function firewall_rule_save()
{
$tpl = new templates();
$iptables = new iptables_chains();
$iptables->localport = $_POST["multiples_ports"];
$iptables->serverip = $_POST["source_address"];
$iptables->rulemd5 = $_POST["rulemd5"];
if (!$iptables->add_chain()) {
echo $tpl->javascript_parse_text("\n{failed}\n");
return;
}
$sock = new sockets();
$sock->getFrameWork("network.php?fw-inbound-rules=yes");
}
function firewall_delete_all_rules()
{
$users = new usersMenus();
if (!$users->AsPostfixAdministrator) {
$error = html_entity_decode($tpl->_ENGINE_parse_body("{ERROR_NO_PRIVS}"));
echo "{$error}";
die;
}
$iptables_chains = new iptables_chains();
if (!$iptables_chains->deleteAllPostfix_chains()) {
echo $iptables_chains->error;
return false;
}
unset($_SESSION["postfix_firewall_rules"]);
$tpl = new templates();
echo html_entity_decode($tpl->_ENGINE_parse_body("{success}\n{delete_not_forget_to_compile}"));
}
function firewall_range_save(){
$iptables=new iptables_chains();
$iptables->localport=$_POST["multiples_ports"];
$iptables->serverip="Range:{$_POST["range-from"]}-{$_POST["range-to"]}";
$iptables->rulemd5=null;
$iptables->allow=$_POST["allow"];
writelogs("Adding $ipaddr {$_POST["multiple-ports-fw"]}",__FUNCTION__,__FILE__,__LINE__);
if(!$iptables->add_chain()){echo $tpl->javascript_parse_text("\n{failed}\n");return;}
$sock=new sockets();
$sock->getFrameWork("network.php?fw-inbound-rules=yes");
}
function ParseLastEvents()
{
$timefile = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".time";
$timeF = file_time_min($timefile);
if ($timeF < 240) {
if ($GLOBALS["VERBOSE"]) {
echo "{$timeF} minutes, need to wait 240\n";
}
return;
}
@file_put_contents($timefile, "#");
$unix = new unix();
$iptables = $unix->find_program("iptables");
if ($GLOBALS["VERBOSE"]) {
echo "Loading Whitelist\n";
}
$whitelist = load_whitelist();
if ($GLOBALS["VERBOSE"]) {
echo "Loading Whitelist " . count($whitelist) . " items\n";
}
$sock = new sockets();
$PostfixInstantIptablesLastDays = $sock->GET_INFO("PostfixInstantIptablesLastDays");
$PostfixInstantIptablesMaxEvents = $sock->GET_INFO("PostfixInstantIptablesMaxEvents");
if (!is_numeric($PostfixInstantIptablesLastDays)) {
$PostfixInstantIptablesLastDays = 7;
}
if (!is_numeric($PostfixInstantIptablesMaxEvents)) {
$PostfixInstantIptablesMaxEvents = 50;
}
$sql = "SELECT COUNT(ipaddr) as tcount,ipaddr,smtp_err,hostname \n\tFROM mail_con_err_stats WHERE zDate<DATE_SUB(NOW(),INTERVAL 1 DAY) \n\tAND zDate>=DATE_SUB(NOW(),INTERVAL {$PostfixInstantIptablesLastDays} DAY) \n\tGROUP BY ipaddr,smtp_err,hostname ORDER BY COUNT(ipaddr) DESC";
$q = new mysql();
$results = $q->QUERY_SQL($sql, "artica_events");
$newarray = array();
while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
$count_events = $ligne["tcount"];
if ($count_events < 3) {
break;
}
$ipaddr = $ligne["ipaddr"];
$error = $ligne["smtp_err"];
$server_name = $ligne["hostname"];
if ($whitelist[$server_name]) {
echo "Whitelisted {$server_name}\n";
continue;
}
if ($whitelist[$ipaddr]) {
echo "Whitelisted {$ipaddr}\n";
continue;
}
$newarray[$ipaddr]["HOST"] = $server_name;
$newarray[$ipaddr]["EVENTS_TEXT"][] = "{$server_name} [{$ipaddr}] - {$count_events} {$error}";
if (isset($newarray[$ipaddr])) {
$newarray[$ipaddr]["EVENTS"] = $newarray[$ipaddr]["EVENTS"] + $count_events;
} else {
