Hi!
In this article I propose a way to configure and extend the power of SHOREWALL with my scripts. I wrote them to detect and block attacks coming from the Internet, and because I also needed a history of the firewall log in a MySQL database.
I developed this small system with PHP, Bash and the GeoIP libraries; the scripts use the FW database to log events and also create DROP actions that last a few days.
The system is very simple: it is based on two scripts which run regularly via CRON.
=> The first script is the log parser and MySQL sync.
=> The second script is the main engine, which can view the DB, query some IPs, block some IPs and display statistics.
=> The second script can also be run manually (the CRON mode is only for attack detection and automatic blacklisting).
Another script can be used to update the GeoIP database.
Note that here I am using the latest Debian Linux release with SHOREWALL, MariaDB and PHP 7.
1) Set up the SHOREWALL log and the DB parsing script.
Here you need your SHOREWALL setup and an empty MySQL database.
In SHOREWALL, install the « ulogd » daemon and configure SHOREWALL to log through it; here I use:
/var/log/firewallaccess.log
For ulogd, simply add this block to /etc/ulogd.conf:
For SHOREWALL, here it is:
Of course, your SHOREWALL policy file must contain the $LOG directive;
here I want to LOG REJECT/DROP packets coming from the Internet:
At the end, with the $LOG option.
Now you can download and install the CRX-FW scripts; you need this ZIP file: CRX-FW-0.1
Also create a directory to unzip the files into:
The parser script is named log2mysql; do a chmod +x on it.
Configure your database as follows:
Create a database for the FW and import crx_fw_events.sql and crx_fw_events_actions.sql into it.
Configure your DB user and password for this database in the file config.php.
On the SHOREWALL side, you should now have the event log (ulogd) with entries in this format:
Wait a few minutes to get some entries in your SHOREWALL log, then simply launch the parser manually like this:
If everything is ok here, we can now configure the WHITELIST part; the CRON part will be the last step.
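To make the parsing step concrete, here is a small parser of the kind log2mysql has to implement, written as an added example for this article and not taken from CRX-FW. Since the page does not show its own log sample, it assumes the usual ulogd LOGEMU layout (a syslog-style prefix followed by the netfilter KEY=VALUE fields) with Shorewall's default LOGFORMAT "Shorewall:%s:%s:" (chain, disposition); the sample lines are constructed, and the column names in INSERT_SQL are assumed, not those of crx_fw_events.sql.

```python
"""Parse Shorewall/ulogd firewall log lines into records for an events table.

Added example, not the CRX-FW log2mysql script. Assumed: ulogd LOGEMU-style
lines, default Shorewall LOGFORMAT "Shorewall:%s:%s:", column names below.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample lines (not captured from a real host). The last one is an
# unrelated sshd line, as happens when ulogd shares a syslog file.
SAMPLE_LOG = """\
Oct 12 13:45:01 fw01 Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=44870 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 12 13:45:03 fw01 Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=44871 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 12 13:45:09 fw01 Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.7 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=9
Oct 12 13:45:11 fw01 Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Oct 12 13:45:12 fw01 sshd[1234]: Accepted publickey for admin from 203.0.113.2 port 5000 ssh2
"""

# syslog timestamp, host, then the Shorewall prefix "Shorewall:<chain>:<disposition>:"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) +"
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # netfilter KEY=VALUE fields; bare flags (SYN, DF) are skipped


@dataclass(frozen=True)
class FwEvent:
    ts: datetime
    chain: str
    action: str
    iface: str
    proto: str
    src: str
    dst: str
    spt: Optional[int]   # None for protocols without ports (ICMP)
    dpt: Optional[int]


def parse_line(line: str, year: int) -> Optional[FwEvent]:
    """Return an FwEvent for a Shorewall log line, None for anything else.

    syslog timestamps carry no year, so the caller supplies it.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m["rest"]))          # a repeated key (LEN=) keeps the last value
    if "SRC" not in kv or "DST" not in kv:
        return None                              # truncated line: do not insert half a record
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")

    def port(key: str) -> Optional[int]:
        return int(kv[key]) if key in kv else None

    return FwEvent(ts, m["chain"], m["action"], kv.get("IN", ""),
                   kv.get("PROTO", "?"), kv["SRC"], kv["DST"], port("SPT"), port("DPT"))


def parse_log(text: str, year: int) -> list:
    return [ev for ev in (parse_line(ln, year) for ln in text.splitlines()) if ev]


# Column names are assumed for the example; adapt them to crx_fw_events.sql.
INSERT_SQL = ("INSERT INTO crx_fw_events "
              "(event_ts, chain_name, action, iface, proto, src_ip, dst_ip, spt, dpt) "
              "VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)")


def to_row(ev: FwEvent) -> tuple:
    return (ev.ts, ev.chain, ev.action, ev.iface, ev.proto, ev.src, ev.dst, ev.spt, ev.dpt)


def sync_to_db(conn, events) -> int:
    """Insert events through any DB-API connection (e.g. pymysql.connect(...)).

    Parameterised executemany: the log content never reaches the SQL text.
    """
    with conn.cursor() as cur:
        cur.executemany(INSERT_SQL, [to_row(ev) for ev in events])
    conn.commit()
    return len(events)


def count_by_src(events) -> Counter:
    """Events per source address, the figure the engine later compares to its threshold."""
    return Counter(ev.src for ev in events)


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG, 2024):
        print(ev.ts, ev.chain, ev.action, ev.proto, ev.src, "->", ev.dst, ev.dpt)
    print(count_by_src(parse_log(SAMPLE_LOG, 2024)))
```

Two points matter when you write your own parser: treat the log content as untrusted data (hence the parameterised INSERT), and skip lines that do not carry SRC/DST rather than storing partial records that the engine would later count as events.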
2) Configure the whitelist for services and IP addresses, and launch the engine!
The whitelist is simple; you have one file for each:
Services: whitlist_services.php
IP addresses: whitlist_ip.php
Start with the IP addresses and put your own public IP there first, otherwise the engine can DROP the address you administer the server from.
The format must be:
For services:
If everything is ok, we can now launch the main engine script, analyseAndAction:
Without arguments it looks like this:
The program displays the number of FW events in the last 30 minutes.
Note that the ban period is 4 days; you can configure it in config.php.
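The detection and blacklisting pass that analyseAndAction performs from cron, and the BAN/UNBAN actions described in section 4 (-m / -r), follow the logic below. This is an added example written for this article, not the CRX-FW code: the 30-minute window and the 4-day ban period come from the page, while the threshold of 10 events per source, the whitelist contents and the event structure are assumptions. `shorewall drop` and `shorewall allow` are Shorewall's own dynamic blacklist commands; the example only builds them unless dry_run is switched off.

```python
"""Cron-style detection pass: ban new offenders, unban expired ones.

Added example, not the CRX-FW analyseAndAction script. Assumed: THRESHOLD,
the whitelist entries, the Event layout and the sample events below.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress
import subprocess

WINDOW = timedelta(minutes=30)      # detection window (page)
BAN_PERIOD = timedelta(days=4)      # ban length (page; config.php)
THRESHOLD = 10                      # assumed: events per source inside WINDOW

# Mirrors whitlist_ip.php / whitlist_services.php (contents assumed).
WHITELIST_IP = [ipaddress.ip_network("198.51.100.99/32"),   # my own public IP
                ipaddress.ip_network("10.0.0.0/8")]
WHITELIST_SERVICES = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    proto: str
    dpt: Optional[int]


def is_whitelisted(ev: Event) -> bool:
    addr = ipaddress.ip_address(ev.src)
    if any(addr in net for net in WHITELIST_IP):
        return True
    return (ev.proto.lower(), ev.dpt) in WHITELIST_SERVICES


def recent_counts(events, now: datetime) -> Counter:
    """Events per source inside the last WINDOW, whitelist excluded."""
    since = now - WINDOW
    return Counter(ev.src for ev in events
                   if since <= ev.ts <= now and not is_whitelisted(ev))


def decide_bans(events, active_bans: dict, now: datetime) -> dict:
    """{ip: expiry} for sources crossing THRESHOLD that are not already banned."""
    return {ip: now + BAN_PERIOD
            for ip, n in recent_counts(events, now).items()
            if n >= THRESHOLD and ip not in active_bans}


def expired_bans(active_bans: dict, now: datetime) -> list:
    """The -d 'all' pass: bans whose period has elapsed and must be lifted."""
    return sorted(ip for ip, until in active_bans.items() if until <= now)


def shorewall_cmd(action: str, ip: str) -> list:
    """-m maps to `shorewall drop <ip>`, -r to `shorewall allow <ip>`."""
    if action not in ("drop", "allow"):
        raise ValueError(action)
    ipaddress.ip_address(ip)        # refuse anything that is not a literal address
    return ["shorewall", action, ip]


def apply_cmd(cmd: list, dry_run: bool = True) -> int:
    return 0 if dry_run else subprocess.run(cmd, check=False).returncode


def run_cycle(events, active_bans: dict, now: datetime, dry_run: bool = True) -> list:
    """One cron pass; mutates active_bans and returns the commands issued."""
    cmds = []
    for ip, until in decide_bans(events, active_bans, now).items():
        cmds.append(shorewall_cmd("drop", ip))
        active_bans[ip] = until
    for ip in expired_bans(active_bans, now):
        cmds.append(shorewall_cmd("allow", ip))
        del active_bans[ip]
    for cmd in cmds:
        apply_cmd(cmd, dry_run)
    return cmds


# Constructed sample data, not real traffic.
NOW = datetime(2024, 10, 12, 14, 0, 0)


def sample_events() -> list:
    evs = []
    for i in range(12):   # scanner: 12 SSH/RDP hits in the last 20 minutes -> banned
        evs.append(Event(NOW - timedelta(minutes=20 - i), "203.0.113.45", "TCP", 22 if i % 2 else 3389))
    for i in range(3):    # noisy but below threshold
        evs.append(Event(NOW - timedelta(minutes=5 + i), "192.0.2.10", "UDP", 5060))
    for i in range(50):   # my own IP: whitelisted, never banned
        evs.append(Event(NOW - timedelta(seconds=i), "198.51.100.99", "TCP", 22))
    for i in range(20):   # many hits, but on a whitelisted service (HTTP)
        evs.append(Event(NOW - timedelta(minutes=i), "203.0.113.200", "TCP", 80))
    for i in range(30):   # burst two hours ago: outside the 30-minute window
        evs.append(Event(NOW - timedelta(hours=2, minutes=i), "203.0.113.77", "TCP", 445))
    return evs


ACTIVE_BANS = {"192.0.2.250": NOW - timedelta(days=1),    # expired -> unban
               "192.0.2.251": NOW + timedelta(days=2)}    # still running

if __name__ == "__main__":
    for cmd in run_cycle(sample_events(), dict(ACTIVE_BANS), NOW):
        print(" ".join(cmd))
```

The pass is idempotent: an address already in the active ban table is not dropped a second time, and an address is only allowed again once its expiry has passed, so running it from cron every minute is safe.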
3) Configure the CRON
Here I have configured it like this (you can adjust the frequency depending on your DBMS configuration/capacity and the server load).
Note that -d ‘all’ updates all events in the DB and decides to UNBAN some of them if needed.
wrapper.sh is a simple script to launch a task every XX seconds, which is not possible with classic CRON (one minute is its finest granularity).
Here is the script:
4) Display info and also BAN/UNBAN IP addresses:
Example: I want the top 5 countries blocked by the FW:
Same for IP addresses (-i « all » -l 5):
You can also search the events by IP address (./analyseAndAction -p 77.72.85.XX -l 5):
To BAN/UNBAN an IP address simply do:
-m « @ip » => DROP the IP (adds an event to MySQL and calls SHOREWALL to DROP the IP).
-r « @IP » => ALLOW the IP (removes the event from MySQL and calls SHOREWALL to ALLOW the IP).
Note that you can also view the content of the FW DROP table via:
This command is the same as:
That's all for now.
I hope you find it useful; all feedback is welcome!