
Annotation of /rpms/e-smith-openssh/sme10/e-smith-openssh-2.6.0-bz9893-autoblock-whitelist.patch



Revision 1.1 - (hide annotations) (download)
Sun May 3 07:07:36 2020 UTC (4 years, 6 months ago) by jpp
Branch: MAIN
CVS Tags: e-smith-openssh-2_6_0-7_el7_sme, e-smith-openssh-2_6_0-4_el7_sme, e-smith-openssh-2_6_0-6_el7_sme, e-smith-openssh-2_6_0-3_el7_sme, e-smith-openssh-2_6_0-8_el7_sme, e-smith-openssh-2_6_0-5_el7_sme, HEAD
* Sun May 03 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-3.sme
- add Whitelist to AutoBlock using property sshd ValidFrom [SME: 9893]

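diff -Nur e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock
--- e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock 2016-02-05 17:15:23.000000000 -0500
+++ e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock 2020-05-03 02:57:42.368000000 -0400
@@ -1,13 +1,23 @@
 {
 my $abtries = ${'sshd'}{'AutoBlockTries'} || "4";
 my $abtime = ${'sshd'}{'AutoBlockTime'} || "900";
+ my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
 
 $OUT .=<<"EOF";
+ # Create a whitelist
+ /sbin/iptables --new-chain SSH_Whitelist
+ /sbin/iptables --new-chain SSH_Whitelist_1
+ /sbin/iptables --append SSH_Whitelist -j SSH_Whitelist_1
 
 # Use recent packets match to block SSH from sites generating
 # $abtries connections within $abtime seconds
- # Check/clear IP block status in /proc/net/ipt_recent/SSH
+ # Check/clear IP block status in /proc/net/xt_recent/SSH
 /sbin/iptables --new-chain SSH_Autoblock
+
+ # First check if not whitelisted
+ /sbin/iptables --append SSH_Autoblock --proto tcp --dport $sshd_port \\
+ -m state --state NEW -j SSH_Whitelist
+
 /sbin/iptables --append SSH_Autoblock -m recent --set --name SSH
 /sbin/iptables --append SSH_Autoblock -m recent --rcheck --rttl \\
 --seconds $abtime --hitcount $abtries --name SSH -j denylog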
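Review bot: The new jump to SSH_Whitelist becomes rule 1 of SSH_Autoblock, which silently shifts the `recent --rcheck` rule to position 3 — that is why the sibling hunk in 90adjustSSHAutoblock changes `--replace SSH_Autoblock 2` to `3`, but nothing in this template records that its rule order is a contract another template depends on. I would add above the `# First check if not whitelisted` line: `# NOTE: rule positions in SSH_Autoblock are relied on by 90adjustSSHAutoblock (--replace SSH_Autoblock 3); keep the whitelist jump first and the rcheck rule third.` Whitelisted sources are ACCEPTed inside SSH_Whitelist_N and so never reach the `recent --set` rule, meaning their connection attempts are not counted at all; since that is the intended semantics it is worth stating in the `# Create a whitelist` comment. `-m state --state NEW` is the legacy match, `-m conntrack --ctstate NEW` being the form current iptables documents, though if the rest of the masq templates use `-m state` consistency wins.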
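diff -Nur e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock
--- e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock 2016-02-05 17:15:23.000000000 -0500
+++ e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock 2020-05-03 02:58:12.182000000 -0400
@@ -1,10 +1,42 @@
 {
+ # SSH_Whitelist
+ my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
+ # Find the current SSH_Whitelit_$$ chain, and create a new one.
+ $OUT .=<<'EOF';
+ OLD_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter find)
+ NEW_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter new)
+ /sbin/iptables --new-chain $NEW_SSH_Whitelist
+EOF
+ # here we add the content from sshd ValidFrom
+ # or create a new one dedicated for sshd
+ my @vals = split ",", ($sshd{ValidFrom} || '');
+ #$OUT .="#sshd whitelist content : "
+ #$OUT .= join " ", @vals;
+
+ foreach my $ip ( @vals ){
+ $OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist -s $ip";
+ $OUT .= " -p tcp";
+ $OUT .= " --dport $sshd_port" ;
+ $OUT .= " -j ACCEPT\n";
+ }
+
+ $OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist" .
+ " -j RETURN\n";
+
+ # Having created a new SSH_Whitelist chain, activate it and destroy the old one.
+ $OUT .=<<'EOF';
+ /sbin/iptables --replace SSH_Whitelist 1 \
+ --jump $NEW_SSH_Whitelist
+ /sbin/iptables --flush $OLD_SSH_Whitelist
+ /sbin/iptables --delete-chain $OLD_SSH_Whitelist
+EOF
+ # SSH_Autoblock
 my $abtries = ${'sshd'}{'AutoBlockTries'} || "4";
 my $abtime = ${'sshd'}{'AutoBlockTime'} || "900";
 
 $OUT .=<<"EOF";
 
- /sbin/iptables --replace SSH_Autoblock 2 -m recent --rcheck --rttl \\
+ /sbin/iptables --replace SSH_Autoblock 3 -m recent --rcheck --rttl \\
 --seconds $abtime --hitcount $abtries --name SSH -j denylog
 # Clear SSH_Autoblock site history too
 echo / > /proc/net/xt_recent/SSH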
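Review bot: Every entry of the `sshd ValidFrom` property reaches the root-run shell script unchanged at `$OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist -s $ip";`, so a value with whitespace around the commas or a stray empty field yields an iptables call with a malformed or missing `-s` argument, which fails and — depending on how the masq script treats errors — can leave the whitelist chain half-built or the old one never swapped out. I would split on `/\s*,\s*/`, accept only an anchored dotted-quad with optional CIDR prefix, and emit a shell comment for anything else so a typo in the DB cannot break the firewall script; if ValidFrom is also meant to carry hostnames the pattern needs widening rather than dropping. The comment `# Find the current SSH_Whitelit_$$ chain` has a typo (SSH_Whitelist), and the two commented-out debug lines `#$OUT .="#sshd whitelist content : "` / `#$OUT .= join " ", @vals;` should be deleted rather than committed. `$sshd{ValidFrom}` also mixes access styles with `${'sshd'}{'TCPPort'}` two lines above.

```perl
    # … unchanged: $sshd_port, chain discovery heredoc …

    # Tolerate "a, b" as well as "a,b"; empty fields are dropped by split.
    my @vals = split /\s*,\s*/, ($sshd{ValidFrom} || '');

    foreach my $ip ( @vals ){
        # Only a dotted-quad with an optional CIDR prefix is interpolated into
        # the script; a malformed entry becomes a comment instead of a failing
        # iptables call. The value itself is not echoed back so it cannot
        # carry anything out of the comment.
        unless ( $ip =~ m{\A\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\z} ) {
            $OUT .= " # ignored malformed sshd ValidFrom entry\n";
            next;
        }
        $OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist -s $ip";
        # … unchanged: -p tcp / --dport / -j ACCEPT …
    }
```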
