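#!/bin/bash
# nftables host firewall for a small home server: opens the per-service ports
# listed below, NATs the WireGuard tunnel, and turns access-log scans and saved
# address lists into DROP rules.
#
# Usage: firewall.sh {start|mastodon|bot-search|attacker-protection|status|stop}
# Must run as root (nft, sysctl, podman, files under /root/firewall).
#
# The settings are plain globals read by the functions below.  NFT_TCP/NFT_UDP
# are command prefixes and are expanded unquoted on purpose so they word-split.

# Our public address, used to exclude our own requests from the log scans.
# -f fails on HTTP errors, -sS keeps curl quiet except for real errors.
MY_IP=$(curl -fsS ifconfig.me)
# The value is later used as a grep pattern and comes from a third party, so
# accept only address characters.  An empty MY_IP would turn the exclusion
# into `grep -v ''`, which discards every log line, and the scans would
# silently find nothing.
if [[ ! $MY_IP =~ ^[0-9A-Fa-f.:]+$ ]]; then
  printf 'warning: no usable public IP from ifconfig.me (got "%s"); log scans will not work\n' "$MY_IP" >&2
  MY_IP=
fi

NGINX_ACCESS="/var/log/nginx/access.log"

# Per-service port lists (TCP, plus UDP where the service function opens it).
WIREGUARD=(57692 853)
WEB=(80 443)
ADGUARD=(53 3000 8082 67)
CUPS=(631 5353)
BITCOIN=(8333 8332 8334 4050)
LND=(9735 8080 28334 28333 19998 29000)
SYNCTHING=(22000 8384 21027)
NFS=(2049 111)
JELLYFIN=(8096 1900 7359)
# LAN hosts whose traffic trust() accepts unconditionally.
MACHINES=(192.168.0.55 192.168.0.146)
ADMIN=(22 9090)

#### NFT CONFIG ####
NFT='/usr/sbin/nft'
# "$NFT_TCP <port> $NFT_ACCEPT" appends one input rule for that port.
NFT_TCP="$NFT add rule ip filter input tcp dport"
NFT_UDP="$NFT add rule ip filter input udp dport"
NFT_DROP='counter drop'
NFT_ACCEPT='counter accept'
####

# CRAWLER_DB, PEDO_DB and ATTACKER_DB hold grep -E patterns (used via -f);
# the other lists hold one address per line.
SAVED_BOTS='/root/firewall/bots.txt'
CRAWLER_DB='/root/firewall/crawlers.txt'
PEDO_DB='/root/firewall/pedo.txt'
PEDO_LOG='/root/firewall/pedo-log.txt'
MASTODON_DB='/root/firewall/mastodon.txt'
ATTACKER_DB='/root/firewall/attacker-db.txt'
ATTACKER_LOG='/root/firewall/attackers.txt'
BOT_ACCOUNT="blockbot@detroitriotcity.com"
# Scratch list of this run's crawler addresses.  NOTE(review): a fixed name in
# the world-writable /tmp can be pre-created by any local user; prefer mktemp.
CRAWLER_TMP='/tmp/crawlers.txt'

# "YYYY:HH:" for the previous hour, which is how that hour reads inside
# nginx's "[dd/Mon/YYYY:HH:MM:SS" timestamp, so the scans only look at the
# last hour's requests.
DATE="$(date +%Y:%H: -d "1 hour ago")"
#DATE="$(date +%Y:%H:)";

# NOTE(review): this is a long-lived private signing key kept in cleartext in
# the script and re-installed on every run; keep it in a root-only file
# instead and rotate it.
noscl setprivate 80ec76355ba0a72cef69d427bfc8c7dc8a7d015b2b8c07657b46ba1f972b6f35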
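#######################################
# Set up NAT for the WireGuard tunnel: a postrouting base chain in the ip nat
# table that masquerades traffic leaving the host.
# Globals:   NFT (read)
# Returns:   status of the last nft command
#######################################
wireguard-networking() {
  "$NFT" add table ip nat
  # The chain must be a *base* chain (hooked into postrouting) or nothing is
  # ever evaluated in it and the masquerade rule below never takes effect.
  "$NFT" add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
  # Count tunnel<->LAN traffic in both directions; no verdict, so packets fall
  # through to the masquerade rule.
  "$NFT" add rule ip nat postrouting oif wg0 iif enp11s0 counter
  "$NFT" add rule ip nat postrouting oif enp11s0 iif wg0 counter
  # NOTE(review): this masquerades every flow leaving the host, not only
  # wg0<->enp11s0; add `oif enp11s0` if other interfaces must keep their source.
  "$NFT" add rule ip nat postrouting masquerade
}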
#######################################
# Run both access-log scans, pedo-search first, then attacker-search.
#######################################
attacker-protection() {
  local scan
  for scan in pedo-search attacker-search; do
    "$scan"
  done
}
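#######################################
# Load every address in MASTODON_DB as an input DROP rule.
# Globals:   MASTODON_DB, NFT, NFT_DROP (read)
# Outputs:   progress messages on stdout
# Returns:   1 if MASTODON_DB is unreadable, else status of the last nft call
#######################################
mastodon() {
  local addr
  if [[ ! -r $MASTODON_DB ]]; then
    printf 'mastodon: cannot read %s\n' "$MASTODON_DB" >&2
    return 1
  fi
  echo
  echo "Feeding $MASTODON_DB into NFT....."
  echo
  # sort -u de-duplicates the list; read takes the first token of each line
  # (tolerating CRLF and trailing blanks) and blank lines are skipped so a
  # malformed `ip saddr` rule is never sent to nft.
  while IFS=$' \t\r' read -r addr _; do
    [[ -n $addr ]] || continue
    "$NFT" add rule ip filter input ip saddr "$addr" $NFT_DROP
  done < <(sort -u -- "$MASTODON_DB")
}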
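#######################################
# Load every address already in SAVED_BOTS as an input DROP rule, then merge
# this run's crawler list (CRAWLER_TMP) back into SAVED_BOTS.
# Globals:   SAVED_BOTS, CRAWLER_TMP, NFT, NFT_DROP (read);
#            CRAWLER_TMP, SAVED_BOTS (written)
# Outputs:   progress messages on stdout
# Returns:   1 if SAVED_BOTS is unreadable or no temp file could be made
#######################################
saved-bots() {
  local addr merged
  if [[ ! -r $SAVED_BOTS ]]; then
    printf 'saved-bots: cannot read %s\n' "$SAVED_BOTS" >&2
    return 1
  fi
  echo
  echo "Feeding $SAVED_BOTS into NFT....."
  echo
  # First token per line, blanks skipped, so nft never gets an empty saddr.
  while IFS=$' \t\r' read -r addr _; do
    [[ -n $addr ]] || continue
    "$NFT" add rule ip filter input ip saddr "$addr" $NFT_DROP
    printf '%s\n' "$addr" >>"$CRAWLER_TMP"
  done < <(sort -u -- "$SAVED_BOTS")

  echo "Saving Bot list to $SAVED_BOTS....."
  # Unpredictable temp name: the old fixed /tmp/bot.tmp could be pre-created by
  # another local user and was then copied over SAVED_BOTS as root.
  merged=$(mktemp) || return 1
  # Union of both lists, minus blank lines, de-duplicated.
  cat -- "$CRAWLER_TMP" "$SAVED_BOTS" | grep -v '^[[:space:]]*$' | sort -u >"$merged"
  cp -f -- "$merged" "$SAVED_BOTS"
  rm -f -- "$merged"
}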
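#######################################
# Scan the nginx access log for requests matching the CRAWLER_DB patterns,
# DROP each source address, and merge the addresses into SAVED_BOTS.
# Globals:   NGINX_ACCESS, CRAWLER_DB, MY_IP, SAVED_BOTS, CRAWLER_TMP, NFT,
#            NFT_DROP (read); CRAWLER_TMP, SAVED_BOTS (written)
# Outputs:   progress messages on stdout
# Returns:   1 if MY_IP is empty, an input file is unreadable, or mktemp fails
#######################################
bot-search() {
  local addr merged
  # With an empty MY_IP the exclusion below would be `grep -v ''`, which
  # discards every line, so the scan would silently block nothing.
  if [[ -z $MY_IP ]]; then
    printf 'bot-search: MY_IP is empty; refusing to scan\n' >&2
    return 1
  fi
  if [[ ! -r $NGINX_ACCESS || ! -r $CRAWLER_DB ]]; then
    printf 'bot-search: cannot read %s or %s\n' "$NGINX_ACCESS" "$CRAWLER_DB" >&2
    return 1
  fi
  # Start this run's crawler list empty (the old `echo >` left a blank line).
  : >"$CRAWLER_TMP"

  echo
  echo "Processing Web Crawler list into NFT....."
  echo
  # Pipeline: drop our own requests (fixed-string match, so the dots in MY_IP
  # are not regex wildcards), drop the moderation/report noise, keep lines
  # matching a crawler pattern, then take the client address, which is the
  # first field of nginx's default log format.
  while IFS= read -r addr; do
    [[ -n $addr ]] || continue
    "$NFT" add rule ip filter input ip saddr "$addr" $NFT_DROP
    printf '%s\n' "$addr" >>"$CRAWLER_TMP"
  done < <(grep -viF -- "$MY_IP" "$NGINX_ACCESS" \
    | grep -Evi 'Guro|spank|report|rape|block' \
    | grep -Ei -f "$CRAWLER_DB" \
    | awk '{ print $1 }' \
    | sort -u)

  # Merge into the persistent list through an unpredictable temp file rather
  # than the fixed /tmp/bot.tmp, which any local user could pre-create.
  merged=$(mktemp) || return 1
  cat -- "$CRAWLER_TMP" "$SAVED_BOTS" | grep -v '^[[:space:]]*$' | sort -u >"$merged"
  cp -f -- "$merged" "$SAVED_BOTS"
  rm -f -- "$merged"
}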
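#######################################
# Scan the last hour of the nginx access log for tag/search requests matching
# the PEDO_DB patterns: DROP each source address, publish the offending log
# line via noscl (and toot it when it mentions "detroit"), and record the
# address in PEDO_LOG.
# Globals:   NGINX_ACCESS, DATE, MY_IP, PEDO_DB, CRAWLER_DB, PEDO_LOG,
#            BOT_ACCOUNT, NFT, NFT_DROP (read); PEDO_LOG (written)
# Outputs:   progress messages on stdout
# Returns:   1 if MY_IP is empty or an input file is unreadable
#######################################
pedo-search() {
  local addr query
  # An empty MY_IP would make the exclusion `grep -v ''` and discard every line.
  if [[ -z $MY_IP ]]; then
    printf 'pedo-search: MY_IP is empty; refusing to scan\n' >&2
    return 1
  fi
  if [[ ! -r $NGINX_ACCESS || ! -r $PEDO_DB || ! -r $CRAWLER_DB ]]; then
    printf 'pedo-search: cannot read one of %s %s %s\n' "$NGINX_ACCESS" "$PEDO_DB" "$CRAWLER_DB" >&2
    return 1
  fi
  echo
  echo "Processing Pedo Searches into NFT....."
  # Candidates: lines from the hour DATE names, not from us, matching a
  # PEDO_DB pattern and a tag/search request; the client address is the
  # first field of nginx's default log format.
  while IFS= read -r addr; do
    [[ -n $addr ]] || continue
    "$NFT" add rule ip filter input ip saddr "$addr" $NFT_DROP
    # The line to report: same window, tag/search requests only, minus crawler
    # user agents and the static/API noise, from this exact client (awk
    # compares the whole first field, unlike the old unanchored `grep $i`).
    query=$(grep -i -- "$DATE" "$NGINX_ACCESS" \
      | grep -viF -- "$MY_IP" \
      | grep -Ei 'tag|search' \
      | grep -Evi -f "$CRAWLER_DB" \
      | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' \
      | awk -v ip="$addr" '$1 == ip' \
      | grep -Ei -f "$PEDO_DB" \
      | head -1)
    if [[ -z $query ]]; then
      echo "No Pedos Found"
    else
      echo "Found Pedo!"
      # NOTE(review): $query is a raw access-log line; its request path and
      # user agent are client-supplied and are published unchanged here.
      if [[ $query == *"detroit"* ]]; then
        noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "$query"
        toot activate "$BOT_ACCOUNT"
        toot post ":emergency: :hacker_p: :hacker_e: :hacker_d: :hacker_o: :trans: :hacker_a: :hacker_l: :hacker_e: :hacker_r: :hacker_t: :emergency2: $query" -m /root/detroit/akkoma/blockbot/pedo.png
      else
        noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "[Pedo Alert] A Pedo has been found! $query"
      fi
      printf '%s\n' "$addr" >>"$PEDO_LOG"
    fi
  done < <(grep -i -- "$DATE" "$NGINX_ACCESS" \
    | grep -viF -- "$MY_IP" \
    | grep -Ei -f "$PEDO_DB" \
    | grep -Ei 'tag|search' \
    | awk '{ print $1 }' \
    | sort -u)
}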
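#######################################
# Scan the last hour of the nginx access log for requests matching the
# ATTACKER_DB patterns: DROP each source address, publish the first matching
# log line via noscl, and record the address in ATTACKER_LOG.
# Globals:   NGINX_ACCESS, DATE, MY_IP, ATTACKER_DB, ATTACKER_LOG, NFT,
#            NFT_DROP (read); ATTACKER_LOG (written)
# Outputs:   progress messages on stdout
# Returns:   1 if MY_IP is empty or an input file is unreadable
#######################################
attacker-search() {
  local addr query
  # An empty MY_IP would make the exclusion `grep -v ''` and discard every line.
  if [[ -z $MY_IP ]]; then
    printf 'attacker-search: MY_IP is empty; refusing to scan\n' >&2
    return 1
  fi
  if [[ ! -r $NGINX_ACCESS || ! -r $ATTACKER_DB ]]; then
    printf 'attacker-search: cannot read %s or %s\n' "$NGINX_ACCESS" "$ATTACKER_DB" >&2
    return 1
  fi
  echo
  echo "Processing Attacker Searches into NFT....."
  echo
  # Candidates: lines from the hour DATE names, not from us, matching an
  # ATTACKER_DB pattern; the client address is the first field of nginx's
  # default log format.
  while IFS= read -r addr; do
    [[ -n $addr ]] || continue
    "$NFT" add rule ip filter input ip saddr "$addr" $NFT_DROP
    # First matching line from this exact client (awk compares the whole
    # first field, unlike the old unanchored `grep $i`).
    query=$(grep -i -- "$DATE" "$NGINX_ACCESS" \
      | grep -viF -- "$MY_IP" \
      | awk -v ip="$addr" '$1 == ip' \
      | grep -Ei -f "$ATTACKER_DB" \
      | head -1)
    if [[ -z $query ]]; then
      echo "No Attackers Found"
    else
      echo "Found Attacker!"
      # NOTE(review): $query is a raw access-log line; its request path and
      # user agent are client-supplied and are published unchanged here.
      noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "[Attacker Alert] An attacker has been found! $query"
      printf '%s\n' "$addr" >>"$ATTACKER_LOG"
    fi
  done < <(grep -i -- "$DATE" "$NGINX_ACCESS" \
    | grep -viF -- "$MY_IP" \
    | grep -Ei -f "$ATTACKER_DB" \
    | awk '{ print $1 }' \
    | sort -u)
}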
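#######################################
# Append the catch-all rules: drop ICMP echo, drop everything else on input,
# accept output and forward, then insert the always-needed accepts (loopback,
# established) at the top of input.  Must run after the service functions:
# nft evaluates rules in order and the catch-all drop ends the chain, which is
# why start() calls this last.
# Globals:   NFT, NFT_DROP, NFT_ACCEPT (read)
#######################################
basic-security() {
  # `add` is spelled out everywhere for consistency with the other functions.
  "$NFT" add rule filter input icmp type echo-request $NFT_DROP
  "$NFT" add rule filter input $NFT_DROP
  "$NFT" add rule filter output $NFT_ACCEPT
  "$NFT" add rule filter forward $NFT_ACCEPT
  # NOTE(review): `established` alone does not cover related flows (e.g. ICMP
  # errors for existing connections), which then hit the catch-all drop;
  # `ct state established,related` is the usual choice.
  "$NFT" insert rule filter input ct state established $NFT_ACCEPT
  "$NFT" insert rule filter input iif lo $NFT_ACCEPT

  # IPv6: load the stock skeleton, then drop neighbour solicitations and
  # router advertisements.  NOTE(review): without NDP the host cannot take part
  # in IPv6 on its links; confirm that is the intent.
  "$NFT" -f /usr/share/doc/nftables/examples/ipv6-filter.nft
  "$NFT" add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
  "$NFT" add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
}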
#######################################
# Accept TCP to the administrative ports in ADMIN.
# Globals:   ADMIN, NFT_TCP, NFT_ACCEPT (read)
#######################################
admin() {
  local port
  for port in "${ADMIN[@]}"; do
    $NFT_TCP "$port" $NFT_ACCEPT
  done
}
#######################################
# Enable IPv4 forwarding (tunnel clients are routed through this host) and
# accept TCP and UDP to the WireGuard ports.
# Globals:   WIREGUARD, NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
wireguard() {
  local port
  sysctl -w net.ipv4.conf.all.forwarding=1
  for port in "${WIREGUARD[@]}"; do
    $NFT_TCP "$port" $NFT_ACCEPT
    $NFT_UDP "$port" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP to the web ports in WEB.
# Globals:   WEB, NFT_TCP, NFT_ACCEPT (read)
#######################################
web() {
  local dport
  for dport in "${WEB[@]}"; do
    $NFT_TCP "$dport" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP and UDP to the AdGuard ports in ADGUARD.
# Globals:   ADGUARD, NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
adguard() {
  local p
  for p in "${ADGUARD[@]}"; do
    $NFT_TCP "$p" $NFT_ACCEPT
    $NFT_UDP "$p" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP and UDP to the CUPS ports in CUPS.
# Globals:   CUPS, NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
cups() {
  local idx
  for ((idx = 0; idx < ${#CUPS[@]}; idx++)); do
    $NFT_TCP "${CUPS[idx]}" $NFT_ACCEPT
    $NFT_UDP "${CUPS[idx]}" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP to the bitcoind ports in BITCOIN.
# Globals:   BITCOIN, NFT_TCP, NFT_ACCEPT (read)
#######################################
bitcoin() {
  local idx
  for ((idx = 0; idx < ${#BITCOIN[@]}; idx++)); do
    $NFT_TCP "${BITCOIN[idx]}" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP to the LND ports in LND.
# Globals:   LND, NFT_TCP, NFT_ACCEPT (read)
#######################################
lnd() {
  local dport
  for dport in "${LND[@]}"; do
    $NFT_TCP "$dport" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP and UDP to the Syncthing ports in SYNCTHING.
# Globals:   SYNCTHING, NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
syncthing() {
  local port
  for port in "${SYNCTHING[@]}"; do
    $NFT_TCP "$port" $NFT_ACCEPT
    $NFT_UDP "$port" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP and UDP to the Jellyfin ports in JELLYFIN.
# Globals:   JELLYFIN, NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
jellyfin() {
  local p
  for p in "${JELLYFIN[@]}"; do
    $NFT_TCP "$p" $NFT_ACCEPT
    $NFT_UDP "$p" $NFT_ACCEPT
  done
}
#######################################
# Accept TCP and UDP on the KDE Connect port range.
# Globals:   NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
kde-connect() {
  local -r range='1714-1764'
  $NFT_TCP "$range" $NFT_ACCEPT
  $NFT_UDP "$range" $NFT_ACCEPT
}
#######################################
# Accept TCP and UDP to the NFS ports in NFS.
# Not called by start() or the command dispatcher.
# Globals:   NFS, NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
nfs() {
  local dport
  for dport in "${NFS[@]}"; do
    $NFT_TCP "$dport" $NFT_ACCEPT
    $NFT_UDP "$dport" $NFT_ACCEPT
  done
}
#######################################
# Accept all IPv4 traffic from the LAN hosts listed in MACHINES.
# Not called by start() or the command dispatcher.
# Globals:   MACHINES, NFT, NFT_ACCEPT (read)
#######################################
trust() {
  local host
  for host in "${MACHINES[@]}"; do
    "$NFT" add rule filter input ip saddr "$host" $NFT_ACCEPT
  done
}
#######################################
# Build the whole ruleset from scratch: flush, load the stock ipv4 skeleton,
# open the service ports for this host, then append the catch-all drop via
# basic-security.  Rule order matters: nft evaluates rules top-down, so
# basic-security must stay last.
# Globals:   HOSTNAME, NFT (read)
#######################################
start() {
  "$NFT" flush ruleset
  "$NFT" -f /usr/share/doc/nftables/examples/ipv4-filter.nft
  # NOTE(review): between the flush above and basic-security below the ruleset
  # has no catch-all drop yet, and on the NAS that window includes the log
  # scans; loading a generated file with a single `nft -f` would make the
  # switch atomic.
  case $HOSTNAME in
    *nas*)
      attacker-protection
      bot-search
      saved-bots
      wireguard
      web
      admin
      adguard
      cups
      bitcoin
      syncthing
      lnd
      jellyfin
      wireguard-networking
      # Uptime
      podman restart uptime-kuma
      basic-security
      ;;
    *)
      syncthing
      kde-connect
      /usr/bin/systemctl restart libvirtd
      basic-security
      ;;
  esac
}
#######################################
# Print the filter and nat tables, hiding drop rules whose counters still
# read "0 bytes".
# Globals:   NFT (read)
#######################################
status() {
  local -r idle_drop='0 bytes 0 drop'
  "$NFT" list table filter | grep -v -- "$idle_drop"
  "$NFT" list table nat
}
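#######################################
# Tear the firewall down to accept-everything: flush, reload the stock ipv4
# and ipv6 skeletons, and add accept rules where basic-security adds drops.
# Every rule here is an accept, so the host is unfiltered afterwards.
# Globals:   NFT, NFT_ACCEPT (read)
#######################################
stop() {
  "$NFT" flush ruleset
  "$NFT" -f /usr/share/doc/nftables/examples/ipv4-filter.nft
  # `add` is spelled out everywhere for consistency with the other functions.
  "$NFT" add rule filter input icmp type echo-request $NFT_ACCEPT
  "$NFT" add rule filter input $NFT_ACCEPT
  "$NFT" add rule filter output $NFT_ACCEPT
  "$NFT" add rule filter forward $NFT_ACCEPT
  "$NFT" insert rule filter input ct state established $NFT_ACCEPT
  "$NFT" insert rule filter input iif lo $NFT_ACCEPT

  "$NFT" -f /usr/share/doc/nftables/examples/ipv6-filter.nft
  "$NFT" add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
  "$NFT" add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
}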
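#######################################
# Command dispatch.
# Arguments: $1 - start|mastodon|bot-search|attacker-protection|status|stop
# Outputs:   "Invalid Choice" on stdout for an unknown command (as before),
#            plus a usage line on stderr
# Returns:   the selected function's status; 1 for an unknown command, so
#            cron and callers can tell a typo from a successful run
#######################################
main() {
  case $1 in
    start) start ;;
    mastodon) mastodon ;;
    bot-search) bot-search ;;
    attacker-protection) attacker-protection ;;
    status) status ;;
    stop) stop ;;
    *)
      echo "Invalid Choice"
      printf 'Usage: %s {start|mastodon|bot-search|attacker-protection|status|stop}\n' "${0##*/}" >&2
      return 1
      ;;
  esac
}

main "$@"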