diff --git a/README.md b/README.md index 1bfd3df..2c6b04b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Updates -- 7th July 2025: Added a count for the number of table entries - pf sets a maximum and it would be handy to know if I'm bumping along that number. +- 7th July 2025: Added a count for the number of table entries - pf sets a maximum and it would be handy to know if I'm bumping along that number. Starting removing the SSH Brute force code - SSHGuard is in OpenBSD packages and already blocks SSH bruteforcers but can be configured for other services. - 1st July 2025: Renamed "HAIL_MARY" to "CLOUD_BRUTEFORCE_MITIGATION". Read [Catechism of the Catholic Church](https://www.vatican.va/archive/ENG0015/_INDEX.HTM) before complaining. - 19th June 2025: Updated the _AGENT to the latest Windows Firefox as some sites were rejecting download attempts based on an outdated user agent. @@ -40,8 +40,6 @@ permit root permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T show | wc -l -# Optional rule for authlog scanning -permit nopass _pfbadhost cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz ... ``` diff --git a/pf-badhost.sh b/pf-badhost.sh index 99e8012..749a74b 100644 --- a/pf-badhost.sh +++ b/pf-badhost.sh @@ -87,17 +87,6 @@ _BOGON_4=0 # Enable IPv6 Bogon Filter (Blocks unassigned/reserved/martian addresses) _BOGON_6=0 -################################################################### -# Cloud Bruteforcer Mitigation (SSH authlog analysis) -# Searches SSH authlog for bruteforcers -# -# Set to '1' to enable - _CLOUD_BRUTEFORCE_MITIGATION=0 -# -# Set failed log-in limit for bans - _LOGIN_LIMIT=25 -################################################################### - ################################################################### # Country GeoIP Blacklist # Enter any ISO-3166 Country Codes you want to block (1 per line) @@ -434,31 +423,6 @@ mysort() { fi } -# ------------------------------------------------------------------------------ -# Authlog Analysis Functions -# ------------------------------------------------------------------------------ - -# CLOUD_BRUTEFORCE_MITIGATION preproccessor -AUTHLOG_PROC() { - myawk -- '{if ($6 !~ "Disconnected|Accepted" && $7 !~ "disconnect") printf("%s\n%s\n%s\n%s\n%s\n%s\n", $9, $10, $11, $12, $13, $14)}' -} - -CLOUD_BRUTEFORCE_MITIGATION_MITIGATE() { - # Check OSTYPE - if [ "${_OS_TYPE}" != 'macos' ]; then - # IPv4 Authlog List Gen - if [ "${_IPV4}" -eq 1 ]; then - "${getroot}" -- "${authlog_unzip}" -f "${authlog_path1}" "${authlog_path2}" | AUTHLOG_PROC | PARSE_V4 | WHITELIST_FILTER | myawk -- '{ a[$0]++ }END{ for(i in a) print a[i],i }' | myawk -v LOGIN_LIMIT="${_LOGIN_LIMIT}" -- '$1>LOGIN_LIMIT {print $2}' | mysort -uV - fi - # IPv6 Authlog List Gen - if [ "${_IPV6}" -eq 1 ]; then - "${getroot}" -- "${authlog_unzip}" -f "${authlog_path1}" "${authlog_path2}" | AUTHLOG_PROC | PARSE_V6 | WHITELIST_FILTER | myawk '{ a[$0]++ }END{ for(i in a) print a[i],i }' | myawk -v LOGIN_LIMIT="${_LOGIN_LIMIT}" -- '$1>LOGIN_LIMIT {print $2}' | mysort -uV - fi - else - echo 'MacOS does not support authlog analysis :(' 1>&2 - fi > "${authlog}" -} - # ------------------------------------------------------------------------------ # Geoblock Functions # ------------------------------------------------------------------------------ @@ -642,11 +606,7 @@ PRINT_LIST() { printf '\n# User Defined Rules:\n\n' cat -- < "${user_rules}" fi - # Authlog Analysis - if [ "${_CLOUD_BRUTEFORCE_MITIGATION}" -eq 1 ]; then - printf '\n# Rules Generated from %s:\n\n' "$authlog_path1" - cat -- < "${authlog}" - fi + # Tor Filtering if [ -s "${tor_whitelist}" ]; then printf '\n# Tor Whitelist:\n\n' @@ -766,14 +726,7 @@ LOGGER() { PRINT_STATS() { # Print number of addresses in table (expand CIDR ranges) - typeset authlog_num v4_num v4_total v6_num v6_total - authlog_num="$(wc -l -- < "${authlog}" | tr -cd '[:digit:]')" - - if [ "${_CLOUD_BRUTEFORCE_MITIGATION}" -eq 1 ]; then - printf '\nBruteforcers found in "%s": %s\n' "${authlog_path1}" "${authlog_num}" - else - printf '\n' - fi + typeset v4_num v4_total v6_num v6_total if [ "${_IPV4}" -eq 1 ]; then v4_num="$(mygrep -cv -- "/[[:digit:]]{1,2}$" < "${v4list}")" @@ -985,9 +938,7 @@ PRE_EXEC_TESTS() { if [ "${_NO_UID_CHECK}" -ne 1 ]; then CHECK_PRIVILEGE fi - if [ "${_CLOUD_BRUTEFORCE_MITIGATION}" -eq 1 ]; then - CHECK_CMD "${authlog_unzip}" > /dev/null - fi + if [ "${_PRINT_ONLY}" -ne 1 ]; then pfctl="$(CHECK_CMD pfctl)" CHECK_DRIVE @@ -1006,7 +957,6 @@ VAR_SANITY_CHECK() { IS_INT "${_BOGON_6}" || ERR 'User defined variable "$_BOGON_6" contains a non-integer value - Unable to proceed!' IS_INT "${_CHECK_ONLY}" || ERR 'User defined variable "$_CHECK_ONLY" contains a non-integer value - Unable to proceed!' IS_INT "${_GEOBLOCK}" || ERR 'User defined variable "$_GEOBLOCK" contains a non-integer value - Unable to proceed!' - IS_INT "${_CLOUD_BRUTEFORCE_MITIGATION}" || 'User defined variable "$_CLOUD_BRUTEFORCE_MITIGATION" contains a non-integer value - Unable to proceed!' IS_INT "${_IPV4}" || 'User defined variable "$_IPV4" contains a non-integer value - Unable to proceed!' IS_INT "${_IPV6}" || ERR 'User defined variable "$_IPV6" contains a non-integer value - Unable to proceed!' IS_INT "${_LOG}" || ERR 'User defined variable "$_LOG" contains a non-integer value - Unable to proceed!' @@ -1218,7 +1168,6 @@ main() { E) authlog_unzip="${OPTARG}" ;; # set tool to unzip authlog F) netget="${OPTARG}" ;; # set curl/fetch/ftp/wget preference G) _GEOBLOCK=1 ;; # Enable Geoblocking - H) _CLOUD_BRUTEFORCE_MITIGATION=1 ; _LOGIN_LIMIT="${OPTARG}" ;; # Enable SSH authlog analysis J) authlog_path1="${OPTARG}" ;; K) authlog_path2="${OPTARG}" ;; O) typeset -l -r _OS_TYPE="${OPTARG}" ;; @@ -1322,7 +1271,7 @@ main() { # Mark user-defined booleans as read-only readonly _AGENT _LOG _STRICT _IPV4 _IPV6 _AGGREGATE \ - _GEOBLOCK _BOGON_4 _BOGON_6 _CLOUD_BRUTEFORCE_MITIGATION \ + _GEOBLOCK _BOGON_4 _BOGON_6 \ _TOR_WHITELIST _TOR_BLOCK_ALL _TOR_BLOCK_EXIT \ _RFC3330 _RFC5156 _WHITELIST @@ -1362,18 +1311,6 @@ main() { openbsd) test -n "${getroot}" || getroot="$(CHECK_CMD doas)" test -n "${netget}" || netget='ftp' - test -n "${authlog_path1}" || authlog_path1='/var/log/authlog' - test -n "${authlog_path2}" || authlog_path2='/var/log/authlog.0.gz' - test -n "${authlog_unzip}" || authlog_unzip="$(CHECK_CMD zcat)" - ;; - custom) - test -n "${getroot}" || ERR "Custom OS type specified - please set doas/sudo preference with '-Z' option" - test -n "${netget}" || ERR "Custom OS type specified - please set curl/fetch/ftp/wget preference with '-F' option" - if [ "${_CLOUD_BRUTEFORCE_MITIGATION}" -eq 1 ]; then - test -n "${authlog_path1}" || ERR "Custom OS type specified - please specifiy path to SSH authlog with '-J' option" - test -n "${authlog_path2}" || ERR "Custom OS type specified - please specifiy path to secondary SSH authlog with '-K' option" - test -n "${authlog_unzip}" || ERR "Custom OS type specified - please specifiy zcat/bzcat for SSH authlog analysis with '-E' option" - fi ;; *) printf '\n\nUnknown Operating System Specified. Available Options Are:\n * -OpenBSD\n * -FreeBSD\n * -NetBSD\n * -DragonflyBSD\n * -MacOS\n\nQuitting Without Making Changes...\n\n' @@ -1382,7 +1319,7 @@ main() { esac # Mark operating system specific variables as read-only - readonly getroot netget authlog_path1 authlog_path2 authlog_unzip + readonly getroot netget # Config test / dry run if [ "${_CHECK_ONLY}" -eq 1 ]; then @@ -1537,11 +1474,6 @@ main() { printf '%s\n' "${_i}" done > "${user_rules}" - # CLOUD_BRUTEFORCE_MITIGATION - if [ "${_CLOUD_BRUTEFORCE_MITIGATION}" -eq 1 ]; then - CLOUD_BRUTEFORCE_MITIGATION - fi - # Generate lists to load into PF LIST_GEN