Added support for banning IPv6 addresses.
Prevent banning the loopback address. git-svn-id: http://voip.null.ro/svn/yate@6274 acf43c95-373e-0410-b603-e72c3f656dc1
This commit is contained in:
parent
f5d88a7027
commit
90f118868e
|
@ -5,7 +5,7 @@
|
||||||
* This file is part of the YATE Project http://YATE.null.ro
|
* This file is part of the YATE Project http://YATE.null.ro
|
||||||
*
|
*
|
||||||
* Yet Another Telephony Engine - a fully featured software PBX and IVR
|
* Yet Another Telephony Engine - a fully featured software PBX and IVR
|
||||||
* Copyright (C) 2011-2014 Null Team
|
* Copyright (C) 2011-2017 Null Team
|
||||||
*
|
*
|
||||||
* This software is distributed under multiple licenses;
|
* This software is distributed under multiple licenses;
|
||||||
* see the COPYING file in the main directory for licensing
|
* see the COPYING file in the main directory for licensing
|
||||||
|
@ -31,7 +31,7 @@
|
||||||
If you are using SIP proxies or clients with multiple subscriptions you will need to
|
If you are using SIP proxies or clients with multiple subscriptions you will need to
|
||||||
allow more failures for each since each separate transaction will fail once
|
allow more failures for each since each separate transaction will fail once
|
||||||
|
|
||||||
This script requires Yate to run as root or have permissions to run iptables
|
This script requires Yate to run as root or have permissions to run iptables / ip6tables
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// How many failures in a row cause a ban
|
// How many failures in a row cause a ban
|
||||||
|
@ -40,10 +40,16 @@ $ban_failures = 10;
|
||||||
$clear_gray = 10;
|
$clear_gray = 10;
|
||||||
// In how many seconds to clear a blacklisted host
|
// In how many seconds to clear a blacklisted host
|
||||||
$clear_black = 600;
|
$clear_black = 600;
|
||||||
// Command to ban an address
|
// Path prefix for commands, if needed
|
||||||
$cmd_ban = "iptables -I INPUT -s \$addr -j DROP";
|
$cmd_path = ""; // "/usr/sbin/";
|
||||||
// Command to unban an address
|
// Command to ban an IPv4 address
|
||||||
$cmd_unban = "iptables -D INPUT -s \$addr -j DROP";
|
$cmd_ban4 = "${cmd_path}iptables -I INPUT -s \$addr -j DROP";
|
||||||
|
// Command to unban an IPv4 address
|
||||||
|
$cmd_unban4 = "${cmd_path}iptables -D INPUT -s \$addr -j DROP";
|
||||||
|
// Command to ban an IPv6 address
|
||||||
|
$cmd_ban6 = "${cmd_path}ip6tables -I INPUT -s \$addr -j DROP";
|
||||||
|
// Command to unban an IPv6 address
|
||||||
|
$cmd_unban6 = "${cmd_path}ip6tables -D INPUT -s \$addr -j DROP";
|
||||||
|
|
||||||
|
|
||||||
require_once("libyate.php");
|
require_once("libyate.php");
|
||||||
|
@ -103,8 +109,14 @@ class Host
|
||||||
function updateAuth($addr,$ok)
|
function updateAuth($addr,$ok)
|
||||||
{
|
{
|
||||||
global $hosts;
|
global $hosts;
|
||||||
global $cmd_ban;
|
global $cmd_ban4, $cmd_ban6;
|
||||||
global $cmd_unban;
|
switch ($addr) {
|
||||||
|
case null:
|
||||||
|
case "":
|
||||||
|
case "127.0.0.1":
|
||||||
|
case "::1":
|
||||||
|
return;
|
||||||
|
}
|
||||||
if ($ok) {
|
if ($ok) {
|
||||||
if (isset($hosts[$addr]))
