Commit 19d782c0 authored by Valentin Samir's avatar Valentin Samir

[config, firewall4] Bridage upload long et limitation des connexions ssh

parent c37b3b0f
...@@ -277,12 +277,12 @@ file_pickle = { 4 : '/tmp/ipt_pickle', ...@@ -277,12 +277,12 @@ file_pickle = { 4 : '/tmp/ipt_pickle',
6 : '/tmp/ip6t_pickle' 6 : '/tmp/ip6t_pickle'
} }
blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq'] blacklist_sanctions = ['warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq']
if bl_carte_et_definitif: if bl_carte_et_definitif:
blacklist_sanctions.append('carte_etudiant') blacklist_sanctions.append('carte_etudiant')
blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus', blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus',
'upload', 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide'] 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide']
blacklist_bridage_upload = ['autodisc_upload'] blacklist_bridage_upload = ['autodisc_upload', 'upload']
adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis', adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis',
'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ] 'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ]
......
...@@ -463,6 +463,7 @@ class firewall_komaz(firewall_base_routeur): ...@@ -463,6 +463,7 @@ class firewall_komaz(firewall_base_routeur):
'reseaux_non_routable' : self.reseaux_non_routable, 'reseaux_non_routable' : self.reseaux_non_routable,
'filtrage_ports' : self.filtrage_ports, 'filtrage_ports' : self.filtrage_ports,
'limitation_debit' : self.limitation_debit, 'limitation_debit' : self.limitation_debit,
'limit_ssh_connexion' : self.limit_ssh_connexion,
}) })
self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable]) self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable])
...@@ -522,6 +523,7 @@ class firewall_komaz(firewall_base_routeur): ...@@ -522,6 +523,7 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-j %s' % self.connexion_secours(table)) self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-j %s' % self.connexion_appartement(table)) self.add(table, chain, '-j %s' % self.connexion_appartement(table))
self.add(table, chain, '-j %s' % self.ingress_filtering(table)) self.add(table, chain, '-j %s' % self.ingress_filtering(table))
self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table))
self.add(table, chain, '-j %s' % self.filtrage_ports(table)) self.add(table, chain, '-j %s' % self.filtrage_ports(table))
return return
...@@ -538,6 +540,19 @@ class firewall_komaz(firewall_base_routeur): ...@@ -538,6 +540,19 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-j %s' % self.connexion_appartement(table)) self.add(table, chain, '-j %s' % self.connexion_appartement(table))
return return
def limit_ssh_connexion(self, table=None, apply=False):
chain = 'LIMIT-SSH-CONNEXION'
if table == 'filter':
pretty_print(table, chain)
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev['out'])
print OK
if apply:
self.apply(table, chain)
return chain
def test_mac_ip(self, table=None, fill_ipset=False, apply=False): def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
chain = super(self.__class__, self).test_mac_ip() chain = super(self.__class__, self).test_mac_ip()
...@@ -679,16 +694,18 @@ class firewall_komaz(firewall_base_routeur): ...@@ -679,16 +694,18 @@ class firewall_komaz(firewall_base_routeur):
for ip in ip_list: for ip in ip_list:
machine = conn.search("ipHostNumber=%s" % ip) machine = conn.search("ipHostNumber=%s" % ip)
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
if machine: if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
if set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft): try: self.ipset['blacklist']['soft'].add(ip)
try: self.ipset['blacklist']['soft'].add(ip) except IpsetError: pass
except IpsetError: pass
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else: else:
try: self.ipset['blacklist']['soft'].delete(ip) try: self.ipset['blacklist']['soft'].delete(ip)
except IpsetError: pass except IpsetError: pass
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else:
try: self.ipset['blacklist']['upload'].delete(ip) try: self.ipset['blacklist']['upload'].delete(ip)
except IpsetError: pass except IpsetError: pass
......
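Review bot: limit_ssh_connexion installs a stateful rate limit (record every NEW tcp/ssh on dev['out'] in the xt_recent list `SSH`, then DROP a source once it reaches 10 NEW connections within 30 s with --rttl) but documents none of that policy, so the next maintainer has to decode the two iptables strings to learn what the chain does and why the `--set` rule is placed before the `--update` rule. A docstring along the lines of `"""Rate-limit inbound SSH on dev['out']: 10 NEW connections per source in 30 s (same TTL) are dropped; only filled when table == 'filter'."""` would cover it, and a short comment on the `--update` line noting that the current attempt is already counted because `--set` ran first. Since the list is keyed per source address, the limit does not bound a scan spread across many sources, and xt_recent's default list size (ip_list_tot, 100 entries) means entries can be evicted on a busy router — worth a `# NOTE:` on the chain if that was considered. In the blacklist loop hunk further down, `set([bl.value['type'] for bl in machine[0].blacklist_actif()])` is now evaluated twice per ip; hoisting it once, e.g. `bl_types = set(bl.value['type'] for bl in machine[0].blacklist_actif()) if machine else set()`, and testing `bl_types.intersection(...)` in both branches avoids the second blacklist_actif() call. Both enclosing methods extend beyond the hunks shown.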