verita84/firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Your Name 2024-09-24 17:44:34 -06:00
parent 64b9d828d5
commit b7b5c39a47
2 changed files with 141 additions and 13510 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
firewall.sh
View File

@ -4,6 +4,8 @@ MY_IP=($(redis-cli --raw SMEMBERS my_ip))
ATTACK_THRESHOLD="50"
NGINX_ACCESS="/tmp/access.log"
ACCESS="/tmp/minute.log"
HTTP_LIMIT="100"
RATE_LIMITED_HTTP="30"
grep $DATE $NGINX_ACCESS > $ACCESS
#Firewall Port Configuration
#
@ -69,8 +71,7 @@ ipBlockParser() {
portOpenParser() {
if [[ "$1" == "443" || "$1" == "80" ]]; then
$NFT add rule ip filter input ct state new tcp dport $1 update @http_ratelimit { ip saddr limit rate 10/second } accept
$NFT add rule ip6 filter input ct state new tcp dport $1 update @http_ratelimit { ip6 saddr limit rate 10/second } accept
echo "Skipping $1"
else
$NFT add rule ip filter input position 0 tcp dport $1 accept
$NFT add rule ip filter input position 0 udp dport $1 accept
@ -81,10 +82,12 @@ portOpenParser() {
ipDeleteParser() {
if [[ "$1" == *":"* ]]; then
$NFT delete rule ip6 filter input handle $HANDLE
$NFT delete rule ip6 filter input handle $HANDLE &>/dev/null
else
$NFT delete rule ip filter input handle $HANDLE
$NFT delete rule ip filter input handle $HANDLE &>/dev/null
fi
redis-cli SREM tmp_block $i
redis-cli SREM bots $i
}
blockCountry() {
@ -107,6 +110,7 @@ wireguard-networking() {
}
attacker-protection() {
module-unblock
watch
module-nostr
bot-search
@ -147,8 +151,8 @@ basic-security() {
done
$NFT add rule filter input drop
$NFT add rule ip6 filter input drop
#$NFT add rule filter input drop
#$NFT add rule ip6 filter input drop
}
virtualization() {
@ -185,6 +189,10 @@ start() {
#Docker
$NFT insert rule filter input iif docker0 accept
#HTTP Rate Limit
rateLimit $HTTP_LIMIT
else
virtualization
fi
@ -214,6 +222,7 @@ automaticStatus() {
status() {
clear
sleep 2
RATE=$(cat $NFT_CACHE | grep 443 | cut -d ' ' -f14)
DATE="$(date +%d/%b/%Y:%H:%M -d '1 minute ago')"
STATS=$(grep $DATE $ACCESS | grep -vi $MY_IP | wc -l)
GET=$(grep $DATE $ACCESS | grep -vi $MY_IP | grep GET | wc -l)
@ -226,6 +235,7 @@ status() {
echo $MENU_TOP
echo "Attack Threshold: $ATTACK_THRESHOLD"
echo "Firewall Rules: $($NFT list table filter | wc -l)"
echo "Rate Limit: $RATE"
echo
echo "Traffic Last Minute: $STATS"
echo " GET: $GET"
@ -248,7 +258,7 @@ status() {
stop() {
#forgive
$NFT -s list ruleset | tee $RULE_SET
#$NFT -s list ruleset | tee $RULE_SET
$NFT flush ruleset
$NFT -f /usr/share/nftables/ipv4-filter.nft
$NFT add rule filter input icmp type echo-request accept
@ -264,6 +274,26 @@ stop() {
message "Stopping Firewall"
}
rateLimit(){
HANDLE=($(nft -n -a list ruleset | grep "ct state 0x8 tcp dport" | grep -E '80|443' | grep handle | cut -d '#' -f2 | cut -d ' ' -f3))
for i in "${HANDLE[@]}"; do
if [[ "$i" == *":"* ]]; then
$NFT delete rule ip6 filter input handle $i &>/dev/null
else
$NFT delete rule filter input handle $i &>/dev/null
fi
done
echo "Setting Rate Limit to : $1"
echo
$NFT add rule ip6 filter input ct state new tcp dport 443 update @http_ratelimit { ip6 saddr limit rate $1/second } accept
$NFT add rule ip6 filter input ct state new tcp dport 80 update @http_ratelimit { ip6 saddr limit rate $1/second } accept
$NFT add rule ip filter input ct state new tcp dport 443 update @http_ratelimit { ip saddr limit rate $1/second } accept
