Added a simple whitelist script

firewall/Makefile

@@ -16,7 +16,13 @@ clean:
 	if [ -d ./man ] ; then rm -rf ./man ; fi
 	if [ -d ./i ] ; then rm -rf ./i ; fi
 
-manpage: ./bin/firewall
+
+man/%.man: ./bin/%
+	[ -d man ] || mkdir man
+	RUBYLIB=./lib $<  --help | sed -e 's/^=\+$$//' | txt2man -s 1 -t $(notdir $<) | sed -e 's/\\\\fB/\\fB/' > $@
+
+
+manpage: ./bin/firewall man/firewall-whitelist.man
 	if ! [ -d ./man ] ; then mkdir ./man ; fi
 	pod2man ./bin/firewall > ./man/firewall.1
 	pod2man ./bin/firewall-logtail > ./man/firewall-logtail.1

firewall/bin/firewall-whitelist

+#!/usr/bin/ruby
+# 
+# NAME
+#
+#   firewall-whitelist -- Automatically whitelist IP addresses.
+#
+# SYNOPSIS
+#
+#  Help Options:
+#
+#   --help        Show the help information for this script.
+#   --verbose     Show debugging information.
+#
+# This script is designed to automatically whitelist IP addresses which
+# have been used to successfully login via SSH.
+#
+# It does this by parsing the output of the "last" command, and creating
+# entries in /etc/symbiosis/firewall/whitelist.d/
+#
+# AUTHOR
+#
+#   Steve Kemp <steve@bytemark.co.uk>
+#
+
+#
+#  Modules we require
+#
+
+require 'getoptlong'
+require 'ipaddr'
+
+opts = GetoptLong.new(
+    [ '--help',    '-h', GetoptLong::NO_ARGUMENT ],
+    [ '--verbose', '-v', GetoptLong::NO_ARGUMENT ]
+)
+
+
+help = false
+$VERBOSE = false
+show_all = false
+
+opts.each do |opt,arg|
+  case opt
+    when '--help'
+      help = true
+    when '--verbose'
+      $VERBOSE = true
+    when '--show-all'
+      show_all = true
+  end
+end
+
+#
+# CAUTION! Here be quality kode.
+#
+if help
+  # Open the file, stripping the shebang line
+  lines = File.open(__FILE__){|fh| fh.readlines}[2..-1]
+
+  lines.each do |line|
+    line.chomp!
+    break if line.empty?
+    puts line[2..-1].to_s
+  end
+
+  exit 0
+end
+
+ip_addresses = {}
+
+
+#
+#  Run last to find the IPs, store unique ones in a hash.
+#
+IO.popen("/usr/bin/last -i") {|pipe| pipe.readlines}.each do |l|
+  next unless l =~ /[ \t]((\d{1,3}\.){3,3}\d{1,3}|[0-9a-f:]+)[ \t]/ 
+  ip_addresses[ $1 ] = 1
+end
+
+
+#
+#  Did we update?
+#
+updated=false
+
+#
+#  Iterate over each IP
+#
+ip_addresses.each_key do |ip|
+  if ( ( ip =~ /^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$/ ) &&
+       ( ip !~ /^(127|0)\./ ) )
+
+    puts "Found IP address: #{ip}" if ( $VERBOSE )
+
+    if ( File.exists?( "/etc/symbiosis/firewall/whitelist.d/#{ip}" ) )
+      puts "\tAlready whitelisted" if ( $VERBOSE )
+    else
+      # ensure the direcotry exists.
+      if ( ! File.directory?( "/etc/symbiosis/firewall/whitelist.d" ) )
+        system( "mkdir -p /etc/symbiosis/firewall/whitelist.d" )
+      end
+
+      # create the file
+      system( "touch /etc/symbiosis/firewall/whitelist.d/#{ip}" )
+
+      updated=true
+      puts "\tAdding to whitelist" if ( $VERBOSE )
+    end
+  end
+end
+
+
+
+#
+#  Finally re-run the firewall if we updated
+#
+if ( updated )
+
+  puts "Updated whitelist, re-running firewall" if ( $VERBOSE )
+
+  system( "/usr/bin/firewall" )
+end

firewall/debian/control

@@ -3,12 +3,12 @@ Section: net
 Priority: extra
 Maintainer: Steve Kemp <steve@bytemark.co.uk>
 Uploaders: Patrick J Cherry <patch@bytemark.co.uk>
-Build-Depends: debhelper (>= 7.0.0), cdbs
+Build-Depends: debhelper (>= 7.0.0), cdbs, txt2man
 Standards-Version: 3.8.0
 
 Package: symbiosis-firewall
 Architecture: all
-Depends: iptables, dnsutils, iproute, ${misc:Depends}
+Depends: iptables, dnsutils, iproute, ruby
 Replaces: bytemark-vhost-ssh-protection, bytemark-vhost-firewall
 Conflicts: bytemark-vhost-firewall, bytemark-vhost-ssh-protection (<< 20081110153344)
 Suggests: libnet-dns-perl

firewall/debian/manpages

 man/firewall.1
 man/firewall-blacklist.1
 man/firewall-logtail.1
+man/firewall-whitelist.man
\ No newline at end of file

firewall/debian/symbiosis-firewall.cron.d

@@ -10,6 +10,12 @@
 
 */15 * * * * root [ -x /usr/bin/firewall-blacklist ] && /usr/bin/firewall-blacklist
 
+#
+#  Whitelist valid IP addresses every hour, but outside the scope of the
+# firewall test.
+#
+30   * * * * root [ -x /usr/bin/firewall-whitelist ] && /usr/bin/firewall-whitelist
+
 
 #
 # Check the firewall works every hour.