| 1 |
diff -Nur e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock |
| 2 |
--- e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock 2016-02-05 17:15:23.000000000 -0500 |
| 3 |
+++ e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42CreateSSHAutoblock 2020-05-03 02:57:42.368000000 -0400 |
| 4 |
@@ -1,13 +1,23 @@ |
| 5 |
{ |
| 6 |
my $abtries = ${'sshd'}{'AutoBlockTries'} || "4"; |
| 7 |
my $abtime = ${'sshd'}{'AutoBlockTime'} || "900"; |
| 8 |
+ my $sshd_port = ${'sshd'}{'TCPPort'} || "22"; |
| 9 |
|
| 10 |
$OUT .=<<"EOF"; |
| 11 |
+ # Create a whitelist |
| 12 |
+ /sbin/iptables --new-chain SSH_Whitelist |
| 13 |
+ /sbin/iptables --new-chain SSH_Whitelist_1 |
| 14 |
+ /sbin/iptables --append SSH_Whitelist -j SSH_Whitelist_1 |
| 15 |
|
| 16 |
# Use recent packets match to block SSH from sites generating |
| 17 |
# $abtries connections within $abtime seconds |
| 18 |
- # Check/clear IP block status in /proc/net/ipt_recent/SSH |
| 19 |
+ # Check/clear IP block status in /proc/net/xt_recent/SSH |
| 20 |
/sbin/iptables --new-chain SSH_Autoblock |
| 21 |
+ |
| 22 |
+ # First check if not whitelisted |
| 23 |
+ /sbin/iptables --append SSH_Autoblock --proto tcp --dport $sshd_port \\ |
| 24 |
+ -m state --state NEW -j SSH_Whitelist |
| 25 |
+ |
| 26 |
/sbin/iptables --append SSH_Autoblock -m recent --set --name SSH |
| 27 |
/sbin/iptables --append SSH_Autoblock -m recent --rcheck --rttl \\ |
| 28 |
--seconds $abtime --hitcount $abtries --name SSH -j denylog |
| 29 |
diff -Nur e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock |
| 30 |
--- e-smith-openssh-2.6.0.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock 2016-02-05 17:15:23.000000000 -0500 |
| 31 |
+++ e-smith-openssh-2.6.0/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSSHAutoblock 2020-05-03 02:58:12.182000000 -0400 |
| 32 |
@@ -1,10 +1,42 @@ |
| 33 |
{ |
| 34 |
+ # SSH_Whitelist |
| 35 |
+ my $sshd_port = ${'sshd'}{'TCPPort'} || "22"; |
| 36 |
+ # Find the current SSH_Whitelit_$$ chain, and create a new one. |
| 37 |
+ $OUT .=<<'EOF'; |
| 38 |
+ OLD_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter find) |
| 39 |
+ NEW_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter new) |
| 40 |
+ /sbin/iptables --new-chain $NEW_SSH_Whitelist |
| 41 |
+EOF |
| 42 |
+ # here we add the content from sshd ValidFrom |
| 43 |
+ # or create a new one dedicated for sshd |
| 44 |
+ my @vals = split ",", ($sshd{ValidFrom} || ''); |
| 45 |
+ #$OUT .="#sshd whitelist content : " |
| 46 |
+ #$OUT .= join " ", @vals; |
| 47 |
+ |
| 48 |
+ foreach my $ip ( @vals ){ |
| 49 |
+ $OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist -s $ip"; |
| 50 |
+ $OUT .= " -p tcp"; |
| 51 |
+ $OUT .= " --dport $sshd_port" ; |
| 52 |
+ $OUT .= " -j ACCEPT\n"; |
| 53 |
+ } |
| 54 |
+ |
| 55 |
+ $OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist" . |
| 56 |
+ " -j RETURN\n"; |
| 57 |
+ |
| 58 |
+ # Having created a new SSH_Whitelist chain, activate it and destroy the old one. |
| 59 |
+ $OUT .=<<'EOF'; |
| 60 |
+ /sbin/iptables --replace SSH_Whitelist 1 \ |
| 61 |
+ --jump $NEW_SSH_Whitelist |
| 62 |
+ /sbin/iptables --flush $OLD_SSH_Whitelist |
| 63 |
+ /sbin/iptables --delete-chain $OLD_SSH_Whitelist |
| 64 |
+EOF |
| 65 |
+ # SSH_Autoblock |
| 66 |
my $abtries = ${'sshd'}{'AutoBlockTries'} || "4"; |
| 67 |
my $abtime = ${'sshd'}{'AutoBlockTime'} || "900"; |
| 68 |
|
| 69 |
$OUT .=<<"EOF"; |
| 70 |
|
| 71 |
- /sbin/iptables --replace SSH_Autoblock 2 -m recent --rcheck --rttl \\ |
| 72 |
+ /sbin/iptables --replace SSH_Autoblock 3 -m recent --rcheck --rttl \\ |
| 73 |
--seconds $abtime --hitcount $abtries --name SSH -j denylog |
| 74 |
# Clear SSH_Autoblock site history too |
| 75 |
echo / > /proc/net/xt_recent/SSH |
Parent Directory
| 
Revision Log
| 
Revision Graph
