
Final testing commit

master
Stefatorus 3 years ago
parent
commit
d3a321a0d9
  1. 18
      Tools/firewall.sh
  2. 37
      Tools/whitelister.sh

18
Tools/firewall.sh

@ -29,7 +29,8 @@
# (!): You can also set it to share your found proxies so they can be blocked later mainstream.
echo "Installing required dependencies: curl, iptables-persistent, ipset"
apt -y -qq install curl iptables-persistent ipset > /dev/null
apt -y -qq install curl iptables-persistent ipset conntrack > /dev/null
yum -y install curl iptables-service ipset-service conntrack > /dev/null
echo "Installed required depends."
# The port you want to protect. for ranges, use FROM:TO
protect_port=20003
@ -46,7 +47,7 @@ graylist_concurrent=3
checker_minconn=26214400
# MISC. THESE VALUES MAY CHANGE IN THE FUTURE
target_chain=INPUT
country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety_list="https://api.entryrise.com/minewall/"
@ -87,8 +88,6 @@ done
# The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
# Off the table just allow the whitelisted users and drop the blacklisted ones.
iptables -A MineWall -p tcp --tcp-flags FIN FIN --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
@ -99,7 +98,14 @@ iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlim
iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
# Add MineWall to iptables and remove it just in case it is already there.
iptables -D DOCKER -p tcp -j MineWall
iptables -I DOCKER -p tcp -j MineWall
iptables -D $target_chain -p tcp -j MineWall
iptables -I $target_chain -p tcp -j MineWall
# REDHAT BASED
iptables-save > /etc/sysconfig/iptables
# DEBIAN BASED
iptables-save > /etc/iptables/rules.v4
# Having 2 files is not ideal but not an issue
# TODO: Check OS and apply specific commands only.
echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
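Review bot: The two `iptables-save` redirects on lines 47 and 49 run unconditionally and unchecked, so on a host where the other distribution's directory is absent the shell reports a redirect failure, yet the final echo on line 52 still claims success. Guarding each save on the directory that exists, `[[ -d /etc/sysconfig ]] && iptables-save > /etc/sysconfig/iptables`, and likewise for `/etc/iptables/rules.v4`, would close the TODO on line 51 without a full OS check. The new `iptables -I DOCKER -p tcp -j MineWall` on line 43 also runs on hosts without Docker, where the chain does not exist and the insert fails; presumably `iptables -n -L DOCKER >/dev/null 2>&1 &&` should guard both DOCKER lines, and since dockerd rebuilds that chain on restart the inserted rule may not survive, which is worth a comment. The same unconditional pattern appears in the first hunk, where both `apt` and `yum` run on every host with only stdout silenced.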

37
Tools/whitelister.sh

@ -1,2 +1,39 @@
#!/bin/bash
safety_list="https://api.entryrise.com/minewall/"
# Make sure to change protect port to your own protect port.
# $6 > X means the packet count before validating user.
# Recommending a value for X between 10k (~100 seconds) and 50k (~500 seconds) for validation)
command_check=$(conntrack -L | awk '{if ($6 > 10000 && $4 == "ESTABLISHED" && $8 == "dport=20003") print $5}');
#command_check=$(conntrack -L | awk '{if ($6 > PACKETS_TO_WHITELIST && $4 == "CONNECTION FULLY RUNNING" && $8 == "dport=PORT OF SERVER") print $5}');
echo "Updating blacklist for firewall."
for ip in $(curl -L $safety_list/{others}.iplist); do
ipset -A mw_blacklist $ip
done
echo "Updating whitelist for the firewall."
for ip in $(curl -L $safety_list/{wireless,residential,business}.iplist); do
ipset -A mw_whitelist $ip
done
echo "Sending actual players to remote database."
for data in $command_check; do
if [[ $data == "src="* ]]
then
curl -X POST -d 'ip='$(echo $data | cut -c 5-) $safety_list
fi
done
echo "Done"
#
#
#
#
#
# PUT THIS ON A CRONTAB TO RUN EACH 5 MINUTES!!!!
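Review bot: The list downloads on lines 66 and 70 run curl without `--fail`, so on an HTTP error the response body is word-split and each token is handed to `ipset -A`; ipset rejects non-addresses, but the run then prints one error per token, and `-A` also fails for every entry already present on the next cron run. Using `curl -fsSL` for both fetches and `ipset add -exist mw_blacklist "$ip"` (and the same for `mw_whitelist`) keeps each run quiet and idempotent. The awk filter on line 63 treats `$6` as the packet count, but if `src=` is field 5 as the `print $5` assumes, field 6 is the `dst=` token and compares as 0 in awk — worth confirming against the `conntrack -L` output on the target host before relying on the threshold. The hard-coded `dport=20003` there also duplicates `protect_port` from firewall.sh, so the two scripts can drift apart silently; a shared variable or a comment pointing at the other file would help.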