know-how:firewall

Differences

This view shows the differences between two versions of the page.

know-how:firewall [2020/08/12 14:15] – [rogue client workstation detection] cc | know-how:firewall [2024/02/26 10:31] (current) cc
Line 1: Line 1:
 +~~ODT~~
 FIXME FIXME
 ====== Features ====== ====== Features ======
Line 461: Line 462:
 </code> </code>
 ====== rogue client workstation detection ====== ====== rogue client workstation detection ======
-  * FIXME mit arpalert 
  
  
 +  * Getestet mit Debian 9 - **apt-get install arpalert**
 +
 +  * Es soll eine Mail an root geschickt werden wenn ein unbekannter Client dem System hinzugefügt wird und zusätzlich noch wenn möglich ein Port Scan auf den Client durchgeführt werden
 +
 +
 +  * **grep -v ^# /etc/arpalert/arpalert.conf**
 +
 +<code>
 +maclist file = "/etc/arpalert/maclist.allow"
 +
 +maclist alert file = "/etc/arpalert/maclist.deny"
 +
 +maclist leases file = "/var/lib/arpalert/arpalert.leases"
 +
 +
 +
 +lock file = "/var/run/arpalert.pid"
 +
 +use syslog = true
 +
 +log level = 7
 +
 +user = arpalert
 +
 +umask = 177
 +
 +dump packet = false
 +
 +daemon = false
 +
 +dump inter = 5
 +
 +catch only arp = true
 +
 +interface = "eth1"
 +
 +action on detect = "/usr/local/sbin/notifyArpalert.sh"
 +
 +mod on detect = ""
 +mod config = ""
 +
 +execution timeout = 10
 +
 +max alert = 20
 +
 +dump black list = false
 +dump white list = false
 +dump new address = true
 +
 +mac timeout = 1555200
 +
 +expire authorized mac addresses = false
 +
 +max entry = 1000000
 +
 +anti flood interval = 5  
 +
 +anti flood global = 50
 +
 +mac vendor file = "/etc/arpalert/oui.txt"
 +log mac vendor = true
 +alert mac vendor = true
 +mod mac vendor = true
 +
 +log referenced address = false
 +alert on referenced address = false
 +mod on referenced address = false
 +
 +log deny address = true
 +alert on deny address = true
 +mod on deny address = true
 +
 +log new address = true
 +alert on new address = true
 +mod on new address = true
 +
 +log new mac address = true
 +alert on new mac address = true
 +mod on new mac address = true
 +
 +log ip change = true
 +alert on ip change = false
 +mod on ip change = true
 +
 +log mac change = true
 +alert on mac change = false
 +mod on mac change = true
 +
 +log unauth request = true
 +alert on unauth request = true
 +mod on unauth request = true
 +ignore unknown sender = false
 +ignore me = true
 +ignore self test = true
 +unauth ignore time method = 2
 +
 +log request abus = true
 +alert on request abus = true
 +mod on request abus = true
 +max request = 1000000
 +
 +log mac error = true
 +alert on mac error = true
 +mod on mac error = true
 +
 +log flood = true
 +alert on flood = true
 +mod on flood = true
 +
 +log expire mac address = false
 +alert on expire mac address = false
 +mod on expire mac address = false
 +
 +</code>
 +
 +  * **/usr/local/sbin/notifyArpalert.sh**
 +
 +<code>
 +#!/bin/bash
 +
 +
 +tmp_file=$(mktemp)
 +
 +ip_address="$2"
 +mac_address="$1"
 +params="$3"
 +ethernet_device="$4"
 +alert_type="$5"
 +
 +
 +echo "Possible Intrusion Attempt" > $tmp_file
 +echo "IP Address: $ip_address" >> $tmp_file
 +echo "MAC Address: $mac_address" >> $tmp_file
 +echo "Parameters: $params" >> $tmp_file
 +echo "Alert Type: $alert_type" >> $tmp_file
 +
 +alert_explained=$(cat << EOF
 +Alert Types: \n
 +0: ip change \n
 +1: mac address only detected but not in whithe list \n
 +2: mac address in black list \n
 +3: new mac address \n
 +4: unauthorized arp request \n
 +5: abusive number of arp request detected \n
 +6: ethernet mac address different from arp mac address \n
 +7: global flood detection \n
 +8: new mac adress without ip \n
 +9: mac change \n
 +10: mac expire \n
 +EOF)
 +
 +echo -e $alert_explained >> $tmp_file
 +
 +echo "Nmap Scan: " >> $tmp_file
 +
 +ip route get $ip_address | grep -q eth1
 +
 +( [[ $? == 0 ]] && nmap -Pn $ip_address  >> $tmp_file ) || echo "I'm not performing nmap on $ip_address" >> $tmp_file 
 +
 +
 +cat $tmp_file | mail -s "Possible Break in Attempt " root
 +
 +rm $tmp_file
 +
 +</code>
 +
 +  * ** /etc/arpalert/maclist.allow **
 +
 +<code>
 +#KOMMENTAR GERÄT1
 +11:22:33:44:55:66 IP_GERÄT1 INTERFACE_NETZWERK
 +</code>
 ====== rogue dhcp server detection ====== ====== rogue dhcp server detection ======
 ===== dhcp-probe ===== ===== dhcp-probe =====
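Review bot: `[[ $? == 0 ]] && nmap -Pn $ip_address >> $tmp_file` in notifyArpalert.sh runs the port scan before the mail is sent, while the configuration above sets `execution timeout = 10`, which arpalert documents as the time after which a still-running action script is killed; a default 1000-port scan of a host that drops probes regularly takes longer than ten seconds, in which case `mail` is never reached and the alert is lost. Send the mail first (or raise the timeout) and attach the scan result to a second message. The here-document `alert_explained=$(cat << EOF` is closed with `EOF)` on one line, which is not a valid delimiter line, so bash falls back to end-of-file delimiting and prints a warning; put `EOF` on its own line and the closing parenthesis on the next. All expansions (`$tmp_file`, `$ip_address`, `$alert_explained`) are unquoted and the values come straight off the wire, so quote them. Note also that `alert on ip change = false` and `alert on mac change = false` mean an IP/MAC binding change, the classic spoofing indicator, is only logged and never triggers this script; if that is intentional because of event volume, say so in a comment in the config.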
Line 578: Line 750:
 [Service] [Service]
 Type=simple Type=simple
-ExecStart=/sbin/dhclient -v -d -sf /usr/local/sbin/triggerDHCPLease.sh -cf /usr/local/etc/dhcp-monitoring/dhclient.conf  -lf /bin/true %i+ExecStart=/sbin/dhclient -v -d -sf /usr/local/sbin/triggerDHCPLease.sh -cf /usr/local/etc/dhcp-monitoring/dhclient.conf  -lf /dev/zero %i
 #2020-08-12 cc: ExecStop not defined on purpose #2020-08-12 cc: ExecStop not defined on purpose
 KillSignal=9 KillSignal=9
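Review bot: the old value `-lf /bin/true` was a real defect, not just odd: dhclient appends lease records to the file named by `-lf`, and running as root it would have written into the /bin/true binary, so the change to a device file is correct. `/dev/zero` is an unusual choice though, since dhclient also reads the lease file at start-up and `/dev/null` is the conventional sink for a monitoring-only client that must not persist leases; if `/dev/zero` was picked because dhclient rejected `/dev/null`, record that next to the `ExecStop not defined on purpose` comment so the next editor does not "fix" it back.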
Line 586: Line 758:
 WantedBy=multi-user.target WantedBy=multi-user.target
  
 +</code>
 +
 +  * Für Netzwerinterface **eth1** starten
 +  * **ln -s /lib/systemd/system/dhcp-monitoring\@.service  /etc/systemd/system/multi-user.target.wants/dhcp-monitoring\@eth1.service**
 +
 +<code>
 +ls -al /etc/systemd/system/multi-user.target.wants/dhcp-monitoring\@eth1.service 
 +lrwxrwxrwx 1 root root 44 Aug 12 13:35 /etc/systemd/system/multi-user.target.wants/dhcp-monitoring@eth1.service -> /lib/systemd/system/dhcp-monitoring@.service
 </code> </code>
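Review bot: the instance is enabled with a hand-made `ln -s` into multi-user.target.wants; since the unit already carries `WantedBy=multi-user.target`, `systemctl enable dhcp-monitoring@eth1.service` creates exactly the link shown in the `ls -al` output, keeps systemd's bookkeeping consistent and is reversible with `disable`. The backslash in `dhcp-monitoring\@eth1.service` is unnecessary (`@` is not special to the shell), as the listing line without it confirms.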
  
Line 655: Line 835:
 supersede dhcp-renewal-time 300; supersede dhcp-renewal-time 300;
 </code> </code>
-====== roadworker wake on lan (wol) trigger ======+ 
 + 
 + 
 +====== VPN ====== 
 + 
 +===== roadworker mfa - multiple factor auth ===== 
 +  * Bei **OpenVPN** mit entsprechender Konfiguration wäre sie implizit gegeben wenn zB: ein Zertifikat zur Authentifizierung benutzt wird + Username + Password 
 + 
 + 
 +  * OpenVPN Server - **roadworker-auth.conf**: 
 + 
 +<code> 
 +... 
 +auth-user-pass-verify /etc/openvpn/roadworker-auth/hybrid_auth.sh via-env 
 +script-security 3 
 +... 
 +</code> 
 + 
 +  * **/etc/openvpn/roadworker-auth/hybrid_auth.sh** 
 + 
 +<code> 
 +#!/bin/bash 
 + 
 +function bailout () 
 +
 +  echo $1 
 +  exit 1 
 + 
 +
 + 
 +export username 
 +export password 
 + 
 +#env > /tmp/debug 
 +#echo "u: -$AUTH_USERNAME-" >> /tmp/debug 
 +#echo "p: -$AUTH_PASSWORD-" >> /tmp/debug 
 + 
 +ORIGINAL_PASSWORD="$password" 
 +AUTH_TOTP_SECRET="/etc/openvpn/roadworker-auth/totp/$username" 
 + 
 + 
 +echo $username | grep -P -q "^[A-Za-z0-9\.]+$" 
 + 
 +#2021-09-21 cc: Somehow malformed 
 +[[ $? != 0 ]] && bailout "Username malformed" 
 + 
 + 
 +[[ -f $AUTH_TOTP_SECRET && ${#password} -lt 7 ]] && bailout "TOTP is used but password is too small" 
 + 
 +#2021-09-21 cc: The last 6 digits contain the TOTP string / the rest is the password 
 +[[ -f $AUTH_TOTP_SECRET ]] && password=$(echo ${ORIGINAL_PASSWORD::-6}) 
 + 
 +/etc/openvpn/roadworker-auth/smb_auth.sh 
 + 
 +RET_SMB_AUTH=$? 
 + 
 +[[ ! -f $AUTH_TOTP_SECRET ]] && exit $? 
 + 
 +#echo "smb auth: $RET_SMB_AUTH" > /tmp/smb_auth 
 + 
 +[[ $RET_SMB_AUTH != 0 ]] && bailout "SMB Auth invalid"  
 + 
 + 
 +password=$(echo ${ORIGINAL_PASSWORD: -6}) 
 + 
 +/etc/openvpn/roadworker-auth/totp_auth.sh 
 + 
 +exit $? 
 +</code> 
 + 
 +  * **/etc/openvpn/roadworker-auth/smb_auth.sh** 
 +  *  Gültiger Account check via smb FIXME check username  
 + 
 +<code> 
 +AUTH_USERNAME="$username" 
 +AUTH_PASSWORD="$password" 
 +AUTH_SERVER="SERVER_AUTH" 
 + 
 + 
 +[[ $AUTH_USERNAME == "" || $AUTH_USERNAME == " " ]] &&  AUTH_USERNAME="---" 
 +[[ $AUTH_PASSWORD == "" || $AUTH_USERNAME == " " ]] &&  AUTH_PASSWORD="---" 
 + 
 +#env > /tmp/debug 
 +#echo "u: -$AUTH_USERNAME-" >> /tmp/debug_smb 
 +#echo "p: -$AUTH_PASSWORD-" >> /tmp/debug_smb 
 + 
 +echo $AUTH_PASSWORD | /usr/bin/smbclient -mSMB3 --ip-address=$AUTH_SERVER --list=$AUTH_SERVER --user=$AUTH_USERNAME --timeout=5 &> /dev/null 
 + 
 +exit $? 
 +</code> 
 + 
 +  * **/etc/openvpn/roadworker-auth/totp_auth.sh** 
 +  * TOTP Check mit **oathtool** 
 + 
 +<code> 
 +#!/bin/bash 
 + 
 + 
 +function bailout () 
 +
 +  echo $1 
 +  exit 1 
 + 
 +
 + 
 +AUTH_USERNAME="$username" 
 +AUTH_PASSWORD="$password" 
 +AUTH_TOTP_SECRET="/etc/openvpn/roadworker-auth/totp/$AUTH_USERNAME" 
 + 
 + 
 +[[ $AUTH_USERNAME == "" || $AUTH_USERNAME == " " ]] &&  AUTH_USERNAME="---" 
 +[[ $AUTH_PASSWORD == "" || $AUTH_USERNAME == " " ]] &&  AUTH_PASSWORD="---" 
 + 
 + 
 +echo $AUTH_USERNAME | grep -P -q "^[A-Za-z0-9\.]+$" 
 + 
 +#2021-09-21 cc: Somehow malformed 
 +[[ $? != 0 ]] && bailout "Username malformed" 
 + 
 + 
 +#2021-09-21 cc: Somehow not 6 digits 
 +echo $AUTH_PASSWORD | grep -P -q "^[0-9]{6}$" 
 + 
 +[[ $? != 0 ]] && bailout "Digits malformed" 
 + 
 +#2021-09-21 cc: This is tricky , if there's no secret file - it hasn't been created yet so auth succeeds 
 +[[ ! -f $AUTH_TOTP_SECRET ]] && exit 0 
 + 
 +TOTP_SEED=$(cat $AUTH_TOTP_SECRET) 
 + 
 +DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED) 
 + 
 +#env > /tmp/debug 
 +#echo "u: -$AUTH_USERNAME-" >> /tmp/debug 
 +#echo "p: -$AUTH_PASSWORD-" >> /tmp/debug 
 +#echo "c: -$DIGIT_CODE" >> /tmp/debug 
 + 
 +[[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0 
 + 
 +exit 1 
 +</code> 
 + 
 + 
 +  * Um für bestimmten User **TOTP zu aktivieren** 
 + 
 +<code> 
 +pwgen -0 -s -1 16 > /etc/openvpn/roadworker-auth/totp/username 
 +</code> 
 + 
 +  * Dieser TOTP Seed , der nun unter **/etc/openvpn/roadworker-auth/totp/username** zB: **ABCABCBABCBCDFFG** muss dem entsprechenden User **sicher** übermittelt werden zB: über Signal/Whatsapp - er kann ihn zB: im **Google Authenticator** als eigenen Eintrag hinzufügen 
 + 
 + 
 +  * Variante um bei bestehender zertifikatsbasierender Authentifizierung OTP zu aktivieren: 
 +  * **für bestimmtes Gerät d.h. Zertifikat ** wird es obligatorisch und User können zum Zertifikat spezifiziert werden 
 +  * **/etc/openvpn/roadworker-cert/roadworker-cert.conf** 
 +<code> 
 +... 
 +auth-user-pass-verify /etc/openvpn/roadworker-cert/totp_auth.sh via-env 
 +auth-user-pass-optional 
 +script-security 3 
 +.... 
 +</code> 
 +  * **/etc/openvpn/roadworker-cert/totp_auth.sh** 
 +<code> 
 +#!/bin/bash 
 + 
 + 
 +function bailout () 
 +
 +   echo $1 
 +   echo $1 | logger -t totp  
 +     exit 1 
 + 
 +    } 
 + 
 +    AUTH_USERNAME="$username" 
 +    AUTH_PASSWORD="$password" 
 +    AUTH_COMMON_NAME="$common_name" 
 +    AUTH_TOTP_ROOT_SECRET="/etc/openvpn/roadworker-cert/totp/" 
 +    AUTH_TOTP_SECRET="$AUTH_TOTP_ROOT_SECRET/$AUTH_COMMON_NAME/$AUTH_USERNAME" 
 + 
 +    #2021-10-14 cc: Certificate required 
 +    echo $common_name | grep -P -q "^[A-Za-z0-9\.\-]+$" 
 + 
 +    [[ $? != 0 ]] && bailout "Common certificate Name malformed" 
 + 
 +    #2021-10-14 cc: IF directory with common name does not exist OTP is not activated 
 +    [[ ! -d "$AUTH_TOTP_ROOT_SECRET/$AUTH_COMMON_NAME" ]] && exit 0 
 + 
 + 
 +    echo $AUTH_USERNAME | grep -P -q "^[A-Za-z0-9\.]+$" 
 + 
 +    #2021-09-21 cc: Somehow malformed 
 +    [[ $? != 0 ]] && bailout "Username malformed" 
 + 
 + 
 +    #2021-09-21 cc: Somehow not 6 digits 
 +    echo $AUTH_PASSWORD | grep -P -q "^[0-9]{6}$" 
 + 
 +    [[ $? != 0 ]] && bailout "Digits malformed" 
 + 
 +    #2021-09-21 cc: This is tricky , if there's no secret file - it has been created yet so auth succeeds 
 +    #2021-10-14 cc: If common_name root path exists there must be a file for the user 
 +    [[ ! -f $AUTH_TOTP_SECRET ]] && bailout "TOTP Secret not found - is needed" 
 + 
 +    TOTP_SEED=$(cat $AUTH_TOTP_SECRET) 
 + 
 +    DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED) 
 + 
 +    #env > /tmp/debug 
 +    #echo "u: -$AUTH_USERNAME-" >> /tmp/debug 
 +    #echo "p: -$AUTH_PASSWORD-" >> /tmp/debug 
 +    #echo "c: -$DIGIT_CODE" >> /tmp/debug 
 + 
 +    [[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0 
 + 
 +    exit 1 
 + 
 +</code> 
 +===== roadworker openvpn wake on lan (wol) trigger =====
   * zB: bei Roadworkern die per Remote Desktop auf ihre Bürorechner zugreifen möchten / Die Bürorechner können ruhig heruntergefahren werden / Sobald eine erfolgreiche authentifizierte Verbindung aufgebaut wurde wird wol für den Rechner getriggered   * zB: bei Roadworkern die per Remote Desktop auf ihre Bürorechner zugreifen möchten / Die Bürorechner können ruhig heruntergefahren werden / Sobald eine erfolgreiche authentifizierte Verbindung aufgebaut wurde wird wol für den Rechner getriggered
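Review bot: `[[ ! -f $AUTH_TOTP_SECRET ]] && exit $?` in hybrid_auth.sh is an authentication bypass for every user who has no TOTP file: `$?` is expanded after the `[[ ]]` test has already succeeded, so it is always 0 and the SMB result saved in `RET_SMB_AUTH` two lines earlier is ignored; the line must read `exit $RET_SMB_AUTH`. In both totp_auth.sh variants the seed is handed over on the command line, `oathtool -b --totp $TOTP_SEED`, so any local user can read it from the process list for the duration of the call; mounting /proc with `hidepid=2` on the VPN host, or moving the check into a helper that does not take the seed as an argument, closes that. Smaller points: `[[ $AUTH_PASSWORD == "" || $AUTH_USERNAME == " " ]]` tests the username a second time instead of the password, smb_auth.sh has no `#!/bin/bash` line although it uses `[[`, and the commented `/tmp/debug` lines would write cleartext passwords to a world-readable directory if anyone re-enables them, so drop them rather than keep them as a template.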
  
Line 693: Line 1092:
  
 </code> </code>
 +
 +===== roadworker strongswan ipsec =====
 +  * FIXME Auth über radius server / Trigger bei strongswan für wake on lan 
 +  * Getestet auf: **Ubuntu 18.04**
 +
 +  * **/etc/ipsec.conf**
 +  * Verbindungsparameter wurden speziell auf Windows Rechner ausgerichtet , damit **IPSEC VPN** im Windows automatisch funktioniert - **Achtung** bei Windows wird die Default Route ersetzt , muss sich um ein "Feature" handeln egal ob bei **leftsubnet** nur das Zielnetz spezifiziert wird 
 +  * CA Zertifikat muss für den **Computer** Zertifikatsstore importiert worden sein  und **FQDN** muss matchen bei Verbindungsaufbau mit zB: **vpn.firewall.at**
 +
 +<code>
 +# ipsec.conf - strongSwan IPsec configuration file
 +config setup
 +    #plutostart=no
 +
 +conn %default
 +    keyexchange=ikev2
 +    ike=aes256-sha1-modp1024!
 +    esp=aes256-sha1!
 +    dpdaction=clear
 +    dpddelay=300s
 +    rekey=no
 +
 +conn roadworker 
 +    left=%any
 +    leftsubnet=0.0.0.0/0
 +    leftauth=pubkey
 +    leftcert=vpn.firewall.at.crt
 +    leftid=@vpn.firweall.at
 +    right=%any
 +    rightsourceip=172.16.3.0/24
 +    rightauth=eap-radius
 +    eap_identity=%identity
 +    rightsendcert=never   
 +    auto=add
 +    leftupdown=/usr/local/sbin/wakeup.sh
 +</code>
 +
 +  * wake on lan (wol)  bei erfolgreichem Login: **/usr/local/sbin/wakeup.sh**
 +<code>
 +#!/bin/bash
 +
 +#Debugging: env > /tmp/env_wakeup
 +#PLUTO_XAUTH_ID=ACCOUNTNAME@DOMAIN
 +
 +/usr/sbin/etherwake -i eth1 -b -D MAC_ADDRESS
 +
 +exit 0
 +
 +</code>
 +
 +====== unbound ======
 +  * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt
 +
 +===== internal dns zone =====
 +  * zB: wenn intern ein AD Server benutzt wird für interne Domäne
 +
 +<code>
 +server:
 +..
 +..
 +    #2024-02-11 cc: if pannoniait.intern was used by a e.g. windows ad server
 +    private-domain: pannoniait.intern
 +    domain-insecure: pannoniait.intern
 +..
 +..
 +
 +#2024-02-11 cc: If pannoniait.intern was used e.g. by windows ad server
 +forward-zone:
 +   name: pannoniait.intern
 +   forward-addr: IP_DNS_SERVER
 +
 +</code>
 +
 +===== dns over tls =====
 +  * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw.
 +<code>
 +server:
 +..
 +..
 +    #2024-02-11 cc: The debian place where the bundle can be found
 +    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
 +..
 +..
 +forward-zone:
 +    name: "."
 +    forward-addr: 9.9.9.9@853#dns.quad9.net
 +    forward-addr: 149.112.112.112@853#dns.quad9.net
 +    forward-tls-upstream: yes
 +..
 +..
 +</code>
 +
 +====== Traffic Shaping - tc ======
 +  * FIXME - Großteil "man" Seiten https://wiki.archlinux.org/title/Advanced_traffic_control / https://tldp.org/en/Traffic-Control-HOWTO/ar01s06.html 
 +  * FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches
 +<code>
 +#!/bin/sh -x
 +
 +# Maximum allowed downlink. Set to 90% of the achievable downlink in mbit
 +DOWNLINK=60
 +
 +# Interface facing the Internet
 +EXTDEV=wlp2s0
 +
 +# Load IFB, all other modules all loaded automatically
 +modprobe ifb
 +ip link set dev ifb0 down
 +
 +# Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table
 +tc qdisc del dev $EXTDEV root    2> /dev/null > /dev/null
 +tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null
 +tc qdisc del dev ifb0 root       2> /dev/null > /dev/null
 +tc qdisc del dev ifb0 ingress    2> /dev/null > /dev/null
 +iptables -t mangle -F
 +
 +# appending "stop" (without quotes) after the name of the script stops here.
 +if [ "$1" = "stop" ]
 +then
 +        echo "Shaping removed on $EXTDEV."
 +        exit
 +fi
 +
 +ip link set dev ifb0 up
 +
 +# HTB classes on IFB with rate limiting - default class 3:30 
 +tc qdisc add dev ifb0 root handle 3: htb default 30
 +
 +tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit
 +tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit
 +
 +# Packets marked with "2" on IFB flow through class 3:33
 +tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33
 +
 +# Martin Devera, author of HTB, then recommends SFQ for beneath these classes:
 +tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10
 +tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10
 +
 +#https://speed.hetzner.de/1GB.bin
 +iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2
 +iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
 +
 +
 +
 +# Forward all ingress traffic on internet interface to the IFB device
 +tc qdisc add dev $EXTDEV ingress handle ffff:
 +tc filter add dev $EXTDEV parent ffff: protocol ip \
 +        u32 match u32 0 0 \
 +        action connmark \
 +        action mirred egress redirect dev ifb0 \
 +        flowid ffff:1
 +
 +
 +# Kein markieren mehr der Pakete / iptables fällt weg über ipset 
 +# root@mrWhiteGhost:/home/urnilxfgbez/Desktop# ipset create slowdown hash:ip
 +#root@mrWhiteGhost:/home/urnilxfgbez/Desktop# tc filter add dev ifb0 parent 3:0 protocol ip basic match 'ipset(slowdown src,dst)' flowid 3:33
 +#
 +#
 +#
 +#
 +
 +
 +
 +#root@mrWhiteGhost:/tmp# tc -s class show dev ifb0
 +#class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b 
 +# Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0) 
 +# backlog 0b 0p requeues 0
 +# lended: 20582 borrowed: 0 giants: 0
 +# tokens: -16889 ctokens: -16889
 +#
 +#class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b 
 +# Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0) 
 +# backlog 0b 0p requeues 0
 +# lended: 3364 borrowed: 0 giants: 0
 +# tokens: 3125 ctokens: 3125
 +
 +
 +
 +
 +exit 0
 +</code>
 +
 +
 +
 +====== GeoIP - iptables matches ======
 +  * Getestet mit Debian Buster - **Achtung** hier gibt es keine xtables-addons* Pakete mehr / Sukzessive Wechsel zu **nftables** wird spürbar(er)
 +  * Dafür gibt es die Pakete in Debian Bullseye wieder / Die Pakete für bullseye scheinen auch unter Debian Buster zu laufen (**xtables-addons-common_3.13-1_amd64.deb/xtables-addons-dkms_3.13-1_all.deb** ) FIXME testen,testen,testen
 +
 +  * Grundsätzliches: **iptables -m geoip --help**
 +
 +<code>
 +iptables -m geoip --help
 +iptables v1.8.2
 +
 +Usage: iptables -[ACD] chain rule-specification [options]
 + iptables -I chain [rulenum] rule-specification [options]
 + iptables -R chain rulenum rule-specification [options]
 + iptables -D chain rulenum [options]
 + iptables -[LS] [chain [rulenum]] [options]
 + iptables -[FZ] [chain] [options]
 + iptables -[NX] chain
 + iptables -E old-chain-name new-chain-name
 + iptables -P chain target [options]
 + iptables -h (print this help information)
 +
 +Commands:
 +Either long or short options are allowed.
 +  --append  -A chain Append to chain
 +  --check   -C chain Check for the existence of a rule
 +  --delete  -D chain Delete matching rule from chain
 +  --delete  -D chain rulenum
 + Delete rule rulenum (1 = first) from chain
 +  --insert  -I chain [rulenum]
 + Insert in chain as rulenum (default 1=first)
 +  --replace -R chain rulenum
 + Replace rule rulenum (1 = first) in chain
 +  --list    -L [chain [rulenum]]
 + List the rules in a chain or all chains
 +  --list-rules -S [chain [rulenum]]
 + Print the rules in a chain or all chains
 +  --flush   -F [chain] Delete all rules in  chain or all chains
 +  --zero    -Z [chain [rulenum]]
 + Zero counters in chain or all chains
 +  --new     -N chain Create a new user-defined chain
 +  --delete-chain
 +      -X [chain] Delete a user-defined chain
 +  --policy  -P chain target
 + Change policy on chain to target
 +  --rename-chain
 +      -E old-chain new-chain
 + Change chain name, (moving any references)
 +Options:
 +    --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
 +    --ipv6 -6 Error (line is ignored by iptables-restore)
 +[!] --proto -p proto protocol: by number or name, eg. `tcp'
 +[!] --source -s address[/mask][...]
 + source specification
 +[!] --destination -d address[/mask][...]
 + destination specification
 +[!] --in-interface -i input name[+]
 + network interface name ([+] for wildcard)
 + --jump -j target
 + target for rule (may load target extension)
 +  --goto      -g chain
 +        jump to chain with no return
 +  --match -m match
 + extended match (may load extension)
 +  --numeric -n numeric output of addresses and ports
 +[!] --out-interface -o output name[+]
 + network interface name ([+] for wildcard)
 +  --table -t table table to manipulate (default: `filter')
 +  --verbose -v verbose mode
 +  --wait -w [seconds] maximum wait to acquire xtables lock before give up
 +  --wait-interval -W [usecs] wait time to try to acquire xtables lock
 + default is 1 second
 +  --line-numbers print line numbers when listing
 +  --exact -x expand numbers (display exact values)
 +[!] --fragment -f match second or further fragments only
 +  --modprobe=<command> try to insert modules using this command
 +  --set-counters PKTS BYTES set the counter during insert/append
 +[!] --version -V print package version.
 +
 +geoip match options:
 +[!] --src-cc, --source-country country[,country...]
 + Match packet coming from (one of) the specified country(ies)
 +[!] --dst-cc, --destination-country country[,country...]
 + Match packet going to (one of) the specified country(ies)
 +
 +NOTE: The country is inputed by its ISO3166 code
 +</code>
 +
 +  * Datenbank aktualisieren 1x im Monat **update-geoip.sh**
 +<code>
 +#!/bin/bash
 +
 +DST_TEMP_DB="/tmp/dbip-country-lite.csv.gz"
 +SRC_URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y)-$(date +%m).csv.gz"
 +
 +#Required on Ubuntu 18.04: libtext-csv-xs-perl, libnet-cidr-lite-perl / took xt_geoip_build from ubuntu 20.04
 +XTABLES_BUILD_SCRIPT="/usr/lib/xtables-addons/xt_geoip_build"
 +
 +XTABLES_GEOIP_DIRECTORY="/usr/share/xt_geoip"
 +
 +function bailout
 +{
 + >&2 echo -e "$1"
 + exit 2
 +
 +}
 +
 +[[ -f $DST_TEMP_DB ]] && bailout "FAIL: $DST_TEMP_DB already found aborting"
 +
 +wget -q "$SRC_URL" -O $DST_TEMP_DB || bailout "FAIL: $DST_TEMP_DB cannot be downloaded from $SRC_URL"
 +
 +
 +gunzip -t $DST_TEMP_DB || bailout "FAIL: Gzip Format failure from $SRC_URL"
 +
 +[[ -d "$XTABLES_GEOIP_DIRECTORY" ]] || echo "FAIL: could not find Destination: $XTABLES_GEOIP_DIRECTORY"
 +
 +gunzip -f $DST_TEMP_DB --to-stdout > $XTABLES_GEOIP_DIRECTORY/dbip-country-lite.csv || bailout "FAIL: cannot gunzip file from $SRC_URL"
 +
 +[[ -x $XTABLES_BUILD_SCRIPT  ]] || echo "FAIL: could not find $XTABLES_BUILD_SCRIPT"
 +
 +$XTABLES_BUILD_SCRIPT -D "$XTABLES_GEOIP_DIRECTORY" -S "$XTABLES_GEOIP_DIRECTORY"
 +
 +rm $DST_TEMP_DB
 +
 +exit 0
 +</code>
 +
 +  * **Achtung** **/usr/lib/xtables-addons/xt_geoip_build** stammt aus dem Ubuntu 20.04 Paket von **xtables-addons-common_3.8-2_amd64.deb**
 +
 +  * Nach 20 Minuten Tests mit iptables matches gabs noch keine panic :)
 +
 +<code>
 +   19   976 LOG        all  --  *      *       0.0.0.0/           0.0.0.0/           -m geoip --source-country CN,RS  LOG flags 0 level 4
 +</code>
 +====== GeoIP - map-geoip.sh ======
 +  * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen
 +
 +  * **map-geoip.sh**
 +
 +<code>
 +#!/bin/bash
 +
 +# cmd: foo=$(mmdblookup -f /usr/local/share/ip-db/dbip-country-lite.mmdb  -i 192.168.0.1 country iso_code 2>/dev/null)
 +
 +# https://download.db-ip.com/free/dbip-country-lite-2022-03.mmdb.gz 
 +
 +PATH_LOGS="/var/log/fw.log.1"
 +PATH_GEODB="/usr/local/share/ip-db/dbip-country-lite.mmdb"
 +
 +function bailout
 +{
 +        echo -e "$1" >&2
 + echo -e "\nUsage: $0 [LOGFILE_FIREWALLS]"
 + exit 2
 +
 +
 +}
 +
 +function lookup_geo
 +{
 + mmdblookup -f $PATH_GEODB  -i $1 country iso_code 2>/dev/null | grep -o -P "\"[a-zA-Z]{2}\"" | tr -d "\""
 +
 +}
 +
 +function lookup_ip
 +{
 +    echo $1 | grep -o -P "$2(([0-9]{1,3}\.)){3}[0-9]{1,3}" 
 +
 +
 +}
 +
 +[[ -r $PATH_GEODB ]] || bailout "Cannot read geodb database: $PATH_GEODB"
 +
 +
 +[[ -r "$1" ]] && PATH_LOGS="$1"
 +
 +[[ $1 == "-" ]] && PATH_LOGS="-"
 +
 +
 +[[ -r $PATH_LOGS || $PATH_LOGS == "-"  ]] || bailout "Cannot read path logs: $PATH_LOGS"
 +
 +
 +which mmdblookup >/dev/null || bailout "Cannot find mmdblookup please install\n"
 +
 +IFS=$'\n'
 +
 +while read foo ; 
 +do  
 +        LOG_SUFFIX=""
 + SRC_IP=""
 + DST_IP=""
 +
 + SRC_IP=$(lookup_ip $foo "SRC=" |tr -d "SRC=")
 + DST_IP=$(lookup_ip $foo "DST=" | tr -d "DST=" )
 +       
 + #echo "SRC: $SRC_IP"
 + #echo "DST: $DST_IP"
 +
 + if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ]  
 + then
 + SRC_GEO=$(lookup_geo $SRC_IP)
 + DST_GEO=$(lookup_geo $DST_IP)
 +
 +                [[ -z $SRC_GEO  ]] && SRC_GEO="00"
 + [[ -z $DST_GEO ]] && DST_GEO="00"
 +
 + LOG_SUFFIX="SRC_GEO=$SRC_GEO DST_GEO=$DST_GEO"
 +
 +
 + echo "$foo$LOG_SUFFIX"
 + fi
 +
 +
 +done < <(zcat -f $PATH_LOGS )
 +</code>
 +====== WEB Module ======
 +===== Blocks - Multi - IPSET =====
 +  * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
 +  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
 +  * **Achtung:** Wenn es eine Vielzahl an Sets gibt die mit dnsmasq befüllt werden sollen muss auf die dnsmasq Syntax geachtet werden **ipset=/hostname/set1/set2/set3** und nicht jeweils eine extra Datei für set1, set2, set3 
 +  * **merge-ipsets.sh**
 +
 +<code>
 +#!/bin/bash
 +function bailout
 +{
 +        echo -e "$1" >&2
 +        exit 2
 +
 +}
 +
 +which dnsmasq >/dev/null || bailout "Cannot find dnsmasq binary"
 +
 +
 +LOCATION_DNSMASQS="/etc/dnsmasq.conf /etc/dnsmasq.d/*"
 +TMP_LOCATION=$(mktemp)
 +FINAL_LOCATION="/etc/dnsmasq.d/ipset-master.conf"
 +
 +if [ ! -w $FINAL_LOCATION ] 
 +then
 + rm $TMP_LOCATION
 +
 + bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to "
 +
 +fi
 +
 +
 +grep -h  "^ipset=" $LOCATION_DNSMASQS  | cut -d"/" -f"2" | sort | uniq -c  | while read hosts ; 
 +do 
 + nr_matches=$(echo $hosts | awk '{print $1}')
 + host_entry=$(echo $hosts | awk '{print $2}')
 +
 +        if (($nr_matches > 1 ))  &&  [ -n $host_entry ] ; 
 + then
 +                 build_entry="ipset=/$host_entry"
 +
 + while read found_sets
 + do
 + build_entry+="/$found_sets"
 +
 + done <<< $(grep -h "^ipset=/$host_entry/" $LOCATION_DNSMASQS | cut -d"/" -f 3- | tr "/" "\n" | sort | uniq )
 +
 +
 + echo $build_entry >> $TMP_LOCATION
 +                echo $build_entry
 +
 + fi
 +  
 +
 +
 +done
 +
 +filesize_tmp=$(stat -c %s $TMP_LOCATION)
 +
 +if [ $filesize_tmp == "0" ]
 +then
 +
 +rm $TMP_LOCATION
 +
 +echo "No double ipsets found in $LOCATION_DNSMASQS"
 +
 +exit 0
 +
 +fi
 +
 +
 +
 +
 +
 +cmp -s $TMP_LOCATION $FINAL_LOCATION
 +
 +compare_ret="$?"
 +
 +if [ $compare_ret == "0" ]
 +then
 + rm $TMP_LOCATION
 +        echo "Current ipsets have already been merged"
 + exit 0
 +fi
 +
 +
 +dnsmasq --test --conf-file=$TMP_LOCATION 
 +
 +ipset_tests="$?"
 +if [ $ipset_tests != "0" ]
 +then
 + rm $TMP_LOCATION
 + bailout "FAIL: Malformed config file: $TMP_LOCATION"
 +fi
 +
 +#2022-02-21 cc: Keep Ownership intact
 +cat $TMP_LOCATION > $FINAL_LOCATION
 +
 +rm $TMP_LOCATION
 +
 +systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq"
 +
 +
 +exit 0
 +</code>
 +  * {{ :know-how:ipset-master.zip |}}
 +
 +===== Blocks - IPSET =====
 +  * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
 +  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
 +  * {{ :know-how:blocked-ipset.zip |}}
 +
 +===== Blocks - Hostnamen =====
 +  * In Kombination mit dnsmasq / um quasi "dns Spoofing" zu betreiben d.h. das Resolving zu überschreiben für bestimmte Hostnamen
 +  * www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart
 +  * {{ :know-how:blocked-addresses.zip |}}
 +===== Proxy =====
 +  * Um squid proxy ACLs zu bearbeiten
 +  * Achtung www-data braucht sudo Rechte für parse / reload
 +  * zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/squid3 -k reconfigure, /usr/sbin/squid3 -k parse
 +  * {{ :know-how:proxy.zip |}}
 +===== Authorizer =====
 +  * Um nach erfolgter Authentifizierung IP/MACs in ipset einzutragen
 +  * {{ :know-how:authorizer.tar.gz |}}
  
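Review bot: `leftid=@vpn.firweall.at` in /etc/ipsec.conf does not match `leftcert=vpn.firewall.at.crt` or the `vpn.firewall.at` FQDN the text says must match; strongSwan requires leftid to be confirmed by leftcert, so the typo breaks the roadworker connection until it reads `leftid=@vpn.firewall.at`. `ike=aes256-sha1-modp1024!` pins DH group 2 and SHA-1 with the strict `!`; the text says the proposal was tailored to Windows, so verify whether the clients also offer modp2048 and sha256 before keeping it that strict. `/usr/local/sbin/wakeup.sh` is called by `leftupdown` for every event without looking at `$PLUTO_VERB`, so etherwake also fires on `down-client`; guard it with a case on `up-client`. In update-geoip.sh the checks `[[ -d "$XTABLES_GEOIP_DIRECTORY" ]] || echo "FAIL: ..."` and `[[ -x $XTABLES_BUILD_SCRIPT ]] || echo "FAIL: ..."` only print and continue, so a missing build script leaves the old database in place while the script still exits 0; call `bailout` as the other checks do. In the tc script both classes are created with `parent 3:3`, a class that is never defined, so the kernel attaches them at the root (the `class htb 3:33 root` in the pasted `tc -s class show` output confirms it), and `DOWNLINK=60` is defined but never used.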
know-how/firewall.1597234549.txt.gz · Last modified: 2020/08/12 14:15 by cc