Sicherheit: Shellbefehle, die durch root per cron ausgeführt werden, werden vorgefiltert.

netz.coop eG
Commit 111322d9 authored Jun 18, 2017 by netz.coop eG
Showing with 108 additions and 21 deletions
include/classes/Sytemoutput.php
include/configure.php
include/install/doc/usr/local/sbin/close_fw_cron.sh
include/install/doc/usr/local/sbin/switch_fw.sh
output/domain_fw.conf
output/hosts_fw.conf
--- a/include/classes/Sytemoutput.php
+++ b/include/classes/Sytemoutput.php
@@ -44,46 +44,46 @@ class Sytemoutput {
 	public function createfw($array_pclistgroups){
 		$i=0;
 		file_put_contents(FWFILENAME, PHP_EOL);
-		file_put_contents(FWFILENAME,'iptables  -t nat -F PREROUTING'. PHP_EOL);			
+		file_put_contents(FWFILENAME,' -t nat -F PREROUTING'. PHP_EOL);			
-		file_put_contents(FWFILENAME,'iptables  -F FORWARD'. PHP_EOL ,FILE_APPEND);			
+		file_put_contents(FWFILENAME,'  -F FORWARD'. PHP_EOL ,FILE_APPEND);			
 		foreach($array_pclistgroups as $key =>$value){
 			if($value['open']==='1'){
 	//			file_put_contents(FWFILENAME,''.$value['ip'].'\n',FILE_APPEND);
-				file_put_contents(FWFILENAME,'iptables  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j OPEN'. PHP_EOL ,FILE_APPEND);			
+				file_put_contents(FWFILENAME,'  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j OPEN'. PHP_EOL ,FILE_APPEND);			
 				}else if($value['open']==='0' ||  $value['open']==='off' ){
 // by Heiko			}else if($value['open']==='1' ||  $value['open']==='on' ){
 //				if($i===0){
-//				file_put_contents(FWFILENAME,'iptables  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p udp --dport  53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND);			
+//				file_put_contents(FWFILENAME,'  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p udp --dport  53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND);			
 //				}else{
-					file_put_contents(FWFILENAME,'iptables  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j BLOCK'. PHP_EOL ,FILE_APPEND);			
+					file_put_contents(FWFILENAME,'  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j BLOCK'. PHP_EOL ,FILE_APPEND);			
 					// schlechte Idee, blockiert auch den gewünschten Datenverkehr
-//					file_put_contents(FWFILENAME,'iptables   -A FORWARD --src '.$value['ip'].' -i eth1 -j DROP'. PHP_EOL ,FILE_APPEND);			
+//					file_put_contents(FWFILENAME,'   -A FORWARD --src '.$value['ip'].' -i eth1 -j DROP'. PHP_EOL ,FILE_APPEND);			
 //				}
-//				file_put_contents(FWFILENAME,'iptables  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p tcp --dport  53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND);			
+//				file_put_contents(FWFILENAME,'  -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p tcp --dport  53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND);			
 			} 
 //			$i++;
 		}
 	}
 	public function createhosts($array_pclistgroups){
-		file_put_contents(DNSFILENAME,'iptables -t nat -N OPEN'. PHP_EOL);
+		file_put_contents(DNSFILENAME,' -t nat -N OPEN'. PHP_EOL);
-		file_put_contents(DNSFILENAME,'iptables -t nat -F OPEN'. PHP_EOL ,FILE_APPEND);
+		file_put_contents(DNSFILENAME,' -t nat -F OPEN'. PHP_EOL ,FILE_APPEND);
-		file_put_contents(DNSFILENAME,'iptables -t nat -A OPEN -j ACCEPT'. PHP_EOL ,FILE_APPEND);
+		file_put_contents(DNSFILENAME,' -t nat -A OPEN -j ACCEPT'. PHP_EOL ,FILE_APPEND);
-		file_put_contents(DNSFILENAME,'iptables -t nat -N BLOCK'. PHP_EOL ,FILE_APPEND);
+		file_put_contents(DNSFILENAME,' -t nat -N BLOCK'. PHP_EOL ,FILE_APPEND);
-		file_put_contents(DNSFILENAME,'iptables -t nat -F BLOCK'. PHP_EOL ,FILE_APPEND);
+		file_put_contents(DNSFILENAME,' -t nat -F BLOCK'. PHP_EOL ,FILE_APPEND);
 		foreach($array_pclistgroups as $key =>$value){
 			if($value['open']==='0'){
 			}else if($value['enable']==='1' ||  $value['enable']==='on' ){
-					file_put_contents(DNSFILENAME,'iptables -t nat -A BLOCK -i eth1 -d '.$value['ip'].' -j ACCEPT'. PHP_EOL ,FILE_APPEND);
+					file_put_contents(DNSFILENAME,' -t nat -A BLOCK -i eth1 -d '.$value['ip'].' -j ACCEPT'. PHP_EOL ,FILE_APPEND);
 			} 
 		}
-		file_put_contents(DNSFILENAME,'iptables -t nat -A BLOCK  -i eth1 -m multiport -p tcp --dports  80,443,8080  -j DNAT --to-destination 10.8.11.10'. PHP_EOL ,FILE_APPEND);
+		file_put_contents(DNSFILENAME,' -t nat -A BLOCK  -i eth1 -m multiport -p tcp --dports  80,443,8080  -j DNAT --to-destination 10.8.11.10'. PHP_EOL ,FILE_APPEND);
 	}

--- a/include/configure.php
+++ b/include/configure.php
@@ -7,9 +7,8 @@
 */
 define('DBFILE', 'include/db/nclists.sqlite');
-define('FWFILENAME', 'fw.txt');
+define('FWFILENAME', 'output/hosts_fw.conf');
-define('FW2FILENAME', 'fw.txt');
+define('DNSFILENAME', 'output/domain_fw.conf');
-define('DNSFILENAME', 'hosts.open');
+define('CRONFILENAME', 'output/close_fw_cron.conf');
-define('CRONFILENAME', 'close_fw_cron.conf');
 define('SQLSORT', 'ORDER BY id DESC');
 define('SQLGRPSORT', 'ORDER BY group_id DESC');
--- a/include/install/doc/usr/local/sbin/close_fw_cron.sh
+++ b/include/install/doc/usr/local/sbin/close_fw_cron.sh
 #!/bin/bash
 # Schaut nach, ob neue crontab-Regeln vorhanden sind und führt sie aus 
+# Der Code soll verhindern, dass bei einem gehacktem Webfrontend root anderer Code untergeschoben werden kann.
