AnarchyPlanet/q2a-antispam
Archived
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

run with least privilege, support pf

Browse Source 
* run the service as a low privilege user and use sudo/doas to add
      the block rules
    * add support for pf firewall
    * write documentation for the above
    * add abort function for handling error logging and exit cleanup
This commit is contained in:
sceox 2020-09-06 15:20:12 -07:00
parent 49d1f7524d
commit 97bd5b000a
2 changed files with 69 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
README.md
View File

@ -7,9 +7,35 @@ To deploy:
* modify the configuration variables in the scripts * modify the configuration variables in the scripts
* copy the scripts to `/usr/local/bin` * copy the scripts to `/usr/local/bin`
* create the user
useradd -s /sbin/nologin _forumspam
* if using `pf`:
* create appropriate permissions for the file:
install -m 640 -o _forumspam -g wheel /dev/null /etc/pf-forumspam.txt
* add the following to `/etc/pf.conf`, preferably high up in the ruleset:
table <forumspam> persist file "/etc/pf-forumspam.txt"
block in quick on egress from <forumspam>
block out quick on egress to <forumspam>
* set up sudo or doas:
* for doas:
* add the following to `/etc/doas.conf`:
permit nopass _forumspam cmd pfctl args -nf /etc/pf.conf
permit nopass _forumspam cmd pfctl args -t forumspam -T replace -f /etc/pf-forumspam.txt
* for sudo:
* add to your sudo config file:
`Cmnd_Alias FIREWALL = /usr/sbin/ufw, /sbin/iptables`
and `_forumspam ALL = NOPASSWD: FIREWALL`
* register `q2a_usercheck.sh` as a systemd unit or rc script * register `q2a_usercheck.sh` as a systemd unit or rc script
TODO: TODO:
* also check against [botscout](http://botscout.com/api.htm) * also check against [botscout](http://botscout.com/api.htm)
* add support for pf * give the scripts more sensible names
* add support for iptables

60
forumspam.sh
View File

@ -2,31 +2,53 @@
# API reference: https://www.stopforumspam.com/usage # API reference: https://www.stopforumspam.com/usage
# user configuration area - change as needed
ostype="bsd" # allowed options are bsd, linux
logf=/var/log/forumspam.log
limit=0 # number of violations allowed before blocking the ip
case "$ostype" in
bsd)
getroot="doas"
fw_cmd="pfctl"
;;
linux)
getroot="sudo"
fw_cmd="ufw"
;;
esac
abort() {
echo `date` 'error:' $* >> $logf
rm $repl
exit 1
}
block_ip() {
case "$fw_cmd" in
ufw)
if [ "$getroot" ufw deny from $ip >/dev/null 2>>$logf ]; then
echo `date` blocked ip $ip with freq $freq >> $logf
else
abort "failed to block ip $ip"
fi
;;
pfctl)
"$getroot" pfctl -nf /etc/pf.conf || abort "pf config check failed" # Ensure proposed changes are valid before reloading table
"$getroot" pfctl -t forumspam -T replace -f /etc/pf-forumspam.txt
;;
esac
}
# we ignore all arguments except the first
ip=$1 ip=$1
repl=`mktemp` repl=`mktemp`
logf=/var/log/forumspam.log
curl 'http://api.stopforumspam.org/api?ip='$ip 2>/dev/null > $repl curl 'http://api.stopforumspam.org/api?ip='$ip 2>/dev/null > $repl
if ! grep -q '<response success="true">' $repl; then if ! grep -q '<response success="true">' $repl; then
echo error failed to query stopforumspam api >> $logf abort 'error failed to query stopforumspam api'
rm $repl
exit 1
fi
if ! grep -q '<appears>yes</appears>' $repl; then
rm $repl
exit 0
fi fi
freq=`grep '<frequency>' $repl | sed 's/<frequency>//; s!</frequency>!!'` freq=`grep '<frequency>' $repl | sed 's/<frequency>//; s!</frequency>!!'`
if [ "$freq" -ge 1 ]; then if grep -q '<appears>yes</appears>' $repl && [ "$freq" -gt "$limit" ]; then
if ufw deny from $ip >/dev/null 2>>$logf; then block_ip "$ip"
echo `date` blocked ip $ip with freq $freq >> $logf
rm $repl
exit 0
else
echo `date` "error failed to block ip $ip" >> $logf
rm $repl
exit 2
fi
fi fi
rm $repl rm $repl