Event Guard remove all instances of a specific IP address
@@ -5,7 +5,7 @@
|
||||
$apps[$x]['uuid'] = 'c5b86612-1514-40cb-8e2c-3f01a8f6f637';
|
||||
$apps[$x]['category'] = 'Switch';
|
||||
$apps[$x]['subcategory'] = 'Security';
|
||||
$apps[$x]['version'] = '2.0';
|
||||
$apps[$x]['version'] = '2.1';
|
||||
$apps[$x]['license'] = 'Mozilla Public License 1.1';
|
||||
$apps[$x]['url'] = 'http://www.fusionpbx.com';
|
||||
$apps[$x]['description']['en-us'] = '';
|
||||
|
||||
@@ -24,6 +24,12 @@ class event_guard_iptables implements event_guard_interface {
|
||||
*/
|
||||
private $firewall_path;
|
||||
|
||||
/**
|
||||
* chains array
|
||||
* @var array
|
||||
*/
|
||||
private $chains;
|
||||
|
||||
/**
|
||||
* called when the object is created
|
||||
*/
|
||||
@@ -37,10 +43,15 @@ class event_guard_iptables implements event_guard_interface {
|
||||
// Set firewall path
|
||||
$this->firewall_path = trim(shell_exec('command -v iptables'));
|
||||
|
||||
// Set grep path
|
||||
$this->grep_path = trim(shell_exec('command -v grep'));
|
||||
|
||||
// Create a chain array
|
||||
$chains[] = 'sip-auth-ip';
|
||||
$chains[] = 'sip-auth-fail';
|
||||
foreach ($chains as $chain) {
|
||||
$this->chains[] = 'sip-auth-ip';
|
||||
$this->chains[] = 'sip-auth-fail';
|
||||
|
||||
// Add the chains to active iptables
|
||||
foreach ($this->chains as $chain) {
|
||||
shell_exec($this->firewall_path.' --new ' . $chain . ' >/dev/null 2>&1 &');
|
||||
shell_exec($this->firewall_path.' -I INPUT -j '.$chain . ' >/dev/null 2>&1 &');
|
||||
}
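Review bot: The constructor now assigns `$this->grep_path` at L83, but the property hunk above declares only `$chains`; unless `$grep_path` is declared elsewhere in the class, this creates a dynamic property, which PHP 8.2 deprecates, so add `private $grep_path;` next to `private $chains;`. If `command -v grep` finds nothing, `$this->grep_path` becomes an empty string and the later pipeline `-S |  <address>` degrades to a shell syntax error with no detectable failure. The chain creation at L114 and the jump insertion at L117 are both backgrounded with `&`, so the insert can race the `--new` and fail with its output discarded; that is pre-existing, but worth dropping the `&` while this loop is being touched. The constructor closes outside the hunk.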
|
||||
@@ -64,7 +75,7 @@ class event_guard_iptables implements event_guard_interface {
|
||||
|
||||
// Run the block command for iptables
|
||||
// Example: iptables -I INPUT -s 127.0.0.1 -j DROP
|
||||
$command = $this->firewall_path.' -I '.$filter.' -s '.$ip_address.' -j DROP';
|
||||
$command = $this->firewall_path . ' -I ' . escapeshellarg($filter) . ' -s ' . $ip_address . ' -j DROP';
|
||||
$result = shell_exec($command);
|
||||
if (!empty($result)) {
|
||||
return false;
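Review bot: `$ip_address` at L137 is still concatenated into the shell command unescaped while the chain name now goes through `escapeshellarg`; the same asymmetry is at L396 (nftables) and L672 (pf). If block_add validates the address with `filter_var(..., FILTER_VALIDATE_IP)` above the hunk as block_delete does, the exposure is contained, but wrapping it too costs nothing: `' -s ' . escapeshellarg($ip_address) . ' -j DROP'`. Note also that `shell_exec` captures only stdout, so the `!empty($result)` check at L143 never sees the iptables error text, which goes to stderr; appending ` 2>&1` to the command makes the failure branch reachable. block_add's signature and opening lines are above the hunk.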
|
||||
@@ -83,21 +94,32 @@ class event_guard_iptables implements event_guard_interface {
|
||||
* @return bool True if the IP address was successfully unblocked, false otherwise.
|
||||
*/
|
||||
public function block_delete(string $ip_address, string $filter) : bool {
|
||||
// Invalid ip address
|
||||
// Invalid IP address
|
||||
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Remove from all chains or a specific one
|
||||
if ($filter == 'all') {
|
||||
$chains = $this->chains;
|
||||
}
|
||||
else {
|
||||
$chains[] = $filter;
|
||||
}
|
||||
|
||||
// Unblock the address
|
||||
$command = $this->firewall_path.' -L '.$filter.' -n --line-numbers | grep "'.$ip_address.' " | cut -d " " -f1';
|
||||
$line_number = trim(shell_exec($command));
|
||||
echo "\n". $command . " line ".__line__."\n";
|
||||
if (is_numeric($line_number)) {
|
||||
//$result = shell_exec('iptables -D INPUT '.$line_number);
|
||||
$command = $this->firewall_path.' -D '.$filter.' '.$line_number;
|
||||
$command = $this->firewall_path.' -S | '. $this->grep_path . ' ' . $ip_address;
|
||||
$result = trim(shell_exec($command));
|
||||
if (!empty($result)) {
|
||||
//remove the IP address from each chain
|
||||
foreach($chains as $chain) {
|
||||
for ($i = 1; $i <= 999; $i++) {
|
||||
$command = $this->firewall_path.' -D '. escapeshellarg($chain) . ' -s ' . $ip_address . ' -j DROP';
|
||||
$result = shell_exec($command);
|
||||
if (!empty($result)) {
|
||||
return false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
echo "Unblock address ".$ip_address ." line ".$line_number." command ".$command." result ".$result."\n";
|
||||
}
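Review bot: The 999-iteration delete loop at L237–L258 never stops early, because `iptables -D` reports a missing rule on stderr while `$result` captures only stdout, so every call runs 999 deletes per chain, and the `return false` fires only if something lands on stdout (the `break` after it is unreachable). The same stdout-only exit condition governs the nftables delete at L499 and the pf delete at L678. Redirect stderr and use the exit status to stop once no matching rule is left, and pass the address through `escapeshellarg` like the chain name; the rewrite below replaces the inner loop. The `echo` at L264 still references `$line_number`, whose assignment this commit removes, so if that line is on the new side it reads an undefined variable and should go along with the other debug output. block_delete's closing brace lies outside the hunk.
```php
// … unchanged: IP validation and chain selection …
foreach ($chains as $chain) {
    for ($i = 1; $i <= 999; $i++) {
        // -D removes one matching rule per call; the exit status, not stdout, says when none is left
        $command = $this->firewall_path . ' -D ' . escapeshellarg($chain) . ' -s ' . escapeshellarg($ip_address) . ' -j DROP 2>&1';
        $output = [];
        exec($command, $output, $exit_code);
        if ($exit_code !== 0) {
            break; // no more rules for this address in this chain
        }
    }
}
// … unchanged: return true …
```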
|
||||
@@ -114,6 +136,11 @@ class event_guard_iptables implements event_guard_interface {
|
||||
* @return bool True if the address is blocked, False otherwise
|
||||
*/
|
||||
public function block_exists(string $ip_address, string $filter) : bool {
|
||||
// Invalid IP address
|
||||
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Determine whether to return true or false
|
||||
// Check to see if the address is blocked
|
||||
$command = $this->firewall_path.' -L -n --line-numbers | grep '.$ip_address;
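Review bot: The `grep '.$ip_address` at L302 treats the address as an unanchored regular expression, so `.` matches any character and 10.0.0.1 also matches 10.0.0.10 or 110.0.0.1, making block_exists report another host's rule as a block on this one. `grep -Fw -- ' . escapeshellarg($ip_address)` matches the literal address as a whole word. The same unanchored match is used at L222, at L457 where it selects the rule handles to delete (so unblocking 10.0.0.1 can remove the rule for 10.0.0.10), and at L554 where the pattern `ip saddr X` has no trailing delimiter either. block_exists continues past the hunk.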
|
||||
|
||||
@@ -24,6 +24,12 @@ class event_guard_nftables implements event_guard_interface {
|
||||
*/
|
||||
private $firewall_path;
|
||||
|
||||
/**
|
||||
* chains array
|
||||
* @var array
|
||||
*/
|
||||
private $chains;
|
||||
|
||||
/**
|
||||
* called when the object is created
|
||||
*/
|
||||
@@ -38,9 +44,9 @@ class event_guard_nftables implements event_guard_interface {
|
||||
$this->firewall_path = trim(shell_exec('command -v nft'));
|
||||
|
||||
// Create a chain array
|
||||
$chains[] = 'sip-auth-ip';
|
||||
$chains[] = 'sip-auth-fail';
|
||||
foreach ($chains as $chain) {
|
||||
$this->chains[] = 'sip-auth-ip';
|
||||
$this->chains[] = 'sip-auth-fail';
|
||||
foreach ($this->chains as $chain) {
|
||||
shell_exec($this->firewall_path.' add chain inet filter ' . $chain . ' { type filter hook input priority -50 \; }'); // >/dev/null 2>&1 &');
|
||||
}
|
||||
}
|
||||
@@ -62,7 +68,7 @@ class event_guard_nftables implements event_guard_interface {
|
||||
|
||||
// Run the block command for nftables
|
||||
// Example: nft add element inet filter sip-auth-ip { 192.168.1.100 }
|
||||
$command = $this->firewall_path.' add rule inet filter '.$filter.' ip saddr '.$ip_address.' counter drop';
|
||||
$command = $this->firewall_path.' add rule inet filter ' . escapeshellarg($filter) . ' ip saddr ' . $ip_address. ' counter drop';
|
||||
$result = shell_exec($command);
|
||||
if (!empty($result) && strlen($result) > 3) {
|
||||
return false;
|
||||
@@ -86,8 +92,19 @@ class event_guard_nftables implements event_guard_interface {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Remove from all chains or a specific one
|
||||
if ($filter == 'all') {
|
||||
$chains = $this->chains;
|
||||
}
|
||||
else {
|
||||
$chains[] = $filter;
|
||||
}
|
||||
|
||||
//remove the IP address from each chain
|
||||
foreach($chains as $chain) {
|
||||
for ($i = 1; $i <= 999; $i++) {
|
||||
// Command used to get the handle
|
||||
$command = $this->firewall_path.' -a list chain inet filter '.$filter.' | grep '.$ip_address;
|
||||
$command = $this->firewall_path.' -a list chain inet filter ' . escapeshellarg($chain) . ' | grep ' . $ip_address;
|
||||
echo $command."\n";
|
||||
$result = trim(shell_exec($command));
|
||||
$rows = explode("\n", $result);
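Review bot: The `echo $command."\n"` at L460 writes the raw firewall command to the service's stdout on every one of up to 999 iterations per chain, and the same debug output is added at L490 and kept at L264; either drop these or route them through the logging the service uses elsewhere rather than printing from the guard class. The `for` loop opened at L448 and the enclosing `foreach` at L445 both close in the next hunk.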
|
||||
@@ -95,12 +112,14 @@ class event_guard_nftables implements event_guard_interface {
|
||||
// Unblock the address
|
||||
foreach ($rows as $row) {
|
||||
$handle = trim(explode("#", $row)[1] ?? '');
|
||||
$command = $this->firewall_path.' delete rule inet filter '.$filter.' '.$handle;
|
||||
echo $command."\n";
|
||||
$command = $this->firewall_path.' delete rule inet filter ' . escapeshellarg($chain) . ' '.$handle;
|
||||
echo "[".$command."]\n";
|
||||
$result = shell_exec($command);
|
||||
}
|
||||
if (!empty($result)) {
|
||||
return false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Return success
|
||||
@@ -115,6 +134,11 @@ class event_guard_nftables implements event_guard_interface {
|
||||
* @return bool True if the address is blocked, False otherwise
|
||||
*/
|
||||
public function block_exists(string $ip_address, string $filter) : bool {
|
||||
// Invalid IP address
|
||||
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Determine whether to return true or false
|
||||
// Check to see if the address is blocked
|
||||
$command = $this->firewall_path.' list chain inet filter input | grep "ip saddr '.$ip_address.'"';
|
||||
|
||||
@@ -24,6 +24,12 @@ class event_guard_pf implements event_guard_interface {
|
||||
*/
|
||||
private $firewall_path;
|
||||
|
||||
/**
|
||||
* filters array
|
||||
* @var array
|
||||
*/
|
||||
private $filters;
|
||||
|
||||
/**
|
||||
* called when the object is created
|
||||
*/
|
||||
@@ -36,6 +42,10 @@ class event_guard_pf implements event_guard_interface {
|
||||
|
||||
// Set firewall path
|
||||
$this->firewall_path = trim(shell_exec('command -v pfctl'));
|
||||
|
||||
// Create a filter array
|
||||
$this->filters[] = 'sip-auth-ip';
|
||||
$this->filters[] = 'sip-auth-fail';
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -80,13 +90,25 @@ class event_guard_pf implements event_guard_interface {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Remove from all chains or a specific one
|
||||
if ($filter == 'all') {
|
||||
$filters[] = $this->filters;
|
||||
}
|
||||
else {
|
||||
$filters[] = $filter;
|
||||
}
|
||||
|
||||
// Unblock the address
|
||||
// Example: pfctl -t sip-auth-ip -T delete 127.0.0.5
|
||||
foreach($filters as $filter) {
|
||||
for ($i = 1; $i <= 999; $i++) {
|
||||
$command = $this->firewall_path.' -t '.$filter.' -T delete '.$ip_address;
|
||||
$result = shell_exec($command);
|
||||
if (!empty($result)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Return success
|
||||
return true;
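Review bot: `$filters[] = $this->filters;` at L643 appends the whole filters array as a single element, so the `foreach` at L666 iterates one element that is itself an array and `' -t '.$filter` becomes `-t Array` (with an "Array to string conversion" warning) — the intended line is `$filters = $this->filters;`, matching the iptables and nftables variants. The loop variable at L666 also shadows the `$filter` parameter; `foreach ($filters as $table)` keeps the two apart. A pf table holds an address once, so a single `-T delete` per table removes it and the 999-iteration loop most likely repeats a no-op; one delete per table checked via exit status seems enough, though pfctl's output handling is not visible here. block_delete's signature and IP check sit above the hunk.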
|
||||
|
||||
@@ -187,10 +187,10 @@ class event_guard_service extends service {
|
||||
$x = 0;
|
||||
foreach($event_guard_logs as $row) {
|
||||
//unblock the ip address
|
||||
$this->block_delete($row['ip_address'], $row['filter']);
|
||||
$this->block_delete($row['ip_address'], 'all');
|
||||
|
||||
//debug info
|
||||
$this->info("unblocked: [ip_address: ".$row['ip_address'].", filter: ".$row['filter'].", to-user: ".$row['extension'].", to-host: ".$row['hostname'].", line: ".__line__);
|
||||
$this->info("unblocked: [ip_address: ".$row['ip_address'].", filter: all, to-user: ".$row['extension'].", to-host: ".$row['hostname'].", line: ".__line__);
|
||||
|
||||
//log the blocked ip address to the database
|
||||
$array['event_guard_logs'][$x]['event_guard_log_uuid'] = $row['event_guard_log_uuid'];
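Review bot: The return value of `block_delete` at L718 is discarded, so the `info` line at L729 reports "unblocked" even when the guard returned false, and the database write that begins at L737 proceeds as if the rules were gone. Checking it, e.g. `if (!$this->block_delete($row['ip_address'], 'all')) { $this->info("unblock failed: [ip_address: ".$row['ip_address']."]"); continue; }`, keeps the log and the record honest; whether skipping the record is the right recovery depends on what follows the hunk. The enclosing `foreach` closes outside the hunk.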
|
||||
|
||||