Создание основы проекта ban-server, prod-server и gateway

ban-server/ban.php

+//Где сменить IP-адреса серверов
+<?php
+$ip = $_SERVER['REMOTE_ADDR'];
+echo "You are banned!, Your IP: $ip <br>";
+
+$redis = new Redis;
+$redis->pconnect ('192.168.0.99',6379);
+$key = $redis->get($ip);
+?>
+
+<button onclick="unban()">Unban</button>
+
+<script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.0/jquery.js"></script>
+
+<script>
+
+function unban(){
+    /*$.get("unban.php?&key=<?php echo $key;?>", function(data, status){
+        });*/
+    
+    window.location.href = "unban.php?key=<?php echo $key; ?>";
+}
+</script>
\ No newline at end of file

ban-server/default.conf

+//Создать файл /etc/nginx/sites-aviable.d/default.conf и ссылку на него в /etc/nginx/sites-enabled.d:
+server {
+        listen *:80;
+        
+        location / {
+                root /var/www/php;
+                #lingering_close off;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_pass unix:/var/run/php5-fpm/php5-fpm.sock;
+                fastcgi_param SCRIPT_FILENAME /var/www/php/ban.php;
+        }
+        location =/unban.php {
+                root /var/www/php;
+                #lingering_close off;
+                #proxy_buffering off;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_pass unix:/var/run/php5-fpm/php5-fpm.sock;
+                fastcgi_param SCRIPT_FILENAME /var/www/php/ban.php;
+        }
+
+}

ban-server/index.html

+<!DOCTYPE HTML>
+<html>
+ <head>
+  <meta charset="utf-8">
+  <title> You are banned </title>
+ </head>
+ <body>
+  <a href="/unban.php">Unban!</a>
+ </body>
+<html>
\ No newline at end of file

ban-server/nginx.conf

+# load dynamic nginx modules
+include /etc/nginx/modules-enabled.d/*.conf;
+
+# see http://nginx.net for info & docs
+
+worker_processes  10;
+
+error_log   /var/log/nginx/error.log;
+
+events {
+	worker_connections  1024;
+}
+
+include /etc/nginx/conf-enabled.d/*.conf;
+
+http {
+	index index.html;
+	server {
+	
+	    location / {
+		root /data/www;
+		}
+	    
+	    location ~ \.php$ {
+		try_files $uri =404;
+		root /data/www;
+		include /etc/nginx/fastcgi.conf;
+		fastcgi_pass unix:/var/run/php7-fpm/php7-fpm.sock;
+		}
+	}
+}

ban-server/unban.html

+YYYYYYYYYYYYYes
\ No newline at end of file

ban-server/unban.php

+<?php
+ $ip = $_SERVER['REMOTE_ADDR'];
+ $old_addr = $_SERVER['HTTP_REFERER'];
+ $host_redis = '192.168.101.101';
+ $redis = new Redis();
+ $redis->pconnect($host_redis,6379);
+ $redis->publish('unban', $ip);
+ $redis->close();
+ echo "Wait 5 secons, please"
+?>
+<script>
+ function update()
+ {
+  window.location.href = "/";
+ }
+ setTimeout("update()", 5000);
+
+</script>
\ No newline at end of file

gateway/action

+#Создать файл /etc/monit.d/action:
+check process action with pidfile /var/run/action.pid
+        start programm = "/path/to/action.py"
+        stop programm = "/bin/kill $(cat /var/run/action.pid)"
+                
\ No newline at end of file

gateway/action.py

+#!/usr/bin/python3
+import redis
+import subprocess
+import os
+
+pidfile = open ('/var/run/action.pid', 'w')
+pid = str(os.getpid()) + '\n'
+pidfile.write(pid)
+pidfile.close()
+
+
+IP_addr_gateway = '192.168.100.50'
+host_redis = '192.168.101.101'
+
+subprocess.call ('ipset create blacklist hash:ip', stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
+
+r = redis.Redis(host=host_redis)
+p = r.pubsub()
+
+p.subscribe('ban', 'unban')
+
+for message in p.listen():
+    if message is not None and  message['type']=='message' and message['channel'] == b'ban':
+        #print (message)
+        ip = message['data'].decode('utf-8')
+        #ban = 'ipset -A blacklist ' + ip
+        ban = 'fail2ban-client set blacklist  banip ' + ip
+        #subprocess.call (ban, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
+        subprocess.call (ban, shell = True)
+        tcp_drop = 'conntrack -D -s ' + ip
+        subprocess.Popen(tcp_drop, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
+        #subprocess.Popen(tcp_drop, shell = True)
+    elif message is not None and message['type'] =='message' and message['channel'] == b'unban' :
+        #print (message)
+        ip = message['data'].decode('utf-8')
+        #unban = 'ipset -D blacklist ' + ip
+        unban = 'fail2ban-client set blacklist unbanip ' + ip
+        subprocess.call (unban, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
+        #subprocess.call (unban, shell = True)
+        tcp_drop = 'conntrack -D -s ' + ip
+        subprocess.Popen(tcp_drop, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
+        #subprocess.Popen(tcp_drop, shell = True)
+    elif message is not None:
+        #print ("AHTUNG!!1!", message)
+        pass
+    else:
+        pass

