitation des connexion ssh
parent
c37b3b0f
Showing
2 changed files
with
27 additions
and
10 deletions
+27
-10
gestion/config/config.py
gestion/config/config.py
+3
-3
gestion/gen_confs/firewall4.py
gestion/gen_confs/firewall4.py
+24
-7
...
...
@@ -277,12 +277,12 @@ file_pickle = { 4 : '/tmp/ipt_pickle',
6
:
'/tmp/ip6t_pickle'
}
blacklist_sanctions
=
[
'upload'
,
'warez'
,
'p2p'
,
'autodisc_p2p'
,
'autodisc_virus'
,
'virus'
,
'bloq'
]
blacklist_sanctions
=
[
'warez'
,
'p2p'
,
'autodisc_p2p'
,
'autodisc_virus'
,
'virus'
,
'bloq'
]
if
bl_carte_et_definitif
:
blacklist_sanctions
.
append
(
'carte_etudiant'
)
blacklist_sanctions_soft
=
[
'autodisc_virus'
,
'ipv6_ra'
,
'mail_invalide'
,
'virus'
,
'upload'
,
'warez'
,
'p2p'
,
'autodisc_p2p'
,
'bloq'
,
'carte_etudiant'
,
'chambre_invalide'
]
blacklist_bridage_upload
=
[
'autodisc_upload'
]
'warez'
,
'p2p'
,
'autodisc_p2p'
,
'bloq'
,
'carte_etudiant'
,
'chambre_invalide'
]
blacklist_bridage_upload
=
[
'autodisc_upload'
,
'upload'
]
adm_users
=
[
'root'
,
'identd'
,
'daemon'
,
'postfix'
,
'freerad'
,
'amavis'
,
'nut'
,
'respbats'
,
'list'
,
'sqlgrey'
,
'ntpd'
,
'lp'
]
...
...
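Review bot: The three list definitions carry no comment explaining how they differ, and this hunk changes the meaning of the 'upload' type: it is removed from both blacklist_sanctions and blacklist_sanctions_soft and added to blacklist_bridage_upload, so a machine whose only active blacklist is 'upload' now lands in the 'upload' ipset alone and no longer in the 'soft' one. That appears to be the intent of the commit title ("bridage upload long"), but nothing on the page confirms that the soft sanctions previously applied to 'upload' are meant to disappear entirely rather than be kept alongside the throttle. I would add, above blacklist_bridage_upload, `# blacklist types that only throttle upload (fed into the 'upload' ipset); 'upload' is no longer a hard or soft sanction`, and a matching one-line comment above blacklist_sanctions_soft naming the ipset it feeds. The comment is the only place a future reader will learn that 'upload' changed category in this commit.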
gestion/gen_confs/firewall4.py
...
...
@@ -463,6 +463,7 @@ class firewall_komaz(firewall_base_routeur):
'reseaux_non_routable'
:
self
.
reseaux_non_routable
,
'filtrage_ports'
:
self
.
filtrage_ports
,
'limitation_debit'
:
self
.
limitation_debit
,
'limit_ssh_connexion'
:
self
.
limit_ssh_connexion
,
})
self
.
use_ipset
.
extend
([
self
.
blacklist_soft
,
self
.
reseaux_non_routable
])
...
...
@@ -522,6 +523,7 @@ class firewall_komaz(firewall_base_routeur):
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
connexion_secours
(
table
))
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
connexion_appartement
(
table
))
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
ingress_filtering
(
table
))
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
limit_ssh_connexion
(
table
))
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
filtrage_ports
(
table
))
return
...
...
@@ -538,6 +540,19 @@ class firewall_komaz(firewall_base_routeur):
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
connexion_appartement
(
table
))
return
def
limit_ssh_connexion
(
self
,
table
=
None
,
apply
=
False
):
chain
=
'LIMIT-SSH-CONNEXION'
if
table
==
'filter'
:
pretty_print
(
table
,
chain
)
self
.
add
(
table
,
chain
,
'-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set'
%
dev
[
'out'
])
self
.
add
(
table
,
chain
,
'-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP'
%
dev
[
'out'
])
print
OK
if
apply
:
self
.
apply
(
table
,
chain
)
return
chain
def
test_mac_ip
(
self
,
table
=
None
,
fill_ipset
=
False
,
apply
=
False
):
chain
=
super
(
self
.
__class__
,
self
).
test_mac_ip
()
...
...
@@ -679,16 +694,18 @@ class firewall_komaz(firewall_base_routeur):
for
ip
in
ip_list
:
machine
=
conn
.
search
(
"ipHostNumber=%s"
%
ip
)
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
if
machine
:
if
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
[
0
].
blacklist_actif
()
]).
intersection
(
blacklist_sanctions_soft
):
try
:
self
.
ipset
[
'blacklist'
][
'soft'
].
add
(
ip
)
except
IpsetError
:
pass
if
machine
and
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
[
0
].
blacklist_actif
()
]).
intersection
(
blacklist_bridage_upload
):
try
:
self
.
ipset
[
'blacklist'
][
'upload'
].
add
(
ip
)
except
IpsetError
:
pass
if
machine
and
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
[
0
].
blacklist_actif
()
]).
intersection
(
blacklist_sanctions_soft
):
try
:
self
.
ipset
[
'blacklist'
][
'soft'
].
add
(
ip
)
except
IpsetError
:
pass
else
:
try
:
self
.
ipset
[
'blacklist'
][
'soft'
].
delete
(
ip
)
except
IpsetError
:
pass
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if
machine
and
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
[
0
].
blacklist_actif
()
]).
intersection
(
blacklist_bridage_upload
):
try
:
self
.
ipset
[
'blacklist'
][
'upload'
].
add
(
ip
)
except
IpsetError
:
pass
else
:
try
:
self
.
ipset
[
'blacklist'
][
'upload'
].
delete
(
ip
)
except
IpsetError
:
pass
...
...
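Review bot: The new limit_ssh_connexion method has no docstring, and its two rules encode a policy that is not obvious from the `-m recent` options: the first rule records every NEW TCP connection to the ssh port arriving on dev['out'] in the recent list named SSH, and the second DROPs a NEW ssh connection when the same source has been recorded 10 or more times in the last 30 seconds (with `--rttl` also requiring the same TTL). I would add `"""Rate-limit inbound SSH on dev['out']: drop a new connection once a source has opened 10 in 30 s (iptables recent match, list 'SSH')."""` as the docstring. Because the `--set` rule precedes the `--update ... -j DROP` rule, the attempt being evaluated is itself counted before the hitcount is tested, which is worth a one-line why-comment, e.g. `# --set first: the current attempt counts toward --hitcount` — if that ordering is not deliberate it should be confirmed. The method also only installs rules when table == 'filter' but returns the chain name unconditionally, so the caller in the @@ -522 hunk presumably runs under the same table guard as connexion_secours and ingress_filtering; the enclosing class firewall_komaz continues outside the hunk.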