Commit ca259cb7 authored by Paul Cammish

Merge branch 'adjust_whitelist_buster' into 'buster'

Set more sane defaults for sympl-firewall-whitelist

See merge request sympl/sympl!106
parents 12e1fb5b e6e3b372
sympl-firewall (10.0.190718.0) stable; urgency=medium
* Updated sympl-firewall-whitelist to more sane defaults.
* Now only allows SSH for a week.
* Only whitelists an IPv6 address at /128 rather than /64.
-- Paul Cammish <sympl@kelduum.net> Thu, 18 Jul 2019 12:57:00 +0100
sympl-firewall (10.0.190621.0) stable; urgency=medium
* Created Sympl v10.0 (Debian Buster)
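Review bot: the first bullet, "Now only allows SSH for a week", folds two independent behaviour changes into one sentence: the whitelist value changing from "all" to "22" (a port restriction) and the expiry default changing from 8 to 7 days. Split it into two bullets so an administrator scanning the changelog sees both, e.g. "Auto-whitelisted IPs are now only allowed through to port 22 (SSH)." and "Whitelist entries now expire after 7 days rather than 8."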
......@@ -21,7 +21,7 @@
# -d, --no-delete Do not delete the generated script.
#
# -e, --expire-after <n> Number of days after which whitelisted IPs should be
# expired. Defaults to 8.
# expired. Defaults to 7.
#
# -w, --wtmp-file <file> wtmp(5) file to read to find IPs to whitelist.
# Defaults to /var/log/wtmp.
......@@ -32,15 +32,15 @@
#
# USAGE
#
# This script is designed to automatically whitelist IP addresses which
# have been used to successfully login via SSH.
# This script is designed to automatically whitelist IP addresses for SSH which
# have been used to successfully log in already.
#
# It does this by opening the wtmp file, and looking for IP addresses. Once it
# has found some, it records them in /etc/sympl/firewall/whitelist.d/.
# Each addition is one of the two forms:
#
# 1.2.3.4.auto The IPv4 address 1.2.3.4
# 2001:123:456:789::|64.auto The IPv6 range 2001:123:456:789::/64
# 2001:123:456:789::1.auto The IPv6 address 2001:123:456:789::1
#
# Once that directory has been written, sympl-firewall(1) is called with
# the reload-whitelist action.
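Review bot: the rewritten USAGE text ("whitelist IP addresses for SSH") still does not say what an entry actually grants. Since the entries this script writes now carry the value 22, add a sentence stating that an auto-whitelisted address is only allowed through to port 22 rather than to all ports, and note that the IPv6 range form (`2001:123:456:789::|64.auto`) is no longer generated, so readers with older entries in /etc/sympl/firewall/whitelist.d/ know why both forms may coexist there until the old ones expire.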
......@@ -72,7 +72,7 @@ wtmp_file = "/var/log/wtmp"
delete = true
execute = true
force = false
expire_after = 8
expire_after = 7
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
......@@ -254,9 +254,9 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
end
#
# Mask IPv6 to /64s.
# Mask IPv6 to /128s.
#
ip = ip.mask(64) if ip.ipv6?
ip = ip.mask(128) if ip.ipv6?
#
# Mask IPv4 to /32s.
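Review bot: `ip.mask(128)` on an IPv6 address leaves it unchanged, so the masking line is now a no-op kept only for symmetry with the IPv4 /32 case; either drop it or say so in the comment ("Mask IPv6 to /128s" reads as though something is still being masked). Also confirm that the file-name code which previously produced `2001:123:456:789::|64.auto` writes a /128 entry as `2001:123:456:789::1.auto`, as the updated USAGE text documents, rather than as `2001:123:456:789::1|128.auto`.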
......@@ -289,7 +289,7 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
puts "\tAdding whitelist entry" if $VERBOSELOCAL
syslog.info("adding #{ip} to whitelist")
value = "all"
value = "22"
elsif last_run.nil? or at > last_run
puts "\tUpdating whitelist entry" if $VERBOSELOCAL
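Review bot: the port is hard-coded as the string "22", so on a host whose sshd listens on a non-default port the auto-whitelist opens port 22 while the successful logins that triggered it came in on another port. Consider reading the port from the sshd configuration or exposing it as an option alongside `--expire-after`, and check whether the "Updating whitelist entry" branch rewrites entries that earlier runs created with the value "all"; if it only refreshes the timestamp, those entries keep every port open until they expire.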