gateway/ban.conf

+[Definition]
+
+actionban = ipset -A blacklist <ip>
+actionunban = ipset -D blacklist <ip>

gateway/blacklist.conf

+[blacklist]
+enabled = true
+filter = blacklist
+action = ban

gateway/iptables-rules.sh

+#!/bin/bash
+iptables -F -t nat
+iptables -X -t nat
+iptables -t nat -I PREROUTING  -i enp0s8 -m set --match-set blacklist src -j DNAT --to-destination 192.168.101.99
+iptables -t nat -I PREROUTING  -i enp0s8 -m set --match-set blacklist src -j LOG --log-prefix "REDIRECT blacklist entry PREROUTING"
+
+iptables -t nat -A PREROUTING -i enp0s8 -j DNAT --to-destination 192.168.101.101
+#iptables -t nat -A POSTROUTING -o enp0s9 -j SNAT --to-source 192.168.101.50
+#iptables -A FORWARD -i enp0s8 -o enp0s9 -d 192.168.101.101 -j ACCEPT
+#iptables -A FORWARD -i enp0s8 -o enp0s9 -d 192.168.101.99 -j ACCEPT
+#iptables -t nat -A PREROUTING -i enp0s9 -j DNAT --to-destination 192.168.100.100
+iptables -t nat -A POSTROUTING  -o enp0s8 -j SNAT --to-source 192.168.100.50
+iptables -P FORWARD ACCEPT
\ No newline at end of file

gateway/iptables.sh

+Добавить правило  в iptables:
+iptables -t nat -v -I PREROUTING -i INTERFACE -m set --match-set balscklist src -j DNAT --to-destination BAN_SERVER_ADDR
+
+Где INTERFACE и BAN_SERVER_ADDR надо указать пользователю.

prod-server/ban.py

+#!/usr/bin/python3
+mport sys, radom, redis
+host_redis = '192.168.101.101'
+r = redis.Redis (host=host_redis)
+r.publish ('ban', sys.argv[1])
\ No newline at end of file

prod-server/iptables-resend.conf

+[nginx-limit-req]
+enabled = true
+port = http
+filter = nginx-limit-req
+action = iptables-resend
+maxretry = 0
+bantime = 1
\ No newline at end of file

prod-server/just_do_it

+
+В jail.local в необходимых местах (всех banaction/action) изменить действие н
+а iptables-resend.conf, bantime = 30 
\ No newline at end of file

prod-server/unban.py

+#!/usr/bin/python3
+import redis
+import os
+import subprocess
+
+ban_list_name = 'nginx-limit-req'
+
+pid = str( os.getpid()) + '\n'
+pidfile = open ('/var/run/unban.pid', 'w')
+pidfile.write(pid)
+pidfile.close()
+
+host_redis = '192.168.101.101'
+r = redis.Redis ( host = host_redis)
+p = r.pubsub()
+p.subscribe( 'unban')
+
+for message in p.listen():
+    if message is not None and message['type'] =='message':
+        ip = message['data'].decode('utf-8')
+        unban = 'fail2ban-client set ' + ban_list_name + ' unbanip ' + ip
+        subprocess.Popen( unban, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
+        #subprocess.Popen( unban, shell = True)
+    else:
+        pass
\ No newline at end of file

