Commit ca259cb7 authored by Paul Cammish's avatar Paul Cammish

Merge branch 'adjust_whitelist_buster' into 'buster'

Set more sane defaults for sympl-firewall-whitelist

See merge request sympl/sympl!106
parents 12e1fb5b e6e3b372
sympl-firewall (10.0.190718.0) stable; urgency=medium
* Updated sympl-firewall-whitelist to more sane defaults.
* Now only allows SSH for a week.
* Only whitelists an IPv6 address at /128 rather than /64.
-- Paul Cammish <sympl@kelduum.net> Thu, 18 Jul 2019 12:57:00 +0100
sympl-firewall (10.0.190621.0) stable; urgency=medium sympl-firewall (10.0.190621.0) stable; urgency=medium
* Created Sympl v10.0 (Debian Buster) * Created Sympl v10.0 (Debian Buster)
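Review bot: the entry "Now only allows SSH for a week" folds two independent changes into one sentence, the whitelist value moving from `all` to port `22` and the default expiry moving from 8 to 7 days; listing them separately (and naming the `--expire-after` option) would make it clear to users that whitelisted hosts lose access to every port other than SSH with this release, not just that the window got shorter.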
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
# -d, --no-delete Do not delete the generated script. # -d, --no-delete Do not delete the generated script.
# #
# -e, --expire-after <n> Number of days after which whitelisted IPs should be # -e, --expire-after <n> Number of days after which whitelisted IPs should be
# expired. Defaults to 8. # expired. Defaults to 7.
# #
# -w, --wtmp-file <file> wtmp(5) file to read to find IPs to whitelist. # -w, --wtmp-file <file> wtmp(5) file to read to find IPs to whitelist.
# Defaults to /var/log/wtmp. # Defaults to /var/log/wtmp.
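Review bot: the default stated in this help text is maintained separately from the `expire_after = 7` assignment in the options block; both were updated together in this change, but a one-line comment beside the assignment pointing back at this help text would stop the two from drifting apart the next time one of them is edited.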
...@@ -32,15 +32,15 @@ ...@@ -32,15 +32,15 @@
# #
# USAGE # USAGE
# #
# This script is designed to automatically whitelist IP addresses which # This script is designed to automatically whitelist IP addresses for SSH which
# have been used to successfully login via SSH. # have been used to successfully log in already.
# #
# It does this by opening the wtmp file, and looking for IP addresses. Once it # It does this by opening the wtmp file, and looking for IP addresses. Once it
# has found some, it records them in /etc/sympl/firewall/whitelist.d/. # has found some, it records them in /etc/sympl/firewall/whitelist.d/.
# Each addition is one of the two forms: # Each addition is one of the two forms:
# #
# 1.2.3.4.auto The IPv4 address 1.2.3.4 # 1.2.3.4.auto The IPv4 address 1.2.3.4
# 2001:123:456:789::|64.auto The IPv6 range 2001:123:456:789::/64 # 2001:123:456:789::1.auto The IPv6 address 2001:123:456:789::1
# #
# Once that directory has been written, sympl-firewall(1) is called with # Once that directory has been written, sympl-firewall(1) is called with
# the reload-whitelist action. # the reload-whitelist action.
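Review bot: the example addresses `1.2.3.4` and `2001:123:456:789::1` sit in routable space; using the RFC-reserved documentation ranges (192.0.2.0/24 and 2001:db8::/32) avoids someone copying a real third party's address into whitelist.d while following the docs. The new opening sentence also reads awkwardly; consider "whitelist, for SSH only, IP addresses which have already logged in successfully via SSH." Since the removed line was the only place that documented the `|64` filename form for a prefix length, it is worth confirming that nothing else still reads or writes that form.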
...@@ -72,7 +72,7 @@ wtmp_file = "/var/log/wtmp" ...@@ -72,7 +72,7 @@ wtmp_file = "/var/log/wtmp"
delete = true delete = true
execute = true execute = true
force = false force = false
expire_after = 8 expire_after = 7
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
...@@ -254,9 +254,9 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry| ...@@ -254,9 +254,9 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
end end
# #
# Mask IPv6 to /64s. # Mask IPv6 to /128s.
# #
ip = ip.mask(64) if ip.ipv6? ip = ip.mask(128) if ip.ipv6?
# #
# Mask IPv4 to /32s. # Mask IPv4 to /32s.
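Review bot: with the mask now /128, `ip = ip.mask(128) if ip.ipv6?` is a no-op for a host address read from wtmp, so either drop the line or reword the comment to say it is an explicit normalisation, otherwise a later reader may assume it still aggregates. The change itself is the right call: the previous /64 mask opened SSH to every host in the logging-in client's subnet rather than just the one that authenticated.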
...@@ -289,7 +289,7 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry| ...@@ -289,7 +289,7 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
puts "\tAdding whitelist entry" if $VERBOSELOCAL puts "\tAdding whitelist entry" if $VERBOSELOCAL
syslog.info("adding #{ip} to whitelist") syslog.info("adding #{ip} to whitelist")
value = "all" value = "22"
elsif last_run.nil? or at > last_run elsif last_run.nil? or at > last_run
puts "\tUpdating whitelist entry" if $VERBOSELOCAL puts "\tUpdating whitelist entry" if $VERBOSELOCAL
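Review bot: `value = "22"` hardcodes the SSH port; if sshd is configured to listen on another port the entry no longer matches the service this whitelist exists for, so consider reading the port from the sshd configuration or exposing it as an option with 22 as the default. Also confirm that the "Updating whitelist entry" branch immediately below writes the same value, since otherwise entries created as `all` by the previous version keep full-port access until they expire.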