$newarray[$ipaddr]["EVENTS"] = $newarray[$ipaddr]["EVENTS"];
}
}
if (!is_array($newarray)) {
return;
}
$newarray2 = $newarray;
while (list($ipaddr, $ligne) = each($newarray)) {
$count = $ligne["EVENTS"];
if ($count < $PostfixInstantIptablesMaxEvents) {
unset($newarray2[$ipaddr]);
//if($GLOBALS["VERBOSE"]){echo "skipping $ipaddr {$ligne["HOST"]} $count events\n";}
continue;
}
}
if ($GLOBALS["VERBOSE"]) {
echo count($newarray2) . " items -> Array:newarray2\n";
}
if (count($newarray2) == 0) {
return;
}
$ipCount = 0;
while (list($ipaddr, $ipaddrARR) = each($newarray2)) {
$sql = "SELECT rulemd5 FROM iptables WHERE serverip='{$ipaddr}' AND local_port='25'";
$ligne = mysql_fetch_array($q->QUERY_SQL($sql, "artica_backup"));
if ($ligne["rulemd5"] != null) {
if ($GLOBALS["VERBOSE"]) {
echo "Skip {$ipaddr} already added\n";
}
continue;
}
$EVENTS = "{$ipaddrARR["EVENTS"]} refused connexions:\n" . @implode("\n", $ipaddrARR["EVENTS_TEXT"]);
$cmd = "{$iptables} -A INPUT -s {$ipaddr} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
$iptablesClass = new iptables_chains();
$iptablesClass->serverip = $ipaddr;
$iptablesClass->servername = $server_name;
$iptablesClass->rule_string = $cmd;
$iptablesClass->EventsToAdd = $EVENTS;
if (!$iptablesClass->addPostfix_chain()) {
$FAILED = "FAILED TO add {$ipaddr} ";
}
$notifs[] = $EVENTS;
shell_exec($cmd);
if ($GLOBALS["VERBOSE"]) {
echo $cmd . "\n";
}
$ipCount++;
}
if ($ipCount > 0) {
$unix->send_email_events("Instant Iptables {$ipCount} addresse(s) added", "Calculation since {$PostfixInstantIptablesLastDays} days and for {$PostfixInstantIptablesMaxEvents} minimal blocks events\n" . @implode("\n", $notifs), "postfix");
}
}
function compile_sshd_rules(){
include_once(dirname(__FILE__)."/ressources/class.openssh.inc");
$q=new mysql();
$iptablesClass=new iptables_chains();
$unix=new unix();
$openssh=new openssh();
$SSHDPort=$openssh->main_array["Port"];
if(!is_numeric($SSHDPort)){$SSHDPort=22;}
$iptables=$unix->find_program("iptables");
$GLOBALS["IPTABLES_WHITELISTED"]=$iptablesClass->LoadWhiteLists();
$sql="SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND local_port=22";
$results=$q->QUERY_SQL($sql,"artica_backup");
iptables_delete_all();
if($GLOBALS["VERBOSE"]){echo "OpenSSH port is $SSHDPort\n";}
while($ligne=@mysql_fetch_array($results,MYSQL_ASSOC)){
$ip=$ligne["serverip"];
if($iptablesClass->isWhiteListed($ip)){continue;}
events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 22");
ssh_events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 22",__FUNCTION__,__FILE__,__LINE__);
/*if($InstantIptablesEventAll==1){
if($GLOBALS["VERBOSE"]){echo "$ip -> LOG\n";}
$cmd="$iptables -A INPUT -s $ip -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
$commands[]=$cmd;
}*/
$cmd="$iptables -A INPUT -s $ip -p tcp --destination-port $SSHDPort -j DROP -m comment --comment \"ArticaInstantSSH\"";
$commands[]=$cmd;
}
if($GLOBALS["VERBOSE"]){echo count($commands)." should be performed\n";}
if(is_array($commands)){
while (list ($index, $line) = each ($commands) ){
writelogs($line,__FUNCTION__,__FILE__,__LINE__);
if($GLOBALS["VERBOSE"]){echo $line."\n";}
shell_exec($line);
}
$unix->send_email_events("SSHD Hack ".count($commands)." rules(s) added",null,"system");
}
}
function ban_servers_save()
{
$ipchain = new iptables_chains();
$tb = explode("\n", $_POST["ban-servers-add"]);