Необходимые действия

+NormalServer:
+NormalServer:
+0. Проверить установленность fail2ban
+
+1. Создать файл /etc/fail2ban/action.d/iptables-resend.conf:
+[INCLUDES]
+Before = iptables-common.conf
+
+[Defenition]
+actionban = /path/to/ban.py <ip> 
+
+[Init]
+
+2. В jail.local в необходимых местах (всех banaction/action) изменить действие на iptables-resend.conf, bantime = 30 
+
+3. Создать файл /path/to/ban.py
+#!/usr/bin/python
+import os, sys, random, redis
+
+pid = str(os.getpid()+'\n'
+pidfile = open ('/var/run/ban.pid','w')
+pidfile.write (pid)
+pidfile.close()
+
+r = redis.StrictRedis (host=REDIS_ADDR)
+r.publish ('ban', sys.argv[1])
+r.set (sys.argv[1], random.randint(0, 9999999999))
+
+Где в качестве REDIS_ADDR пользователь должен будет ввести адрес redis-server.
+-------------------------------------------------------------------------
+Gateway:
+
+Создать файл /path/to/action.py:
+#!/usr/bin/python
+
+import redis
+import subprocess
+import os
+
+pidfile = open ('/var/run/action.pid', 'w')
+pid = str(os.getpid())+'\n'
+pidfile.write (pid)
+pidfile.close()
+
+r = redis.StrictRedis (host= REDIS_ADDR)
+p = r.pubsub()
+p.subscribe('ban','unban')
+
+subprocess.call ('ipset -N blacklist hash:ip' , shell = True)
+
+for message in p.listen():
+ #print message
+ if message['type']=='message' and message['channel']=='ban':
+  
+  ip = str (message['data'])
+  ban = 'ipset -A blacklist ' + ip 
+  subprocess.call (ban, shell = True)
+  print 'ban ', ip 
+ 
+ elif message['type']=='message' and message ['channel']=='unban':
+  ip = str (message['data'])
+  unban = 'ipset -D blacklist ' + ip 
+  
+  subprocess.call (unban, shell = True)
+  print 'unban ', ip 
+  
+  tcp_drop = 'conntrack -D -s ' + ip + ' -d 192.168.1.100'
+  subprocess.Popen(tcp_drop, stdout=subprocess.PIPE, stderr=subprocess.PIPE,shell = True)
+
+
+Создать файл /etc/monit.d/action:
+check process action with pidfile /var/run/action.pid
+	start programm = "/path/to/action.py"
+	stop programm = "/bin/kill $(cat /var/run/action.pid)"
+
+Добавить правило  в iptables:
+iptables -t nat -v -I PREROUTING -i INTERFACE -m set --match-set balscklist src -j DNAT --to-destination BAN_SERVER_ADDR
+
+Где INTERFACE и BAN_SERVER_ADDR надо указать пользователю.
+-------------------------------------------------------------------------
+
+BanServer:
+Создать файл /etc/nginx/sites-aviable.d/default.conf и ссылку на него в /etc/nginx/sites-enabled.d:
+server {
+	listen *:80;
+	
+	location / {
+		root /var/www/php;
+		#lingering_close off;
+		include /etc/nginx/fastcgi_params;
+		fastcgi_pass unix:/var/run/php5-fpm/php5-fpm.sock;
+		fastcgi_param SCRIPT_FILENAME /var/www/php/ban.php;
+	}
+	location =/unban.php {
+		root /var/www/php;
+		#lingering_close off;
+		#proxy_buffering off;
+		include /etc/nginx/fastcgi_params;
+		fastcgi_pass unix:/var/run/php5-fpm/php5-fpm.sock;
+		fastcgi_param SCRIPT_FILENAME /var/www/php/ban.php;
+	}
+}
+
+Создать /var/www/php/ban.php:
+<?php
+$ip = $_SERVER['REMOTE_ADDR'];
+echo "You are banned!, Your IP: $ip <br>";
+
+$redis = new Redis;
+$redis->pconnect ('192.168.0.99',6379);
+$key = $redis->get($ip);
+?>
+
+<button onclick="unban()">Unban</button>
+
+<script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.0/jquery.js"></script>
+
+<script>
+
+function unban(){
+    /*$.get("unban.php?&key=<?php echo $key;?>", function(data, status){
+    });*/
+    
+    window.location.href = "unban.php?key=<?php echo $key; ?>";
+}
+</script>
+
+Создать /var/www/php/unban.php:
+<?php
+$key = $_GET['key'];
+$ip = $_SERVER['REMOTE_ADDR'];
+$old_addr = $_SERVER['HTTP_REFERER'];
+
+$redis = new Redis();
+$redis->pconnect('192.168.0.99',6379);
+
+if ($redis->get($ip) == $key)
+{
+?>
+ <script type="text/javascript" src="cdnjs.cloudeflare.com/ajax/libs/jquery/2.2.0/jquery.js"> </script>
+ 
+ <script>
+ 
+ function update()
+ {
+  window.location.href = "<?php echo $old_addr;?>";
+ }
+ setInterval("update()", 200);
+ </script>
+
+<?php
+ $redis->publish('unban', $ip);
+ $redis->del ($ip);
+
+} else {
+  echo "Pls, don`t brute force";
+}
+$redis->close();
+?>
+