-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathld-update
executable file
·536 lines (507 loc) · 14.7 KB
/
ld-update
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
#!/bin/bash
#ld-update
#===============================================================================
#
# FILE:
# ld-update
#
# REVISION:
# 001
#
# WHEN TO USE:
# When you are very sure you want to boot up the full Lockdown suite of
# utilities using the configuration files in the conf/ directory where
# ld-update is located.
#
# USAGE:
# ld-update [-d] [-n] [-s] [-v] [-y]
# ld-update [--dry-run] [--no-download] [--silent] [--verbose] [--yes]
#
# DESCRIPTION:
# This script will try to do all of the following things,
# once it starts running, and in the order specified:
# * Install extra packages for Enterprise Linux if required
# * Install iptables, ipset and fail2ban if required
# * Stop each of the three above services if running
# * Copy default configuration files into place
# * Start each of the three services
# * Enable each of the three services to run at boot
# * Stop nftables or firewalld
# * Disable nftables or firewalld from running at boot
#
# OPTIONS:
# -d | --dry-run
# Echos the commands that would be executed rather than executing them
# -h | --help
# Run help function and exit
# -n | --no-download
# Do not run commands to download latest blacklist & country CIDR lists
# -o | --out
# Output directory to save backup tarball
# -s | --silent
# Silent will attempt to prevent any and all output except in the event
# of failure. Silent operation implies --yes and will not ask permission
# for anything, you have been warned!
# Currently, any output from external programs will not be suppressed.
# -v | --verbose
# Output each line of the script after validations are parsed
# -x | --no-backup
# Do not back up any potentially pre-existing files
# -y | --yes
# Automatically say yes to everything
#
# TODO:
# Add -p|--ports option to open custom ports
# Add -s|--silent option
# Integrate pre/post processing rules
#
# AUTHOR: Jason (@iDoMeteor)
#===============================================================================
# Strict mode
set -euo pipefail
IFS=$'\n\t'
# Load configuration file
SRCDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ ! -f "$SRCDIR/conf/lockdown-default.conf" ] \
&& [ ! -f "$SRCDIR/conf/lockdown.conf" ]
then
echo "Lockdown installation configuration file not found, cannot continue."
exit 1
fi
if [ -f "$SRCDIR/conf/lockdown-default.conf" ]
then
. "$SRCDIR/conf/lockdown-default.conf"
fi
if [ -f "$SRCDIR/conf/lockdown.conf" ]
then
. "$SRCDIR/conf/lockdown.conf"
fi
# Instantiate Variables
BACKUP=1
DATE=`date +%s`
DISTRO=''
DOWNLOAD=$update_lists
DRY_RUN=''
EPEL='epel-release'
FAIL2BAN='fail2ban'
GAMIN='gamin'
IPSET='ipset'
IPTABLES='iptables'
PACKAGE_MANAGER='yum'
PORTS=$ports
SAVE_PATH=`pwd`
SILENT=0
YES=''
# Save origin
ORIGIN=`pwd`
# Help function
help () {
echo "Description:"
echo " Running this program will install Lockdown and all related services,"
echo " configuration files and lists."
echo "Usage:"
echo " `basename $0` [-d] [-n] [-s] [-v] [-y]"
echo " `basename $0` [--dry-run] [--no-download] [--silent] [--verbose] [--yes]"
exit 0
}
# Load libraries
. lib/determine_linux_distro
. lib/lockdown_reinit
. lib/lockdown_installation_report
# Parse command line arguments into variables
while :
do
case ${1:-} in
-d | --dry-run)
DRY_RUN='echo'
shift 1
;;
-h | --help)
help
shift 1
;;
-n | --no-download)
DOWNLOAD=0
shift 1
;;
-s | --silent)
SILENT=1
YES='-y'
shift 1
;;
-o | --out)
SAVE_PATH=$2
shift 2
;;
-v | --verbose)
VERBOSE=true
shift 1
;;
-x | --no-backup)
BACKUP=0
shift 1
;;
-y | --yes)
YES='-y'
shift 1
;;
-*)
echo "Error: Unknown option: $1" >&2
exit 1
;;
*) # No more options
break
;;
esac
done
# Ensure distro is supported
determine_distro
if [ -z "$DISTRO" ]
then
echo "Could not determine distro, cannot continue."
