Added support for banning IPv6 addresses.

Prevent banning the loopback address.


git-svn-id: http://voip.null.ro/svn/yate@6274 acf43c95-373e-0410-b603-e72c3f656dc1
paulc 2017-10-30 14:54:16 +00:00
parent f5d88a7027
commit 90f118868e
1 changed files with 30 additions and 19 deletions


@ -5,7 +5,7 @@
* This file is part of the YATE Project http://YATE.null.ro
*
* Yet Another Telephony Engine - a fully featured software PBX and IVR
* Copyright (C) 2011-2014 Null Team
* Copyright (C) 2011-2017 Null Team
*
* This software is distributed under multiple licenses;
* see the COPYING file in the main directory for licensing
@ -31,7 +31,7 @@
If you are using SIP proxies or clients with multiple subscriptions you will need to
allow more failures for each since each separate transaction will fail once
This script requires Yate to run as root or have permissions to run iptables
This script requires Yate to run as root or have permissions to run iptables / ip6tables
*/
// How many failures in a row cause a ban
@ -40,10 +40,16 @@ $ban_failures = 10;
$clear_gray = 10;
// In how many seconds to clear a blacklisted host
$clear_black = 600;
// Command to ban an address
$cmd_ban = "iptables -I INPUT -s \$addr -j DROP";
// Command to unban an address
$cmd_unban = "iptables -D INPUT -s \$addr -j DROP";
// Path prefix for commands, if needed
$cmd_path = ""; // "/usr/sbin/";
// Command to ban an IPv4 address
$cmd_ban4 = "${cmd_path}iptables -I INPUT -s \$addr -j DROP";
// Command to unban an IPv4 address
$cmd_unban4 = "${cmd_path}iptables -D INPUT -s \$addr -j DROP";
// Command to ban an IPv6 address
$cmd_ban6 = "${cmd_path}ip6tables -I INPUT -s \$addr -j DROP";
// Command to unban an IPv6 address
$cmd_unban6 = "${cmd_path}ip6tables -D INPUT -s \$addr -j DROP";
require_once("libyate.php");
@ -103,8 +109,14 @@ class Host
function updateAuth($addr,$ok)
{
global $hosts;
global $cmd_ban;
global $cmd_unban;
global $cmd_ban4, $cmd_ban6;
switch ($addr) {
case null:
case "":
case "127.0.0.1":
case "::1":
return;
}
if ($ok) {
if (isset($hosts[$addr]))
$hosts[$addr]->success();
@ -112,7 +124,8 @@ function updateAuth($addr,$ok)
}
if (isset($hosts[$addr])) {
if ($hosts[$addr]->failed()) {
$cmd = eval('return "'.$cmd_ban.'";');
$cmd = strstr($addr,":") ? $cmd_ban6 : $cmd_ban4;
$cmd = eval('return "' . $cmd . '";');
Yate::Output("banbrutes: $cmd");
shell_exec($cmd);
}
@ -126,12 +139,13 @@ function updateAuth($addr,$ok)
function onTimer()
{
global $hosts;
global $cmd_unban;
global $cmd_unban4, $cmd_unban6;
$now = time();
foreach ($hosts as $addr => &$host) {
if ($host->timer($now)) {
if ($host->banned()) {
$cmd = eval('return "'.$cmd_unban.'";');
$cmd = strstr($addr,":") ? $cmd_unban6 : $cmd_unban4;
$cmd = eval('return "' . $cmd . '";');
Yate::Output("banbrutes: $cmd");
shell_exec($cmd);
}
@ -146,7 +160,7 @@ function onCommand($l,&$retval)
{
global $hosts;
global $ban_failures;
global $cmd_unban;
global $cmd_unban4, $cmd_unban6;
if ($l == "banbrutes") {
$gray = 0;
$banned = 0;
@ -179,7 +193,8 @@ function onCommand($l,&$retval)
$addr = substr($l,16);
if (isset($hosts[$addr])) {
if ($hosts[$addr]->banned()) {
$cmd = eval('return "'.$cmd_unban.'";');
$cmd = strstr($addr,":") ? $cmd_unban6 : $cmd_unban4;
$cmd = eval('return "' . $cmd . '";');
Yate::Output("banbrutes: $cmd");
shell_exec($cmd);
unset($hosts[$addr]);
@ -308,14 +323,10 @@ for (;;) {
if ($ev->type == "answer") {
switch ($ev->name) {
case "user.auth":
$addr = $ev->GetValue("ip_host");
if ($addr != "")
updateAuth($addr,$ev->handled && ($ev->retval != "-"));
updateAuth($ev->GetValue("ip_host"),$ev->handled && ($ev->retval != "-"));
break;
case "user.authfail":
$addr = $ev->GetValue("ip_host");
if ($addr != "")
updateAuth($addr,false);
updateAuth($ev->GetValue("ip_host"),false);
break;
case "engine.timer":
onTimer();
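Review bot: The loopback guard in updateAuth's new `switch` compares `$addr` only against the literal spellings `127.0.0.1` and `::1`, so an equivalent form such as `0:0:0:0:0:0:0:1` or the IPv4-mapped `::ffff:127.0.0.1` still reaches the ban path, and nothing verifies that `$addr` is an IP literal at all before it is substituted into `$cmd_ban4`/`$cmd_ban6` by `eval()` and executed via `shell_exec()` (the `$addr != ""` test removed in the last hunk was the only filter on `ip_host`). Validating and canonicalising once before the `switch` closes both gaps and lets the `strstr($addr,":")` family selection operate on a normalised string: `$bin = (filter_var($addr, FILTER_VALIDATE_IP) !== false) ? inet_pton($addr) : false;` then `if ($bin === false) return;` then `$addr = inet_ntop($bin);`. The same check appears to cover onTimer and onCommand as well, since their unban paths only act on keys that updateAuth has already stored in `$hosts`. updateAuth's body continues past the end of its hunk.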