Nexos/waf
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cleanup

Browse Source
This commit is contained in:
n.diaz
2024-11-25 19:12:51 +01:00
parent f917303ec8
commit 74638343ae
1 changed files with 18 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
waf3.py
View File

@ -12,36 +12,45 @@ import yaml
from peewee import fn
from rich import print
base_path = Path('/var/opt/waf')
conf_file = base_path / 'config.yml'
db_path = base_path / 'waf.db'
if conf_file.exists():
conf = yaml.safe_load(conf_file.text())
else:
conf = {
'vroots': "/srv",
'whitelist_ips': [],
'date_range': 'last_hour',
'purge_older_than': 'three_days',
'db_filename': 'waf.db',
}
conf_file.touch()
yaml.dump(conf, conf_file.open('w'))
# with open('names.yaml', 'w') as file:
# db_path = base_path / 'waf.db'
now = arrow.utcnow()
older_than = now.shift(days=-3).floor('day')
last_hour = now.shift(hours=-1).floor('hour')
last_thirty_min = now.shift(minutes=-30)
# last_period = last_thirty_min
last_period = last_hour
# Configuring
db_path = base_path / globals()[conf['db_filename']]
date_range = globals()[conf['date_range']]
vroots = Path(conf['vroots'])
logs = vroots.glob('*/logs/*access*.log')
whitelist_ips = conf['whitelist_ips']
# Database
db = SqliteExtDatabase(db_path, pragmas={'journal_mode': 'wal'})
class Attack(peewee.Model):
ip = peewee.CharField(unique=True)
host = peewee.CharField(index = True)
date = peewee.DateTimeField(default=now.datetime)
# date = peewee.DateTimeField(default=datetime.datetime.now)
count = peewee.BigIntegerField()
class Meta:
@ -49,17 +58,16 @@ class Attack(peewee.Model):
Attack.create_table(True)
# CLI App
@click.group()
def cli():
pass
async def nginx_reload():
returned_value = subprocess.call('/usr/bin/systemctl reload nginx', shell=True)
if returned_value == 0:
click.echo(click.style('Nginx reloaded', fg="blue"))
async def get_denied():
denied = []
for rule in ufw.get_rules().values():
@ -67,11 +75,9 @@ async def get_denied():
denied.append(rule.split(' ')[-1])
return denied
async def deny(ip):
ufw.add('deny from ' + ip + ' to any', number=1)
def undeny(ip):
# Not async to avoid deleting wrong ufw rule.
for key, rule in ufw.get_rules().items():
@ -82,10 +88,9 @@ def undeny(ip):
# if attack:
# attack.delete_instance()
async def check(ip, host, date_position):
date = arrow.get(date_position,'DD/MMM/YYYY:HH:mm:ss')
if date > last_period:
if date > date_range:
find = Attack.get_or_none(Attack.ip == ip)
if find:
find.count = find.count + 1
@ -94,7 +99,6 @@ async def check(ip, host, date_position):
data = {'ip': ip, 'date':date.datetime, 'host': host, 'count':1}
Attack.create(**data)
checklist = [
{
'where': 'url',
@ -111,11 +115,6 @@ checklist = [
'in': "\\x00",
'store': 'suspects',
},
{
'where': 'url',
'in': 'xmlrpc',
'store': 'suspects',
},
{
'method': 'post',
'where': 'url',
@ -145,7 +144,6 @@ async def scan(log):
host = log.parent.parent.basename()
if ip not in whitelist_ips:
for rule in checklist:
# print(rule)
where = url
if rule['where'] == 'url':
where = url
@ -154,24 +152,15 @@ async def scan(log):
store = suspects
if 'in' in rule and rule['in'] in where:
store.append(check(ip, host, date_position))
#if 'xmlrpc' not in where:
# print(host)
break
elif 'startswith' in rule and url.startswith(rule['startswith']) and 'notin' in rule and rule['notin'] not in url:
store.append(check(ip, host, date_position))
# print(2)
break
elif 'startswith' in rule and url.startswith(rule['startswith']):
store.append(check(ip, host, date_position))
# print(3)
break
# elif 'login.php' in url and method == 'POST':
# if ip in suspects_login:
# suspects_login[ip].append( (ip, host, date_position) )
# else:
# suspects_login[ip] = [(ip, host, date_position),]
# elif 'wp-admin' in url and status not in ['200','302','499']:
# suspects.append(check(ip, host, date_position))
# store.append(check(ip, host, date_position))
# def is_suspicious_login(item):
# return len(item[1]) > 18