echo "Please report this as a bug on Github, thanks!"
exit 1
elif (( ! SILENT ))
then
echo "$DISTRO discovered, proceeding with $PACKAGE_MANAGER"
echo
fi
# Warn user unless they've agreed to everything
if [ -z $YES ]
then
echo "Lockdown is a sophisticated control system for a suite of sophisticated software."
echo "It's misuse or breakage can cause your system to become unusable or unable to"
echo "accept incoming traffic or send any out. In the case of failures, you must be"
echo "capable of diagnosing and repairing any problems. Lockdown is free software"
echo "provided as is and you are responsible for any effects or side-effects of it's"
echo "existence on your systems."
echo
echo "You are about to perform this installation on `hostname` with"
echo "IP `curl -s whatip.gzo.com`."
echo
read -p "Proceed with installation and configuration of Lockdown and all related services? [y/N] " -n 1 -r REPLY
if [[ $REPLY =~ ^[Yy]$ ]] ; then
echo
echo "Locking down `hostname`!"
else
echo "Exiting without making any changes."
exit 2
fi
fi
# Check verbosity
if [ -v VERBOSE ]
then
set -v
fi
# Attempt to back up pre-existing configuration files, this is similar
# to what ld-export does but does not attempt to save a running configuration.
if [ ! -d /etc/fail2ban ] && \
[ ! -f /etc/ipset.conf ] && \
[ ! -d /etc/lockdown ] && \
[ ! -f /etc/sysconfig/ip?tables.* ]
then
BACKUP=0
fi
if (( BACKUP ))
then
# Check temp location
if [ ! -d "$SAVE_PATH" ]
then
if (( ! SILENT )) ; then echo "Output location $SAVE_PATH does not exist, creating"; fi
mkdir -p "$SAVE_PATH"
fi
$DRY_RUN tar czf "$SAVE_PATH/ld-pre-install-backup-$DATE.tar.gz" \
/etc/fail2ban* \
/etc/ipset* \
/etc/lockdown* \
/etc/sysconfig/ip?tables*
fi
## Begin Installations!!
if [ 'Amazon Linux 2' != $DISTRO ] \
&& [ 'yum' = $PACKAGE_MANAGER ] \
|| [ 'dnf' = $PACKAGE_MANAGER ]
then
$DRY_RUN $PACKAGE_MANAGER install $YES $EPEL
fi
if [ ! -f /usr/bin/iptables ]
then
$DRY_RUN $PACKAGE_MANAGER install $YES $IPTABLES
fi
if [ 'dnf' = $PACKAGE_MANAGER ]
then
$DRY_RUN $PACKAGE_MANAGER install $YES iptables-services iptables-utils
fi
if [ ! -f /usr/sbin/ipset ]
then
$DRY_RUN $PACKAGE_MANAGER install $YES $IPSET
fi
if [ 'dnf' = $PACKAGE_MANAGER ]
then
$DRY_RUN $PACKAGE_MANAGER install $YES ipset-service
fi
if [ ! -f /usr/bin/fail2ban-server ]
then
if [ 'Amazon Linux 2' = $DISTRO ]
then
wget https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
mv 0.9.4.tar.gz fail2ban-0.9.4.tar.gz
tar xzf fail2ban-0.9.4.tar.gz
cd fail2ban-0.9.4/
./setup.py build
./setup.py install
else
$DRY_RUN $PACKAGE_MANAGER install $YES $FAIL2BAN
fi
fi
if [ ! -f /usr/lib64/libgamin-1.so.0 ]
then
$DRY_RUN $PACKAGE_MANAGER install $YES $GAMIN
fi
$DRY_RUN lockdown_reinit $YES
## Manipulate system daemons!!
# This is done in the following order for maximum safety
# Start required services
# Stop conflicting services
# Enable required services
# Disable conflicting services
##
if (( ! SILENT )) ; then echo; fi
case $DISTRO in
"Amazon Linux"|"CentOS")
# Amazon Linux, CentOS
# service x start|stop|etc
# chkconfig x on|off
# Begin starting services
if (( ! SILENT )) ; then echo "Starting services for $DISTRO"; fi
$DRY_RUN service fail2ban start
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to start fail2ban, exiting."
