Add responsive firewall / adbuseipdb integration plugin

security/abuseipdb/Makefile

@@ -0,0 +1,7 @@
+PLUGIN_NAME=		abuseipdb
+PLUGIN_VERSION=		0.1
+PLUGIN_REVISION=	1
+PLUGIN_COMMENT=		Block hosts based on incoming rules
+PLUGIN_MAINTAINER=	netwiz@crc.id.au
+
+.include "../../Mk/plugins.mk"

security/abuseipdb/src/etc/inc/plugins.inc.d/abuseipdb.inc

@@ -0,0 +1,94 @@
+<?php
+// kate: space-indent off; indent-width 4; mixedindent off; indent-mode cstyle;
+/*
+ *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+use OPNsense\Core\Config;
+use OPNsense\Firewall\Alias;
+use OPNsense\Firewall\Plugin;
+
+function add_alias_if_not_exist($name, $description)
+{
+	$model = new Alias();
+
+	if ($model->getByName($name) != null) {
+		return;
+	}
+
+	$new_alias = $model->aliases->alias->Add();
+	$new_alias->name = $name;
+	$new_alias->description = $description;
+	$new_alias->type = 'external';
+	$model->serializeToConfig();
+	Config::getInstance()->save();
+}
+
+function abuseipdb_firewall(Plugin $fw)
+{
+	global $config;
+	if (
+		isset($config['OPNsense']['abuseipdb']['general']['enabled']) &&
+		$config['OPNsense']['abuseipdb']['general']['enabled'] == 1
+	) {
+		add_alias_if_not_exist('abuseipdb', 'abuseipdb blocklist');
+		$fw->registerFilterRule(
+			1, /* priority */
+			array(
+				'ipprotocol'	=> 'inet46',
+				'descr'			=> 'abuseipdb blocklist',
+				'from'			=> '<abuseipdb>',
+				'direction'		=> 'in',
+				'type'			=> 'block',
+				'log'			=> $config['OPNsense']['abuseipdb']['general']['log_denies'],
+				'tag'			=> "",
+				'quick'			=> true
+			)
+		);
+	}
+}
+
+function abuseipdb_services()
+{
+	global $config;
+	$services = array();
+
+	if (
+		isset($config['OPNsense']['abuseipdb']['general']['enabled']) &&
+		$config['OPNsense']['abuseipdb']['general']['enabled'] == 1
+	) {
+		$services[] = array(
+			'description' => 'abuseipdb Daemon',
+			'configd' => array(
+				'restart'	=> array('abuseipdb restart'),
+				'start'		=> array('abuseipdb start'),
+				'stop'		=> array('abuseipdb stop'),
+			),
+			'name' => 'abuseipdb',
+			'pidfile' => '/var/run/abuseipdb.pid'
+		);
+	}
+
+	return $services;
+}

security/abuseipdb/src/etc/rc.d/abuseipdb

@@ -0,0 +1,50 @@
+#!/bin/sh
+# PROVIDE: abuseipdb
+# REQUIRE: DAEMON NETWORKING syslogd
+
+. /etc/rc.subr
+
+name="abuseipdb"
+rcvar="abuseipdb_enable"
+
+load_rc_config $name
+
+: "${abuseipdb_enable="NO"}"
+
+start() {
+	/usr/local/opnsense/scripts/abuseipdb/abuseipdb &
+	exit $?
+}
+
+stop() {
+	read pid < /var/run/abuseipdb.pid
+	kill -TERM $pid
+}
+
+status() {
+	if [ -f /var/run/abuseipdb.pid ]; then
+		read pid < /var/run/abuseipdb.pid
+		ps $pid > /dev/null
+		if [ "$?" == "0" ]; then
+			echo "Process is running: $(ps $pid)"
+			exit 0
+		fi
+	fi
+	echo "Process is not running..."
+}
+
+case $1 in
+	start)
+		start
+		;;
+	stop)
+		stop
+		;;
+	restart)
+		stop
+		start
+		;;
+	status)
+		status
+		;;
+esac

security/abuseipdb/src/etc/rc.syshook.d/start/99-abuseipdb

@@ -0,0 +1,3 @@
+#!/bin/sh
+# https://docs.opnsense.org/development/backend/autorun.html
+/usr/local/etc/rc.d/abuseipdb start

security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/ServiceController.php

@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\abuseipdb\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Config;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\abuseipdb\abuseipdb';
+    protected static $internalServiceTemplate = 'OPNsense/abuseipdb';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceName = 'abuseipdb';
+
+    protected function reconfigureForceRestart()
+    {
+        return 0;
+    }
+}

security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SettingsController.php

@@ -0,0 +1,92 @@
+<?php
+
+/**
+ *    Copyright (C) 2015-2019 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\abuseipdb\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\abuseipdb\abuseipdb;
+use OPNsense\Core\Config;
+
+/**
+ * Class SettingsController Handles settings related API actions for the abuseipdb module
+ * @package OPNsense\abuseipdb
+ */
+class SettingsController extends ApiControllerBase
+{
+    /**
+     * retrieve abuseipdb general settings
+     * @return array general settings
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        // define list of configurable settings
+        $result = array();
+        if ($this->request->isGet()) {
+            $mdlabuseipdb = new abuseipdb();
+            $result['abuseipdb'] = $mdlabuseipdb->getNodes();
+        }
+        return $result;
+    }
+
+    /**
+     * update abuseipdb settings
+     * @return array status
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function setAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            // load model and update with provided data
+            $mdlabuseipdb = new abuseipdb();
+            $mdlabuseipdb->setNodes($this->request->getPost("abuseipdb"));
+
+            // perform validation
+            $valMsgs = $mdlabuseipdb->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                if (!array_key_exists("validations", $result)) {
+                    $result["validations"] = array();
+                }
+                $result["validations"]["abuseipdb." . $msg->getField()] = $msg->getMessage();
+            }
+
+            // serialize model to config and save
+            if ($valMsgs->count() == 0) {
+                $mdlabuseipdb->serializeToConfig();
+                Config::getInstance()->save();
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+}

security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/Api/SimplifiedSettingsController.php

@@ -0,0 +1,43 @@
+<?php
+
+/**
+ *    Copyright (C) 2015-2019 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\abuseipdb\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * a simplified settings controller for our abuseipdb app, uses our ApiMutableModelControllerBase type
+ * @package OPNsense\abuseipdb
+ */
+class SimplifiedSettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'abuseipdb';
+    protected static $internalModelClass = 'OPNsense\abuseipdb\abuseipdb';
+}

security/abuseipdb/src/opnsense/mvc/app/controllers/OPNsense/abuseipdb/IndexController.php

@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\abuseipdb;
+
+/**
+ * Class IndexController
+ * @package OPNsense\abuseipdb
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve to our users.
+        $this->view->pick('OPNsense/abuseipdb/index');
+        // fetch form data "general" in
+        $this->view->generalForm = $this->getForm("general");
+    }
+}