Ian Eiloart / Sympl / Commits

Commit 8a2baba0, authored Jul 18, 2019 by Paul Cammish

Merge branch 'buster-testing' into 'buster'

buster-testing -> buster See merge request sympl/sympl!108

Parents: 564f41f5, ca259cb7

Changes: 2 files
firewall/debian/changelog
sympl-firewall (10.0.190718.0) stable; urgency=medium
* Updated sympl-firewall-whitelist to more sane defaults.
* Now only allows SSH for a week.
* Only whitelists an IPv6 address at /128 rather than /64.
-- Paul Cammish <sympl@kelduum.net> Thu, 18 Jul 2019 12:57:00 +0100
sympl-firewall (10.0.190621.0) stable; urgency=medium
* Created Sympl v10.0 (Debian Buster)
...
...
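Review bot: the second changelog bullet, "Now only allows SSH for a week", folds two separate behaviour changes into one line: whitelist entries now open only port 22 instead of all ports (the `value = "all"` to `value = "22"` change in sympl-firewall-whitelist), and the default expiry drops from 8 to 7 days. Splitting these into two bullets, and stating that hosts whitelisted by earlier versions lose their all-ports entry once it expires, would make the upgrade impact clearer to an admin reading the changelog.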
firewall/sbin/sympl-firewall-whitelist
...
...
@@ -21,7 +21,7 @@
# -d, --no-delete Do not delete the generated script.
#
# -e, --expire-after <n> Number of days after which whitelisted IPs should be
# expired. Defaults to
8
.
# expired. Defaults to
7
.
#
# -w, --wtmp-file <file> wtmp(5) file to read to find IPs to whitelist.
# Defaults to /var/log/wtmp.
...
...
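Review bot: the default quoted in this help text is maintained by hand separately from `expire_after = 7` further down, which is why this commit has to touch both places. Interpolating the variable into the help string, or defining the default once and referencing it from the usage output, would stop the documentation and the code from drifting apart in future edits.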
@@ -32,15 +32,15 @@
#
# USAGE
#
# This script is designed to automatically whitelist IP addresses which
# have been used to successfully login
via SSH
.
# This script is designed to automatically whitelist IP addresses
for SSH
which
# have been used to successfully log
in
already
.
#
# It does this by opening the wtmp file, and looking for IP addresses. Once it
# has found some, it records them in /etc/sympl/firewall/whitelist.d/.
# Each addition is one of the two forms:
#
# 1.2.3.4.auto The IPv4 address 1.2.3.4
# 2001:123:456:789::
|64
.auto The IPv6
range
2001:123:456:789::
/64
# 2001:123:456:789::
1
.auto
The IPv6
address
2001:123:456:789::
1
#
# Once that directory has been written, sympl-firewall(1) is called with
# the reload-whitelist action.
...
...
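Review bot: the example list still documents `2001:123:456:789::|64.auto` as "The IPv6 range", but with IPv6 addresses now masked to /128 the script no longer writes /64 entries, so that example describes output the current code does not produce. Either drop the /64 form or note that it only appears for entries written by older versions, and keep the single-address `2001:123:456:789::1.auto` form as the documented current behaviour.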
@@ -72,7 +72,7 @@ wtmp_file = "/var/log/wtmp"
delete
=
true
execute
=
true
force
=
false
expire_after
=
8
expire_after
=
7
opts
=
GetoptLong
.
new
(
[
'--help'
,
'-h'
,
GetoptLong
::
NO_ARGUMENT
],
...
...
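Review bot: `expire_after = 7` is a bare integer with no unit at the point of definition; since the option help describes it as "Number of days", a short comment such as `# days` beside the default would keep that obvious the next time the value is edited. It is also worth saying in the changelog that entries written under the previous 8-day default will expire a day earlier on the first run after upgrade.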
@@ -254,9 +254,9 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
end
#
# Mask IPv6 to /
64
s.
# Mask IPv6 to /
128
s.
#
ip
=
ip
.
mask
(
64
)
if
ip
.
ipv6?
ip
=
ip
.
mask
(
128
)
if
ip
.
ipv6?
#
# Mask IPv4 to /32s.
...
...
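Review bot: `ip = ip.mask(128) if ip.ipv6?` is effectively a no-op, since masking an IPv6 address to /128 leaves it unchanged (assuming IPAddr-style masking), so the line now exists only to mirror the "Mask IPv4 to /32s" line below; either drop it or reword the comment to say the address is deliberately kept whole. The tightening itself is the right direction: a successful login no longer opens the firewall to the entire /64 the client sits in, at the cost that a client whose address moves within that /64 has to log in again to be re-whitelisted, which the 7-day expiry already assumes.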
@@ -289,7 +289,7 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
puts
"
\t
Adding whitelist entry"
if
$VERBOSELOCAL
syslog
.
info
(
"adding
#{
ip
}
to whitelist"
)
value
=
"
all
"
value
=
"
22
"
elsif
last_run
.
nil?
or
at
>
last_run
puts
"
\t
Updating whitelist entry"
if
$VERBOSELOCAL
...
...
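Review bot: `value = "22"` hardcodes the SSH port, so on a host where sshd listens elsewhere the new entry would open a port the client is not using while the login it was derived from stays uncovered; reading the port from the sshd configuration or accepting a `--port` option would keep the entry tied to what the script actually observed. The `elsif last_run.nil? or at > last_run` branch that updates existing entries is not shown in this hunk: please confirm it rewrites old `all` entries to `22`, otherwise hosts whitelisted before this change keep all-ports access until their entry expires.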