Merge branch 'adjust_whitelist_buster' into 'buster'

Set more seand defaults for sympl-firewall-whitelist See merge request sympl/sympl!106

Merge branch 'adjust_whitelist_buster' into 'buster'
Set more seand defaults for sympl-firewall-whitelist See merge request sympl/sympl!106
ca259cb7 · Paul Cammish · 12e1fb5b · e6e3b372 · ca259cb7 · ca259cb7
Commit ca259cb7 authored Jul 18, 2019 by Paul Cammish
--- a/firewall/debian/changelog
+++ b/firewall/debian/changelog
+sympl-firewall (10.0.190718.0) stable; urgency=medium
+
+  * Updated sympl-firewall-whitelist to more sane defaults.
+  * Now only allows SSH for a week.
+  * Only whitelists an IPv6 address at /128 rather than /64.
+
+ -- Paul Cammish <sympl@kelduum.net>  Thu, 18 Jul 2019 12:57:00 +0100
+
 sympl-firewall (10.0.190621.0) stable; urgency=medium

  * Created Sympl v10.0 (Debian Buster)

--- a/firewall/sbin/sympl-firewall-whitelist
+++ b/firewall/sbin/sympl-firewall-whitelist
@@ -21,7 +21,7 @@
 #  -d, --no-delete         Do not delete the generated script.
 #
 #  -e, --expire-after <n>  Number of days after which whitelisted IPs should be
-#                          expired. Defaults to 8.
+#                          expired. Defaults to 7.
 #
 #  -w, --wtmp-file <file>  wtmp(5) file to read to find IPs to whitelist.
 #                          Defaults to /var/log/wtmp.
@@ -32,15 +32,15 @@
 #
 # USAGE
 #
-# This script is designed to automatically whitelist IP addresses which
-# have been used to successfully login via SSH.
+# This script is designed to automatically whitelist IP addresses for SSH which
+# have been used to successfully log in already.
 #
 # It does this by opening the wtmp file, and looking for IP addresses. Once it
 # has found some, it records them in /etc/sympl/firewall/whitelist.d/.
 # Each addition is one of the two forms:
 #
 #   1.2.3.4.auto                The IPv4 address 1.2.3.4
-#   2001:123:456:789::|64.auto  The IPv6 range 2001:123:456:789::/64
+#   2001:123:456:789::1.auto    The IPv6 address 2001:123:456:789::1
 #
 # Once that directory has been written, sympl-firewall(1) is called with
 # the reload-whitelist action.
@@ -72,7 +72,7 @@ wtmp_file    = "/var/log/wtmp"
 delete       = true
 execute      = true
 force        = false
-expire_after = 8
+expire_after = 7

 opts = GetoptLong.new(
         [ '--help',       '-h', GetoptLong::NO_ARGUMENT ],
@@ -254,9 +254,9 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
  end

  #
-  # Mask IPv6 to /64s.
+  # Mask IPv6 to /128s.
  #
-  ip = ip.mask(64) if ip.ipv6?
+  ip = ip.mask(128) if ip.ipv6?

  #
  # Mask IPv4 to /32s.
@@ -289,7 +289,7 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
      puts "\tAdding whitelist entry" if  $VERBOSELOCAL
      syslog.info("adding #{ip} to whitelist")

-      value = "all"
+      value = "22"

    elsif last_run.nil? or at > last_run
      puts "\tUpdating whitelist entry" if  $VERBOSELOCAL