// main.m
// pf-blocker — Objective-C replacement for the OpenBSD homemade block scripts.
//
// Usage:
// pf-blocker --monitor-invalid-user
// Block IPs seen in "Invalid user" SSH log entries.
//
// pf-blocker --monitor-disconnect
// Block IPs seen in "Received disconnect from" SSH log entries.
//
// pf-blocker --monitor-allowlist-violations
// Block IPs that have violated the CGI allowlist
// (OBJC-allowlisting / request_validator) 10+ times in the past hour.
// Reads /var/log/authlog.
//
// pf-blocker --monitor-slowloris-violations
// Bring IPs already flagged by the Slowloris detector
// (OBJC-slowlorisdetector / SlowlorisMonitor) into the HBP ledger so
// that --expire-blocks can manage their lifetime.
// Reads /var/log/daemon.
//
// pf-blocker --monitor-ddos
// Bring IPs already flagged by the DDoS detector
// (OpenBSDDDOSShield / DDOSShield) into the HBP ledger so that
// --expire-blocks can manage their lifetime.
// Reads /var/log/daemon.
//
// pf-blocker --expire-blocks
// Remove blocks older than BLOCK_HOURS from the block file and ledger.
//
// All modes are designed to be invoked from root's crontab, for example:
//
// */5 * * * * /usr/local/sbin/pf-blocker --monitor-invalid-user
// */5 * * * * /usr/local/sbin/pf-blocker --monitor-disconnect
// */5 * * * * /usr/local/sbin/pf-blocker --monitor-allowlist-violations
// */5 * * * * /usr/local/sbin/pf-blocker --monitor-slowloris-violations
// */5 * * * * /usr/local/sbin/pf-blocker --monitor-ddos
// 0 * * * * /usr/local/sbin/pf-blocker --expire-blocks
#import <Foundation/Foundation.h>
#import "HBPConfiguration.h"
#import "HBPAuthLogScanner.h"
#import "HBPBlockManager.h"
#import "HBPViolationScanner.h"
// Prints the command-line synopsis to stderr.
// `prog` is the executable name shown in the "Usage:" line (normally argv[0]).
static void printUsage(const char *prog) {
    // Every line after the first is fixed text; the first carries the program name.
    static const char *const kUsageLines[] = {
        " --monitor-allowlist-violations |\n",
        " --monitor-slowloris-violations |\n",
        " --monitor-ddos | --expire-blocks]\n",
        "\n",
        " --monitor-invalid-user Block IPs from sshd 'Invalid user' entries\n",
        " --monitor-disconnect Block IPs from sshd 'Received disconnect' entries\n",
        " --monitor-allowlist-violations Block IPs with 10+ CGI allowlist violations in 1h\n",
        " --monitor-slowloris-violations Add Slowloris-blocked IPs to the HBP ledger\n",
        " --monitor-ddos Add OpenBSDDDOSShield-detected IPs to the HBP ledger\n",
        " --expire-blocks Remove blocks older than BLOCK_HOURS\n",
    };
    const size_t lineCount = sizeof(kUsageLines) / sizeof(kUsageLines[0]);

    fprintf(stderr, "Usage: %s [--monitor-invalid-user | --monitor-disconnect |\n", prog);
    for (size_t i = 0; i < lineCount; i++) {
        fputs(kUsageLines[i], stderr);
    }
}
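// Log scanned by the Slowloris and DDoS modes. The auth log path is taken from
// HBPConfiguration, but this one was spelled out in two separate branches;
// hoisting it here keeps both modes reading the same file.
static NSString *const kDaemonLogFile = @"/var/log/daemon";

// One detection pass over the auth log: every IP the scanner extracts from
// lines matching `pattern` is handed to the block manager under `syslogTag`.
// Returns whatever the manager reports as the number of blocks added.
// NOTE(review): the scanner is assumed to take the IP from sshd's own
// "from <ip>" field rather than from client-supplied text on the same line
// (e.g. the username in "Invalid user ...") — confirm in HBPAuthLogScanner.
static NSInteger blockAuthLogMatches(HBPConfiguration *config,
                                     HBPBlockManager *manager,
                                     NSString *pattern,
                                     NSString *syslogTag) {
    HBPAuthLogScanner *scanner =
        [[HBPAuthLogScanner alloc] initWithConfiguration:config];
    NSArray<NSString *> *ips = [scanner scanForPattern:pattern];
    return [manager addBlocksForIPs:ips syslogTag:syslogTag];
}

// Same as blockAuthLogMatches, but over an arbitrary log file read through
// HBPViolationScanner (used for the CGI allowlist, Slowloris and DDoS modes).
static NSInteger blockLogFileMatches(HBPConfiguration *config,
                                     HBPBlockManager *manager,
                                     NSString *logFile,
                                     NSString *pattern,
                                     NSString *syslogTag) {
    HBPViolationScanner *scanner =
        [[HBPViolationScanner alloc] initWithConfiguration:config];
    NSArray<NSString *> *ips = [scanner scanLogFile:logFile pattern:pattern];
    return [manager addBlocksForIPs:ips syslogTag:syslogTag];
}

// Entry point. argv[1] selects exactly one of the modes listed in the file
// header; any further arguments are ignored. Returns 0 after a completed run,
// 1 when the mode is missing or unknown (usage is printed to stderr).
int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // argv[0] may be NULL when the process is started with an empty argv;
        // never pass that to fprintf("%s").
        const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "pf-blocker";
        if (argc < 2) {
            printUsage(prog);
            return 1;
        }

        // stringWithUTF8String: returns nil for invalid UTF-8; a nil mode
        // matches none of the comparisons below and ends in the usage error.
        NSString *mode = [NSString stringWithUTF8String:argv[1]];

        HBPConfiguration *config = [HBPConfiguration defaultConfiguration];
        [config warnAboutPlaceholders];
        HBPBlockManager *manager =
            [[HBPBlockManager alloc] initWithConfiguration:config];

        // Number of ledger entries this run added or expired; drives the reload.
        NSInteger changed;
        if ([mode isEqualToString:@"--monitor-invalid-user"]) {
            changed = blockAuthLogMatches(config, manager,
                                          @"sshd.*Invalid user",
                                          @"blocked SSH invalid-user attacker");
        } else if ([mode isEqualToString:@"--monitor-disconnect"]) {
            changed = blockAuthLogMatches(config, manager,
                                          @"sshd.*Received disconnect from",
                                          @"blocked SSH disconnect attacker");
        } else if ([mode isEqualToString:@"--monitor-allowlist-violations"]) {
            changed = blockLogFileMatches(config, manager,
                                          config.authlogFile,
                                          @"request_validator.*client=",
                                          @"blocked CGI allowlist violator");
        } else if ([mode isEqualToString:@"--monitor-slowloris-violations"]) {
            changed = blockLogFileMatches(config, manager,
                                          kDaemonLogFile,
                                          @"SlowlorisMonitor.*Suspicious IP",
                                          @"blocked Slowloris attacker");
        } else if ([mode isEqualToString:@"--monitor-ddos"]) {
            changed = blockLogFileMatches(config, manager,
                                          kDaemonLogFile,
                                          @"DDOSShield.*detected from",
                                          @"blocked DDoS attacker");
        } else if ([mode isEqualToString:@"--expire-blocks"]) {
            changed = [manager expireOldBlocks];
        } else {
            printUsage(prog);
            return 1;
        }

        // pf only needs its table reloaded when the block file actually changed.
        if (changed > 0) {
            [manager reloadPFTable];
        }
    }
    return 0;
}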