From df2fe54f2d1f9728975f3c86d583c2158649b7c9 Mon Sep 17 00:00:00 2001 
From: Steven Haigh Date: Tue, 30 Jul 2024 20:51:53 +1000 Subject: [PATCH 01/31] Add abuseipdb plugin --- security/abuseipdb/Makefile | 7 + .../abuseipdb/Api/ServiceController.php | 73 ++++++ .../abuseipdb/Api/SettingsController.php | 92 ++++++++ .../Api/SimplifiedSettingsController.php | 43 ++++ .../OPNsense/abuseipdb/IndexController.php | 46 ++++ .../OPNsense/abuseipdb/forms/general.xml | 15 ++ .../app/models/OPNsense/abuseipdb/ACL/ACL.xml | 9 + .../models/OPNsense/abuseipdb/Menu/Menu.xml | 5 + .../models/OPNsense/abuseipdb/abuseipdb.php | 37 +++ .../models/OPNsense/abuseipdb/abuseipdb.xml | 19 ++ .../app/views/OPNsense/abuseipdb/index.volt | 68 ++++++ .../OPNsense/abuseipdb/abuseipdb_reporter.php | 215 ++++++++++++++++++ .../conf/actions.d/actions_abuseipdb.conf | 5 + .../templates/OPNsense/abuseipdb/+TARGETS | 1 + .../OPNsense/abuseipdb/abuseipdb.conf | 4 + 15 files changed, 639 insertions(+) create mode 100644 security/abuseipdb/Makefile create mode 100644 security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php create mode 100644 security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php create mode 100644 security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php create mode 100644 security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/IndexController.php create mode 100644 security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml create mode 100644 security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/ACL/ACL.xml create mode 100644 security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml create mode 100644 security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php create mode 100644 security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml create mode 100644 
security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt create mode 100755 security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php create mode 100644 security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf create mode 100644 security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS create mode 100644 security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf diff --git a/security/abuseipdb/Makefile b/security/abuseipdb/Makefile new file mode 100644 index 0000000000..742cd1b8cc --- /dev/null +++ b/security/abuseipdb/Makefile @@ -0,0 +1,7 @@ +PLUGIN_NAME= abuseipdb +PLUGIN_VERSION= 0.1 +PLUGIN_REVISION= 1 +PLUGIN_COMMENT= Block hosts based on incoming rules +PLUGIN_MAINTAINER= netwiz@crc.id.au + +.include "../../Mk/plugins.mk" diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php new file mode 100644 index 0000000000..b43dddecf1 --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php @@ -0,0 +1,73 @@ +request->isPost()) { + $backend = new Backend(); + $bckresult = trim($backend->configdRun('template reload OPNsense/abuseipdb')); + if ($bckresult == "OK") { + $status = "ok"; + } + } + return array("status" => $status); + } + + /** + * test abuseipdb + */ + public function testAction() + { + if ($this->request->isPost()) { + $backend = new Backend(); + $bckresult = json_decode(trim($backend->configdRun("helloworld test")), true); + if ($bckresult !== null) { + // only return valid json type responses + return $bckresult; + } + } + return array("message" => "unable to run config action"); + } +} 
diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php new file mode 100644 index 0000000000..d77ac8110d --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php @@ -0,0 +1,92 @@ +request->isGet()) { + $mdlabuseipdb = new abuseipdb(); + $result['helloworld'] = $mdlabuseipdb->getNodes(); + } + return $result; + } + + /** + * update abuseipdb settings + * @return array status + * @throws \OPNsense\Base\ModelException + * @throws \ReflectionException + */ + public function setAction() + { + $result = array("result" => "failed"); + if ($this->request->isPost()) { + // load model and update with provided data + $mdlabuseipdb = new abuseipdb(); + $mdlabuseipdb->setNodes($this->request->getPost("helloworld")); + + // perform validation + $valMsgs = $mdlabuseipdb->performValidation(); + foreach ($valMsgs as $field => $msg) { + if (!array_key_exists("validations", $result)) { + $result["validations"] = array(); + } + $result["validations"]["helloworld." . $msg->getField()] = $msg->getMessage(); + } + + // serialize model to config and save + if ($valMsgs->count() == 0) { + $mdlabuseipdb->serializeToConfig(); + Config::getInstance()->save(); + $result["result"] = "saved"; + } + } + return $result; + } +} diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php new file mode 100644 index 0000000000..564bcd6d88 --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php @@ -0,0 +1,43 @@ +view->pick('OPNsense/abuseipdb/index'); + // fetch form data "general" in + $this->view->generalForm = $this->getForm("general"); + } +} 
diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml new file mode 100644 index 0000000000..04d0cab09b --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml @@ -0,0 +1,15 @@ +
+ + abuseipdb.general.Enabled + + checkbox + Enable this feature + + + abuseipdb.general.api_key + + text + + API Key from abuseipdb.com + +
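Review bot: The `abuseipdb.general.api_key` field is declared with type `text`, so the API key is shown in clear in the form and offered to browser autofill; OPNsense form definitions support type `password` for secrets, which masks the value in the UI. The XML tags in this hunk were stripped by extraction, so the exact element layout cannot be confirmed from the page, but the field's type line should read `password` instead of `text`.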
diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/ACL/ACL.xml b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/ACL/ACL.xml new file mode 100644 index 0000000000..6b9138b069 --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/ACL/ACL.xml @@ -0,0 +1,9 @@ + + + Services: abuseipdb + + ui/abuseipdb/* + api/abuseipdb/* + + + diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml new file mode 100644 index 0000000000..d2573cfcb8 --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php new file mode 100644 index 0000000000..ccf9125c54 --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php @@ -0,0 +1,37 @@ + + //OPNsense/abuseipdb + + abuseipdb.com firewall / reporter daemon + + + + + + + 1 + Y + + + N + + + + diff --git a/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt b/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt new file mode 100644 index 0000000000..69ced13c62 --- /dev/null +++ b/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt 
@@ -0,0 +1,68 @@ +{# + +OPNsense® is Copyright © 2014 – 2015 by Deciso B.V. +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, +this list of conditions and the following disclaimer in the documentation +and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +#} + + + + + +
+ {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}} +
+ +
+ + +
diff --git a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php new file mode 100755 index 0000000000..fa3e582fef --- /dev/null +++ b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php 
@@ -0,0 +1,215 @@ +#!/usr/local/bin/php +seek(PHP_INT_MAX); +$eof = $file->key(); +$file = null; + +## Init known hosts array +$known_ips = array(); + +## Handle 429 responses from abuseipdb. +$ratelimit_delay = 5; +$ratelimit_delay_max = 180; +$ratelimit_expires = 0; + +## Init the last log time. +$log_last = 0; + +## Prime the blocklist if we have an API Key. +if ( $api_key != "" ) { + get_blocklist($api_key, $flush_on_start); +} + +while (1) { + sleep(1); + + ## If the log file doesn't exist, just sleep. + if ( ! file_exists($log) ) { continue; } + + ## Process from the last EOF marker... + $file = new SplFileObject($log); + $file->seek($eof); + + ## Seek to last eof... + while (!$file->eof()) { + $elements = explode(',', $file->current()); + + ## Check if this is our drop rule.. + if ( $elements[3] == $filter_id ) { + ## Process IPv4 line. + if ( $elements[8] == 4 && ( $elements[16] == 'tcp' || $elements[16] == 'udp' ) ) { + $src = $elements[18]; + $src_port = $elements[20]; + $dest = $elements[19]; + $dest_port = $elements[21]; + $prot = $elements[16]; + } + + ## Process IPv6 line. + if ( $elements[8] == 6 ) { + $src = $elements[15]; + $src_port = $elements[17]; + $dest = $elements[16]; + $dest_port = $elements[18]; + } + + if ( ! $known_ips[$src] ) { + $known_ips[$src] = array(); + } + + if ( filter_var($src, FILTER_VALIDATE_IP) ) { + array_push($known_ips[$src], time()); + } + } + $file->next(); + } + $eof = $file->key(); + $file = null; + + $compare_time = time(); + $known_ips_new = array(); + ## Expire any old timestamps + foreach ( $known_ips as $ip => $timestamps ) { + $index = 0; + foreach ( $timestamps as $timestamp ) { + if ( $timestamp + $hits_time > $compare_time ) { + if ( ! 
$known_ips_new[$ip] ) { + $known_ips_new[$ip] = array(); + } + array_push($known_ips_new[$ip], $timestamp); + } + } + } + $known_ips = $known_ips_new; + unset($known_ips_new); + + $reports_outstanding = 0; + foreach ( $known_ips as $ip => $timestamps ) { + ## Process anything with more than $hits_num entries. + if ( count($timestamps) > $hits_num ) { + ## Add to the firewall alias. + shell_exec("pfctl -q -t abuseipdb -T add $ip"); + + if ( $api_key != "" ) { + if ( time() > $ratelimit_expires ) { + ## Send the report to adbuseipdb.com + $duration = $known_ips[$ip][count($known_ips[$ip]) -1] - $known_ips[$ip][0] + 1; + $data = [ + 'ip' => $ip, + 'timestamp' => date('c', $known_ips[$ip][0]), + 'categories' => "14", + 'comment' => "Honeypot hits: " . count($timestamps) . " hits in $duration second(s)" + ]; + $headers = ["Key: $api_key", "Accept: application/json"]; + $url = "https://api.abuseipdb.com/api/v2/report"; + list($result, $ret_code) = http_req("POST", $url, $headers, $data); + if ( $ret_code == 200 ) { + unset($known_ips[$ip]); + echo "Reported $ip successfully\n"; + $ratelimit_expires = 0; + $ratelimit_delay= 5; + } else { + echo "abuseipdb: Got status code: $ret_code - Ratelimiting active...\n"; + $ratelimit_delay *= 2; + if ( $ratelimit_delay >= $ratelimit_delay_max ) { + $ratelimit_delay = $ratelimit_delay_max; + } + $ratelimit_expires = time() + $ratelimit_delay; + $reports_outstanding++; + } + } else { + $reports_outstanding++; + } + } + } + } + + if ( time() > $log_last + $log_interval ) { + $log_last = time(); + if ( time() < $ratelimit_expires && $reports_outstanding != 0 ) { + echo "abuseipdb: Ratelimit active. $reports_outstanding reports outstanding\n"; + } + echo "Tracking " . count($known_ips) . 
" hosts\n"; + } +} + +function get_blocklist($api_key, $flush_on_start) { + echo "Downloading initial blocklist...\n"; + $data = [ 'confidenceMinimum' => 100, 'limit' => 9999999 ]; + $headers = ["Key: $api_key", "Accept: application/json"]; + $url = "https://api.abuseipdb.com/api/v2/blacklist"; + list($result, $resp_code) = http_req("GET", $url, $headers, $data); + + ## Process the list if we got one back. + if ( $resp_code == 200 ) { + ## Clear the current table... + if ( $flush_on_start == 1 ) { + echo "Clearing current table for initial priming...\n"; + shell_exec("pfctl -t abuseipdb -T flush"); + } + $addresses = array(); + $blocklist = json_decode($result, true); + foreach ($blocklist["data"] as $entry) { + if ( $entry["ipAddress"] ) { + ## Ensure we have a valid IP and no surprises + if ( filter_var($entry["ipAddress"], FILTER_VALIDATE_IP) ) { + array_push($addresses, $entry["ipAddress"]); + } + } + + if ( count($addresses) >= 500 ) { + shell_exec("pfctl -q -t abuseipdb -T add " . implode(" ", $addresses)); + $addresses = array(); + } + } + + ## Flush any left over entries to pfctl... + if ( count($addresses) != 0 ) { + shell_exec("pfctl -q -t abuseipdb -T add " . implode(" ", $addresses)); + } + echo "Imported " . count($blocklist["data"]) . " entries on startup...\n"; + } else { + echo "abuseipdb: Got reply code: $resp_code. Not importing anything...\n"; + } +} + +function http_req($method, $url, &$headers, &$data) { + if ( $method == "GET" ) { + $url = sprintf("%s?%s", $url, http_build_query($data)); + } + $ch = curl_init($url); + if ( $method == "POST" ) { + curl_setopt($ch,CURLOPT_POST, true); + curl_setopt($ch,CURLOPT_POSTFIELDS, http_build_query($data)); + } + curl_setopt($ch,CURLOPT_HTTPHEADER, $headers); + curl_setopt($ch,CURLOPT_RETURNTRANSFER, true); + $result = curl_exec($ch); + + return array($result, curl_getinfo($ch, CURLINFO_HTTP_CODE)); +} + +?> 
diff --git a/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
new file mode 100644
index 0000000000..347487886d
--- /dev/null
+++ b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
@@ -0,0 +1,5 @@
+[abuseipdb]
+command:/usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php
+parameters:
+type:script_output
+message:abuseipdb.com reporting & firewall daemon
diff --git a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS
new file mode 100644
index 0000000000..cb949302a9
--- /dev/null
+++ b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS
@@ -0,0 +1 @@
+abuseipdb.conf:/usr/local/etc/abuseipdb/abuseipdb.conf
diff --git a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf
new file mode 100644
index 0000000000..c53ee7fec5
--- /dev/null
+++ b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf
@@ -0,0 +1,4 @@
+{% if helpers.exists('OPNsense.abuseipdb.general') and OPNsense.abuseipdb.general.Enabled|default("0") == "1" %}
+[general]
+api_key={{ OPNsense.abuseipdb.general.api_key|default("") }}
+{% endif %}
From e910dc066a55f7cade696726d0c02f291e0db5a3 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Tue, 30 Jul 2024 21:44:10 +1000 Subject: [PATCH 02/31] Update rc.d script and actions file --- .../opnsense-abuseipdb/opnsense-abuseipdb | 48 +++++++++++++++++++ .../conf/actions.d/actions_abuseipdb.conf | 24 ++++++++-- 2 files changed, 69 insertions(+), 3 deletions(-) create mode 100644 security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb/opnsense-abuseipdb
diff --git a/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb/opnsense-abuseipdb b/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb/opnsense-abuseipdb
new file mode 100644
index 0000000000..55b711d8ed
--- /dev/null
+++ b/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb/opnsense-abuseipdb
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# PROVIDE: opnsense-abuseipdb
+# REQUIRE: SERVERS
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name=abuseipdb
+
+stop_cmd=abuseipdb_stop
+start_cmd=abuseipdb_start
+status_cmd=abuseipdb_status
+rcvar=abuseipdb_enable
+
+load_rc_config opnsense-abuseipdb
+pidfile=/var/run/${name}.pid
+
+[ -z "$abuseipdb_enable" ] && abuseipdb_enable="NO"
+
+abuseipdb_status()
+{
+ if [ -n "$rc_pid" ]; then
+ echo "${name} is running as pid $rc_pid."
+ return 0
+ else
+ echo "${name} is not running."
+ fi
+}
+
+abuseipdb_stop()
+{
+ if [ -n "$rc_pid" ]; then
+ echo "stopping abuseipdb"
+ kill -2 ${rc_pid}
+ else
+ echo "${name} is not running."
+ fi
+}
+
+abuseipdb_start()
+{
+ echo "starting abuseipdb"
+ /usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php &
+ return 0
+}
+
+run_rc_command $1
diff --git a/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
index 347487886d..6cd3c2a332 100644
--- a/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
+++ b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
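Review bot: `abuseipdb_start` backgrounds the PHP script with `&` but never writes `$pidfile`, and neither `command` nor `procname` is set, so as far as I read rc.subr it never computes `rc_pid`; `abuseipdb_status` and `abuseipdb_stop` will therefore report "not running" even while the reporter is up, and `onestop` leaves it running. Launching it under daemon(8) keeps the pid file maintained: `/usr/sbin/daemon -f -p ${pidfile} /usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php`, together with `procname=/usr/local/bin/php` (the script's interpreter) so rc.subr can match the process. `abuseipdb_status` also falls through without an exit code in its not-running branch; add `return 1` there so the `status` action can distinguish the two states.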
@@ -1,5 +1,23 @@
-[abuseipdb]
-command:/usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php
+[stop]
+command:/usr/local/etc/rc.d/ipabusedb onestop; exit 0
 parameters:
 type:script_output
-message:abuseipdb.com reporting & firewall daemon
+message:stop abuseipdb
+
+[start]
+command:/usr/local/etc/rc.d/ipabusedb onestart; exit 0
+parameters:
+type:script_output
+message:start abuseipdb
+
+[restart]
+command:/usr/local/etc/rc.d/ipabusedb onestop; /usr/local/etc/rc.d/ipabusedb onestart; exit 0
+parameters:
+type:script_output
+message:restart abuseipdb
+
+[status]
+command:/usr/local/etc/rc.d/ipabusedb status; exit 0
+parameters:
+type:script_output
+message:abuseipdb status
From dbfa66739064b84113a4f792bd29c9055f66b625 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Tue, 30 Jul 2024 21:46:06 +1000 Subject: [PATCH 03/31] Fix rc.d location --- .../src/etc/rc.d/{opnsense-abuseipdb => }/opnsense-abuseipdb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename security/abuseipdb/src/etc/rc.d/{opnsense-abuseipdb => }/opnsense-abuseipdb (100%)
diff --git a/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb/opnsense-abuseipdb b/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb
similarity index 100%
rename from security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb/opnsense-abuseipdb
rename to security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb
From b31143f4a49a545481cb8aeabcc4c8ade857a3f2 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Tue, 30 Jul 2024 22:17:52 +1000 Subject: [PATCH 04/31] Update scripts --- .../abuseipdb/Api/ServiceController.php | 2 +- .../abuseipdb/Api/SettingsController.php | 6 +++--- .../Api/SimplifiedSettingsController.php | 2 +- .../OPNsense/abuseipdb/forms/general.xml | 17 +++++++++++++++-- .../app/models/OPNsense/abuseipdb/abuseipdb.php | 4 ++-- .../app/models/OPNsense/abuseipdb/abuseipdb.xml | 12 ++++++++++-- 6 files changed, 32 insertions(+), 11 deletions(-)
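Review bot: Every `command:` line in the four new sections calls `/usr/local/etc/rc.d/ipabusedb`, but the rc script added in this commit is installed as `opnsense-abuseipdb` (and as `abuseipdb` later in the series); no file named `ipabusedb` exists anywhere in the patch set, and the trailing `; exit 0` hides the resulting "not found" error so configd reports start/stop/restart as successful. Correct the path in all four sections, e.g. `command:/usr/local/etc/rc.d/opnsense-abuseipdb onestop; exit 0`, and keep the name in sync with the rc script when it is renamed again.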
diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php index b43dddecf1..b9cb49aab8 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php @@ -62,7 +62,7 @@ public function testAction() { if ($this->request->isPost()) { $backend = new Backend(); - $bckresult = json_decode(trim($backend->configdRun("helloworld test")), true); + $bckresult = json_decode(trim($backend->configdRun("abuseipdb")), true); if ($bckresult !== null) { // only return valid json type responses return $bckresult; diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php index d77ac8110d..a7b6df5a4c 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php @@ -52,7 +52,7 @@ public function getAction() $result = array(); if ($this->request->isGet()) { $mdlabuseipdb = new abuseipdb(); - $result['helloworld'] = $mdlabuseipdb->getNodes(); + $result['abuseipdb'] = $mdlabuseipdb->getNodes(); } return $result; } @@ -69,7 +69,7 @@ public function setAction() if ($this->request->isPost()) { // load model and update with provided data $mdlabuseipdb = new abuseipdb(); - $mdlabuseipdb->setNodes($this->request->getPost("helloworld")); + $mdlabuseipdb->setNodes($this->request->getPost("abuseipdb")); // perform validation $valMsgs = $mdlabuseipdb->performValidation(); 
@@ -77,7 +77,7 @@ public function setAction() if (!array_key_exists("validations", $result)) { $result["validations"] = array(); } - $result["validations"]["helloworld." . $msg->getField()] = $msg->getMessage(); + $result["validations"]["abuseipdb." . $msg->getField()] = $msg->getMessage(); } // serialize model to config and save diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php index 564bcd6d88..3c6928d014 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php @@ -38,6 +38,6 @@ */ class SimplifiedSettingsController extends ApiMutableModelControllerBase { - protected static $internalModelName = 'helloworld'; + protected static $internalModelName = 'abuseipdb'; protected static $internalModelClass = 'OPNsense\abuseipdb\abuseipdb'; } diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml index 04d0cab09b..2348cabb6e 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml @@ -1,7 +1,13 @@
- abuseipdb.general.Enabled - + abuseipdb.general.enabled + + checkbox + Enable this feature + + + abuseipdb.general.flush_on_start + checkbox Enable this feature @@ -12,4 +18,11 @@ API Key from abuseipdb.com + + abuseipdb.general.log_interval + + text + + Log status every X seconds +
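Review bot: The new `abuseipdb.general.flush_on_start` field reuses the `Enable this feature` text of the `enabled` field, so the form shows two identically described checkboxes; give it its own wording, e.g. `Flush the abuseipdb pf table before importing the blocklist on start`. `abuseipdb.general.log_interval` is a `text` input whose help text promises seconds, so a non-numeric value is only rejected if the model field type enforces it; the model hunk's tags are stripped in this extraction, so that cannot be confirmed from the page.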
diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php index ccf9125c54..a7068590cc 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.php @@ -28,10 +28,10 @@ * */ -namespace OPNsense\HelloWorld; +namespace OPNsense\abuseipdb; use OPNsense\Base\BaseModel; -class HelloWorld extends BaseModel +class abuseipdb extends BaseModel { } diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml index fbc545d335..f915a7afaf 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml @@ -7,13 +7,21 @@ - + 1 Y - + + + 0 + Y + N + + 60 + N + From c86ad1cdd068e908660c80379e193edbc33e2d92 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Tue, 30 Jul 2024 22:33:09 +1000 Subject: [PATCH 05/31] Add more fields to the UI --- .../OPNsense/abuseipdb/forms/general.xml | 16 +++++++++++++++- .../app/models/OPNsense/abuseipdb/abuseipdb.xml | 8 ++++++++ .../mvc/app/views/OPNsense/abuseipdb/index.volt | 9 --------- 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml index 2348cabb6e..14bd3eb239 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml 
@@ -18,9 +18,23 @@ API Key from abuseipdb.com + + abuseipdb.general.packet_count + + text + + Number of packets before triggering a report / block in threshold seconds + + + abuseipdb.general.packet_timeframe + + text + + How long to track packets in seconds. + abuseipdb.general.log_interval - + text Log status every X seconds diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml index f915a7afaf..24991f988d 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml @@ -18,6 +18,14 @@ N + + 10 + Y + + + 120 + Y + 60 N diff --git a/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt b/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt index 69ced13c62..fd3025ef12 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt +++ b/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt @@ -43,14 +43,6 @@ POSSIBILITY OF SUCH DAMAGE. }); }); - $("#testAct").click(function(){ - $("#responseMsg").removeClass("hidden"); - ajaxCall(url="/api/abuseipdb/service/test", sendData={},callback=function(data,status) { - // action to run after reload - $("#responseMsg").html(data['message']); - }); - }); - }); @@ -64,5 +56,4 @@ POSSIBILITY OF SUCH DAMAGE.
-
From 2f88070cac22b203d8173447afb8b3f2dc8dd3d0 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Tue, 30 Jul 2024 23:08:14 +1000 Subject: [PATCH 06/31] More updates --- .../OPNsense/abuseipdb/Api/ServiceController.php | 16 ---------------- .../templates/OPNsense/abuseipdb/abuseipdb.conf | 7 ++++--- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php index b9cb49aab8..e010b2c10f 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php @@ -54,20 +54,4 @@ public function reloadAction() } return array("status" => $status); } - - /** - * test abuseipdb - */ - public function testAction() - { - if ($this->request->isPost()) { - $backend = new Backend(); - $bckresult = json_decode(trim($backend->configdRun("abuseipdb")), true); - if ($bckresult !== null) { - // only return valid json type responses - return $bckresult; - } - } - return array("message" => "unable to run config action"); - } } diff --git a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf index c53ee7fec5..15eef2be8b 100644 --- a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf +++ b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf 
@@ -1,4 +1,5 @@
-{% if helpers.exists('OPNsense.abuseipdb.general') and OPNsense.abuseipdb.general.Enabled|default("0") == "1" %}
-[general]
-api_key={{ OPNsense.abuseipdb.general.api_key|default("") }}
+{% if helpers.exists('OPNsense.abuseipdb.general.enabled') and OPNsense.abuseipdb.general.enabled|default("0") == "1" %}
+abuseipdb_enable="YES"
+{% else %}
+abuseipdb_enable="NO"
 {% endif %}
From 1c16971b65edc18b0f8772373a3527b1babf2700 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Tue, 30 Jul 2024 23:11:42 +1000 Subject: [PATCH 07/31] Fix indenting --- .../abuseipdb/src/etc/rc.d/opnsense-abuseipdb | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb b/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb
index 55b711d8ed..c3c5bd9150 100644
--- a/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb
+++ b/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb
@@ -20,27 +20,27 @@ pidfile=/var/run/${name}.pid abuseipdb_status() { - if [ -n "$rc_pid" ]; then - echo "${name} is running as pid $rc_pid." - return 0 - else - echo "${name} is not running." - fi + if [ -n "$rc_pid" ]; then + echo "${name} is running as pid $rc_pid." + return 0 + else + echo "${name} is not running." + fi } abuseipdb_stop() { - if [ -n "$rc_pid" ]; then - echo "stopping abuseipdb" - kill -2 ${rc_pid} - else - echo "${name} is not running." - fi + if [ -n "$rc_pid" ]; then + echo "stopping abuseipdb" + kill -2 ${rc_pid} + else + echo "${name} is not running." + fi } abuseipdb_start() { - echo "starting abuseipdb" + echo "starting abuseipdb" /usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php & return 0 }
From e75bbf86dfdc6e5ac7b3cb819fe606b4c2daf438 Mon Sep 17 00:00:00 2001
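Review bot: The template now emits `abuseipdb_enable="YES"`/`"NO"` in rc.conf syntax, but `+TARGETS` (not touched by this commit) still writes it to `/usr/local/etc/abuseipdb/abuseipdb.conf`, a path `load_rc_config` does not consult, so the rc script's `rcvar` stays at the `NO` default it sets itself and the service never starts through rc. Point the target at a file under `/etc/rc.conf.d/` named after the argument given to `load_rc_config`, or keep this file for the daemon's own settings. With `api_key` removed here, nothing visible in the series now renders the key or the `packet_count`/`packet_timeframe`/`log_interval` values into a file the reporter can read, so the daemon's configuration source should be confirmed.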
From: Steven Haigh Date: Wed, 31 Jul 2024 01:18:37 +1000 Subject: [PATCH 08/31] Add inc file --- security/abuseipdb/src/etc/inc/abuseipdb.inc | 52 +++++++++++++++++++ .../abuseipdb/src/etc/rc.d/opnsense-abuseipdb | 48 ----------------- 2 files changed, 52 insertions(+), 48 deletions(-) create mode 100644 security/abuseipdb/src/etc/inc/abuseipdb.inc delete mode 100644 security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb diff --git a/security/abuseipdb/src/etc/inc/abuseipdb.inc b/security/abuseipdb/src/etc/inc/abuseipdb.inc new file mode 100644 index 0000000000..e23bd640ba --- /dev/null +++ b/security/abuseipdb/src/etc/inc/abuseipdb.inc 
@@ -0,0 +1,52 @@ + + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +function abuseipdb_services() +{ + global $config; + + $services = array(); + + if ( + isset($config['OPNsense']['abuseipdb']['general']['enabled']) && + $config['OPNsense']['abuseipdb']['general']['enabled'] == 1 + ) { + $services[] = array( + 'description' => gettext('abuseipdb Daemon'), + 'configd' => array( + 'restart' => array('abuseipdb restart'), + 'start' => array('abuseipdb start'), + 'stop' => array('abuseipdb stop'), + ), + 'name' => 'abuseipdb', + 'pidfile' => '/var/run/abuseipdb.pid' + ); + } + + return $services; +} 
diff --git a/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb b/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb deleted file mode 100644 index c3c5bd9150..0000000000 --- a/security/abuseipdb/src/etc/rc.d/opnsense-abuseipdb +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/sh -# -# PROVIDE: opnsense-abuseipdb -# REQUIRE: SERVERS -# KEYWORD: shutdown - -. /etc/rc.subr - -name=abuseipdb - -stop_cmd=abuseipdb_stop -start_cmd=abuseipdb_start -status_cmd=abuseipdb_status -rcvar=abuseipdb_enable - -load_rc_config opnsense-abuseipdb -pidfile=/var/run/${name}.pid - -[ -z "$abuseipdb_enable" ] && abuseipdb_enable="NO" - -abuseipdb_status() -{ - if [ -n "$rc_pid" ]; then - echo "${name} is running as pid $rc_pid." - return 0 - else - echo "${name} is not running." - fi -} - -abuseipdb_stop() -{ - if [ -n "$rc_pid" ]; then - echo "stopping abuseipdb" - kill -2 ${rc_pid} - else - echo "${name} is not running." - fi -} - -abuseipdb_start() -{ - echo "starting abuseipdb" - /usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php & - return 0 -} - -run_rc_command $1 From bbaa4f961af79f2efab1522615fef20f89a6a73d Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Wed, 31 Jul 2024 01:30:42 +1000 Subject: [PATCH 09/31] More fixes... --- security/abuseipdb/src/etc/rc.d/abuseipdb | 48 +++++++++++++++++++ .../conf/actions.d/actions_abuseipdb.conf | 8 ++-- 2 files changed, 52 insertions(+), 4 deletions(-) create mode 100755 security/abuseipdb/src/etc/rc.d/abuseipdb diff --git a/security/abuseipdb/src/etc/rc.d/abuseipdb b/security/abuseipdb/src/etc/rc.d/abuseipdb new file mode 100755 index 0000000000..c3c5bd9150 --- /dev/null +++ b/security/abuseipdb/src/etc/rc.d/abuseipdb 
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# PROVIDE: opnsense-abuseipdb
+# REQUIRE: SERVERS
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name=abuseipdb
+
+stop_cmd=abuseipdb_stop
+start_cmd=abuseipdb_start
+status_cmd=abuseipdb_status
+rcvar=abuseipdb_enable
+
+load_rc_config opnsense-abuseipdb
+pidfile=/var/run/${name}.pid
+
+[ -z "$abuseipdb_enable" ] && abuseipdb_enable="NO"
+
+abuseipdb_status()
+{
+ if [ -n "$rc_pid" ]; then
+ echo "${name} is running as pid $rc_pid."
+ return 0
+ else
+ echo "${name} is not running."
+ fi
+}
+
+abuseipdb_stop()
+{
+ if [ -n "$rc_pid" ]; then
+ echo "stopping abuseipdb"
+ kill -2 ${rc_pid}
+ else
+ echo "${name} is not running."
+ fi
+}
+
+abuseipdb_start()
+{
+ echo "starting abuseipdb"
+ /usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php &
+ return 0
+}
+
+run_rc_command $1
diff --git a/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
index 6cd3c2a332..8b555614e5 100644
--- a/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
+++ b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf
@@ -1,23 +1,23 @@ [stop] -command:/usr/local/etc/rc.d/ipabusedb onestop; exit 0 +command:/usr/local/etc/rc.d/abuseipdb onestop; exit 0 parameters: type:script_output message:stop abuseipdb [start] -command:/usr/local/etc/rc.d/ipabusedb onestart; exit 0 +command:/usr/local/etc/rc.d/abuseipdb onestart; exit 0 parameters: type:script_output message:start abuseipdb [restart] -command:/usr/local/etc/rc.d/ipabusedb onestop; /usr/local/etc/rc.d/ipabusedb onestart; exit 0 +command:/usr/local/etc/rc.d/abuseipdb onestop; /usr/local/etc/rc.d/abuseipdb onestart; exit 0 parameters: type:script_output message:restart abuseipdb [status] -command:/usr/local/etc/rc.d/ipabusedb status; exit 0 +command:/usr/local/etc/rc.d/abuseipdb status; exit 0 parameters: type:script_output message:abuseipdb status From d0e384b2b7e54d288869c43b294d8fda94dcf329 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Wed, 31 Jul 2024 01:45:25 +1000 Subject: [PATCH 10/31] Import config from OPNsense vars --- .../OPNsense/abuseipdb/abuseipdb_reporter.php | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php index fa3e582fef..73034cca76 100755 --- a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php +++ b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php @@ -1,22 +1,20 @@ #!/usr/local/bin/php Date: Wed, 31 Jul 2024 01:51:27 +1000 Subject: [PATCH 11/31] Write PID to /var/run/abuseipdb.pid --- .../scripts/OPNsense/abuseipdb/abuseipdb_reporter.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php index 73034cca76..162c0eeb33 100755 
--- a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php +++ b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php @@ -3,7 +3,7 @@ include "config.inc"; if ( $config['OPNsense']['abuseipdb']["general"]["enabled"] != 1 ) { - exit 0; + exit; } ## Import config @@ -13,6 +13,10 @@ $hits_time = $config['OPNsense']['abuseipdb']["general"]["packet_timeframe"]; $log_interval = $config['OPNsense']['abuseipdb']["general"]["log_interval"]; +## Write the PID to disk. +file_put_contents("/var/run/abuseipdb.pid", getmypid()); +register_shutdown_function('unlink', "/var/run/abuseipdb.pid"); + ## Filter ID to report... $filter_id = "1033271e831bc05b5ee99c101f944dd6"; From a6ed7afd28f0332aa4d31a28be8cf93d81488be8 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Fri, 2 Aug 2024 02:21:20 +1000 Subject: [PATCH 12/31] Minor init script fixes --- security/abuseipdb/src/etc/rc.d/abuseipdb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/abuseipdb/src/etc/rc.d/abuseipdb b/security/abuseipdb/src/etc/rc.d/abuseipdb index c3c5bd9150..e0337556f5 100755 --- a/security/abuseipdb/src/etc/rc.d/abuseipdb +++ b/security/abuseipdb/src/etc/rc.d/abuseipdb @@ -1,6 +1,6 @@ #!/bin/sh # -# PROVIDE: opnsense-abuseipdb +# PROVIDE: abuseipdb # REQUIRE: SERVERS # KEYWORD: shutdown @@ -13,7 +13,7 @@ start_cmd=abuseipdb_start status_cmd=abuseipdb_status rcvar=abuseipdb_enable -load_rc_config opnsense-abuseipdb +load_rc_config abuseipdb pidfile=/var/run/${name}.pid [ -z "$abuseipdb_enable" ] && abuseipdb_enable="NO" From 29a9d3cd1134389ca36c310e923cfa8b1a293be0 Mon Sep 17 00:00:00 2001 
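Review bot: The pidfile write `file_put_contents("/var/run/abuseipdb.pid", getmypid());` clobbers an existing pidfile without checking whether that pid is still alive, so a second start (two configd start calls, or a restart issued before the old process has exited) leaves two daemons tailing the same log and reporting every hit twice, and whichever exits first unlinks the other's pidfile. Refuse to start when the recorded pid still exists, e.g. `if (is_file($pidfile) && posix_kill((int)file_get_contents($pidfile), 0)) { exit(1); }` before the write (assuming the posix extension is available, which I cannot confirm from here). The enabled check in the first hunk also dereferences `$config['OPNsense']['abuseipdb']["general"]["enabled"]` without isset, which emits a notice on a fresh install where the key is absent; `empty(...)` covers both the missing and the "0" case.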
From: Steven Haigh Date: Sat, 3 Aug 2024 01:03:14 +1000 Subject: [PATCH 13/31] Add filter_id to web UI and script --- .../OPNsense/abuseipdb/forms/general.xml | 14 ++++++++++---- .../app/models/OPNsense/abuseipdb/abuseipdb.xml | 3 +++ .../OPNsense/abuseipdb/abuseipdb_reporter.php | 10 +++++++--- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml index 14bd3eb239..47d90cfa9c 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml @@ -3,13 +3,13 @@ abuseipdb.general.enabled checkbox - Enable this feature + Enable the service
abuseipdb.general.flush_on_start checkbox - Enable this feature + Flush the abuseipdb Firewall Alias group when starting. If an API Key is set, will pre-populate with a download from abuseipdb.com abuseipdb.general.api_key @@ -18,12 +18,18 @@ API Key from abuseipdb.com + + abuseipdb.general.filter_id + + text + + Firewall Rule ID + abuseipdb.general.packet_count text - - Number of packets before triggering a report / block in threshold seconds + abuseipdb.general.packet_timeframe diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml index 24991f988d..4f43e892c8 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml @@ -18,6 +18,9 @@ N + + Y + 10 Y diff --git a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php index 162c0eeb33..916e03ee0c 100755 --- a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php +++ b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php @@ -2,24 +2,28 @@ Date: Sat, 3 Aug 2024 01:44:09 +1000 Subject: [PATCH 14/31] Update inc file to create firewall rule --- security/abuseipdb/src/etc/inc/abuseipdb.inc | 86 +++++++++++++++----- 1 file changed, 64 insertions(+), 22 deletions(-) diff --git a/security/abuseipdb/src/etc/inc/abuseipdb.inc b/security/abuseipdb/src/etc/inc/abuseipdb.inc index e23bd640ba..40c7760f1d 100644 --- a/security/abuseipdb/src/etc/inc/abuseipdb.inc +++ b/security/abuseipdb/src/etc/inc/abuseipdb.inc @@ -1,5 +1,4 @@ * All rights reserved. 
@@ -25,28 +24,71 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ +use OPNsense\Core\Config; +use OPNsense\Firewall\Alias; +use OPNsense\Firewall\Plugin; + +function add_alias_if_not_exist($name, $description, $proto) +{ + $model = new Alias(); + + if ($model->getByName($name) != null) { + return; + } + + $new_alias = $model->aliases->alias->Add(); + $new_alias->name = $name; + $new_alias->description = $description; + $new_alias->proto = $proto; + $new_alias->type = 'external'; + $model->serializeToConfig(); + Config::getInstance()->save(); +} + +function crowdsec_firewall(Plugin $fw) +{ + global $config; + if ( + isset($config['OPNsense']['abuseipdb']['general']['enabled']) && + $config['OPNsense']['abuseipdb']['general']['enabled'] == 1 + ) { + add_alias_if_not_exist('abuseipdb', 'abuseipdb blocklist', 'IPv4'); + $fw->registerFilterRule( + 1, /* priority */ + array( + 'ipprotocol' => 'inet', + 'descr' => 'abuseipdb blocklist', + 'from' => '$abuseipdb', # $ to reference an alias + 'direction' => 'in', + 'type' => 'block', + 'log' => $rules_log_enabled, + 'tag' => $rules_tag, + 'quick' => true + ) + ); + } function abuseipdb_services() { - global $config; - - $services = array(); - - if ( - isset($config['OPNsense']['abuseipdb']['general']['enabled']) && - $config['OPNsense']['abuseipdb']['general']['enabled'] == 1 - ) { - $services[] = array( - 'description' => gettext('abuseipdb Daemon'), - 'configd' => array( - 'restart' => array('abuseipdb restart'), - 'start' => array('abuseipdb start'), - 'stop' => array('abuseipdb stop'), - ), - 'name' => 'abuseipdb', - 'pidfile' => '/var/run/abuseipdb.pid' - ); - } - - return $services; + global $config; + $services = array(); + + if ( + isset($config['OPNsense']['abuseipdb']['general']['enabled']) && + $config['OPNsense']['abuseipdb']['general']['enabled'] == 1 + ) { + $services[] = array( + 'description' => 'abuseipdb Daemon', + 'configd' => array( + 
'restart' => array('abuseipdb restart'), + 'start' => array('abuseipdb start'), + 'stop' => array('abuseipdb stop'), + ), + 'name' => 'abuseipdb', + 'pidfile' => '/var/run/abuseipdb.pid' + ); + } + + return $services; } + From c9ee2df26ddccc25254b01d289062745015e471b Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 01:47:19 +1000 Subject: [PATCH 15/31] Fix pid file cleanup on exit --- .../scripts/OPNsense/abuseipdb/abuseipdb_reporter.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php index 916e03ee0c..33639c0e65 100755 --- a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php +++ b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php @@ -22,7 +22,7 @@ ## Write the PID to disk. file_put_contents("/var/run/abuseipdb.pid", getmypid()); -register_shutdown_function('unlink', "/var/run/abuseipdb.pid"); +register_shutdown_function('cleanup_on_exit'); ## Open up the pf log - /var/log/filter/latest.log $log = "/var/log/filter/latest.log"; @@ -218,4 +218,9 @@ function http_req($method, $url, &$headers, &$data) { return array($result, curl_getinfo($ch, CURLINFO_HTTP_CODE)); } +function cleanup_on_exit() { + unlink "/var/run/abuseipdb.pid"; + exit; +} + ?> From 2dd1f52a9b5c6e4d7359984814bdd5a5bdc61a8a Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 01:55:09 +1000 Subject: [PATCH 16/31] Fix inc file --- .../etc/inc/{ => plugins.inc.d}/abuseipdb.inc | 16 ++++++++-------- .../OPNsense/abuseipdb/abuseipdb_reporter.php | 1 + 2 files changed, 9 insertions(+), 8 deletions(-) rename security/abuseipdb/src/etc/inc/{ => plugins.inc.d}/abuseipdb.inc (89%) 
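Review bot: `crowdsec_firewall` references `$rules_log_enabled` and `$rules_tag`, which are defined nowhere in the hunk (they read as carried over from the plugin this was modelled on), and its body is never closed before `function abuseipdb_services()` begins, so the include fails to parse and every hook in the file is lost. Use literal values, `'log' => false,` and `'tag' => '',`, and close the function with `}` before the next definition. Separately, `add_alias_if_not_exist` calls `Config::getInstance()->save()` from inside the filter-generation hook, which means config.xml is rewritten during a filter reload whenever the alias is missing; creating the alias once when the plugin is enabled would keep the hook free of that side effect.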
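Review bot: `unlink "/var/run/abuseipdb.pid";` in the new `cleanup_on_exit` is not valid PHP (unlink is a function and needs parentheses), so the whole script fails to parse and the daemon cannot start; the line should read `unlink("/var/run/abuseipdb.pid");`, and the trailing `exit;` inside a shutdown function is redundant. Also note that shutdown functions only run on a normal exit: the stop path in this series sends a signal (SIGINT here, SIGTERM later), which terminates PHP without running `cleanup_on_exit` unless the daemon installs a handler with `pcntl_signal(SIGTERM, ...)` and `pcntl_async_signals(true)`. I cannot see the rest of the file, so if such a handler exists elsewhere this is already covered; otherwise the pidfile goes stale after every stop.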
diff --git a/security/abuseipdb/src/etc/inc/abuseipdb.inc b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc similarity index 89% rename from security/abuseipdb/src/etc/inc/abuseipdb.inc rename to security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc index 40c7760f1d..9eda7d3c00 100644 --- a/security/abuseipdb/src/etc/inc/abuseipdb.inc +++ b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc @@ -1,4 +1,5 @@ * All rights reserved. @@ -28,7 +29,7 @@ use OPNsense\Core\Config; use OPNsense\Firewall\Alias; use OPNsense\Firewall\Plugin; -function add_alias_if_not_exist($name, $description, $proto) +function add_alias_if_not_exist($name, $description) { $model = new Alias(); @@ -39,34 +40,34 @@ function add_alias_if_not_exist($name, $description, $proto) $new_alias = $model->aliases->alias->Add(); $new_alias->name = $name; $new_alias->description = $description; - $new_alias->proto = $proto; $new_alias->type = 'external'; $model->serializeToConfig(); Config::getInstance()->save(); } -function crowdsec_firewall(Plugin $fw) +function abuseipdb_firewall(Plugin $fw) { global $config; if ( isset($config['OPNsense']['abuseipdb']['general']['enabled']) && $config['OPNsense']['abuseipdb']['general']['enabled'] == 1 ) { - add_alias_if_not_exist('abuseipdb', 'abuseipdb blocklist', 'IPv4'); + add_alias_if_not_exist('abuseipdb', 'abuseipdb blocklist'); $fw->registerFilterRule( 1, /* priority */ array( - 'ipprotocol' => 'inet', + 'ipprotocol' => 'inet46', 'descr' => 'abuseipdb blocklist', 'from' => '$abuseipdb', # $ to reference an alias 'direction' => 'in', 'type' => 'block', - 'log' => $rules_log_enabled, - 'tag' => $rules_tag, + 'log' => false, + 'tag' => "", 'quick' => true ) ); } +} function abuseipdb_services() { @@ -91,4 +92,3 @@ function abuseipdb_services() return $services; } - 
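Review bot: The block rule is now registered with `'log' => false` hard-coded, so hits on the abuseipdb blocklist never show up in the filter log, which is the one place an operator can confirm the list is doing anything, and the daemon itself only watches /var/log/filter/latest.log. Consider exposing this as a plugin setting (a checkbox next to `flush_on_start` in general.xml) and reading it here, or at least defaulting to `'log' => true,` so blocked sources are visible. The change to `'ipprotocol' => 'inet46'` is fine only if IPv6 entries are actually fed into the table; with the alias `proto` dropped in the same hunk nothing constrains that either way.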
diff --git a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php index 33639c0e65..c8691aa173 100755 --- a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php +++ b/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php @@ -1,5 +1,6 @@ #!/usr/local/bin/php Date: Sat, 3 Aug 2024 02:55:17 +1000 Subject: [PATCH 17/31] Remove unneeded template --- .../opnsense/service/templates/OPNsense/abuseipdb/+TARGETS | 1 - .../service/templates/OPNsense/abuseipdb/abuseipdb.conf | 5 ----- 2 files changed, 6 deletions(-) delete mode 100644 security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS delete mode 100644 security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf diff --git a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS deleted file mode 100644 index cb949302a9..0000000000 --- a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/+TARGETS +++ /dev/null @@ -1 +0,0 @@ -abuseipdb.conf:/usr/local/etc/abuseipdb/abuseipdb.conf diff --git a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf b/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf deleted file mode 100644 index 15eef2be8b..0000000000 --- a/security/abuseipdb/src/opnsense/service/templates/OPNsense/abuseipdb/abuseipdb.conf +++ /dev/null @@ -1,5 +0,0 @@ -{% if helpers.exists('OPNsense.abuseipdb.general.enabled') and OPNsense.abuseipdb.general.enabled|default("0") == "1" %} -abuseipdb_enable="YES" -{% else %} -abuseipdb_enable="NO" -{% endif %} From cb6b733f1d899673794085bb1e970346bbf03782 Mon Sep 17 00:00:00 2001 
From: Steven Haigh Date: Sat, 3 Aug 2024 03:06:23 +1000 Subject: [PATCH 18/31] Remove rc.d script and use configd instead --- security/abuseipdb/src/etc/rc.d/abuseipdb | 48 ----------------------- 1 file changed, 48 deletions(-) delete mode 100755 security/abuseipdb/src/etc/rc.d/abuseipdb diff --git a/security/abuseipdb/src/etc/rc.d/abuseipdb b/security/abuseipdb/src/etc/rc.d/abuseipdb deleted file mode 100755 index e0337556f5..0000000000 --- a/security/abuseipdb/src/etc/rc.d/abuseipdb +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/sh -# -# PROVIDE: abuseipdb -# REQUIRE: SERVERS -# KEYWORD: shutdown - -. /etc/rc.subr - -name=abuseipdb - -stop_cmd=abuseipdb_stop -start_cmd=abuseipdb_start -status_cmd=abuseipdb_status -rcvar=abuseipdb_enable - -load_rc_config abuseipdb -pidfile=/var/run/${name}.pid - -[ -z "$abuseipdb_enable" ] && abuseipdb_enable="NO" - -abuseipdb_status() -{ - if [ -n "$rc_pid" ]; then - echo "${name} is running as pid $rc_pid." - return 0 - else - echo "${name} is not running." - fi -} - -abuseipdb_stop() -{ - if [ -n "$rc_pid" ]; then - echo "stopping abuseipdb" - kill -2 ${rc_pid} - else - echo "${name} is not running." - fi -} - -abuseipdb_start() -{ - echo "starting abuseipdb" - /usr/local/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php & - return 0 -} - -run_rc_command $1 From 492a7b617499e83e409beceb85a5ddf2dec3ea85 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 03:11:11 +1000 Subject: [PATCH 19/31] Move main daemon to a proper location --- .../scripts/{OPNsense => }/abuseipdb/abuseipdb_reporter.php | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename security/abuseipdb/src/opnsense/scripts/{OPNsense => }/abuseipdb/abuseipdb_reporter.php (100%) 
diff --git a/security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php similarity index 100% rename from security/abuseipdb/src/opnsense/scripts/OPNsense/abuseipdb/abuseipdb_reporter.php rename to security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php From ce79bd4c249ca4d587ac053fee98139c6fd91e8f Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 03:41:16 +1000 Subject: [PATCH 20/31] Update rc.d file and references --- .../src/etc/inc/plugins.inc.d/abuseipdb.inc | 17 ++++++++- security/abuseipdb/src/etc/rc.d/abuseipdb | 38 +++++++++++++++++++ .../scripts/abuseipdb/abuseipdb_reporter.php | 2 +- .../conf/actions.d/actions_abuseipdb.conf | 6 +-- 4 files changed, 58 insertions(+), 5 deletions(-) create mode 100755 security/abuseipdb/src/etc/rc.d/abuseipdb diff --git a/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc index 9eda7d3c00..19cc807b2a 100644 --- a/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc +++ b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc @@ -58,7 +58,7 @@ function abuseipdb_firewall(Plugin $fw) array( 'ipprotocol' => 'inet46', 'descr' => 'abuseipdb blocklist', - 'from' => '$abuseipdb', # $ to reference an alias + 'from' => '', 'direction' => 'in', 'type' => 'block', 'log' => false, @@ -92,3 +92,18 @@ function abuseipdb_services() return $services; } + +/** + * register legacy syslog facilities + * @return array + */ +function abuseipdb_syslog() +{ + $syslogconf = array(); + + $syslogconf['abuseipdb'] = array( + 'facility' => array('abuseipdb'), + ); + + return $syslogconf; +} diff --git a/security/abuseipdb/src/etc/rc.d/abuseipdb b/security/abuseipdb/src/etc/rc.d/abuseipdb new file mode 100755 index 0000000000..9662257c8b --- /dev/null +++ b/security/abuseipdb/src/etc/rc.d/abuseipdb 
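Review bot: Changing `'from' => '$abuseipdb'` to `'from' => ''` removes the only thing that made this a blocklist rule. I cannot see how `registerFilterRule` treats an empty `from`; if it falls back to `any`, this becomes a quick `block in` rule at priority 1 on every interface and cuts off all inbound traffic, and if it drops the rule instead, the blocklist is simply never enforced. If the `$abuseipdb` reference did not resolve, the fix is to make the alias resolvable (it is created by `add_alias_if_not_exist` above in the same file), not to blank it; keep `'from' => '$abuseipdb',` and verify the generated rule with `pfctl -sr | grep abuseipdb` after a filter reload.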
@@ -0,0 +1,38 @@ +#!/bin/sh +# PROVIDE: abuseipdb +# REQUIRE: DAEMON NETWORKING syslogd + +. /etc/rc.subr + +name="abuseipdb" +rcvar="abuseipdb_enable" + +load_rc_config $name + +: "${abuseipdb_enable="NO"}" + +case $1 in + start) + /usr/local/opnsense/scripts/abuseipdb/abuseipdb_reporter.php & + exit $? + ;; + stop) + read pid < /var/run/abuseipdb.pid + kill -TERM $pid + ;; + restart) + stop + start + ;; + status) + if [ -f /var/run/abuseipdb.pid ]; then + read pid < /var/run/abuseipdb.pid + ps $pid > /dev/null + if [ "$?" == "0" ]; then + echo "Process is running: $(ps $pid)" + exit 0 + fi + fi + echo "Process is not running..." + ;; +esac diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php index c8691aa173..e3ff98dd2a 100755 --- a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php +++ b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php @@ -220,7 +220,7 @@ function http_req($method, $url, &$headers, &$data) { } function cleanup_on_exit() { - unlink "/var/run/abuseipdb.pid"; + unlink("/var/run/abuseipdb.pid"); exit; } diff --git a/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf index 8b555614e5..230b66a1a4 100644 --- a/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf +++ b/security/abuseipdb/src/opnsense/service/conf/actions.d/actions_abuseipdb.conf 
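Review bot: `stop)` does `read pid < /var/run/abuseipdb.pid` with no check that the file exists or holds a number, so a stop after a crash (or before any start) runs `kill -TERM` with an empty argument, and a corrupted pidfile would signal whatever it contains. Guard it with `[ -r /var/run/abuseipdb.pid ] || exit 1` and `case $pid in ''|*[!0-9]*) exit 1;; esac` before `kill -TERM "$pid"`. `restart)` invokes `stop` and `start` as if they were functions, but in this version they are only case labels, so restart runs whatever `stop`/`start` binaries happen to be on PATH; and `[ "$?" == "0" ]` uses the non-POSIX `==`, which /bin/sh's `test` may reject — `if ps $pid > /dev/null; then` avoids both.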
@@ -1,17 +1,17 @@ [stop] -command:/usr/local/etc/rc.d/abuseipdb onestop; exit 0 +command:/usr/local/etc/rc.d/abuseipdb stop; exit 0 parameters: type:script_output message:stop abuseipdb [start] -command:/usr/local/etc/rc.d/abuseipdb onestart; exit 0 +command:/usr/local/etc/rc.d/abuseipdb start; exit 0 parameters: type:script_output message:start abuseipdb [restart] -command:/usr/local/etc/rc.d/abuseipdb onestop; /usr/local/etc/rc.d/abuseipdb onestart; exit 0 +command:/usr/local/etc/rc.d/abuseipdb restart; exit 0 parameters: type:script_output message:restart abuseipdb From 73561a65cb1315183349573d1f152d0ea4651073 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 12:51:03 +1000 Subject: [PATCH 21/31] Move echo logs to syslog --- .../scripts/abuseipdb/abuseipdb_reporter.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php index e3ff98dd2a..0c0ec72614 100755 --- a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php +++ b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php @@ -135,11 +135,11 @@ list($result, $ret_code) = http_req("POST", $url, $headers, $data); if ( $ret_code == 200 ) { unset($known_ips[$ip]); - echo "Reported $ip successfully\n"; + syslog(LOG_INFO, "Reported $ip successfully"); $ratelimit_expires = 0; $ratelimit_delay= 5; } else { - echo "abuseipdb: Got status code: $ret_code - Ratelimiting active...\n"; + syslog(LOG_NOTICE, "Got status code: $ret_code - Ratelimiting active..."); $ratelimit_delay *= 2; if ( $ratelimit_delay >= $ratelimit_delay_max ) { $ratelimit_delay = $ratelimit_delay_max; 
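Review bot: Every non-200 response is handled as rate limiting: the `else` branch doubles `$ratelimit_delay` and, as far as this hunk shows, leaves the address in `$known_ips` to be retried, so a 401 (bad API key) or 422 (rejected report) is logged as "Ratelimiting active" and retried forever at the maximum delay, hiding a misconfigured key from the operator. Back off only on 429 and 5xx, and on other 4xx drop the entry and log loudly: `} elseif ($ret_code == 429 || $ret_code >= 500) {` for the existing back-off path, then `else { unset($known_ips[$ip]); syslog(LOG_ERR, "API: report for $ip rejected with $ret_code"); }`. The status codes are from my recollection of the abuseipdb API, so confirm them against the current docs; the enclosing loop starts outside the hunk.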
@@ -157,14 +157,14 @@ if ( time() > $log_last + $log_interval ) { $log_last = time(); if ( time() < $ratelimit_expires && $reports_outstanding != 0 ) { - echo "abuseipdb: Ratelimit active. $reports_outstanding reports outstanding\n"; + syslog(LOG_NOTICE, "abuseipdb: Ratelimit active. $reports_outstanding reports outstanding"); } - echo "Tracking " . count($known_ips) . " hosts\n"; + syslog(LOG_INFO, "Tracking " . count($known_ips) . " hosts"); } } function get_blocklist($api_key, $flush_on_start) { - echo "Downloading initial blocklist...\n"; + syslog(LOG_INFO, "Downloading initial blocklist..."); $data = [ 'confidenceMinimum' => 100, 'limit' => 9999999 ]; $headers = ["Key: $api_key", "Accept: application/json"]; $url = "https://api.abuseipdb.com/api/v2/blacklist"; @@ -174,7 +174,7 @@ function get_blocklist($api_key, $flush_on_start) { if ( $resp_code == 200 ) { ## Clear the current table... if ( $flush_on_start == 1 ) { - echo "Clearing current table for initial priming...\n"; + syslog(LOG_NOTICE, "Clearing current table for initial priming..."); shell_exec("pfctl -t abuseipdb -T flush"); } $addresses = array(); @@ -197,9 +197,9 @@ function get_blocklist($api_key, $flush_on_start) { if ( count($addresses) != 0 ) { shell_exec("pfctl -q -t abuseipdb -T add " . implode(" ", $addresses)); } - echo "Imported " . count($blocklist["data"]) . " entries on startup...\n"; + syslog(LOG_INFO, "Imported " . count($blocklist["data"]) . " entries on startup..."); } else { - echo "abuseipdb: Got reply code: $resp_code. Not importing anything...\n"; + syslog(LOG_NOTICE, "Got reply code: $resp_code. Not importing anything..."); } } From ae876547c9ec49cd13077d0390339da80620eb1a Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 13:22:47 +1000 Subject: [PATCH 22/31] Add Log Files entry to menu --- .../mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
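Review bot: The `flush_on_start` path runs `pfctl -t abuseipdb -T flush` and then adds the downloaded list in a separate command later in the function, so between the two the table is empty, and if the add fails the table stays empty until the next restart. pf can do the swap atomically: write the addresses one per line to a temporary file and run `pfctl -q -t abuseipdb -T replace -f $tmpfile`, which also makes the separate flush unnecessary. `get_blocklist` continues past this hunk.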
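Review bot: The entries in `$addresses` come from the abuseipdb JSON response and are concatenated into a shell command with `implode(" ", $addresses)`, so the remote service, or anything that can answer for api.abuseipdb.com if `http_req` does not verify TLS (I cannot see its body), can inject into the pfctl command line; the loop that fills `$addresses` is outside this hunk, so I cannot tell whether each entry is validated. Validate when building the array, `if (filter_var($entry, FILTER_VALIDATE_IP) === false) { continue; }`, and pass the list via `-T replace -f` from a temporary file rather than argv, since a `limit` of 9,999,999 entries on a single command line will also exceed the kernel's argument limit.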
diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml index d2573cfcb8..429a405dc7 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/Menu/Menu.xml @@ -1,5 +1,12 @@ - + + + + + + + + From 6fddc53a38a58bd8ed242470ef41cb649fa88ff0 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 13:35:58 +1000 Subject: [PATCH 23/31] Rename main daemon script & hopefully fix syslog --- .../src/etc/inc/plugins.inc.d/abuseipdb.inc | 15 --------------- security/abuseipdb/src/etc/rc.d/abuseipdb | 2 +- .../{abuseipdb_reporter.php => abuseipdb} | 0 .../OPNsense/Syslog/local/abuseipdb.conf | 6 ++++++ 4 files changed, 7 insertions(+), 16 deletions(-) rename security/abuseipdb/src/opnsense/scripts/abuseipdb/{abuseipdb_reporter.php => abuseipdb} (100%) create mode 100644 security/abuseipdb/src/opnsense/service/templates/OPNsense/Syslog/local/abuseipdb.conf diff --git a/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc index 19cc807b2a..f13ae6a40e 100644 --- a/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc +++ b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc @@ -92,18 +92,3 @@ function abuseipdb_services() return $services; } - -/** - * register legacy syslog facilities - * @return array - */ -function abuseipdb_syslog() -{ - $syslogconf = array(); - - $syslogconf['abuseipdb'] = array( - 'facility' => array('abuseipdb'), - ); - - return $syslogconf; -} diff --git a/security/abuseipdb/src/etc/rc.d/abuseipdb b/security/abuseipdb/src/etc/rc.d/abuseipdb index 9662257c8b..c9807c7a61 100755 --- a/security/abuseipdb/src/etc/rc.d/abuseipdb +++ b/security/abuseipdb/src/etc/rc.d/abuseipdb 
@@ -13,7 +13,7 @@ load_rc_config $name case $1 in start) - /usr/local/opnsense/scripts/abuseipdb/abuseipdb_reporter.php & + /usr/local/opnsense/scripts/abuseipdb/abuseipdb & exit $? ;; stop) diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb similarity index 100% rename from security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb_reporter.php rename to security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb diff --git a/security/abuseipdb/src/opnsense/service/templates/OPNsense/Syslog/local/abuseipdb.conf b/security/abuseipdb/src/opnsense/service/templates/OPNsense/Syslog/local/abuseipdb.conf new file mode 100644 index 0000000000..01635f7e9f --- /dev/null +++ b/security/abuseipdb/src/opnsense/service/templates/OPNsense/Syslog/local/abuseipdb.conf @@ -0,0 +1,6 @@ +################################################################### +# Local syslog-ng configuration filter definition [abuseipdb]. +################################################################### +filter f_local_abuseipdb { + program("abuseipdb"); +}; From e2f4e67a8f89e5c57e849cd3ae4bfeeed05a8655 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 13:45:17 +1000 Subject: [PATCH 24/31] Fix initscript --- security/abuseipdb/src/etc/rc.d/abuseipdb | 38 +++++++++++++++-------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/security/abuseipdb/src/etc/rc.d/abuseipdb b/security/abuseipdb/src/etc/rc.d/abuseipdb index c9807c7a61..44ff3ab313 100755 --- a/security/abuseipdb/src/etc/rc.d/abuseipdb +++ b/security/abuseipdb/src/etc/rc.d/abuseipdb 
@@ -11,28 +11,40 @@ load_rc_config $name : "${abuseipdb_enable="NO"}" +start() { + /usr/local/opnsense/scripts/abuseipdb/abuseipdb & + exit $? +} + +stop() { + read pid < /var/run/abuseipdb.pid + kill -TERM $pid +} + +status() { + if [ -f /var/run/abuseipdb.pid ]; then + read pid < /var/run/abuseipdb.pid + ps $pid > /dev/null + if [ "$?" == "0" ]; then + echo "Process is running: $(ps $pid)" + exit 0 + fi + fi + echo "Process is not running..." +} + case $1 in start) - /usr/local/opnsense/scripts/abuseipdb/abuseipdb & - exit $? + start ;; stop) - read pid < /var/run/abuseipdb.pid - kill -TERM $pid + stop ;; restart) stop start ;; status) - if [ -f /var/run/abuseipdb.pid ]; then - read pid < /var/run/abuseipdb.pid - ps $pid > /dev/null - if [ "$?" == "0" ]; then - echo "Process is running: $(ps $pid)" - exit 0 - fi - fi - echo "Process is not running..." + status ;; esac From d84d588ca1e3ccfdd6e384d25eb194c11c79fe5e Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 13:56:56 +1000 Subject: [PATCH 25/31] Actually open the syslog before we log to it --- security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb index 0c0ec72614..1a7c6456cf 100755 --- a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb +++ b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb @@ -2,6 +2,7 @@ Date: Sat, 3 Aug 2024 14:32:16 +1000 Subject: [PATCH 26/31] Add more logging on adding IPs to blocklist --- .../abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb index 1a7c6456cf..fbae7de550 100755 --- a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb 
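Review bot: `stop()` reads `/var/run/abuseipdb.pid` without first checking that the file exists, so when the daemon is not running `read` fails and `kill -TERM` is invoked with an empty argument; guard it the way `status()` already does, e.g. `stop() { [ -f /var/run/abuseipdb.pid ] && kill -TERM "$(cat /var/run/abuseipdb.pid)"; }`. In `start()`, `exit $?` after `&` reports only whether the background launch itself succeeded, never the daemon's own result, so a daemon that dies immediately still returns 0 to the caller. The `[ "$?" == "0" ]` test in `status()` relies on `==`, which POSIX `test` does not guarantee; `if ps "$pid" > /dev/null; then` is portable and drops the `$?` indirection. The `abuseipdb_enable` rcvar set up at the top of the hunk is never consulted by any branch of the `case`; if that is deliberate because the daemon checks its own config, a one-line comment saying so would save the next reader the question.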
+++ b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb @@ -120,6 +120,7 @@ while (1) { if ( count($timestamps) > $hits_num ) { ## Add to the firewall alias. shell_exec("pfctl -q -t abuseipdb -T add $ip"); + syslog(LOG_INFO, "Added $ip to blocklist"); if ( $api_key != "" ) { if ( time() > $ratelimit_expires ) { @@ -136,11 +137,11 @@ while (1) { list($result, $ret_code) = http_req("POST", $url, $headers, $data); if ( $ret_code == 200 ) { unset($known_ips[$ip]); - syslog(LOG_INFO, "Reported $ip successfully"); + syslog(LOG_INFO, "API: Reported $ip successfully"); $ratelimit_expires = 0; $ratelimit_delay= 5; } else { - syslog(LOG_NOTICE, "Got status code: $ret_code - Ratelimiting active..."); + syslog(LOG_NOTICE, "API: Got status code: $ret_code - Ratelimiting active..."); $ratelimit_delay *= 2; if ( $ratelimit_delay >= $ratelimit_delay_max ) { $ratelimit_delay = $ratelimit_delay_max; @@ -158,7 +159,7 @@ while (1) { if ( time() > $log_last + $log_interval ) { $log_last = time(); if ( time() < $ratelimit_expires && $reports_outstanding != 0 ) { - syslog(LOG_NOTICE, "abuseipdb: Ratelimit active. $reports_outstanding reports outstanding"); + syslog(LOG_NOTICE, "API: Ratelimit active. $reports_outstanding reports outstanding"); } syslog(LOG_INFO, "Tracking " . count($known_ips) . " hosts"); } @@ -200,7 +201,7 @@ function get_blocklist($api_key, $flush_on_start) { } syslog(LOG_INFO, "Imported " . count($blocklist["data"]) . " entries on startup..."); } else { - syslog(LOG_NOTICE, "Got reply code: $resp_code. Not importing anything..."); + syslog(LOG_NOTICE, "API: Got reply code: $resp_code. Not importing anything..."); } } From a59962580444f011daaf7beb7c67ca97b5e81eaa Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 17:22:48 +1000 Subject: [PATCH 27/31] Rework daemon a little --- .../src/opnsense/scripts/abuseipdb/abuseipdb | 57 ++++++++++++------- 1 file changed, 36 insertions(+), 21 deletions(-) 
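Review bot: The new `syslog(LOG_INFO, "Added $ip to blocklist")` in the first hunk logs `$ip` immediately after it has been interpolated, unquoted, into `shell_exec("pfctl -q -t abuseipdb -T add $ip")`, and neither line checks that the `$known_ips` key is actually an IP address. Where `$known_ips` is populated lies outside this hunk, so if the keys originate from parsed log text a malformed entry reaches both the shell and the syslog unchecked. A guard ahead of the `shell_exec`, `if (filter_var($ip, FILTER_VALIDATE_IP) === false) { continue; }`, or passing `escapeshellarg($ip)`, closes that independently of how the array is built. The remaining hunks of this commit only reword log messages and need no change.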
diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb index fbae7de550..850cf26d31 100755 --- a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb +++ b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb @@ -37,9 +37,10 @@ $file = null; ## Init known hosts array $known_ips = array(); +$report_queue = array(); ## Handle 429 responses from abuseipdb. -$ratelimit_delay = 5; +$ratelimit_delay = 2; $ratelimit_delay_max = 180; $ratelimit_expires = 0; @@ -114,7 +115,6 @@ while (1) { $known_ips = $known_ips_new; unset($known_ips_new); - $reports_outstanding = 0; foreach ( $known_ips as $ip => $timestamps ) { ## Process anything with more than $hits_num entries. if ( count($timestamps) > $hits_num ) { 
@@ -123,45 +123,60 @@ while (1) { syslog(LOG_INFO, "Added $ip to blocklist"); if ( $api_key != "" ) { + $duration = $known_ips[$ip][count($known_ips[$ip]) -1] - $known_ips[$ip][0] + 1; + $data = [ + 'ip' => $ip, + 'timestamp' => date('c', $known_ips[$ip][0]), + 'categories' => "14", + 'comment' => "Honeypot hits: " . count($timestamps) . " hits in $duration second(s)" + ]; + array_push($report_queue, $data); + } + unset($known_ips[$ip]); + } + } + + ## Process any reports. + if ( $api_key != "" ) { + if ( time() > $ratelimit_expires ) { + $report_queue_new = array(); + + foreach ( $report_queue as $report ) { if ( time() > $ratelimit_expires ) { - ## Send the report to adbuseipdb.com - $duration = $known_ips[$ip][count($known_ips[$ip]) -1] - $known_ips[$ip][0] + 1; - $data = [ - 'ip' => $ip, - 'timestamp' => date('c', $known_ips[$ip][0]), - 'categories' => "14", - 'comment' => "Honeypot hits: " . count($timestamps) . " hits in $duration second(s)" - ]; $headers = ["Key: $api_key", "Accept: application/json"]; $url = "https://api.abuseipdb.com/api/v2/report"; - list($result, $ret_code) = http_req("POST", $url, $headers, $data); + list($result, $ret_code) = http_req("POST", $url, $headers, $report); if ( $ret_code == 200 ) { - unset($known_ips[$ip]); - syslog(LOG_INFO, "API: Reported $ip successfully"); + syslog(LOG_INFO, "API: Reported " . $report["ip"] . " successfully"); $ratelimit_expires = 0; - $ratelimit_delay= 5; + $ratelimit_delay= 2; } else { - syslog(LOG_NOTICE, "API: Got status code: $ret_code - Ratelimiting active..."); - $ratelimit_delay *= 2; + array_push($report_queue_new, $report); + $ratelimit_delay *= 1.5; if ( $ratelimit_delay >= $ratelimit_delay_max ) { $ratelimit_delay = $ratelimit_delay_max; } $ratelimit_expires = time() + $ratelimit_delay; - $reports_outstanding++; + syslog(LOG_NOTICE, "API: Got status code: $ret_code - Waiting " . ( $ratelimit_expires - time()) . 
" seconds before retry..."); } } else { - $reports_outstanding++; + ## We're still rate limited, just push the report back into the queue + array_push($report_queue_new, $report); } } + + $report_queue = $report_queue_new; + unset($report_queue_new); } } if ( time() > $log_last + $log_interval ) { $log_last = time(); - if ( time() < $ratelimit_expires && $reports_outstanding != 0 ) { - syslog(LOG_NOTICE, "API: Ratelimit active. $reports_outstanding reports outstanding"); + if ( count($report_queue) != 0 ) { + syslog(LOG_NOTICE, "Tracking " . count($known_ips) . " hosts, API ratelimit active. " . count($report_queue) . " report(s) outstanding"); + } else { + syslog(LOG_INFO, "Tracking " . count($known_ips) . " hosts"); } - syslog(LOG_INFO, "Tracking " . count($known_ips) . " hosts"); } } From 8e5f81879a1e8e1025142b2efd86fc4d52147ad2 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 23:31:30 +1000 Subject: [PATCH 28/31] Add option to toggle logging for auto-firewall rule --- .../abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc | 2 +- .../app/controllers/OPNsense/abuseipdb/forms/general.xml | 6 ++++++ .../mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml | 4 ++++ .../opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt | 2 +- .../abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb | 8 ++++---- 5 files changed, 16 insertions(+), 6 deletions(-) diff --git a/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc index f13ae6a40e..e717174fb6 100644 --- a/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc +++ b/security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc @@ -61,7 +61,7 @@ function abuseipdb_firewall(Plugin $fw) 'from' => '', 'direction' => 'in', 'type' => 'block', - 'log' => false, + 'log' => $config['OPNsense']['abuseipdb']['general']['log_denies'], 'tag' => "", 'quick' => true ) 
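Review bot: In the reworked report loop every non-200 response is pushed back onto `$report_queue_new` and lengthens the back-off, so a permanent rejection (for example a bad key or a payload the API refuses) is retried forever and holds up every later report behind it; only the 429 case the header comment names should back off and re-queue, while other codes should be logged and dropped. `$report_queue` also has no upper bound: while the API is unreachable it grows by one entry per blocked host until the process exhausts memory, so cap it, e.g. `if (count($report_queue) >= $report_queue_max) { array_shift($report_queue); }` before the `array_push`, with `$report_queue_max` defined beside `$ratelimit_delay_max`. `$ratelimit_delay *= 1.5` turns the delay into a float that is then added to `time()`; `$ratelimit_expires = time() + (int) ceil($ratelimit_delay);` keeps the expiry an integer like the other timestamps. The enclosing `while (1)` loop begins outside the hunk.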
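Review bot: `'log' => $config['OPNsense']['abuseipdb']['general']['log_denies']` replaces a literal `bool` with a raw config value which, if the model field is a BooleanField as the `0`/`Y` defaults added to abuseipdb.xml in this commit suggest, is the string `'0'` or `'1'`, and it raises an undefined-index warning on configurations saved before the field existed. `'log' => !empty($config['OPNsense']['abuseipdb']['general']['log_denies'])` yields a real boolean and tolerates the missing key. The body of `abuseipdb_firewall(Plugin $fw)` starts outside the hunk, so I cannot see whether `$config` is declared `global` there; if it is not, this line reads an undefined local and the rule silently gets `log => null`.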
diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml index 47d90cfa9c..d65a038a37 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/forms/general.xml @@ -11,6 +11,12 @@ checkbox Flush the abuseipdb Firewall Alias group when starting. If an API Key is set, will pre-populate with a download from abuseipdb.com + + abuseipdb.general.log_denies + + checkbox + Log packets that are denied by the abuseipdb firewall rule to the firewall logs + abuseipdb.general.api_key diff --git a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml index 4f43e892c8..c6ccd31e25 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml +++ b/security/abuseipdb/src/opnsense/mvc/app/models/OPNsense/abuseipdb/abuseipdb.xml @@ -15,6 +15,10 @@ 0 Y + + 0 + Y + N diff --git a/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt b/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt index fd3025ef12..211f37c318 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt +++ b/security/abuseipdb/src/opnsense/mvc/app/views/OPNsense/abuseipdb/index.volt 
@@ -37,7 +37,7 @@ POSSIBILITY OF SUCH DAMAGE. $("#saveAct").click(function(){ saveFormToEndpoint(url="/api/abuseipdb/settings/set",formid='frm_GeneralSettings',callback_ok=function(){ // action to run after successful save, for example reconfigure service. - ajaxCall(url="/api/abuseipdb/service/reload", sendData={},callback=function(data,status) { + ajaxCall(url="/api/abuseipdb/service/restart", sendData={},callback=function(data,status) { // action to run after reload }); }); diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb index 850cf26d31..e94c9fb6f5 100755 --- a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb +++ b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb @@ -1,6 +1,6 @@ #!/usr/local/bin/php = $ratelimit_delay_max ) { $ratelimit_delay = $ratelimit_delay_max; } From c5a3938985528604a6b3a52b47911af09a9a5895 Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 23:41:24 +1000 Subject: [PATCH 29/31] Fix API for stopping / starting service --- .../abuseipdb/Api/ServiceController.php | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php index e010b2c10f..fc1dad48a7 100644 --- a/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php +++ b/security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php 
@@ -30,28 +30,18 @@ namespace OPNsense\abuseipdb\Api; -use OPNsense\Base\ApiControllerBase; -use OPNsense\Core\Backend; +use OPNsense\Base\ApiMutableServiceControllerBase; +use OPNsense\Core\Config; -/** - * Class ServiceController - * @package OPNsense\Cron - */ -class ServiceController extends ApiControllerBase +class ServiceController extends ApiMutableServiceControllerBase { - /** - * reconfigure abuseipdb - */ - public function reloadAction() + protected static $internalServiceClass = '\OPNsense\abuseipdb\abuseipdb'; + protected static $internalServiceTemplate = 'OPNsense/abuseipdb'; + protected static $internalServiceEnabled = 'general.enabled'; + protected static $internalServiceName = 'abuseipdb'; + + protected function reconfigureForceRestart() { - $status = "failed"; - if ($this->request->isPost()) { - $backend = new Backend(); - $bckresult = trim($backend->configdRun('template reload OPNsense/abuseipdb')); - if ($bckresult == "OK") { - $status = "ok"; - } - } - return array("status" => $status); + return 0; } } From 8e3e6637004e2735024ea7950703d65e5ad69c3a Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 23:53:04 +1000 Subject: [PATCH 30/31] Add some more logging on startup --- security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb index e94c9fb6f5..557455e0ff 100755 --- a/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb +++ b/security/abuseipdb/src/opnsense/scripts/abuseipdb/abuseipdb 
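Review bot: `use OPNsense\Core\Config;` is added but nothing in the new class body references `Config`, so the import is dead and should be dropped unless the `Config` usage it was meant for is still missing. The class docblock that the removed `ApiControllerBase` version carried is not replaced; a short one above the class, `/** Service control (start/stop/restart/status/reconfigure) for the abuseipdb daemon. @package OPNsense\abuseipdb */`, also fixes the old `@package OPNsense\Cron` copy-paste. `reconfigureForceRestart()` returning `0` deserves a one-line comment on why a template reload without restart is sufficient here, particularly since the index.volt change in patch 28 switches the UI to call `service/restart`; the two decisions look inconsistent and one of them is probably unintended.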
@@ -3,14 +3,17 @@ // kate: space-indent off; indent-width 4; mixedindent off; syntax PHP (HTML) include "config.inc"; openlog('abuseipdb', LOG_PID, LOG_LOCAL0); +syslog(LOG_NOTICE, "abuseipdb system daemon starting."); ## Exit if we're disabled. if ( $config['OPNsense']['abuseipdb']["general"]["enabled"] != 1 ) { + syslog(LOG_ERROR, "abuseipdb disabled in config. Exiting..."); exit; } ## Exit if we have no filter ID set. if ( ! $config['OPNsense']['abuseipdb']["general"]["filter_id"] ) { + syslog(LOG_ERROR, "No firewall filter id set. Exiting..."); exit; } From 0404367a614e35d24eddd8b43b0cf68b37d1249c Mon Sep 17 00:00:00 2001 From: Steven Haigh Date: Sat, 3 Aug 2024 23:59:41 +1000 Subject: [PATCH 31/31] Add startup hook --- security/abuseipdb/src/etc/rc.syshook.d/start/99-abuseipdb | 3 +++ 1 file changed, 3 insertions(+) create mode 100755 security/abuseipdb/src/etc/rc.syshook.d/start/99-abuseipdb diff --git a/security/abuseipdb/src/etc/rc.syshook.d/start/99-abuseipdb b/security/abuseipdb/src/etc/rc.syshook.d/start/99-abuseipdb new file mode 100755 index 0000000000..46cff0f43a --- /dev/null +++ b/security/abuseipdb/src/etc/rc.syshook.d/start/99-abuseipdb @@ -0,0 +1,3 @@ +#!/bin/sh +# https://docs.opnsense.org/development/backend/autorun.html +/usr/local/etc/rc.d/abuseipdb start
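Review bot: `LOG_ERROR` is not a PHP constant; the syslog priority is `LOG_ERR`, so both added calls (`syslog(LOG_ERROR, "abuseipdb disabled in config. Exiting...")` and the filter-id one) raise an undefined-constant Error on PHP 8 and the daemon dies with a fatal error instead of writing the intended syslog line before `exit`. Change both to `syslog(LOG_ERR, ...)`. A disabled plugin is an expected state rather than a fault, so `LOG_NOTICE` fits the first message better and keeps it from being flagged as an error in the log viewer.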