$NFT add rule ip filter input ct state new tcp dport 80 update @http_ratelimit { ip saddr limit rate $1/second } accept
}
forgive() {
IP=($(redis-cli --raw SMEMBERS tmp_block | sort -u))
echo $IP
@ -271,62 +301,67 @@ forgive() {
HANDLE=$(nft -n -a list ruleset | grep $i | grep handle | cut -d '#' -f2 | cut -d ' ' -f3)
echo "Removing: $i Handle: $HANDLE"
ipDeleteParser $HANDLE
redis-cli SREM tmp_block $i
done
echo "Clearing old $TMP_BLOCK"
redis-cli DEL tmp_blocked
rateLimit $HTTP_LIMIT
}
module-go() {
ATTACK="module-go DDOS Attack "
GO_SPAM=$(grep $2 $ACCESS | grep -E "Go-http-client" | wc -l)
if [[ "$GO_SPAM" -gt 10 ]]; then
ipBlockParser "$1"
redis-cli SADD tmp_block $i
message "Go Spam Attack!"
redis-cli SADD tmp_block $1
message "$ATTACK $1"
fi
}
module-akkoma() {
ATTACK="module-akkoma DDOS Attack "
SEARCH_SPAM=$(grep $2 $ACCESS | grep -E "api/v1/instance|api/v1/notifications|api/v1/accounts|api/v2/search|timelines/public|timelines/home|/api/v1/accounts" | grep $1 | wc -l)
CHECK=$(cat $NFT_CACHE | sort -u | grep $i)
CHECK=$(cat $NFT_CACHE | sort -u | grep $1)
if [[ "$SEARCH_SPAM" -gt 30 ]]; then
echo "$IP $CHECK $COUNT"
if [ "$CHECK" = "" ]; then
ipBlockParser "$1"
redis-cli SADD tmp_block $i
message "module-akkoma: Spam Attack! $i"
echo "module-akkoma: Spam $1"
redis-cli SADD tmp_block $1
message "$ATTACK $1"
echo "$ATTACK $1"
else
echo "module-akkoma: Ignoring Duplicate IP: $i"
echo "$ATTACK Ignoring Duplicate IP: $1"
fi
fi
}
module-get-spam() {
ATTACK="module-akkoma DDOS Attack "
GET_SPAM=$(grep $2 $ACCESS | grep -E "GET / HTTP" | wc -l)
if [[ "$GET_SPAM" -gt 10 ]]; then
if [[ "$GET_SPAM" -gt 20 ]]; then
ipBlockParser "$1"
redis-cli SADD tmp_block $i
message "GET Spam Attack! $1"
redis-cli SADD tmp_block $1
message "$ATTACK $1"
fi
}
module-php() {
ATTACK="module-php DDOS Attack "
PHP_SPAM=$(grep $2 $ACCESS | grep -E ".php|cgi-bin|wp-content|wp-admin|wp-includes" | wc -l)
if [[ "$PHP_SPAM" -gt 1 ]]; then
ipBlockParser "$1"
message "PHP Attack!"
redis-cli SADD tmp_block $i
message "$ATTACK $1"
redis-cli SADD tmp_block $1
fi
}
module-lightning() {
ATTACK="module-lightning DDOS Attack "
LN_SPAM=$(grep $2 $ACCESS | grep "lnurlp/verita84" | wc -l)
if [[ "$LN_SPAM" -gt 5 ]]; then
ipBlockParser "$1"
message "Lightning Spam Attack!"
redis-cli SADD tmp_block $i
message "$ATTACK $1"
redis-cli SADD tmp_block $1
fi
}
@ -367,6 +402,48 @@ watch() {
echo
fi
done
BLOCK_CHECK=$(redis-cli --raw SMEMBERS tmp_block)
if [[ "$BLOCK_CHECK" == *"empty"* || "$BLOCK_CHECK" == "" ]]; then
rateLimit $HTTP_LIMIT
else
rateLimit $RATE_LIMITED_HTTP
fi
}
message() {
echo "$1" | /root/go/bin/algia dm-post -u 33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 --stdin
}
module-unblock() {
IP=($(grep $DATE $ACCESS | grep "/unblock" | cut -d ' ' -f1 | cut -d ' ' -f1 ))
for i in "${IP[@]}"; do
echo "Unblocking $i"
ipDeleteParser $i
done
}
module-nostr() {
IP=($(grep $DATE $ACCESS | grep "/block=" | cut -d '=' -f2 | cut -d ' ' -f1 | sed 's/"//'))
for i in "${IP[@]}"; do
echo $i
if [[ "$i" == *"npub"* ]]; then
bash /opt/strfry-policies/block.sh $i
else
echo "No Npubs to block"
fi
done
}
test-bots() {
for i in "${SAVED_BOTS[@]}"; do
DATA=$(grep $i $ACCESS | grep -Fivf <(printf '%s\n' "${CRAWLER_DB[@]}"))
if [ "$DATA" = "" ]; then
echo "No Data. Probably OK"
else
echo $DATA
fi
done
}
module-nostr() {

13530
nft.rules
View File

File diff suppressed because it is too large Load Diff