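#!/bin/bash
# Host firewall: resets iptables/ip6tables to a default-deny inbound baseline,
# opens the per-service port lists below, and (on the "nas" host) appends DROP
# rules for addresses found in the nginx access log.
# Usage: firewall.sh {start|ddos|stop}   (needs root for iptables/sysctl)

# Our own public address, used to exclude our requests from the log scans.
# -f: an HTTP error page must never become the grep pattern; -sS: no progress
# meter but still report errors; -m 10: don't hang at boot if the service is
# unreachable.
MY_IP=$(curl -fsS -m 10 ifconfig.me)
if [[ -z "$MY_IP" ]]; then
  printf 'warning: could not determine public IP; self-exclusion filter is empty\n' >&2
fi
NGINX_ACCESS="/var/log/nginx/access.log"

# Per-service port lists; each service function appends ACCEPT rules for them.
# iptables writes a port range as low:high (a dash is rejected).
WIREGUARD=(57692 853)
WEB=(80 443)
ADGUARD=(53 3000 8082 67)
CUPS=(631 5353)
BITCOIN=(8333 8332 8334 4050)
LND=(9735 8080 28334 28333 19998 29000)
SYNCTHING=(22000 8384 21027)
NFS=(2049 111)
JELLYFIN=(8096 1900 7359)
MACHINES=(192.168.0.55 192.168.0.146) # LAN hosts allowed through entirely (see trust)
ADMIN=(22 9090)
KDE_CONNECT=(1714:1764) # was 1714-1764, a form iptables --dport does not accept

#### IPTABLES CONFIG ####
# Command prefixes; expanded unquoted on purpose so they split into arguments.
IPTABLES_TCP='/usr/sbin/iptables -A INPUT -p tcp -m tcp '
IPTABLES_UDP='/usr/sbin/iptables -A INPUT -p udp -m udp '
IPTABLES_DROP='-j DROP'
IPTABLES_ACCEPT='-j ACCEPT'
####

# Pattern files (read with grep -E -f, one pattern per line) and the lists
# this script appends matched addresses to.
SAVED_BOTS='/root/firewall/bots.txt'
CRAWLER_DB='/root/firewall/crawlers.txt'
PEDO_DB='/root/firewall/pedo.txt'
PEDO_LOG='/root/firewall/pedo-log.txt'
ATTACKER_DB='/root/firewall/attacker-db.txt'
ATTACKER_LOG='/root/firewall/attackers.txt'
BOT_ACCOUNT="blockbot@detroitriotcity.com"

# Scratch file for the merged bot list. Created with mktemp instead of the
# fixed /tmp/crawlers.txt: this runs as root, and a predictable name in a
# world-writable directory is an easy symlink target. Removed on exit.
CRAWLER_TMP=$(mktemp) || exit 1
trap 'rm -f -- "$CRAWLER_TMP"' EXIT

# "YYYY:HH:" of one hour ago (GNU date -d), grepped case-insensitively against
# the nginx timestamp so the scans only look at the previous hour's lines.
# Presumably the default "[dd/Mon/YYYY:HH:MM:SS" format — confirm if the log
# format was customised.
DATE="$(date +%Y:%H: -d "1 hour ago")"
#DATE="$(date +%Y:%H:)";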
# Run the three log-driven block lists in order: attackers, then the
# PEDO_DB search list, then crawlers/bots. Each appends DROP rules to INPUT.
ddos-protection() {
  local check
  for check in attacker-search pedo-search bot-search; do
    "$check"
  done
}
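#######################################
# Block web crawlers seen in the nginx access log plus every address saved
# from earlier runs, then persist the merged list back to SAVED_BOTS.
# (The original opener was `{a`, which is not a valid function body and made
# bash refuse to parse the whole file.)
# Globals:   NGINX_ACCESS, MY_IP, CRAWLER_DB, CRAWLER_TMP, IPTABLES_TCP,
#            IPTABLES_DROP (read); SAVED_BOTS (read, then rewritten)
# Outputs:   progress messages on stdout
#######################################
bot-search() {
  # NOTE(review): this looks like a private signing key being loaded on every
  # run. A secret does not belong in a script (anyone who can read the file or
  # the repo history has it); keep it in a root-only file or the tool's own
  # config instead — confirm with the owner before removing this line.
  noscl setprivate 80ec76355ba0a72cef69d427bfc8c7dc8a7d015b2b8c07657b46ba1f972b6f35
  local -a crawlers saved
  local ip
  # Remote addresses (first log field) of requests matching a crawler pattern,
  # excluding our own public IP and a few request strings that are ignored.
  # -F: MY_IP is a literal, so its dots must not act as regex wildcards.
  mapfile -t crawlers < <(
    grep -viF -- "$MY_IP" "$NGINX_ACCESS" \
      | grep -viE 'spank|report|rape|block' \
      | grep -iE -f "$CRAWLER_DB" \
      | awk '{print $1}' \
      | sort -u
  )
  # Truncate without writing anything: `echo >file` left a blank first line
  # that was then sorted into SAVED_BOTS.
  : >"$CRAWLER_TMP"
  printf '\nProcessing Web Crawler list into iptables.....\n\n'
  for ip in "${crawlers[@]}"; do
    [[ -n "$ip" ]] || continue
    $IPTABLES_TCP -s "$ip" $IPTABLES_DROP
    printf '%s\n' "$ip" >>"$CRAWLER_TMP"
  done
  # Re-apply every address blocked by previous runs.
  mapfile -t saved < <(sort -u -- "$SAVED_BOTS")
  printf '\nFeeding %s into iptables.....\n\n' "$SAVED_BOTS"
  for ip in "${saved[@]}"; do
    [[ -n "$ip" ]] || continue # skip blank lines left by older runs
    $IPTABLES_TCP -s "$ip" $IPTABLES_DROP
    printf '%s\n' "$ip" >>"$CRAWLER_TMP"
  done
  printf 'Saving Bot list to %s.....\n' "$SAVED_BOTS"
  sort -u -- "$CRAWLER_TMP" >"$SAVED_BOTS"
}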
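#######################################
# Block clients whose tag/search requests in the last hour matched a PEDO_DB
# pattern, announce the matching log line, and record the address.
# Globals:   NGINX_ACCESS, DATE, MY_IP, PEDO_DB, CRAWLER_DB, BOT_ACCOUNT,
#            IPTABLES_TCP, IPTABLES_DROP (read); PEDO_LOG (appended)
# Outputs:   progress messages on stdout; publishes via noscl/toot
#######################################
pedo-search() {
  local -a offenders
  local ip candidates query
  printf '\nProcessing Pedo Searches into iptables.....\n'
  # Remote addresses (first log field) of last-hour tag/search requests that
  # match the pattern list, minus our own IP (-F: literal, not a regex).
  mapfile -t offenders < <(
    grep -i -- "$DATE" "$NGINX_ACCESS" \
      | grep -viF -- "$MY_IP" \
      | grep -iE -f "$PEDO_DB" \
      | grep -iE 'tag|search' \
      | awk '{print $1}' \
      | sort -u
  )
  (( ${#offenders[@]} )) || return 0
  # The per-address lookup used to rescan the whole log for every hit; the
  # address-independent filters are applied once here instead.
  candidates=$(
    grep -i -- "$DATE" "$NGINX_ACCESS" \
      | grep -viF -- "$MY_IP" \
      | grep -iE 'tag|search' \
      | grep -viE -f "$CRAWLER_DB" \
      | grep -viE 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth'
  )
  for ip in "${offenders[@]}"; do
    [[ -n "$ip" ]] || continue
    $IPTABLES_TCP -s "$ip" $IPTABLES_DROP
    query=$(grep -F -- "$ip" <<<"$candidates" | grep -iE -f "$PEDO_DB" | head -n 1)
    if [[ -z "$query" ]]; then
      echo "No Pedos Found"
      continue
    fi
    echo "Found Pedo!"
    # NOTE(review): $query is a raw, client-controlled log line (request line
    # and user agent) published verbatim; consider truncating or sanitising
    # it before posting.
    if [[ "$query" == *"detroit"* ]]; then
      noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "$query"
      toot activate "$BOT_ACCOUNT"
      toot post ":emergency: :hacker_p: :hacker_e: :hacker_d: :hacker_o: :trans: :hacker_a: :hacker_l: :hacker_e: :hacker_r: :hacker_t: :emergency2: $query" -m /root/detroit/akkoma/blockbot/pedo.png
    else
      noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "[Pedo Alert] A Pedo has been found! $query"
    fi
    printf '%s\n' "$ip" >>"$PEDO_LOG"
  done
}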
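#######################################
# Block clients whose requests in the last hour matched an ATTACKER_DB
# pattern, announce the matching log line, and record the address.
# Globals:   NGINX_ACCESS, DATE, MY_IP, ATTACKER_DB, IPTABLES_TCP,
#            IPTABLES_DROP (read); ATTACKER_LOG (appended)
# Outputs:   progress messages on stdout; publishes via noscl
#######################################
attacker-search() {
  local -a attackers
  local ip candidates query
  printf '\nProcessing Attacker Searches into iptables.....\n\n'
  # Remote addresses (first log field) of last-hour requests matching the
  # pattern list, minus our own IP (-F: literal, not a regex).
  mapfile -t attackers < <(
    grep -i -- "$DATE" "$NGINX_ACCESS" \
      | grep -viF -- "$MY_IP" \
      | grep -iE -f "$ATTACKER_DB" \
      | awk '{print $1}' \
      | sort -u
  )
  (( ${#attackers[@]} )) || return 0
  # Last-hour lines, filtered once instead of once per address.
  candidates=$(grep -i -- "$DATE" "$NGINX_ACCESS" | grep -viF -- "$MY_IP")
  for ip in "${attackers[@]}"; do
    [[ -n "$ip" ]] || continue
    $IPTABLES_TCP -s "$ip" $IPTABLES_DROP
    query=$(grep -F -- "$ip" <<<"$candidates" | grep -iE -f "$ATTACKER_DB" | head -n 1)
    if [[ -z "$query" ]]; then
      echo "No Attackers Found"
      continue
    fi
    echo "Found Attacker!"
    # NOTE(review): $query is a raw, client-controlled log line published
    # verbatim; consider truncating or sanitising it before posting.
    noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "[Attacker Alert] An attacker has been found! $query"
    printf '%s\n' "$ip" >>"$ATTACKER_LOG"
  done
}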
# Reset both the IPv4 and the IPv6 filter table to a default-deny inbound
# baseline: flush the rules, drop unsolicited INPUT, allow replies to
# established connections and anything on loopback. The service functions
# append their ACCEPT rules after this. (-F without -t touches only the
# filter table.)
# Globals: IPTABLES_ACCEPT (read)
basic-security() {
  local ipt
  for ipt in /usr/sbin/iptables /usr/sbin/ip6tables; do
    "$ipt" -F
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD ACCEPT
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -A INPUT -m conntrack --ctstate established,related $IPTABLES_ACCEPT
    "$ipt" -A INPUT -i lo $IPTABLES_ACCEPT
  done
  # NOTE(review): no ICMP/ICMPv6 accept rule; with INPUT DROP this likely
  # breaks IPv6 neighbour discovery and path-MTU discovery — confirm before
  # relying on IPv6 through this host.
  # Optional logging of what falls through INPUT (left disabled):
  #iptables -A INPUT -j LOG --log-prefix "iptables: " --log-level 4
  #ip6tables -A INPUT -j LOG --log-prefix "iptables: " --log-level 4
}
# Accept inbound TCP on every port listed in ADMIN.
# Globals: ADMIN, IPTABLES_TCP, IPTABLES_ACCEPT (read)
admin() {
  local port
  for port in "${ADMIN[@]}"; do
    # IPTABLES_* are left unquoted on purpose: they hold several words.
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Turn on IPv4 forwarding and accept inbound TCP and UDP on every WIREGUARD
# port.
# NOTE(review): basic-security sets the FORWARD policy to ACCEPT, so once
# forwarding is on this host routes anything that reaches it — confirm that
# is intended rather than forwarding only for the VPN interface.
# Globals: WIREGUARD, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
wireguard() {
  local port
  sysctl -w net.ipv4.conf.all.forwarding=1
  for port in "${WIREGUARD[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
    $IPTABLES_UDP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP on every port listed in WEB.
# Globals: WEB, IPTABLES_TCP, IPTABLES_ACCEPT (read)
web() {
  local port
  for port in "${WEB[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP and UDP on every port listed in ADGUARD.
# Globals: ADGUARD, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
adguard() {
  local port
  for port in "${ADGUARD[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
    $IPTABLES_UDP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP and UDP on every port listed in CUPS.
# Globals: CUPS, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
cups() {
  local port
  for port in "${CUPS[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
    $IPTABLES_UDP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP on every port listed in BITCOIN.
# Globals: BITCOIN, IPTABLES_TCP, IPTABLES_ACCEPT (read)
bitcoin() {
  local port
  for port in "${BITCOIN[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP on every port listed in LND.
# Globals: LND, IPTABLES_TCP, IPTABLES_ACCEPT (read)
lnd() {
  local port
  for port in "${LND[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP and UDP on every port listed in SYNCTHING.
# Globals: SYNCTHING, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
syncthing() {
  local port
  for port in "${SYNCTHING[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
    $IPTABLES_UDP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP and UDP on every port listed in JELLYFIN.
# Globals: JELLYFIN, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
jellyfin() {
  local port
  for port in "${JELLYFIN[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
    $IPTABLES_UDP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP and UDP on every entry in KDE_CONNECT. The entry is a
# port range, which iptables' --dport expects in low:high form.
# Globals: KDE_CONNECT, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
kde-connect() {
  local range
  for range in "${KDE_CONNECT[@]}"; do
    $IPTABLES_TCP --dport "$range" $IPTABLES_ACCEPT
    $IPTABLES_UDP --dport "$range" $IPTABLES_ACCEPT
  done
}
# Accept inbound TCP and UDP on every port listed in NFS.
# Globals: NFS, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
nfs() {
  local port
  for port in "${NFS[@]}"; do
    $IPTABLES_TCP --dport "$port" $IPTABLES_ACCEPT
    $IPTABLES_UDP --dport "$port" $IPTABLES_ACCEPT
  done
}
# Accept all inbound TCP and UDP from every source address in MACHINES,
# regardless of port.
# Globals: MACHINES, IPTABLES_TCP, IPTABLES_UDP, IPTABLES_ACCEPT (read)
trust() {
  local host
  for host in "${MACHINES[@]}"; do
    $IPTABLES_TCP -s "$host" $IPTABLES_ACCEPT
    $IPTABLES_UDP -s "$host" $IPTABLES_ACCEPT
  done
}
# Bring the firewall up. Both profiles start from the default-deny baseline;
# the host whose name contains "nas" then appends the log-driven DROP rules
# before opening its service ports (rules are appended in order, so the
# DROPs sit ahead of the ACCEPTs), while any other host only opens the
# workstation ports.
start() {
  local step
  basic-security
  case "$HOSTNAME" in
    *nas*)
      for step in ddos-protection wireguard web admin adguard cups bitcoin syncthing lnd jellyfin; do
        "$step"
      done
      # Uptime
      podman restart uptime-kuma
      ;;
    *)
      syncthing
      kde-connect
      /usr/bin/systemctl restart libvirtd
      ;;
  esac
}
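# Open the firewall: flush the filter and nat tables of both IPv4 and IPv6,
# set every policy to ACCEPT, and re-add the established/loopback rules.
# Fix: the original ran `iptables -F` a second time (wiping the two rules it
# had just added) where `ip6tables -F` was meant, so the IPv6 table was never
# flushed. Looping over both tools makes the two halves identical.
# Globals: IPTABLES_ACCEPT (read)
stop() {
  local ipt
  for ipt in /usr/sbin/iptables /usr/sbin/ip6tables; do
    "$ipt" -F
    "$ipt" -P INPUT ACCEPT
    "$ipt" -P FORWARD ACCEPT
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -t nat -F
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED $IPTABLES_ACCEPT
    "$ipt" -A INPUT -i lo $IPTABLES_ACCEPT
  done
}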
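# Command dispatch. An unknown (or missing) command now exits non-zero and
# prints the accepted commands, so callers such as a unit file can tell the
# difference between "ran" and "did nothing".
case "$1" in
  start) start ;;
  ddos) ddos-protection ;;
  stop) stop ;;
  *)
    echo "Invalid Choice"
    printf 'Usage: %s {start|ddos|stop}\n' "${0##*/}" >&2
    exit 1
    ;;
esac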