Commit 111322d9 by netz.coop eG

Sicherheit: Shellbefehle, die durch root per cron ausgeführt werden, werden vorgefiltert.

1 parent a29e6770
...@@ -44,46 +44,46 @@ class Sytemoutput { ...@@ -44,46 +44,46 @@ class Sytemoutput {
public function createfw($array_pclistgroups){ public function createfw($array_pclistgroups){
$i=0; $i=0;
file_put_contents(FWFILENAME, PHP_EOL); file_put_contents(FWFILENAME, PHP_EOL);
file_put_contents(FWFILENAME,'iptables -t nat -F PREROUTING'. PHP_EOL); file_put_contents(FWFILENAME,' -t nat -F PREROUTING'. PHP_EOL);
file_put_contents(FWFILENAME,'iptables -F FORWARD'. PHP_EOL ,FILE_APPEND); file_put_contents(FWFILENAME,' -F FORWARD'. PHP_EOL ,FILE_APPEND);
foreach($array_pclistgroups as $key =>$value){ foreach($array_pclistgroups as $key =>$value){
if($value['open']==='1'){ if($value['open']==='1'){
// file_put_contents(FWFILENAME,''.$value['ip'].'\n',FILE_APPEND); // file_put_contents(FWFILENAME,''.$value['ip'].'\n',FILE_APPEND);
file_put_contents(FWFILENAME,'iptables -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j OPEN'. PHP_EOL ,FILE_APPEND); file_put_contents(FWFILENAME,' -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j OPEN'. PHP_EOL ,FILE_APPEND);
}else if($value['open']==='0' || $value['open']==='off' ){ }else if($value['open']==='0' || $value['open']==='off' ){
// by Heiko }else if($value['open']==='1' || $value['open']==='on' ){ // by Heiko }else if($value['open']==='1' || $value['open']==='on' ){
// if($i===0){ // if($i===0){
// file_put_contents(FWFILENAME,'iptables -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p udp --dport 53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND); // file_put_contents(FWFILENAME,' -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p udp --dport 53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND);
// }else{ // }else{
file_put_contents(FWFILENAME,'iptables -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j BLOCK'. PHP_EOL ,FILE_APPEND); file_put_contents(FWFILENAME,' -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -j BLOCK'. PHP_EOL ,FILE_APPEND);
// schlechte Idee, blockiert auch den gewünschten Datenverkehr // schlechte Idee, blockiert auch den gewünschten Datenverkehr
// file_put_contents(FWFILENAME,'iptables -A FORWARD --src '.$value['ip'].' -i eth1 -j DROP'. PHP_EOL ,FILE_APPEND); // file_put_contents(FWFILENAME,' -A FORWARD --src '.$value['ip'].' -i eth1 -j DROP'. PHP_EOL ,FILE_APPEND);
// } // }
// file_put_contents(FWFILENAME,'iptables -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p tcp --dport 53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND); // file_put_contents(FWFILENAME,' -t nat -A PREROUTING --src '.$value['ip'].' -i eth1 -p tcp --dport 53 -j REDIRECT --to-port 5335 '. PHP_EOL ,FILE_APPEND);
} }
// $i++; // $i++;
} }
} }
public function createhosts($array_pclistgroups){ public function createhosts($array_pclistgroups){
file_put_contents(DNSFILENAME,'iptables -t nat -N OPEN'. PHP_EOL); file_put_contents(DNSFILENAME,' -t nat -N OPEN'. PHP_EOL);
file_put_contents(DNSFILENAME,'iptables -t nat -F OPEN'. PHP_EOL ,FILE_APPEND); file_put_contents(DNSFILENAME,' -t nat -F OPEN'. PHP_EOL ,FILE_APPEND);
file_put_contents(DNSFILENAME,'iptables -t nat -A OPEN -j ACCEPT'. PHP_EOL ,FILE_APPEND); file_put_contents(DNSFILENAME,' -t nat -A OPEN -j ACCEPT'. PHP_EOL ,FILE_APPEND);
file_put_contents(DNSFILENAME,'iptables -t nat -N BLOCK'. PHP_EOL ,FILE_APPEND); file_put_contents(DNSFILENAME,' -t nat -N BLOCK'. PHP_EOL ,FILE_APPEND);
file_put_contents(DNSFILENAME,'iptables -t nat -F BLOCK'. PHP_EOL ,FILE_APPEND); file_put_contents(DNSFILENAME,' -t nat -F BLOCK'. PHP_EOL ,FILE_APPEND);
foreach($array_pclistgroups as $key =>$value){ foreach($array_pclistgroups as $key =>$value){
if($value['open']==='0'){ if($value['open']==='0'){
}else if($value['enable']==='1' || $value['enable']==='on' ){ }else if($value['enable']==='1' || $value['enable']==='on' ){
file_put_contents(DNSFILENAME,'iptables -t nat -A BLOCK -i eth1 -d '.$value['ip'].' -j ACCEPT'. PHP_EOL ,FILE_APPEND); file_put_contents(DNSFILENAME,' -t nat -A BLOCK -i eth1 -d '.$value['ip'].' -j ACCEPT'. PHP_EOL ,FILE_APPEND);
} }
} }
file_put_contents(DNSFILENAME,'iptables -t nat -A BLOCK -i eth1 -m multiport -p tcp --dports 80,443,8080 -j DNAT --to-destination 10.8.11.10'. PHP_EOL ,FILE_APPEND); file_put_contents(DNSFILENAME,' -t nat -A BLOCK -i eth1 -m multiport -p tcp --dports 80,443,8080 -j DNAT --to-destination 10.8.11.10'. PHP_EOL ,FILE_APPEND);
} }
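Review bot: `$value['ip']` is written into the rule line unvalidated at all three writes that use it (the OPEN and BLOCK lines in createfw and the ACCEPT line in createhosts), and that value later becomes root-executed iptables arguments, so the prefilter this commit introduces only narrows a compromised frontend down to "any iptables invocation" unless the address is also checked here. Guard each of those writes with `if (filter_var($value['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) { continue; }` so anything that is not a bare IPv4 address never reaches the output file. The leading `file_put_contents(FWFILENAME, PHP_EOL)` in createfw is overwritten by the very next call, which has no FILE_APPEND, so it can be dropped; `$i` is likewise dead. The `Sytemoutput` class starts before this hunk.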
...@@ -7,9 +7,8 @@ ...@@ -7,9 +7,8 @@
*/ */
define('DBFILE', 'include/db/nclists.sqlite'); define('DBFILE', 'include/db/nclists.sqlite');
define('FWFILENAME', 'fw.txt'); define('FWFILENAME', 'output/hosts_fw.conf');
define('FW2FILENAME', 'fw.txt'); define('DNSFILENAME', 'output/domain_fw.conf');
define('DNSFILENAME', 'hosts.open'); define('CRONFILENAME', 'output/close_fw_cron.conf');
define('CRONFILENAME', 'close_fw_cron.conf');
define('SQLSORT', 'ORDER BY id DESC'); define('SQLSORT', 'ORDER BY id DESC');
define('SQLGRPSORT', 'ORDER BY group_id DESC'); define('SQLGRPSORT', 'ORDER BY group_id DESC');
#!/bin/bash #!/bin/bash
# Schaut nach, ob neue crontab-Regeln vorhanden sind und führt sie aus # Schaut nach, ob neue crontab-Regeln vorhanden sind und führt sie aus
# Der Code soll verhindern, dass bei einem gehacktem Webfrontend root anderer Code untergeschoben werden kann.
# __SEARCH_PATTERN steht für den einzigen erlaubten Befehl in der crontab
__CLOSE_FW_CON_CONF="output/close_fw_cron.conf"
__SEARCH_PATTERN="/usr/local/sbin/close_fw.sh"
PATH=/usr/bin:/bin:/sbin:/usr/sbin PATH=/usr/bin:/bin:/sbin:/usr/sbin
cd /var/www/ncfilters.gs-ams.local/ncfilters/ cd /var/www/ncfilters.gs-ams.local/ncfilters/
/usr/bin/find . -mmin -1 -exec /usr/bin/crontab "close_fw_cron.conf" \;
__TEMP=$(mktemp)
/usr/bin/find $__CLOSE_FW_CON_CONF -mmin -1 -exec /bin/cat $__CLOSE_FW_CON_CONF \;| while read line
do
echo "$line" |grep "$__SEARCH_PATTERN" >> $__TEMP
done
crontab $__TEMP
rm $__TEMP
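Review bot: The allowlist in the loop is a substring match (`grep "$__SEARCH_PATTERN"`), so any crontab line that merely contains `/usr/local/sbin/close_fw.sh` somewhere passes, including lines that run something else before or after it, which is exactly what the comment on the script says it should prevent; match the whole line instead (five schedule fields, then exactly the permitted command, anchored, with the dot escaped). Separately, when `output/close_fw_cron.conf` was not modified in the last minute the loop writes nothing and `crontab $__TEMP` installs an empty file, which replaces root's whole crontab with nothing — the previous `find … -exec crontab` only ran when something had changed, so this is a regression; install only when the temp file is non-empty and remove it on every exit path. The unquoted `$__TEMP`/`$__CLOSE_FW_CON_CONF` and the failure of `cd` are not checked either; the sketch below covers all of this.

```shell
__SEARCH_PATTERN='/usr/local/sbin/close_fw\.sh'
PATH=/usr/bin:/bin:/sbin:/usr/sbin
cd /var/www/ncfilters.gs-ams.local/ncfilters/ || exit 1
__TEMP=$(mktemp)
trap 'rm -f "$__TEMP"' EXIT
# whole-line allowlist: five schedule fields, then exactly the permitted command
__LINE_RE="^([0-9*,/-]+[[:space:]]+){5}${__SEARCH_PATTERN}\$"
/usr/bin/find "$__CLOSE_FW_CON_CONF" -mmin -1 -exec /bin/cat {} \; | grep -E "$__LINE_RE" > "$__TEMP"
if [ -s "$__TEMP" ]
then
    crontab "$__TEMP"
fi
```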
...@@ -2,10 +2,26 @@ ...@@ -2,10 +2,26 @@
# Wenn per Frontend eine neue Domain oder ein PC geändert wird, werden die zwei unten stehenden Dateinen geschrieben. # Wenn per Frontend eine neue Domain oder ein PC geändert wird, werden die zwei unten stehenden Dateinen geschrieben.
# Dieses Script schaut, ob sich die Dateien verändert haben und wenn ja, führt sie aus. # Dieses Script schaut, ob sich die Dateien verändert haben und wenn ja, führt sie aus.
# Es werden neue iptables Regeln ausgeführt # Es werden neue iptables Regeln ausgeführt
# # Der Code soll verhindern, dass bei einem gehacktem Webfrontend root anderer Code untergeschoben werden kann.
PATH=/usr/bin:/bin:/sbin:/usr/sbin PATH=/usr/bin:/bin:/sbin:/usr/sbin
cd /var/www/ncfilters.gs-ams.local/ncfilters/ cd /var/www/ncfilters.gs-ams.local/ncfilters/
/usr/bin/find . -mmin -1 -exec /bin/bash "hosts.open" \;
/usr/bin/find . -mmin -1 -exec /bin/bash "fw.txt" \;
function apply_iptables_rules(){
__FILE=$1
while read line
do
if [ -n "$line" ]
then
iptables $line
fi
done < $__FILE
}
/usr/bin/find output/hosts_fw.conf -mmin -1 | apply_iptables_rules output/hosts_fw.conf
/usr/bin/find output/domain_fw.conf -mmin -1 | apply_iptables_rules output/domain_fw.conf
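Review bot: The pipe from `find` into `apply_iptables_rules` is discarded: the function reads only `$__FILE` and never its stdin, so both calls run every minute whether or not the file changed and the `-mmin -1` check has no effect; test the find result instead, e.g. `[ -n "$(/usr/bin/find output/hosts_fw.conf -mmin -1)" ] && apply_iptables_rules output/hosts_fw.conf`. Restricting the executable to `iptables` still lets whoever controls the file choose every argument, so the function should accept only the rule shapes the PHP generator emits and skip everything else; the sketch below does that with one anchored pattern, disables globbing around the intentionally unquoted `$line`, and uses `read -r` (the generator's lines begin with a blank, which the default `read` trims). The committed output/domain_fw.conf and output/hosts_fw.conf further down this page still carry the `iptables` prefix the generator no longer writes, so as committed they would invoke `iptables iptables …`; they look like stale artefacts that need regenerating.

```shell
function apply_iptables_rules(){
__FILE=$1
# only the rule shapes the PHP generator writes are accepted; anything else is reported and skipped
__IP='([0-9]{1,3}\.){3}[0-9]{1,3}'
__RULE_RE="^(-t nat -F PREROUTING|-F FORWARD|-t nat -[NF] (OPEN|BLOCK)|-t nat -A OPEN -j ACCEPT|-t nat -A PREROUTING --src ${__IP} -i eth1 -j (OPEN|BLOCK)|-t nat -A BLOCK -i eth1 -d ${__IP} -j ACCEPT|-t nat -A BLOCK -i eth1 -m multiport -p tcp --dports 80,443,8080 -j DNAT --to-destination ${__IP})\$"
while read -r line
do
    if [ -z "$line" ]
    then
        continue
    fi
    if printf '%s\n' "$line" | grep -Eq "$__RULE_RE"
    then
        set -f
        iptables $line
        set +f
    else
        echo "apply_iptables_rules: rejected line in $__FILE: $line" >&2
    fi
done < "$__FILE"
}
[ -n "$(/usr/bin/find output/hosts_fw.conf -mmin -1)" ] && apply_iptables_rules output/hosts_fw.conf
[ -n "$(/usr/bin/find output/domain_fw.conf -mmin -1)" ] && apply_iptables_rules output/domain_fw.conf
```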
iptables -t nat -N OPEN
iptables -t nat -F OPEN
iptables -t nat -A OPEN -j ACCEPT
iptables -t nat -N BLOCK
iptables -t nat -F BLOCK
iptables -t nat -A BLOCK -i eth1 -d 217.13.73.6 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 217.13.73.99 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 217.13.73.99 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 217.13.73.44 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 81.24.75.240 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 88.215.233.20 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 193.96.226.140 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 81.24.75.240 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 91.197.29.51 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 80.237.133.162 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 188.64.58.118 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 78.41.149.100 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 95.143.172.226 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 134.119.130.3 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 149.219.205.67 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 185.30.93.10 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 212.12.48.72 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -d 89.146.224.244 -j ACCEPT
iptables -t nat -A BLOCK -i eth1 -m multiport -p tcp --dports 80,443,8080 -j DNAT --to-destination 10.8.11.10
iptables -t nat -F PREROUTING
iptables -F FORWARD
iptables -t nat -A PREROUTING --src 10.8.11.101 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.102 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.103 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.104 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.105 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.106 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.107 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.108 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.109 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.111 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.112 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.146 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.141 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.142 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.110 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.126 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.134 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.143 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.144 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.148 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.135 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.149 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.122 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.123 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.120 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.121 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.136 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.137 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.139 -i eth1 -j BLOCK
iptables -t nat -A PREROUTING --src 10.8.11.132 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.138 -i eth1 -j OPEN
iptables -t nat -A PREROUTING --src 10.8.11.140 -i eth1 -j OPEN