Merge pull request #123 from robho/yate_banbrutes_using_iptables_recent

yate-scripts-perl: Add script to block phones which fail to authenticate
2017-08-13 21:26:56 +02:00 · 2017-08-13 21:26:56 +02:00 · 921a560832
commit 921a560832
parent 2f190f1b2a 2d4f799440
2 changed files with 51 additions and 0 deletions
--- a/net/yate/Makefile
+++ b/net/yate/Makefile
@ -146,6 +146,7 @@ endef
 define Package/$(PKG_NAME)-scripts-perl/install
 	$(INSTALL_DIR) $(1)/usr/share/yate/scripts
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/yate/scripts/Yate.pm $(1)/usr/share/yate/scripts/
+	$(INSTALL_BIN) ./files/banbrutes.pl $(1)/usr/share/yate/scripts/
 endef

 define Package/$(PKG_NAME)-sounds/install
--- a/net/yate/files/banbrutes.pl
+++ b/net/yate/files/banbrutes.pl
@ -0,0 +1,50 @@
+#!/usr/bin/perl
+
+# This yate module will monitor failed authentications and send the source
+# IP addresses of users who fail to authenticate to the iptables extension
+# "recent" for filtering.
+#
+# You have to have the iptables extension "recent" installed and you need to
+# create and reference a "recent" list in your firewall configuration.
+# For most people it's probably enough to add this custom firewall rule
+# to /etc/firewall.user:
+#
+#  iptables -A input_rule -m recent --name yate_auth_failures --rcheck --seconds 3600 --hitcount 5 -j DROP
+#
+# This line will drop all incoming traffic from users who have failed to
+# authenticate 5 consecutive times within the last hour.
+#
+# To enable this script in yate, add this script to the [scripts] section
+# in /etc/yate/extmodule.conf.
+
+
+use strict;
+use warnings;
+use lib '/usr/share/yate/scripts';
+use Yate;
+
+my $RECENT_LIST_NAME = '/proc/net/xt_recent/yate_auth_failures';
+
+sub OnAuthenticationRequest($) {
+  my $yate = shift;
+  my $remote_ip = $yate->param('ip_host');
+
+  if ($yate->header('processed') eq 'true') {
+    # Successful authentication, forget previous failures
+    `echo -$remote_ip > $RECENT_LIST_NAME`;
+    return;
+  }
+
+  `echo +$remote_ip > $RECENT_LIST_NAME`;
+}
+
+
+my $yate = new Yate();
+
+if (! -f $RECENT_LIST_NAME) {
+  $yate->output("iptables recent list $RECENT_LIST_NAME does not exist");
+  exit 1;
+}
+
+$yate->install_watcher('user.auth', \&OnAuthenticationRequest);
+$yate->listen();