Firewall with Fail2ban support

This commit is contained in:
Serghey Rodin 2014-10-05 14:52:15 +03:00
commit 357eb42647
27 changed files with 936 additions and 50 deletions

78
bin/v-add-firewall-ban Executable file

@ -0,0 +1,78 @@
#!/bin/bash
# info: add firewall blocking rule
# options: IP CHAIN
#
# The function adds new blocking rule to system firewall
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Importing system variables
source /etc/profile
# Argument defenition
ip=$1
chain=$(echo $2|tr '[:lower:]' '[:upper:]')
# Defining absolute path for iptables and modprobe
iptables="/sbin/iptables"
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'IP CHAIN'
validate_format 'ip' 'chain'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Checking server ip
if [ -e "$VESTA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
exit
fi
# Checking ip exclusions
excludes="$VESTA/data/firewall/excludes.conf"
check_excludes=$(grep "^$ip$" $excludes 2>/dev/null)
if [ ! -z "$check_excludes" ]; then
exit
fi
# Checking ip in banlist
conf="$VESTA/data/firewall/banlist.conf"
check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2>/dev/null)
if [ ! -z "$check_ip" ]; then
exit
fi
# Adding chain
$BIN/v-add-firewall-chain $chain
# Adding ip to banlist
echo "IP='$ip' CHAIN='$chain' TIME='$TIME' DATE='$DATE'" >> $conf
$iptables -I fail2ban-$chain 1 -s $ip \
-j REJECT --reject-with icmp-port-unreachable 2>/dev/null
# Changing permissions
chmod 660 $conf
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit
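Review bot: The exit status of `$BIN/v-add-firewall-chain $chain` is ignored, and the `iptables -I fail2ban-$chain` call that follows hides its own failure behind `2>/dev/null`, so when the chain is unknown (v-add-firewall-chain is invoked here with no port and fails its `check_args '2'` for anything outside its preset list) the address is still appended to banlist.conf and the script logs success although no blocking rule exists. The banlist entry is also written before the iptables call, so a failed insert leaves a phantom ban that v-delete-firewall-ban will later "remove" without complaint. Check both calls and write the record last: `$BIN/v-add-firewall-chain "$chain" || exit 1`, then `$iptables -I fail2ban-$chain 1 -s "$ip" -j REJECT --reject-with icmp-port-unreachable || exit 1`, then the `echo ... >> $conf`. The exclusion lookup `grep "^$ip$" $excludes` treats the dots in `$ip` as regex wildcards; `grep -Fxq -- "$ip" "$excludes"` is the exact match intended.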

83
bin/v-add-firewall-chain Executable file

@ -0,0 +1,83 @@
#!/bin/bash
# info: add firewall chain
# options: CHAIN [PORT] [PROTOCOL] [PROTOCOL]
#
# The function adds new rule to system firewall
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Importing system variables
source /etc/profile
# Argument defenition
chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
port=$2
protocol=${4-TCP}
protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
# Defining absolute path to iptables
iptables="/sbin/iptables"
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL]'
validate_format 'chain'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Checking known chains
case $chain in
SSH) port=22; protocol=TCP ;;
FTP) port=21; protocol=TCP ;;
MAIL) port=25; protocol=TCP ;;
DNS) port=53; protocol=UDP ;;
HTTP) port=80; protocol=TCP ;;
HTTPS) port=443; protocol=TCP ;;
POP3) port=110; protocol=TCP ;;
IMAP) port=143; protocol=TCP ;;
MYSQL) port=3306; protocol=TCP ;;
POSTGRES) port=5432; protocol=TCP ;;
VESTA) port=8083; protocol=TCP ;;
*) check_args '2' "$#" 'CHAIN PORT' ;;
esac
# Adding chain
$iptables -N fail2ban-$chain 2>/dev/null
if [ $? -eq 0 ]; then
$iptables -A fail2ban-$chain -j RETURN
$iptables -I INPUT -p $protocol --dport $port -j fail2ban-$chain
fi
# Preserving chain
chains=$VESTA/data/firewall/chains.conf
check_chain=$(grep "CHAIN='$chain'" $chains 2>/dev/null)
if [ -z "$check_chain" ]; then
echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> $chains
fi
# Changing permissions
chmod 660 $chains
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit
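Review bot: The protocol is read from the fourth argument (`protocol=${4-TCP}`) while the options line and `check_args` describe it as the third (`CHAIN [PORT] [PROTOCOL]`), so a call such as `v-add-firewall-chain CUSTOM 5000 UDP` silently creates a TCP rule; it should be `protocol=${3-TCP}`. For a custom chain, `$port` and `$protocol` are never validated (`validate_format 'chain'` is the only check) before being interpolated into `$iptables -I INPUT -p $protocol --dport $port -j fail2ban-$chain` and written to chains.conf, which v-delete-firewall-chain and v-update-firewall later `eval`; v-add-firewall-rule in this same commit validates `'protocol'` and `'port_ext'`, and the non-preset path here should do the equivalent. The header line also lists `[PROTOCOL]` twice.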


@ -1,6 +1,6 @@
#!/bin/bash
# info: add firewall rule
# options: ACTION PROTOCOL PORT IP [COMMENT] [RULE]
# options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]
#
# The function adds new rule to system firewall
@ -9,11 +9,15 @@
# Variable&Function #
#----------------------------------------------------------#
# Importing system variables
source /etc/profile
# Argument defenition
action=$(echo $1|tr '[:lower:]' '[:upper:]')
protocol=$(echo $2|tr '[:lower:]' '[:upper:]')
ip=$2
port_ext=$3
ip=$4
protocol=${4-TCP}
protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
comment=$5
rule=$6
@ -24,17 +28,17 @@ source $VESTA/conf/vesta.conf
# Get next firewall rule id
get_next_fw_rule() {
if [ -z "$rule" ]; then
curr_str=$(grep "RULE=" $VESTA/data/firewall/rules_ipv4.conf |\
curr_str=$(grep "RULE=" $VESTA/data/firewall/rules.conf |\
cut -f 2 -d \' | sort -n | tail -n1)
rule="$((curr_str +1))"
fi
}
sort_fw_rules() {
cat $VESTA/data/firewall/rules_ipv4.conf |\
sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
$VESTA/data/firewall/rules_ipv4.conf
cat $VESTA/data/firewall/rules.conf |\
sort -n -k 2 -t \' > $VESTA/data/firewall/rules.conf.tmp
mv -f $VESTA/data/firewall/rules.conf.tmp \
$VESTA/data/firewall/rules.conf
}
@ -42,12 +46,12 @@ sort_fw_rules() {
# Verifications #
#----------------------------------------------------------#
check_args '4' "$#" 'ACTION PROTOCOL PORT IP [COMMENT] [RULE]'
check_args '3' "$#" 'ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]'
validate_format 'action' 'protocol' 'port_ext' 'ip'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
get_next_fw_rule
validate_format 'rule'
is_object_new '../../data/firewall/rules_ipv4' 'RULE' "$rule"
is_object_new '../../data/firewall/rules' 'RULE' "$rule"
if [ ! -z "$comment"]; then
validate_format 'comment'
fi
@ -57,22 +61,22 @@ fi
# Action #
#----------------------------------------------------------#
# Concatenating cron string
# Concatenating rule
str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
str="$str TIME='$TIME' DATE='$DATE'"
# Adding to crontab
echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
# Adding to config
echo "$str" >> $VESTA/data/firewall/rules.conf
# Changing permissions
chmod 660 $VESTA/data/firewall/rules_ipv4.conf
chmod 660 $VESTA/data/firewall/rules.conf
# Sorting firewall rules by id number
sort_fw_rules
# Updating system firewall
$BIN/v-update-sys-firewall
$BIN/v-update-firewall
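Review bot: `if [ ! -z "$comment"]; then` is missing the space before `]`, so for any non-empty comment bash reports `[: missing ']'` and the `validate_format 'comment'` branch is skipped, after which the unchecked value is written into rules.conf as `COMMENT='$comment'`; v-change-firewall-rule in this commit already has the corrected form `if [ ! -z "$comment" ]; then`. Other firewall config files are consumed with `eval` (ports.conf in v-update-firewall), so a comment containing a single quote looks capable of breaking or injecting into whatever parses rules.conf — worth confirming against v-update-firewall's rule loop, which is not fully visible here. The line is unchanged context in this hunk, but it is the only guard on that field in the new argument layout.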
#----------------------------------------------------------#


@ -1,6 +1,6 @@
#!/bin/bash
# info: change firewall rule
# options: RULE ACTION PROTOCOL PORT IP [COMMENT]
# options: RULE ACTION IP PORT [PROTOCOL] [COMMENT]
#
# The function is used for changing existing firewall rule.
# It fully replace rule with new one but keeps same id.
@ -10,12 +10,16 @@
# Variable&Function #
#----------------------------------------------------------#
# Importing system variables
source /etc/profile
# Argument defenition
rule=$1
action=$(echo $2|tr '[:lower:]' '[:upper:]')
protocol=$(echo $3|tr '[:lower:]' '[:upper:]')
ip=$3
port_ext=$4
ip=$5
protocol=${5-TCP}
protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
comment=$6
# Includes
@ -24,10 +28,10 @@ source $VESTA/conf/vesta.conf
# Sort function
sort_fw_rules() {
cat $VESTA/data/firewall/rules_ipv4.conf |\
sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
$VESTA/data/firewall/rules_ipv4.conf
cat $VESTA/data/firewall/rules.conf |\
sort -n -k 2 -t \' > $VESTA/data/firewall/rules.conf.tmp
mv -f $VESTA/data/firewall/rules.conf.tmp \
$VESTA/data/firewall/rules.conf
}
@ -35,10 +39,13 @@ sort_fw_rules() {
# Verifications #
#----------------------------------------------------------#
check_args '5' "$#" 'RULE ACTION PROTOCOL PORT IP [COMMENT]'
validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip' 'comment'
check_args '5' "$#" 'RULE ACTION IP PORT [PROTOCOL] [COMMENT]'
validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip'
if [ ! -z "$comment" ]; then
validate_format 'comment'
fi
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
#----------------------------------------------------------#
@ -51,16 +58,16 @@ str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
str="$str TIME='$TIME' DATE='$DATE'"
# Deleting old rule
sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules.conf
# Adding new
echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
echo "$str" >> $VESTA/data/firewall/rules.conf
# Sorting firewall rules by id number
sort_fw_rules
# Updating system firewall
$BIN/v-update-sys-firewall
$BIN/v-update-firewall
#----------------------------------------------------------#

63
bin/v-delete-firewall-ban Executable file

@ -0,0 +1,63 @@
#!/bin/bash
# info: delete firewall blocking rule
# options: IP CHAIN
#
# The function deletes blocking rule from system firewall
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Importing system variables
source /etc/profile
# Argument defenition
ip=$1
chain=$(echo $2|tr '[:lower:]' '[:upper:]')
# Defining absolute path for iptables and modprobe
iptables="/sbin/iptables"
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'IP CHAIN'
validate_format 'ip' 'chain'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Checking ip in banlist
conf="$VESTA/data/firewall/banlist.conf"
check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2>/dev/null)
if [ -z "$check_ip" ]; then
exit
fi
# Deleting ip from banlist
sed -i "/IP='$ip' CHAIN='$chain'/d" $conf
$iptables -D fail2ban-$chain -s $ip \
-j REJECT --reject-with icmp-port-unreachable 2>/dev/null
# Changing permissions
chmod 660 $conf
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit
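Review bot: `sed -i "/IP='$ip' CHAIN='$chain'/d" $conf` uses `/` as the address delimiter while interpolating `$ip`; the add form in this commit advertises CIDR input, and a value like `10.0.0.0/8` terminates the address early, sed fails with an unknown command, and the entry stays in banlist.conf while the iptables rule is removed (its own error is hidden by `2>/dev/null`). A delimiter that cannot occur in an address avoids this: `sed -i "\#IP='$ip' CHAIN='$chain'#d" "$conf"`. Whether `validate_format 'ip'` actually admits CIDR is not visible here; if it does not, the form's hint text is the thing to correct instead.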

66
bin/v-delete-firewall-chain Executable file

@ -0,0 +1,66 @@
#!/bin/bash
# info: delete firewall chain
# options: CHAIN
#
# The function adds new rule to system firewall
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Importing system variables
source /etc/profile
# Argument defenition
chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
# Defining absolute path to iptables
iptables="/sbin/iptables"
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'CHAIN'
validate_format 'chain'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Deleting chain
chains=$VESTA/data/firewall/chains.conf
banlist=$VESTA/data/firewall/banlist.conf
chain_param=$(grep "CHAIN='$chain'" $chains 2>/dev/null)
if [ ! -z "$chain_param" ]; then
eval $chain_param
sed -i "/CHAIN='$chain'/d" $chains
sed -i "/CHAIN='$chain'/d" $banlist
$iptables -D INPUT -p $PROTOCOL \
--dport $PORT -j fail2ban-$CHAIN 2>/dev/null
fi
# Deleting iptables chain
$iptables -F fail2ban-$CHAIN 2>/dev/null
$iptables -X fail2ban-$CHAIN 2>/dev/null
# Changing permissions
chmod 660 $chains
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit
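Review bot: `$iptables -F fail2ban-$CHAIN` and `$iptables -X fail2ban-$CHAIN` use the uppercase `$CHAIN`, which is only defined by the `eval $chain_param` inside the preceding `if`; when the chain is absent from chains.conf (or the file is missing) these run as `iptables -F fail2ban-` and fail silently under `2>/dev/null`, so the kernel chain and its REJECT entries are never removed. Use the validated argument for both calls: `$iptables -F fail2ban-$chain 2>/dev/null` and `$iptables -X fail2ban-$chain 2>/dev/null`. The header comment `# The function adds new rule to system firewall` was copied from v-add-firewall-chain and should read `# The function deletes fail2ban chain from system firewall`.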


@ -9,6 +9,9 @@
# Variable&Function #
#----------------------------------------------------------#
# Importing system variables
source /etc/profile
# Argument defenition
rule=$1
@ -24,7 +27,7 @@ source $VESTA/conf/vesta.conf
check_args '1' "$#" 'RULE'
validate_format 'rule'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
#----------------------------------------------------------#
@ -32,10 +35,10 @@ is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
#----------------------------------------------------------#
# Deleting rule
sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules.conf
# Updating system firewall
$BIN/v-update-sys-firewall
$BIN/v-update-firewall
#----------------------------------------------------------#


@ -21,7 +21,7 @@ source $VESTA/func/main.sh
#----------------------------------------------------------#
# Defining config
conf=$VESTA/data/firewall/rules_ipv4.conf
conf=$VESTA/data/firewall/rules.conf
# Defining fileds to select
fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"

43
bin/v-list-firewall-ban Executable file

@ -0,0 +1,43 @@
#!/bin/bash
# info: list firewall block list
# options: [FORMAT]
#
# The function of obtaining the list of currently blocked ips.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
format=${1-shell}
# Includes
source $VESTA/func/main.sh
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining config
conf=$VESTA/data/firewall/banlist.conf
# Defining fileds to select
fields="\$IP:\$CHAIN \$TIME \$DATE"
# Listing domains
case $format in
json) json_list ;;
plain) nohead=1; shell_list ;;
shell) fields='$IP $CHAIN $TIME $DATE';
shell_list | column -t ;;
*) check_args '1' '0' 'USER [FORMAT]'
esac
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit
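Review bot: The fallback usage message `check_args '1' '0' 'USER [FORMAT]'` names a USER argument that this script does not take; its only option is `[FORMAT]` per the header, so it should be `check_args '1' '0' '[FORMAT]'`. The comment `# Listing domains` above the case was copied from another lister and should say `# Listing banned ips`. Unlike the other new scripts in this commit it does not `source /etc/profile`, so `$VESTA` must already be exported by the caller — presumably true for the web panel, but worth keeping consistent.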


@ -61,7 +61,7 @@ shell_list_fw_rule() {
#----------------------------------------------------------#
check_args '1' "$#" 'RULE [FORMAT]'
is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
#----------------------------------------------------------#
@ -69,7 +69,7 @@ is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
#----------------------------------------------------------#
# Defining config and fields to select
conf=$VESTA/data/firewall/rules_ipv4.conf
conf=$VESTA/data/firewall/rules.conf
fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"
fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE"

49
bin/v-suspend-firewall-rule Executable file

@ -0,0 +1,49 @@
#!/bin/bash
# info: suspend firewall rule
# options: RULE
#
# The function suspends a certain firewall rule.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
rule=$1
# Inlcudes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'RULE'
validate_format 'rule'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
is_object_unsuspended '../../data/firewall/rules' 'RULE' "$rule"
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Suspending rule
update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' yes
# Updating system firewall
$BIN/v-update-firewall
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit
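Review bot: This script does `source $VESTA/func/main.sh` without first sourcing `/etc/profile`, whereas the other scripts touched by this commit begin with `source /etc/profile` (the commit even adds that line to v-delete-firewall-rule); if `$VESTA` is not exported by the caller the include becomes `source /func/main.sh` and every check that follows fails with an unrelated error. Add the same two lines before the includes: `# Importing system variables` and `source /etc/profile`. v-unsuspend-firewall-rule has the same omission.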

49
bin/v-unsuspend-firewall-rule Executable file

@ -0,0 +1,49 @@
#!/bin/bash
# info: unsuspend firewall rule
# options: RULE
#
# The function unsuspends a certain firewall rule.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
rule=$1
# Inlcudes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'RULE'
validate_format 'rule'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
is_object_suspended '../../data/firewall/rules' 'RULE' "$rule"
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Suspending rule
update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' no
# Updating system firewall
$BIN/v-update-firewall
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit
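Review bot: The action comment `# Suspending rule` was copied from v-suspend-firewall-rule and contradicts the line below it, which sets SUSPENDED to `no`; it should read `# Unsuspending rule`. As with its sibling, the script omits `source /etc/profile` before `source $VESTA/func/main.sh`, unlike the other scripts in this commit, so it depends on the caller having exported `$VESTA`.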


@ -31,7 +31,10 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
#----------------------------------------------------------#
# Checking local IPv4 rules
rules="$VESTA/data/firewall/rules_ipv4.conf"
rules="$VESTA/data/firewall/rules.conf"
ports="$VESTA/data/firewall/ports.conf"
fail2ban="$VESTA/data/firewall/fail2ban.conf"
if [ ! -e "$rules" ]; then
exit
fi
@ -87,13 +90,18 @@ for line in $(sort -r -n -k 2 -t \' $rules); do
done
# Handling local traffic
echo "$iptables -A INPUT -p udp --sport 53 -j ACCEPT" >> $tmp
echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
for ip in $(ls $VESTA/data/ips); do
echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
done
echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
IFS=$'\n'
for p_rule in $(cat $ports); do
eval $p_rule
rule="$iptables -A INPUT -p $PROTOCOL"
echo "$rule --sport $PORT -j ACCEPT" >> $tmp
done
# Enabling stateful firewall
# Enabling stateful support
if [ "$stateful" != 'no' ]; then
str="$iptables -A INPUT -p tcp -m state"
str="$str --state ESTABLISHED,RELATED -j ACCEPT"
@ -103,12 +111,27 @@ fi
# Switching chain policy to DROP
echo "$iptables -P INPUT DROP" >> $tmp
# Adding vesta chain
echo "$iptables -N vesta" >> $tmp
# Applying rules
bash $tmp
bash $tmp 2>/dev/null
# Deleting temporary file
rm -f $tmp
# Checking custom trigger
if [ -x "$VESTA/data/firewall/custom.sh" ]; then
bash $VESTA/data/firewall/custom.sh
fi
# Checking fail2ban support
chains=$VESTA/data/firewall/chains.conf
for chain in $(cat $chains 2>/dev/null); do
eval $chain
$iptables -I INPUT -p $PROTOCOL --dport $PORT -j fail2ban-$CHAIN
done
# Saving rules to the master iptables file
if [ -e "/etc/redhat-release" ]; then
/sbin/iptables-save > /etc/sysconfig/iptables
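Review bot: The new ports.conf loop emits `iptables -A INPUT -p $PROTOCOL --sport $PORT -j ACCEPT`, which accepts packets by their remote *source* port; any client can bind its socket to one of the listed ports and reach every local port that no earlier rule explicitly drops, defeating the `INPUT DROP` policy set just below. If the purpose is to let replies through, the `ESTABLISHED,RELATED` rule that follows already covers that whenever `$stateful` is not `no`, so these accepts should be confined to the stateless case and narrowed there (for TCP at least `--sport $PORT ! --syn`) rather than applied unconditionally. The contents of ports.conf are not visible here, so the actual exposure depends on which ports it lists. Separately, `bash $tmp 2>/dev/null` hides any rule iptables rejects, silently leaving it out of the applied set; the closing `if [ -e "/etc/redhat-release" ]` block continues outside the hunk.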


@ -0,0 +1,66 @@
<?php
// Init
error_reporting(NULL);
ob_start();
session_start();
$TAB = 'FIREWALL';
// Main include
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check user
if ($_SESSION['user'] != 'admin') {
header("Location: /list/user");
exit;
}
// Check POST request
if (!empty($_POST['ok'])) {
// Check empty fields
if (empty($_POST['v_chain'])) $errors[] = __('banlist');
if (empty($_POST['v_ip'])) $errors[] = __('ip address');
if (!empty($errors[0])) {
foreach ($errors as $i => $error) {
if ( $i == 0 ) {
$error_msg = $error;
} else {
$error_msg = $error_msg.", ".$error;
}
}
$_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
}
// Protect input
$v_chain = escapeshellarg($_POST['v_chain']);
$v_ip = escapeshellarg($_POST['v_ip']);
// Add firewall ban
if (empty($_SESSION['error_msg'])) {
exec (VESTA_CMD."v-add-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
}
// Flush field values on success
if (empty($_SESSION['error_msg'])) {
$_SESSION['ok_msg'] = __('BANLIST_CREATED_OK');
unset($v_ip);
}
}
// Header
include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html');
// Panel
top_panel($user,$TAB);
// Display body
include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_firewall_banlist.html');
// Flush session messages
unset($_SESSION['error_msg']);
unset($_SESSION['ok_msg']);
// Footer
include($_SERVER['DOCUMENT_ROOT'].'/templates/footer.html');
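Review bot: This POST handler bans an address by calling `v-add-firewall-ban` with no anti-CSRF token or origin check, so an admin who opens a hostile page while logged in can be made to submit the form and block arbitrary addresses; unless inc/main.php enforces a token globally, which is not visible here, the form should carry one and this handler should verify it before the `exec`. The values themselves go through `escapeshellarg`, so there is no shell-injection concern in the command line. `$errors` is also read before being initialised; `$errors = array();` at the top of the POST branch keeps the `!empty($errors[0])` check well-defined.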


@ -45,7 +45,7 @@ if (!empty($_POST['ok'])) {
// Add firewall rule
if (empty($_SESSION['error_msg'])) {
exec (VESTA_CMD."v-add-sys-firewall-rule ".$v_action." ".$v_protocol." ".$v_port." ".$v_ip." ".$v_comment, $output, $return_var);
exec (VESTA_CMD."v-add-firewall-rule ".$v_action." ".$v_ip." ".$v_port." ".$v_protocol." ".$v_comment, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
}


@ -0,0 +1,36 @@
<?php
// Init
error_reporting(NULL);
ob_start();
session_start();
// Main include
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check user
if ($_SESSION['user'] != 'admin') {
header("Location: /list/user");
exit;
}
if (!empty($_POST['ipchain'])) {
$ipchain = $_POST['ipchain'];
list($ip,$chain) = split(":",$ipchain);
$v_ip = escapeshellarg($ip);
$v_chain = escapeshellarg($chain);
}
$action = $_POST['action'];
switch ($action) {
case 'delete': $cmd='v-delete-firewall-ban';
break;
default: header("Location: /list/firewall/banlist/"); exit;
}
foreach ($ipchain as $value) {
exec (VESTA_CMD.$cmd." ".$v_ip." ".$v_chain, $output, $return_var);
}
header("Location: /list/firewall/banlist");
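Review bot: `list($ip,$chain) = split(":",$ipchain)` is applied to `$_POST['ipchain']`, which the list template submits as an array (`name="ipchain[]"`), so `split()` receives an array, returns nothing, and `$v_ip`/`$v_chain` become `''`; the `foreach` then runs `v-delete-firewall-ban '' ''` once per selected row and nothing is unbanned. The split and escaping belong inside the loop, per value, and `split()` is deprecated in favour of `explode()`. Note that `:` is also the separator inside an IPv6 literal, though this banlist is iptables-only.
```php
$action = $_POST['action'];
// … unchanged: action dispatch (switch) …
if (!empty($_POST['ipchain']) && is_array($_POST['ipchain'])) {
    foreach ($_POST['ipchain'] as $ipchain) {
        if (strpos($ipchain, ':') === false) continue;
        list($ip, $chain) = explode(":", $ipchain, 2);
        $v_ip = escapeshellarg($ip);
        $v_chain = escapeshellarg($chain);
        exec (VESTA_CMD.$cmd." ".$v_ip." ".$v_chain, $output, $return_var);
    }
}
header("Location: /list/firewall/banlist");
```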


@ -18,11 +18,11 @@ $rule = $_POST['rule'];
$action = $_POST['action'];
switch ($action) {
case 'delete': $cmd='v-delete-sys-firewall-rule';
case 'delete': $cmd='v-delete-firewall-rule';
break;
case 'suspend': $cmd='v-suspend-sys-firewall-rule';
case 'suspend': $cmd='v-suspend-firewall-rule';
break;
case 'unsuspend': $cmd='v-unsuspend-sys-firewall-rule';
case 'unsuspend': $cmd='v-unsuspend-firewall-rule';
break;
default: header("Location: /list/firewall/"); exit;
}


@ -0,0 +1,31 @@
<?php
// Init
error_reporting(NULL);
ob_start();
session_start();
// Main include
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check user
if ($_SESSION['user'] != 'admin') {
header("Location: /list/user");
exit;
}
if ((!empty($_GET['ip'])) && (!empty($_GET['chain']))) {
$v_ip = escapeshellarg($_GET['ip']);
$v_chain = escapeshellarg($_GET['chain']);
exec (VESTA_CMD."v-delete-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var);
}
check_return_code($return_var,$output);
unset($output);
$back = $_SESSION['back'];
if (!empty($back)) {
header("Location: ".$back);
exit;
}
header("Location: /list/firewall/banlist/");
exit;
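Review bot: `check_return_code($return_var,$output)` runs unconditionally, so when `ip` or `chain` is missing from the query it is called with both variables undefined; move it inside the `if` so a bare request simply redirects. The unban itself is triggered by a plain GET link carrying no token, which makes it forgeable from any page the admin views (an `<img src="/delete/firewall/banlist/?ip=...&chain=...">` lifts a ban) — the rule endpoints share this design, but it is worth noting for a new security control.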


@ -15,7 +15,7 @@ if ($_SESSION['user'] != 'admin') {
if (!empty($_GET['rule'])) {
$v_rule = escapeshellarg($_GET['rule']);
exec (VESTA_CMD."v-delete-sys-firewall-rule ".$v_rule, $output, $return_var);
exec (VESTA_CMD."v-delete-firewall-rule ".$v_rule, $output, $return_var);
}
check_return_code($return_var,$output);
unset($output);


@ -22,7 +22,7 @@ if (empty($_GET['rule'])) {
// List rule
$v_rule = escapeshellarg($_GET['rule']);
exec (VESTA_CMD."v-list-sys-firewall-rule ".$v_rule." 'json'", $output, $return_var);
exec (VESTA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var);
check_return_code($return_var,$output);
$data = json_decode(implode('', $output), true);
unset($output);
@ -56,7 +56,7 @@ if (!empty($_POST['save'])) {
$v_comment = escapeshellarg($_POST['v_comment']);
// Change Status
exec (VESTA_CMD."v-change-sys-firewall-rule ".$v_rule." ".$v_action." ".$v_protocol." ".$v_port." ".$v_ip." ".$v_comment, $output, $return_var);
exec (VESTA_CMD."v-change-firewall-rule ".$v_rule." ".$v_action." ".$v_ip." ".$v_port." ".$v_protocol."".$v_comment, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
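Review bot: The rebuilt command line is missing the space between its last two arguments: `.$v_protocol."".$v_comment` places two `escapeshellarg` results back to back as `'TCP''my comment'`, which the shell joins into the single argument `TCPmy comment`, so saving a rule with a non-empty comment fails `validate_format 'protocol'` (and one with an empty comment passes only by accident). It should be `." ".$v_protocol." ".$v_comment`. The enclosing `if (!empty($_POST['save']))` block starts and ends outside the hunk.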


@ -0,0 +1,33 @@
<?php
session_start();
$TAB = 'FIREWALL';
// Main include
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check user
if ($_SESSION['user'] != 'admin') {
header("Location: /list/user");
exit;
}
// Header
include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html');
// Panel
top_panel($user,$TAB);
// Data
exec (VESTA_CMD."v-list-firewall-ban json", $output, $return_var);
$data = json_decode(implode('', $output), true);
$data = array_reverse($data, true);
unset($output);
include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_firewall_banlist.html');
// Back uri
$_SESSION['back'] = $_SERVER['REQUEST_URI'];
// Footer
include($_SERVER['DOCUMENT_ROOT'].'/templates/footer.html');
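Review bot: `$return_var` from `exec(VESTA_CMD."v-list-firewall-ban json", ...)` is never checked, so if the command fails (firewall disabled, sudo denied) `json_decode` yields `null` and the template's `foreach ($data ...)` iterates a non-array. The delete and suspend pages in this commit follow their `exec` with `check_return_code($return_var,$output);`; add that line before `json_decode`, or default the result with `$data = json_decode(implode('', $output), true) ?: array();`. Unlike the other new pages this one also lacks `error_reporting(NULL)` and `ob_start()`, so any warning is rendered inline.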


@ -19,7 +19,7 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html');
top_panel($user,$TAB);
// Data
exec (VESTA_CMD."v-list-sys-firewall json", $output, $return_var);
exec (VESTA_CMD."v-list-firewall json", $output, $return_var);
$data = json_decode(implode('', $output), true);
$data = array_reverse($data, true);
unset($output);


@ -0,0 +1,28 @@
<?php
// Init
error_reporting(NULL);
ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check user
if ($_SESSION['user'] != 'admin') {
header("Location: /list/user");
exit;
}
if (!empty($_GET['rule'])) {
$v_rule = escapeshellarg($_GET['rule']);
exec (VESTA_CMD."v-suspend-firewall-rule ".$v_rule, $output, $return_var);
}
check_return_code($return_var,$output);
unset($output);
$back=getenv("HTTP_REFERER");
if (!empty($back)) {
header("Location: ".$back);
exit;
}
header("Location: /list/firewall/");
exit;
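Review bot: The redirect target is taken from the request's Referer (`$back=getenv("HTTP_REFERER"); header("Location: ".$back);`), so a request crafted with `Referer: https://attacker.example/` sends the admin to an external site after the rule is suspended — an open redirect on a state-changing GET endpoint. The delete/firewall/banlist page in this same commit uses `$_SESSION['back']`, which the list page sets from its own request URI; use that here instead: `$back = $_SESSION['back'];`. `check_return_code` is also called when `rule` is absent, with `$return_var` undefined, so it belongs inside the `if`.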


@ -0,0 +1,93 @@
<?php
$back = $_SESSION['back'];
if (empty($back)) {
$back = "location.href='/list/firewall/banlist/'";
} else {
$back = "location.href='".$back."'";
}
?>
<table class="submenu">
<tr>
<td style="padding: 20px 10px;" ><a class="name"><b><?php print __('Adding IP Address to Banlist');?></b></a>
<?php
if (!empty($_SESSION['error_msg'])) {
echo "<span class=\"vst-error\"> → ".$_SESSION['error_msg']."</span>";
} else {
if (!empty($_SESSION['ok_msg'])) {
echo "<span class=\"vst-ok\"> → ".$_SESSION['ok_msg']."</span>";
}
}
?>
</td>
</tr>
</table>
</div>
<form id="vstobjects" name="v_add_ip" method="post">
<script type="text/javascript">
function elementHideShow(elementToHideOrShow) {
var el = document.getElementById(elementToHideOrShow);
if (el.style.display == "block") {
el.style.display = "none";
} else {
el.style.display = "block";
}
}
</script>
<table class="data mode-add">
<tr class="data-add">
<td class="data-dotted">
<table class="data-col1">
<tr><td></td></tr>
</table>
</td>
<td class="data-dotted">
<table class="data-col2" width="600px">
<tr>
<td class="vst-text step-top">
<?php print __('Banlist') ?>
</td>
</tr>
<tr>
<td>
<select class="vst-list" name="v_chain">
<option value="SSH" <?php if ((!empty($v_chain)) && ( $v_chain == "'SSH'" )) echo 'selected'?>><?php print __('SSH') ?></option>
<option value="FTP" <?php if ((!empty($v_chain)) && ( $v_chain == "'FTP'" )) echo 'selected'?>><?php print __('FTP') ?></option>
<option value="MAIL" <?php if ((!empty($v_chain)) && ( $v_chain == "'MAIL'" )) echo 'selected'?>><?php print __('MAIL') ?></option>
<option value="DNS" <?php if ((!empty($v_chain)) && ( $v_chain == "'DNS'" )) echo 'selected'?>><?php print __('DNS') ?></option>
<option value="HTTP" <?php if ((!empty($v_chain)) && ( $v_chain == "'HTTP'" )) echo 'selected'?>><?php print __('HTTP') ?></option>
<option value="HTTPS" <?php if ((!empty($v_chain)) && ( $v_chain == "'HTTPS'" )) echo 'selected'?>><?php print __('HTPS') ?></option>
<option value="POP3" <?php if ((!empty($v_chain)) && ( $v_chain == "'POP3'" )) echo 'selected'?>><?php print __('POP3') ?></option>
<option value="IMAP" <?php if ((!empty($v_chain)) && ( $v_chain == "'IMAP'" )) echo 'selected'?>><?php print __('IMAP') ?></option>
<option value="MYSQL" <?php if ((!empty($v_chain)) && ( $v_chain == "'MYSQL'" )) echo 'selected'?>><?php print __('MYSQL') ?></option>
<option value="POSTGRES" <?php if ((!empty($v_chain)) && ( $v_chain == "'POSTGRES'" )) echo 'selected'?>><?php print __('POSTGRES') ?></option>
<option value="VESTA" <?php if ((!empty($v_chain)) && ( $v_chain == "'VESTA'" )) echo 'selected'?>><?php print __('VESTA') ?></option>
</select>
</td>
</tr>
<tr>
<td class="vst-text input-label">
<?php print __('IP Address');?> <span class="optional">(<?php print __('CDIR format is supported');?>)</span>
</td>
</tr>
<tr>
<td>
<input type="text" size="20" class="vst-input" name="v_ip" <?php if (!empty($v_ip)) echo "value=".$v_ip; ?>>
</td>
</tr>
</table>
<table class="data-col2">
<tr>
<td class="step-top" width="116px">
<input type="submit" name="ok" value="<?php print __('Add');?>" class="button">
</td>
<td class="step-top">
<input type="button" class="button" value="<?php print __('Back');?>" onclick="<?php echo $back ?>">
</td>
</tr>
</table>
</td>
</tr>
</table>
</from>
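Review bot: `<input ... name="v_ip" <?php if (!empty($v_ip)) echo "value=".$v_ip; ?>>` echoes the `escapeshellarg`-quoted POST value straight into the attribute, relying on the shell's single quotes to act as HTML quotes; a submitted value containing `'` is rewritten by `escapeshellarg` to `'\''`, which closes the attribute and lets further attributes such as an event handler be injected into the admin's page. Escape for HTML and quote the attribute yourself, e.g. `<input type="text" size="20" class="vst-input" name="v_ip" value="<?php if (!empty($v_ip)) echo htmlentities(trim($v_ip, "'")); ?>">`, or keep the raw POST value in a separate variable for redisplay. The form is closed with `</from>` instead of `</form>`, and `__('HTPS')` and `CDIR format` are typos for HTTPS and CIDR.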


@ -19,6 +19,11 @@
</select>
<input type="submit" name="ok" value="" class="submenu-button-select">
</div>
<?php if(!empty($_SESSION['FIREWALL_EXTENSION'])) { ?>
<div class="submenu-select-block">
<a class="submenu-select-link" href="/list/firewall/banlist/">[ <?php print __('list fail2ban');?> ]</a>
</div>
<?php } ?>
<?php display_error_block(); ?>
</td>
</tr>
@ -37,10 +42,10 @@
} else {
$status = 'active';
$spnd_action = 'suspend' ;
$spnd_confirmation = 'UNSUSPEND_RULE_CONFIRMATION' ;
$spnd_confirmation = 'SUSPEND_RULE_CONFIRMATION' ;
}
?>
<tr class="data-row">
<tr class="data-row <? if($status == 'suspended') echo 'suspended';?>">
<td class="data-dotted">
<table class="data-col1">
<tr><td><input type="checkbox" class="ch-toggle" name="rule[]" value="<?php echo $data[$key]['RULE']?>" > </td></tr>
@ -58,7 +63,17 @@
</div>
</span>
</a>
<a href="/edit/firewall/?rule=<?php echo $data[$key]['RULE'] ?>" class="data-controls">
<a id="<?php echo $spnd_action ?>_link_<?php echo $i ?>" class="data-controls do_<?php echo $spnd_action ?>">
<span class="do_<?php echo $spnd_action ?>">
<img src="/images/suspend.png" width="7px" height="8px">
<?php echo __($spnd_action); ?>
<input type="hidden" name="<?php echo $spnd_action ?>_url" value="/<?php echo $spnd_action ?>/firewall/?rule=<?php echo $data[$key]['RULE'] ?>" />
<div id="<?php echo $spnd_action ?>_dialog_<?php echo $i ?>" class="confirmation-text-suspention hidden" title="<?php print __('Confirmation');?>">
<p class="counter-value"><?php print __($spnd_confirmation,$key);?></p>
</div>
</span>
</a>
<a href="/edit/firewall/?rule=<?php echo $key ?>" class="data-controls">
<span>
<img src="/images/edit.png" width="8px" height="8px">
<?php print __('edit');?>
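Review bot: The new row class uses a short open tag, `<tr class="data-row <? if($status == 'suspended') echo 'suspended';?>">`, while every other PHP snippet in this template uses `<?php`; on a server with `short_open_tag` disabled the raw text is emitted into the page and the suspended styling is never applied. Use `<tr class="data-row <?php if($status == 'suspended') echo 'suspended';?>">`. The surrounding row markup starts and ends outside the hunk.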


@ -0,0 +1,88 @@
<table class="submenu">
<tr>
<td class="wrapper">
<div class="submenu-button-block">
<button class="submenu-button-main" onclick="location.href='/add/firewall/banlist/'"> <?php print __('Ban IP Address');?> </button>
</div>
<div class="submenu-search-block">
<form action="/search/" method="get">
<input type="text" name="q" class="submenu-search-field">
<input type="submit" value="<?php print __('Search');?>" class="submenu-button-search">
</form>
</div>
<div class="submenu-select-block">
<form action="/bulk/firewall/banlist/" method="post" id="objects">
<a class="submenu-select-link" href='javascript:checkedAll("objects");'> <?php print __('toggle all');?> </a>
<select class="submenu-select-dropdown" name="action">
<option value=""><?php print __('apply to selected');?></option>
<option value="delete"><?php print __('delete');?></option>
</select>
<input type="submit" name="ok" value="" class="submenu-button-select">
</div>
<?php display_error_block(); ?>
</td>
</tr>
</table>
</div>
<div id="vstobjects">
<table class="data" style="background: #ebe9dc;">
<tr>
<td style="padding: 10px 4px">
<a class="name" style="color: #555; font-size: 10pt;"><b><?php print __('Listing');?> Fail2ban</b></a>
</td>
</tr>
</table>
<table class="data">
<?php
foreach ($data as $key => $value) {
++$i;
list($ip,$chain) = split(":",$key);
?>
<tr class="data-row">
<td class="data-dotted">
<table class="data-col1">
<tr><td><input type="checkbox" class="ch-toggle" name="ipchain[]" value="<?php echo $key ?>"</td></tr>
<tr><td></td></tr>
</table>
</td>
<td class="data-dotted">
<a id="delete_link_<?php echo $i ?>" class="data-controls do_delete">
<span class="do_delete">
<img src="/images/delete.png" width="7px" height="7px">
<?php print __('delete');?>
<input type="hidden" name="delete_url" value="/delete/firewall/banlist/?ip=<?php echo $ip ?>&chain=<?php echo $chain ?>"/>
<div id="delete_dialog_<?php echo $i ?>" class="confirmation-text-delete hidden" title="<?php print __('Confirmation');?>">
<p class="counter-value"><?php print __('DELETE_IP_CONFIRMATION',$ip);?></p>
</div>
</span>
</a>
<table class="data-col5">
<tr>
<td class="log" width="119px"><?php echo $data[$key]['TIME'] ?></td>
<td class="log" width="119px"><?php echo $data[$key]['DATE']?></td>
<td class="log" width="232px"><?php echo $chain ?></td>
<td class="log" ><?php echo $ip ?></td>
</tr>
</table>
</td>
</tr>
<?php
}
?>
</table>
</form>
<div class="data-count">
<?php
if ( $i == 0) {
echo __('There is no currently banned IP addresses');
}
if ( $i == 1) {
echo __('1 IP address');
}
if ( $i > 1) {
echo __('%s IP addresses',$i);
}
?>
</div>
</div>
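Review bot: The checkbox tag is never closed: `<input type="checkbox" class="ch-toggle" name="ipchain[]" value="<?php echo $key ?>"</td>` lacks the `>` before `</td>`, so the cell markup is swallowed into the tag. The hidden delete URL also interpolates `$ip` and `$chain` into a query string without `urlencode` (a CIDR `/` or a raw `&` between parameters ends up unescaped in HTML), and `split()` is deprecated in favour of `explode()`. Suggested lines: `<input type="checkbox" class="ch-toggle" name="ipchain[]" value="<?php echo htmlentities($key) ?>">` and `value="/delete/firewall/banlist/?ip=<?php echo urlencode($ip) ?>&amp;chain=<?php echo urlencode($chain) ?>"`.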


@ -0,0 +1,28 @@
<?php
// Init
error_reporting(NULL);
ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check user
if ($_SESSION['user'] != 'admin') {
header("Location: /list/user");
exit;
}
if (!empty($_GET['rule'])) {
$v_rule = escapeshellarg($_GET['rule']);
exec (VESTA_CMD."v-unsuspend-firewall-rule ".$v_rule, $output, $return_var);
}
check_return_code($return_var,$output);
unset($output);
$back=getenv("HTTP_REFERER");
if (!empty($back)) {
header("Location: ".$back);
exit;
}
header("Location: /list/firewall/");
exit;
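Review bot: As in the suspend handler, `$back=getenv("HTTP_REFERER")` feeds `header("Location: ".$back)`, so an attacker-supplied Referer turns this state-changing GET into an open redirect; replace it with the session-stored return path used by delete/firewall/banlist, `$back = $_SESSION['back'];`. `check_return_code` should also move inside the `if (!empty($_GET['rule']))` block so it is not called with `$return_var` undefined.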