
initial

master
Ralph Rönnquist 3 months ago
commit
3f62bbfb97
6 changed files with 188 additions and 0 deletions
  1. +21
    -0
      README.adoc
  2. +79
    -0
      didaff
  3. +15
    -0
      didaff.conf
  4. BIN
      didaff.psk
  5. +15
    -0
      firewall-cron
  6. +58
    -0
      firewall.sh

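--- a/README.adoc
+++ b/README.adoc
@@ -0,0 +1,21 @@
+= DIDAFF for Devuan
+
+This project holds the implementation of a Distributed Intrusion
+Detection And Firewalling Framework (DIDAFF) on the Devaun
+infrastructure. This infrastructure comprises a small group of
+bare-metal nodes that host a range of virtual machine based services,
+using the "ganeti" VPS platform.
+
+The DIDAFF includes coordinated firewall setup for the nodes based on
+a replicated Baddies Database that is feed from the distributed
+detection sources using a combination of tools such as +fail2ban+,
++sshguard+ and bespoke scripting. All detection sources link up with
+and provide entries for the Baddies Database in their own ways, and
+this is replicated onto the nodes for them to use their replica as
+basis for managing the firewall.
+
+Each node runs a DIDAFF server as well as the firewall cron bot.
+Various virtual machines have detection logic and tells the nodes
+about "baddies" through the DIDAFF API, which uses broadcast on the
+local net.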

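--- a/didaff
+++ b/didaff
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Handle DIDAFF commands
+
+if [ -z "LOCK" ] ; then
+exec flock $0 env LOCK=yes $0 $*
+exit 1
+fi
+
+cd $(dirname $0)
+. ./didaff.conf
+
+usage() {
+cat <<EOF >&2
+Local commands
+add [ <ip> ]* = add baddies
+del [ <ip> ]* = remove baddies
+list = clean database to default period and print it
+clean [ <period> ] = remove baddies older than $period seconds
+server = service the buddy port for remote commands
+
+Remote commands:
+tell add [ <ip> ]*
+tell del [ <ip> ]*
+EOF
+}
+
+############################################################
+clean_baddies() {
+OLD=$(date +"%s-${1-$TIMEOUT}"|bc -l)
+echo "delete from baddies where time<=$OLD;" | sqlite $DB
+}
+
+case "$1" in
+add)
+shift
+TIME=$(date +%s)
+for b in $* ; do
+[ "$b" = "#" ] && break
+echo "insert into baddies values('$b','$TIME');"
+done | sqlite $DB
+;;
+del)
+shift
+B="$(for b in $* ; do printf ",'%s'" $b ; done)"
+echo "delete from baddies where ip in (${B:1});" | sqlite $DB
+;;
+list)
+clean_baddies
+WHAT=who
+[ "$2" = all ] && WHAT=who,time
+echo "select who,time from baddies;" | sqlite -separator ' ' $DB
+;;
+clean)
+clean_baddies $2
+;;
+setup)
+echo "create table baddies(who,time);" | sqlite $DB
+;;
+server)
+socat UDP-RECVFROM:$PORT,fork exec:"$0 read"
+;;
+read)
+D="$(openssl enc -aes-256-ctr -d -pbkdf2 -a -pass file:$PSK)"
+case "${D%% *}" in
+list|add|del)
+eval $0 $D
+;;
+esac
+;;
+tell)
+shift
+echo "$*" | openssl enc -aes-256-ctr -pbkdf2 -a -pass file:$PSK | \
+socat - UDP:$REMOTE:$PORT
+;;
+*)
+usage
+esac
+true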
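Review bot: The lock guard `if [ -z "LOCK" ] ; then` tests the literal string "LOCK" instead of `$LOCK`, so the condition is always false, the flock re-exec never happens, and the socat-forked `read` handlers and the cron job can race on the sqlite database; it should read `if [ -z "$LOCK" ] ; then`. In the `read` arm, `eval $0 $D` hands the decrypted datagram to the shell, and since AES-CTR carries no integrity check, the `list|add|del` prefix test does not keep a tampered or replayed datagram away from eval or from the unquoted `'$b'` SQL interpolation in `add`; replacing eval with a word-split argv (below) and validating each argument as an address before it reaches SQL closes the shell side, while the transport needs an authenticated construction (an HMAC over the ciphertext, or an AEAD mode) to be trustworthy. Two further defects: `del` filters on column `ip` while `setup` creates `baddies(who,time)`, so it should be `where who in`, and in `list` the `WHAT` variable is assigned but never used, so the query always prints both columns (firewall-cron feeds this output to ipset one word at a time).
```shell
read)
D="$(openssl enc -aes-256-ctr -d -pbkdf2 -a -pass file:"$PSK")" || exit 1
# split on whitespace only; datagram content is never eval'd
read -r -a words <<<"$D"
case "${words[0]}" in
list|add|del)
exec "$0" "${words[@]}"
;;
esac
;;
```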

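--- a/didaff.conf
+++ b/didaff.conf
@@ -0,0 +1,15 @@
+# The server to send DIDAP commands to
+REMOTE=192.168.10.7
+
+# The buddy port
+PORT=1025
+
+# The key file for scrambling DIDAP commands
+PSK=buddy.psk
+
+# The local database for tracking baddies
+DB=BADDIES.db
+
+# How long, in seconds, a baddie detail is valid
+TIMEOUT=120
+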
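Review bot: `PSK=buddy.psk` names a key file that is not in this commit, while the key actually committed is `didaff.psk`, so every `openssl enc ... -pass file:$PSK` call in didaff will fail to open the key; either rename the committed file or set `PSK=didaff.psk`. Separately, the pre-shared key is checked into the repository as didaff.psk; a symmetric key shared by every node and detection VM is better generated at deployment time and kept outside version control with mode 0600, and a key that has been committed should be rotated. The comments say `DIDAP` where the rest of the project says DIDAFF, e.g. `# The server to send DIDAFF commands to`. The README describes the API as using broadcast on the local net, yet REMOTE is a unicast address; if that is deliberate, a one-line comment saying so would save the next reader a detour (this is inferred from the README only).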

BIN
didaff.psk View File


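--- a/firewall-cron
+++ b/firewall-cron
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Cron bot script to install baddies into an ipset set
+#
+#
+
+cd $(dirname $0)
+
+. ./firewall.conf
+
+# Ensure the set exist; complain and fail otherwise
+/sbin/ipset list $SET >/dev/null || exit 1
+
+# Update the set from the DIDAFF database
+./didaff list | /usr/bin/xargs -n1 /sbin/ipset add $SET -exist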
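Review bot: `. ./firewall.conf` sources a file that is not part of this commit — the configuration shipped here is firewall.sh — so `SET` stays empty and the `ipset list $SET` check on the next line lists every set instead of failing as the comment promises; either commit a firewall.conf holding the `SET=`/`TIMEOUT=` lines or point the script at the right file. Sourcing firewall.sh as it stands is not a drop-in fix, because it runs `set -x` and a top-level `case "$1"`. The final pipeline also assumes `./didaff list` prints one address per line, but list currently emits `who time` pairs, so `xargs -n1` passes each timestamp to `ipset add` as its own argument; `./didaff list | cut -d' ' -f1 | /usr/bin/xargs -r -n1 /sbin/ipset add "$SET" -exist` (with `-r` skipping the run on empty input) plus `set -o pipefail` would make the consumer robust and the failures visible.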

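--- a/firewall.sh
+++ b/firewall.sh
@@ -0,0 +1,58 @@
+# Firewall configuration
+
+SET=BADDIES
+TIMEOUT=10800 # 3 hours
+
+# How to add the iptables rule(s) using the set
+iptables_add() {
+iptables -I FORWARD -i wanbr -m set --match-set $SET src -j DROP
+}
+
+# How to remove the iptables rule(s) using the set
+iptables_del() {
+iptables -D FORWARD -i wanbr -m set --match-set $SET src -j DROP
+}
+
+# How to add the nominated set with the given default timeout
+ipset_add() {
+ipset create $SET hash:net timeout $TIMEOUT
+}
+
+# How to remove a nominated set
+ipset_del() { # set
+ipset destroy $SET
+}
+
+firewall_enable() {
+ipset_add
+iptables_add
+}
+
+firewall_disable() {
+iptables_del
+ipset_del
+}
+
+cron_enable() {
+cat <<EOF >> /etc/cron.d/firewall
+* * * * * $(dirname $0)/firewall-cron
+EOF
+}
+
+cron_disable() {
+rm -f /etc/cron.d/firewall
+}
+
+set -x
+case "$1" in
+enable)
+ipset_add
+iptables_add
+cron_enable
+;;
+disable)
+cron_disable
+iptables_del
+ipset_del
+;;
+esac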
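Review bot: The line written by `cron_enable`, `* * * * * $(dirname $0)/firewall-cron`, is not a valid /etc/cron.d entry: files under /etc/cron.d take a user field before the command, and `dirname $0` is relative (`.`) when the script is invoked as `./firewall.sh`, so cron would not run the bot even if the line parsed. Because the entry is appended with `>>`, each `enable` also adds another copy of it. Writing the file with an absolute path and a user field, as below, addresses all three. Separately, `set -x` at top level traces every run of the script, and `firewall_enable`/`firewall_disable` are defined but the `enable`/`disable` arms repeat their bodies instead of calling them.
```shell
cron_enable() {
  local here
  here=$(cd "$(dirname "$0")" && pwd) || return 1
  # /etc/cron.d entries need a user field; overwrite so repeated enable does not duplicate the line
  printf '* * * * * root %s/firewall-cron\n' "$here" > /etc/cron.d/firewall
}
```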