+# __SEARCH_PATTERN steht für den einzigen erlaubten Befehl in der crontab
+__CLOSE_FW_CON_CONF="output/close_fw_cron.conf"
+__SEARCH_PATTERN="/usr/local/sbin/close_fw.sh"
 PATH=/usr/bin:/bin:/sbin:/usr/sbin
 cd /var/www/ncfilters.gs-ams.local/ncfilters/
-/usr/bin/find .  -mmin -1 -exec /usr/bin/crontab  "close_fw_cron.conf" \;
+__TEMP=$(mktemp)
+/usr/bin/find  $__CLOSE_FW_CON_CONF -mmin -1 -exec /bin/cat $__CLOSE_FW_CON_CONF \;| while read line
+                                                                                        do
+                                                                                                 echo "$line" |grep "$__SEARCH_PATTERN" >> $__TEMP
+                                                                                        done
+crontab $__TEMP
+rm $__TEMP
--- a/include/install/doc/usr/local/sbin/switch_fw.sh
+++ b/include/install/doc/usr/local/sbin/switch_fw.sh
@@ -2,10 +2,26 @@
 # Wenn per Frontend eine neue Domain oder ein PC geändert wird, werden die zwei unten stehenden Dateinen geschrieben.
 # Dieses Script schaut, ob sich die Dateien verändert haben und wenn ja, führt sie aus.
 # Es werden neue iptables Regeln ausgeführt
+# # Der Code soll verhindern, dass bei einem gehacktem Webfrontend root anderer Code untergeschoben werden kann.
 PATH=/usr/bin:/bin:/sbin:/usr/sbin
 cd /var/www/ncfilters.gs-ams.local/ncfilters/
-/usr/bin/find .  -mmin -1 -exec /bin/bash "hosts.open" \;
-/usr/bin/find .  -mmin -1 -exec /bin/bash "fw.txt" \;
+function apply_iptables_rules(){
+        __FILE=$1
+        while read line
+                 do
+                        if [ -n "$line" ]
+                                then
+                                        iptables $line
+                                fi
+                 done < $__FILE
+}
+/usr/bin/find output/hosts_fw.conf  -mmin -1 | apply_iptables_rules output/hosts_fw.conf
+/usr/bin/find output/domain_fw.conf -mmin -1 | apply_iptables_rules output/domain_fw.conf
--- a/output/domain_fw.conf
+++ b/output/domain_fw.conf
+iptables -t nat -N OPEN
+iptables -t nat -F OPEN
+iptables -t nat -A OPEN -j ACCEPT
+iptables -t nat -N BLOCK
+iptables -t nat -F BLOCK
+iptables -t nat -A BLOCK -i eth1 -d 217.13.73.6 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 217.13.73.99 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 217.13.73.99 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 217.13.73.44 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 81.24.75.240 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 88.215.233.20 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 193.96.226.140 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 81.24.75.240 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 91.197.29.51 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 80.237.133.162 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 188.64.58.118 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 78.41.149.100 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 95.143.172.226 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 134.119.130.3 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 149.219.205.67 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 185.30.93.10 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 212.12.48.72 -j ACCEPT
+iptables -t nat -A BLOCK -i eth1 -d 89.146.224.244 -j ACCEPT
+iptables -t nat -A BLOCK  -i eth1 -m multiport -p tcp --dports  80,443,8080  -j DNAT --to-destination 10.8.11.10
--- a/output/hosts_fw.conf
+++ b/output/hosts_fw.conf
+iptables  -t nat -F PREROUTING
+iptables  -F FORWARD
+iptables  -t nat -A PREROUTING --src 10.8.11.101 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.102 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.103 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.104 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.105 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.106 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.107 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.108 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.109 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.111 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.112 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.146 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.141 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.142 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.110 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.126 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.134 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.143 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.144 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.148 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.135 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.149 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.122 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.123 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.120 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.121 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.136 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.137 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.139 -i eth1 -j BLOCK
+iptables  -t nat -A PREROUTING --src 10.8.11.132 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.138 -i eth1 -j OPEN
+iptables  -t nat -A PREROUTING --src 10.8.11.140 -i eth1 -j OPEN