|
if (isset($hosts[$addr]))
|
||||||
$hosts[$addr]->success();
|
$hosts[$addr]->success();
|
||||||
|
@ -112,7 +124,8 @@ function updateAuth($addr,$ok)
|
||||||
}
|
}
|
||||||
if (isset($hosts[$addr])) {
|
if (isset($hosts[$addr])) {
|
||||||
if ($hosts[$addr]->failed()) {
|
if ($hosts[$addr]->failed()) {
|
||||||
$cmd = eval('return "'.$cmd_ban.'";');
|
$cmd = strstr($addr,":") ? $cmd_ban6 : $cmd_ban4;
|
||||||
|
$cmd = eval('return "' . $cmd . '";');
|
||||||
Yate::Output("banbrutes: $cmd");
|
Yate::Output("banbrutes: $cmd");
|
||||||
shell_exec($cmd);
|
shell_exec($cmd);
|
||||||
}
|
}
|
||||||
|
@ -126,12 +139,13 @@ function updateAuth($addr,$ok)
|
||||||
function onTimer()
|
function onTimer()
|
||||||
{
|
{
|
||||||
global $hosts;
|
global $hosts;
|
||||||
global $cmd_unban;
|
global $cmd_unban4, $cmd_unban6;
|
||||||
$now = time();
|
$now = time();
|
||||||
foreach ($hosts as $addr => &$host) {
|
foreach ($hosts as $addr => &$host) {
|
||||||
if ($host->timer($now)) {
|
if ($host->timer($now)) {
|
||||||
if ($host->banned()) {
|
if ($host->banned()) {
|
||||||
$cmd = eval('return "'.$cmd_unban.'";');
|
$cmd = strstr($addr,":") ? $cmd_unban6 : $cmd_unban4;
|
||||||
|
$cmd = eval('return "' . $cmd . '";');
|
||||||
Yate::Output("banbrutes: $cmd");
|
Yate::Output("banbrutes: $cmd");
|
||||||
shell_exec($cmd);
|
shell_exec($cmd);
|
||||||
}
|
}
|
||||||
|
@ -146,7 +160,7 @@ function onCommand($l,&$retval)
|
||||||
{
|
{
|
||||||
global $hosts;
|
global $hosts;
|
||||||
global $ban_failures;
|
global $ban_failures;
|
||||||
global $cmd_unban;
|
global $cmd_unban4, $cmd_unban6;
|
||||||
if ($l == "banbrutes") {
|
if ($l == "banbrutes") {
|
||||||
$gray = 0;
|
$gray = 0;
|
||||||
$banned = 0;
|
$banned = 0;
|
||||||
|
@ -179,7 +193,8 @@ function onCommand($l,&$retval)
|
||||||
$addr = substr($l,16);
|
$addr = substr($l,16);
|
||||||
if (isset($hosts[$addr])) {
|
if (isset($hosts[$addr])) {
|
||||||
if ($hosts[$addr]->banned()) {
|
if ($hosts[$addr]->banned()) {
|
||||||
$cmd = eval('return "'.$cmd_unban.'";');
|
$cmd = strstr($addr,":") ? $cmd_unban6 : $cmd_unban4;
|
||||||
|
$cmd = eval('return "' . $cmd . '";');
|
||||||
Yate::Output("banbrutes: $cmd");
|
Yate::Output("banbrutes: $cmd");
|
||||||
shell_exec($cmd);
|
shell_exec($cmd);
|
||||||
unset($hosts[$addr]);
|
unset($hosts[$addr]);
|
||||||
|
@ -308,14 +323,10 @@ for (;;) {
|
||||||
if ($ev->type == "answer") {
|
if ($ev->type == "answer") {
|
||||||
switch ($ev->name) {
|
switch ($ev->name) {
|
||||||
case "user.auth":
|
case "user.auth":
|
||||||
$addr = $ev->GetValue("ip_host");
|
updateAuth($ev->GetValue("ip_host"),$ev->handled && ($ev->retval != "-"));
|
||||||
if ($addr != "")
|
|
||||||
updateAuth($addr,$ev->handled && ($ev->retval != "-"));
|
|
||||||
break;
|
break;
|
||||||
case "user.authfail":
|
case "user.authfail":
|
||||||
$addr = $ev->GetValue("ip_host");
|
updateAuth($ev->GetValue("ip_host"),false);
|
||||||
if ($addr != "")
|
|
||||||
updateAuth($addr,false);
|
|
||||||
break;
|
break;
|
||||||
case "engine.timer":
|
case "engine.timer":
|
||||||
onTimer();
|
onTimer();
|
||||||
|
|
Loading…
Reference in New Issue