blob: aefaa5eb3ca8c49600167c51904eec28c28a388d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
#!/usr/bin/perl
# This yate script will monitor authentication requests and update an
# nftables set with IP addresses of users who consistently fail to
# authenticate. The nftables set can then be used in OpenWrt's
# firewall configuration to block these IP addresses.
#
# The nftables set has to exist before launching yate.
#
# Here's an example configuration that creates an nftables set, where
# entries expire after 12 hours, and configures the OpenWrt firewall
# to drop packets where the source IP address is in the set. Put this
# in /etc/nftables.d/99-yate.nft:
#
# set yate_denylist {
# type ipv4_addr
# timeout 12h
# }
#
# chain yate_filter {
# type filter hook input priority -1; policy accept;
# ip saddr @yate_denylist counter drop comment "Drop packets from bad SIP clients"
# }
#
#
# To enable this script in yate, add it to the [scripts] section in
# /etc/yate/extmodule.conf.
#
# You can tweak how tolerant this script should be by modifying the
# constants below.
# A user's IP address will be added to the nftables set if there are
# more than MAX_AUTH_FAILURES consecutive authentication failures in
# MAX_AUTH_FAILURES_TIME_PERIOD seconds.
my $MAX_AUTH_FAILURES = 5;
my $MAX_AUTH_FAILURES_TIME_PERIOD = 3600; # seconds
# The name of the nftables table and set where IP addresses are added.
my $NFTABLES_TABLE = 'inet fw4';
my $NFTABLES_SET = 'yate_denylist';
use strict;
use warnings;
use lib '/usr/share/yate/scripts';
use Yate;
my %ip_auth_failures = ();
sub OnAuthenticationRequest($) {
my $yate = shift;
# Forget any expired failed authentications
foreach my $ip (keys(%ip_auth_failures)) {
my $failures = \@{$ip_auth_failures{$ip}};
while (@$failures &&
time() - @$failures[0] > $MAX_AUTH_FAILURES_TIME_PERIOD) {
shift(@$failures);
}
if (!@$failures) {
delete $ip_auth_failures{$ip};
}
}
my $remote_ip = $yate->param('ip_host');
my $remote_device = $yate->param('device') || '<unknown>';
if ($yate->header('processed') eq 'true') {
$yate->output("banbrutes: Successful authentication from $remote_ip");
delete $ip_auth_failures{$remote_ip};
return;
}
$yate->output("banbrutes: Failed authentication from $remote_ip");
push(@{$ip_auth_failures{$remote_ip}}, time());
if (scalar(@{$ip_auth_failures{$remote_ip}}) > $MAX_AUTH_FAILURES) {
$yate->output("banbrutes: Adding $remote_ip to nftables set $NFTABLES_SET (remote device: $remote_device)");
`nft add element $NFTABLES_TABLE $NFTABLES_SET { $remote_ip }`;
delete $ip_auth_failures{$remote_ip};
}
}
my $yate = new Yate();
$yate->install_watcher("user.auth", \&OnAuthenticationRequest);
$yate->listen();
|