exit 1
else
echo "Started fail2ban"
fi
$DRY_RUN service ipset start
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to start ipset, exiting."
exit 1
else
echo "Started ipset"
fi
$DRY_RUN service iptables start && echo
if [ 1 -eq $? ] && [ -z $DRY_RUN ]
then
echo "Failed to start iptables, exiting."
exit 1
else
echo "Started iptables"
fi
# Begin stopping & disabling conflicting services
if [ `pidof nftables` ]
then
if (( ! SILENT )) ; then echo "Stopping & disabling nftables"; fi
$DRY_RUN service nftables stop
$DRY_RUN chkconfig nftables off
fi
if [ `pidof firewalld` ]
then
if (( ! SILENT )) ; then echo "Stopping & disabling firewalld"; fi
$DRY_RUN service firewalld stop
$DRY_RUN chkconfig firewalld off
fi
# Begin enabling services
if (( ! SILENT )) ; then echo "Enabling services for $DISTRO"; fi
$DRY_RUN chkconfig fail2ban on
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to enable fail2ban, exiting."
fi
$DRY_RUN chkconfig ipset on
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to enable ipset, exiting."
fi
$DRY_RUN chkconfig iptables on
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to enable iptables, exiting."
fi
if (( ! SILENT )) ; then echo "Service configuration completed successfully!"; fi
;;
"Amazon Linux 2"|"Fedora"|"RHEL"|"Ubuntu")
# Fedora, RHEL, Ubuntu
# systemctl start|stop|etc x
# systemctl enable|disable x
# Begin starting services
if (( ! SILENT )) ; then echo "Starting systemctl starts for $DISTRO"; fi
$DRY_RUN systemctl daemon-reload
$DRY_RUN systemctl start fail2ban
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to start fail2ban, exiting."
exit 1
fi
$DRY_RUN systemctl start ipset
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to start ipset, exiting."
exit 1
fi
$DRY_RUN systemctl start iptables
if [ 0 -ne $? ] && [ -z $DRY_RUN ]
then
echo "Failed to start iptables, exiting."
exit 1
fi
# Begin stopping & disabling conflicting services
if [ `pidof nftables` ]
then
if (( ! SILENT )) ; then echo "Stopping & disabling nftables"; fi
$DRY_RUN systemctl stop nftables
$DRY_RUN systemctl disable nftables
fi
if [ `pidof firewalld` ]
then
if (( ! SILENT )) ; then echo "Stopping & disabling firewalld"; fi
$DRY_RUN systemctl stop nftables
$DRY_RUN systemctl disable nftables
fi
# Begin enabling services
if (( ! SILENT )) ; then echo "Enabling services for $DISTRO"; fi
$DRY_RUN systemctl enable fail2ban
test=$(systemctl is-enabled fail2ban)
if [ 'enabled' != "$test" ] && [ -z $DRY_RUN ]
then
echo "Failed to enable fail2ban, exiting."
fi
$DRY_RUN systemctl enable ipset
test=$(systemctl is-enabled ipset)
if [ 'enabled' != "$test" ] && [ -z $DRY_RUN ]
then
echo "Failed to enable fail2ban, exiting."
fi
$DRY_RUN systemctl enable iptables
test=$(systemctl is-enabled iptables)
if [ 'enabled' != "$test" ] && [ -z $DRY_RUN ]
then
echo "Failed to enable fail2ban, exiting."
fi
if (( ! SILENT )) ; then echo "Service configuration completed successfully!"; fi
;;
*) # No more options
echo "Unsupported distro, exiting."
exit 1
;;
esac
if (( ! SILENT )) ; then echo; fi
# Download latest lists
if (( DOWNLOAD ))
then
if (( ! SILENT ))
then
echo "Downloading latest blacklists & country CIDRs."