if (!is_array($tb)) {
echo "No data";
return;
}
while (list($num, $ipaddressData) = each($tb)) {
if (!preg_match("#[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+#", $ipaddressData)) {
$ip = gethostbyname($ipaddressData);
$servername = $ipaddressData;
} else {
$ip = $ipaddressData;
$servername = gethostbyaddr($ipaddressData);
}
$ipchain = new iptables_chains();
$ipchain->servername = $servername;
$ipchain->serverip = $ip;
$ipchain->EventsToAdd = "Manual rule";
$ipchain->rule_string = "iptables -A INPUT -s {$ip} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
if (!$ipchain->addPostfix_chain()) {
echo "Failed {$ip} {$servername}\n";
return;
}
}
$sock = new sockets();
$sock->getFrameWork("cmd.php?postfix-iptables-compile=yes");
}
function parsequeue()
{
$q = new mysql();
$q->Check_iptables_table();
$ini = new Bs_IniHandler();
$ini->loadFile('/etc/artica-postfix/settings/Daemons/PostfixAutoBlockResults');
foreach (glob("/var/log/artica-postfix/smtp-hack/*.hack") as $filename) {
$basename = basename($filename);
$array = unserialize(@file_get_contents($filename));
$IP = $array["IP"];
if ($IP == "127.0.0.1") {
@unlink($filename);
continue;
}
$server_name = gethostbyaddr($IP);
$matches = $array["MATCHES"];
$EVENTS = $array["EVENTS"];
$date = $array["DATE"];
if ($GLOBALS["VERBOSE"]) {
echo "{$basename}: servername:{$server_name} IP=[{$IP}]\n";
}
$cmd = "iptables -A INPUT -s {$IP} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
$iptables = new iptables_chains();
$iptables->serverip = $IP;
$iptables->servername = $server_name;
$iptables->rule_string = $cmd;
$iptables->EventsToAdd = $EVENTS;
if ($iptables->addPostfix_chain()) {
if ($GLOBALS["VERBOSE"]) {
echo "Add IP:Addr=<{$IP}>, servername=<{$server_name}> to mysql\n";
}
$ini->set($IP, "events", $matches);
$ini->set($IP, "iptablerule", $cmd);
$ini->set($IP, "hostname", $server_name);
if ($GLOBALS["VERBOSE"]) {
echo "delete {$filename}\n";
}
@unlink($filename);
}
}
$filestr = $ini->toString();
file_put_contents("/etc/artica-postfix/settings/Daemons/PostfixAutoBlockResults", $filestr);
}
function blocked_ip_identity_ban()
{
include_once 'ressources/class.iptables-chains.inc';
$tpl = new templates();
$ipchain = new iptables_chains();
$IPSRC = $_GET["identity-ban"];
if (trim($IPSRC) == null) {
echo "NULL!";
return;
}
if (!preg_match("#[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+#", $IPSRC)) {
$ip = gethostbyname($IPSRC);
$servername = $IPSRC;
} else {
$ip = $IPSRC;
$servername = gethostbyaddr($IPSRC);
}
$ipchain = new iptables_chains();
$ipchain->servername = $servername;
$ipchain->serverip = $ip;
$ipchain->EventsToAdd = "Manual rule";
$ipchain->rule_string = "iptables -A INPUT -s {$ip} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
if (!$ipchain->addPostfix_chain()) {
echo $tpl->javascript_parse_text("{failed} {$ip} {$servername} ");
return;
} else {
echo $tpl->javascript_parse_text("{success} {$ip} {$servername} ");
}
$sock = new sockets();
$sock->getFrameWork("cmd.php?postfix-iptables-compile=yes");
}
function nginx_attack()
{
$zDate = date('Y-m-d H:i:s');
$HTTP_HOST = $_SERVER["HTTP_HOST"];
$servername = $HTTP_HOST;
$HTTP_X_REAL_IP = $_SERVER["HTTP_X_REAL_IP"];
if ($HTTP_X_REAL_IP == "127.0.0.1") {
return;
}
$q = new mysql_squid_builder();
$timekey = date('YmdH');
$table = "ngixattck_{$timekey}";