fi
$DRY_RUN /usr/sbin/ld-update-lists -f
fi
if (( ! SILENT )) ; then echo; fi
# Clear IP set
$DRY_RUN service iptables stop && echo
$DRY_RUN ipset -F
$DRY_RUN ipset -X
$DRY_RUN service iptables start && echo
# Process IP Set pre-process rules
if [ -f "$SRCDIR/pre-process/ipset.rules" ]
then
. "$SRCDIR/pre-process/ipset.rules" $SILENT
elif (( ! SILENT ))
then
echo "Rules file $1 not found, skipping"
fi
# Create sets
$DRY_RUN ipset create blacklist-f2b hash:net
$DRY_RUN ipset create blacklist-ips hash:net
$DRY_RUN ipset create blacklist-net hash:net
$DRY_RUN ipset create whitelist-ips hash:net
$DRY_RUN ipset create whitelist-net hash:net
$DRY_RUN ipset create blacklist-countries hash:net
$DRY_RUN ipset create whitelist-countries hash:net
# Load list data into sets
$DRY_RUN $location_bin/ld-load-lists -y
# Process IP Set post-process rules
if [ -f "$SRCDIR/post-process/ipset.rules" ]
then
. "$SRCDIR/post-process/ipset.rules" $SILENT
elif (( ! SILENT ))
then
echo "Rules file $1 not found, skipping"
fi
# Flush nat, mangle, all chains
#$DRY_RUN iptables -t nat -F # Cloud stuff might rely on this! :x
#$DRY_RUN iptables -t mangle -F # Cloud stuff might rely on this! :x
$DRY_RUN iptables -F
# Delete non-default chains
$DRY_RUN iptables -X
# Process IP Tables pre-process rules
if [ -f "$SRCDIR/pre-process/iptables.rules" ]
then
. "$SRCDIR/pre-process/iptables.rules" $SILENT
elif (( ! SILENT ))
then
echo "Rules file $1 not found, skipping"
fi
# Drop invalid packets
$DRY_RUN iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP
# Allow all to/from loopback (lo)
$DRY_RUN iptables -I INPUT 2 -i lo -j ACCEPT
# Allow established & related incoming, for outgoing
# connections initiated from server
$DRY_RUN iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Create set matching rules
$DRY_RUN iptables -I INPUT 4 -m set --match-set whitelist-ips src -j ACCEPT
$DRY_RUN iptables -I INPUT 5 -m set --match-set blacklist-ips src -j DROP
$DRY_RUN iptables -I INPUT 6 -m set --match-set whitelist-net src -j ACCEPT
$DRY_RUN iptables -I INPUT 7 -m set --match-set blacklist-net src -j DROP
$DRY_RUN iptables -I INPUT 8 -m set --match-set whitelist-countries src -j ACCEPT
$DRY_RUN iptables -I INPUT 9 -m set --match-set blacklist-countries src -j DROP
# Create global inlets
for port in ${PORTS[@]}
do
# This rule avoids connection tracking in favor of optimal processing
# speed which is the same reason we allow all outgoing traffic rather
# than just related - at small scale this would be a non-issue but at
# scale would definitely add a lot of extra cpu cycles in the long term
$DRY_RUN iptables -A INPUT -p tcp --dport $port -j ACCEPT
# If you were to use a drop target in the default outgoing policy, then
# you would want to add an established/related output rule here as well.
done
# Set default drop policies
$DRY_RUN iptables -P INPUT DROP
$DRY_RUN iptables -P FORWARD DROP
$DRY_RUN iptables -P OUTPUT ACCEPT
# Process IP Tables post-process rules
if [ -f "$SRCDIR/post-process/iptables.rules" ]
then
. "$SRCDIR/post-process/iptables.rules" $SILENT
elif (( ! SILENT ))
then
echo "Rules file $1 not found, skipping"
fi
# Installation complete, present results to user if applicable
if [ $DRY_RUN ]
then
# Dry run notification
echo
echo "*Notice*"
echo "You have run ld-update in dry run mode."
echo "If you run the same command line without -d or --dry-run again,"
echo "the commands above will be executed and permanent changes will be made."
echo
echo "Nothing has *not* been updated and your system has not been altered!"
elif (( ! SILENT ))
then
# Checking installation
installation_report
fi
## w00t!
exit 0