$url = base64_decode($_GET["uencode"]);
$localport = $_GET["localport"];
if ($GLOBALS["VERBOSE"]) {
Debuglogs("{$HTTP_HOST} {$HTTP_X_REAL_IP} {$table}", __FUNCTION__, __LINE__);
}
if (!is_numeric($localport)) {
$localport = 80;
}
$ports[] = 80;
$ports[] = 443;
if ($localport != 80) {
if ($localport != 443) {
$ports[] = $localport;
}
}
$hostname = null;
$country = null;
if (!isset($_SESSION["nginx_exploits_fw"][$servername])) {
$ligne = mysql_fetch_array($q->QUERY_SQL("SELECT maxaccess,sendlogs FROM nginx_exploits_fw WHERE servername='{$servername}'"));
$md5 = md5("{$zDate}{$servername}{$HTTP_X_REAL_IP}");
$md5L = md5("{$servername}{$HTTP_X_REAL_IP}");
$maxaccess = $ligne["maxaccess"];
$sendlogs = $ligne["sendlogs"];
if (!is_numeric($maxaccess)) {
$maxaccess = 0;
}
$_SESSION["nginx_exploits_fw"][$servername]["maxaccess"] = $maxaccess;
$_SESSION["nginx_exploits_fw"][$servername]["sendlogs"] = $sendlogs;
Debuglogs("{$servername}, maxaccess={$maxaccess}, sendlogs={$ligne["sendlogs"]} table={$table}", __FUNCTION__, __LINE__);
} else {
$maxaccess = $_SESSION["nginx_exploits_fw"][$servername]["maxaccess"];
$sendlogs = $_SESSION["nginx_exploits_fw"][$servername]["sendlogs"];
}
if (!isset($_SESSION["nginx_exploits_fw"]["BLOCKED"])) {
if ($maxaccess > 0) {
$sendlogs = 1;
$ligne = mysql_fetch_array($q->QUERY_SQL("SELECT COUNT(keyr) as tcount FROM `{$table}` WHERE ipaddr='{$HTTP_X_REAL_IP}' and `servername`='{$servername}'"));
if (!$q->ok) {
Debuglogs("{$q->mysql_error}");
}
$Count = $ligne["tcount"];
Debuglogs("Current {$Count} time(s)/{$maxaccess}", __FUNCTION__, __LINE__);
$Count++;
$ligne = mysql_fetch_array($q->QUERY_SQL("SELECT `ipaddr` FROM `nginx_exploits_fwev` WHERE zmd5='{$md5L}'"));
Debuglogs("{$md5L} = `{$ligne["ipaddr"]}", __FUNCTION__, __LINE__);
if ($ligne["ipaddr"] == null) {
if ($Count > $maxaccess) {
$hostname = gethostbyaddr($HTTP_X_REAL_IP);
Debuglogs("{$HTTP_X_REAL_IP} -> BAN !!! ( count {$Count} <-> {$maxaccess} )");
$ipchain = new iptables_chains();
$ipchain->servername = gethostbyaddr($HTTP_X_REAL_IP);
$ipchain->serverip = $HTTP_X_REAL_IP;
$ipchain->EventsToAdd = "Reverse Proxy 403 error";
$ipchain->add_xchain($ports, "ArticaInstantNginx");
$sock = new sockets();
$sock->getFrameWork("cmd.php?iptables-nginx-compile=yes");
$country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
$sql = "INSERT IGNORE INTO nginx_exploits_fwev (`zmd5`,`servername`,`zDate`,`ipaddr`,`hostname`,`country`)\n\t\t\t\tVALUES('{$md5L}','{$servername}','{$zDate}','{$HTTP_X_REAL_IP}','{$hostname}','{$country}');";
Debuglogs($sql);
$q->QUERY_SQL($sql);
if (!$q->ok) {
Debuglogs($q->mysql_error);
}
if ($q->ok) {
$_SESSION["nginx_exploits_fw"]["BLOCKED"] = true;
}
}
}
}
}
if ($sendlogs == 1) {
if ($country == null) {
$country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
}
if ($hostname == null) {
$hostname = gethostbyaddr($HTTP_X_REAL_IP);
}
$family = $q->GetFamilySites($hostname);
$q->check_nginx_attacks_RT($timekey);
$sql = "INSERT IGNORE INTO {$table} (`keyr`,`servername`,`zDate`,`ipaddr`,`familysite`,`hostname`,`country`)\n\t\tVALUES('{$md5}','{$servername}','{$zDate}','{$HTTP_X_REAL_IP}','{$family}','{$hostname}','{$country}');";
Debuglogs("{$servername}: Attack from {$hostname} [{$HTTP_X_REAL_IP}] - {$country} ");
$q->QUERY_SQL($sql);
if (!$q->ok) {
Debuglogs($q->mysql_error);
}
}
}
