51 Commits

Author SHA1 Message Date
Auke Kok
9042a01eab v4 v4 2017-05-11 08:56:56 -07:00
Auke Kok
2225ee029d Revert "also catch port probers that try ssl level evils"
This reverts commit dc8f37e41f.

This message can print on a normal and legitimate user when they
disconnect, and therefore would be a false positive. We should
100% never get close to blocking legitimate users, ever.
2017-05-10 21:49:16 -07:00
Auke Kok
dee23b8275 Lazy initialization.
At start, only initialize the journal, but wait until we actually
need to block anything before initializing ipset and iptables.
2017-05-10 21:14:07 -07:00
Auke Kok
34bd8d55bd Remove SIGUSR1 handler - dumping lists is obsolete with ipset. 2017-05-10 21:07:18 -07:00
Auke Kok
2a33768293 Don't break our LL on block.
We will prune regularly anyway, so this is entirely unneeded.
2017-05-10 20:59:36 -07:00
Auke Kok
ea958fd2b5 v3 v3 2017-05-08 08:49:15 -07:00
Auke Kok
4547892d56 Attempt to build against old systemd versions as well.
In case libsystemd isn't found, try libsystemd-journal as well.
2017-05-07 21:09:58 -07:00
Auke Kok
c661a20e33 Revert removal of prune().
We can't just delete an entry only when it is blocked, this
would forever leave all entries lingering in the list until
they hit the limit, and it would likely consume lots of memory.

Instead, we'll prune only based on timestamp values. This removes
old entries automatically regularly, but leaves new hits that
haven't hit the expiry time. If IPs get blocked, they're not
removed, but the expiry time will remove them. This will
assure that hosts that try in large intervals actually get
blocked again right away.
2017-05-07 20:36:32 -07:00
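The tracking list and the timestamp-only prune that this commit message describes, written out as an added example (this is not tallow's code). It keeps one entry per source address, counts attempts, signals a block when the count reaches a threshold, and removes entries purely by age of their last attempt, blocked or not, so the list cannot grow without bound. THRESHOLD, EXPIRE_SECS and all function names are this example's own assumptions, not tallow's defaults; the constructed timestamps in the comments are for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Added example, not tallow's code: a minimal version of the tracking list
 * and the timestamp-only prune described in the commit message.
 * THRESHOLD and EXPIRE_SECS are assumed values, not tallow's defaults. */

#define THRESHOLD   3     /* attempts before a source is blocked (assumed) */
#define EXPIRE_SECS 3600  /* entries idle longer than this are dropped (assumed) */

struct host {
    char ip[64];
    unsigned int hits;     /* attempts seen since the entry was created */
    time_t last;           /* timestamp of the most recent attempt */
    struct host *next;
};

static struct host *hosts;            /* singly linked list of tracked sources */
static unsigned int blocks_issued;    /* stands in for the ipset add call */

/* Record one failed attempt from `ip` at `now`. Returns true when the
 * source is at or over the threshold, i.e. a block should be (re)issued.
 * The entry is kept after blocking: only the prune below ever removes it,
 * so a source that retries inside the window is blocked again immediately. */
bool tallow_hit(const char *ip, time_t now)
{
    struct host *h;

    if (!ip)                          /* strtok() can hand back NULL */
        return false;
    for (h = hosts; h; h = h->next)
        if (strcmp(h->ip, ip) == 0)
            break;
    if (!h) {
        h = calloc(1, sizeof *h);
        if (!h)
            return false;
        snprintf(h->ip, sizeof h->ip, "%s", ip);
        h->next = hosts;              /* insert at head */
        hosts = h;
    }
    h->hits++;
    h->last = now;
    if (h->hits >= THRESHOLD) {
        blocks_issued++;
        return true;
    }
    return false;
}

/* Drop every entry whose most recent attempt is older than EXPIRE_SECS,
 * blocked or not. Unlinking through a pointer-to-pointer keeps the list
 * intact while walking it. Returns how many entries were freed. */
unsigned int tallow_prune(time_t now)
{
    unsigned int removed = 0;
    struct host **pp = &hosts;

    while (*pp) {
        struct host *h = *pp;
        if (now - h->last > EXPIRE_SECS) {
            *pp = h->next;
            free(h);
            removed++;
        } else {
            pp = &h->next;
        }
    }
    return removed;
}

/* Number of entries currently tracked (useful for watching memory growth). */
unsigned int tallow_tracked(void)
{
    unsigned int n = 0;
    for (struct host *h = hosts; h; h = h->next)
        n++;
    return n;
}

unsigned int tallow_blocks_issued(void)
{
    return blocks_issued;
}
```

Calling `tallow_prune()` on every pass over the journal queue is enough: a source that keeps retrying is never pruned (its `last` keeps moving forward) and is re-blocked on each attempt past the threshold, while a source that goes quiet for longer than the window disappears from the list and starts from zero if it returns.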
Arjan van de Ven
9f37520c72 ip can be NULL (output of strtok) 2017-05-07 20:23:37 -07:00
Arjan van de Ven
dc8f37e41f also catch port probers that try ssl level evils 2017-05-07 20:23:31 -07:00
Auke Kok
d590c8f67f v2: ipset release. v2 2017-05-07 00:17:48 -07:00
Auke Kok
ec2b5cbfc0 Make ipset init clean and working. 2017-05-07 00:05:25 -07:00
Auke Kok
cb41c16e93 Minor ipset fixes. 2017-05-06 23:38:28 -07:00
Auke Kok
40568eb4cd Man pages and checked out folders. 2017-05-06 23:14:06 -07:00
Auke Kok
992927798d Convert to ipset.
Create `tallow` and `tallow6` ipsets, hook up to iptables
and create a single rule in the INPUT chain of the filter
table.

The ipsets created have `expire` timeouts set by default
which removes the need to do pruning, so we can erase entries
immediately from our LL when blocking.
2017-05-06 23:12:22 -07:00
Arjan van de Ven
fba8921952 add to .gitignore 2017-05-06 22:36:55 -07:00
Arjan van de Ven
73e9cd7011 add travis support 2017-05-06 22:36:55 -07:00
Arjan van de Ven
a4d9d9688e add -W 2017-05-06 22:35:49 -07:00
Arjan van de Ven
35eeabb146 avoid a large .data section by just initializing the big structures at run time 2017-05-06 22:35:49 -07:00
Auke Kok
08d45d39fd Convert man page to ronn generated .md input format. 2017-05-06 22:12:30 -07:00
Auke Kok
cd65e1c48a v1 v1 2017-05-06 21:46:27 -07:00
Auke Kok
47d7bf1d1f Link against libsystemd instead.
With more recent versions, these symbols are now
moved.
2017-03-25 13:00:03 -07:00
Auke Kok
b81b440495 Err, usec timeout value.
This was causing a very tight loop if the journal rotates.
2015-06-21 15:26:56 -07:00
Auke Kok
afe1a2663b Fixes: Make tailing the journal way more robust.
This is a far more robust way of tailing the journal that seems
to work on 2 different journal versions. It's a bit more involved
and journal slowness may cause it to take several seconds to iterate
through the journal after a rotate or after startup, but it's far
more reliable than the old method.

I've also pushed all the output to stderr which makes the blocked/
unblocked messages end up in the journal itself.
2015-06-21 13:18:04 -07:00
Auke Kok
dee31e8fc2 Clean up array properly. 2015-06-20 20:24:11 -07:00
Auke Kok
54adb2f684 Print a msg if ipv6 is disabled. 2015-03-21 14:56:09 -07:00
Auke Kok
cbcb62c206 Add ipv6 support.
Can be disabled (ipv6=0 in conf).

Also ignores new chain errors since we assume those will fail.
2015-03-21 14:27:10 -07:00
Auke Kok
c6343259ce Overdue fixes I've had running for a while. 2015-03-20 20:42:01 -07:00
Auke Kok
94f4e191fb Fix journal forward issue, add dump option.
Adds a signal handler to gracefully shut down in case of exit
signal, while doubling as a way to quickly dump the current
state table.

A journal tailing error workaround thanks to ssh-blocker.
2013-08-20 10:44:41 -07:00
Auke Kok
4f59e7feca Migrate normal output to stdout.
Only error/warnings now go to stderr, the rest of the normal
start/block/unblock messages now all go to stdout.
2012-11-05 11:10:33 -08:00
Auke Kok
e3914f7db0 Bugfix: bad option placement.
I messed this up implementing the configfile stuff and
never saw the mistakes I made here. This tests ok.
2012-11-04 23:28:05 -08:00
Auke Kok
dcbd79e477 Fix IP address check. Fix unblock calling iptables when not needed. 2012-11-02 18:00:56 -07:00
Auke Kok
f1a8249cea Install config example in /usr/share/doc. 2012-10-31 14:45:07 -07:00
Auke Kok
d60d4f1a33 Make sure we don't pass garbage to system(). 2012-10-31 14:18:37 -07:00
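The check behind this commit message, and the ipset command that the later "Convert to ipset" commit has the daemon issue, as an added example (not tallow's code). An address parsed out of a journal line is attacker-influenced text, so before it is interpolated into a command string for `system()` it must be exactly one IPv4 or IPv6 literal; `inet_pton()` rejects anything else, including shell metacharacters, and a NULL from `strtok()` is handled explicitly. The set names `tallow` and `tallow6` and the `-exist` idempotent add come from the commit messages; the function names, the timeout argument and the sample addresses are this example's own assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not tallow's code: validate a source address before it is
 * placed in an `ipset add` command line. Function names are assumptions. */

enum ip_family { IP_NONE = 0, IP_V4 = 4, IP_V6 = 6 };

/* Returns IP_V4 or IP_V6 for a well-formed literal, IP_NONE for NULL
 * (strtok() can return NULL) or for anything that is not purely an address. */
enum ip_family classify_ip(const char *ip)
{
    unsigned char buf[16];

    if (!ip || strlen(ip) >= INET6_ADDRSTRLEN)
        return IP_NONE;
    if (inet_pton(AF_INET, ip, buf) == 1)
        return IP_V4;
    if (inet_pton(AF_INET6, ip, buf) == 1)
        return IP_V6;
    return IP_NONE;
}

/* Build the ipset command for a validated address into `out`. IPv4 goes to
 * the `tallow` set, IPv6 to `tallow6`; the set's own timeout expires the
 * entry, and "-exist" makes re-adding an already blocked address harmless.
 * Returns false, writing nothing usable, if the input did not validate or
 * the buffer is too small. */
bool build_block_cmd(const char *ip, unsigned int timeout, char *out, size_t outlen)
{
    enum ip_family f = classify_ip(ip);
    int n;

    if (f == IP_NONE)
        return false;
    n = snprintf(out, outlen, "ipset add %s %s timeout %u -exist",
                 f == IP_V4 ? "tallow" : "tallow6", ip, timeout);
    return n > 0 && (size_t)n < outlen;
}

/* What the daemon would call once a source crosses the threshold. Kept as a
 * thin wrapper so the string-building logic can be exercised without root. */
int block_ip(const char *ip, unsigned int timeout)
{
    char cmd[160];

    if (!build_block_cmd(ip, timeout, cmd, sizeof cmd))
        return -1;            /* refuse rather than pass garbage to system() */
    return system(cmd);
}
```

The sets and the single INPUT rule have to exist before the first `ipset add`; on a host with ipset and iptables installed that is `ipset create tallow hash:ip timeout 3600`, `ipset create tallow6 hash:ip family inet6 timeout 3600`, `iptables -I INPUT -m set --match-set tallow src -j DROP` and the matching `ip6tables` rule for `tallow6` (timeout value chosen for illustration). A longer-term hardening step is to replace `system()` with `fork()`/`execve()` of the ipset binary, which removes the shell from the path entirely; the validation above is still worth keeping, since ipset itself will accept only addresses.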
Auke Kok
67c92dbbc7 Config file -done- 2012-10-31 14:08:35 -07:00
Auke Kok
6b0d8a63e0 Install man pages. 2012-10-31 14:08:14 -07:00
Auke Kok
d281f6a8b9 Fix reference to the journal. 2012-10-31 12:14:45 -07:00
Auke Kok
7a80b95403 Adding 2 basic man pages. 2012-10-31 12:13:35 -07:00
Auke Kok
7022cf147a Example config file. 2012-10-29 16:43:35 -07:00
Auke Kok
d55b027206 Make tallow parse /etc/tallow.conf for non-default configuration. 2012-10-29 16:41:02 -07:00
Auke Kok
94bd6f5049 Adding limits.h to the checklist. 2012-10-29 16:38:00 -07:00
Auke Kok
62475715f6 AUTHORS. 2012-10-29 15:00:55 -07:00
Auke Kok
67c388a12e License header in the C file. 2012-10-29 14:55:09 -07:00
Auke Kok
3e3009edc5 Systemd service unit for tallow. 2012-10-29 13:22:21 -07:00
Auke Kok
b044e6cc9c Update README with some basic info. 2012-10-29 13:21:22 -07:00
Auke Kok
5b1748b4c3 Add TODO, debug output, systemd service file installation. 2012-10-29 12:35:33 -07:00
Auke Kok
df32d6fd09 Armed!
- blocking and unblocking
- 1hr default timeout to unblock
- unblock pruning happens every time the queue of messages is
  processed.
2012-10-26 11:57:47 -07:00
Auke Kok
1824266b1c Somewhat working code now.
- Whitelist checking
- threshold counter
- store timestamps of latest attempt
2012-10-26 00:29:05 -07:00
Auke Kok
5d46bfc44e Add basic filtering code. 2012-10-25 17:03:45 -07:00
Auke Kok
16379ff5cd Adding remaining build files. This compiles now, and runs. 2012-10-25 15:52:58 -07:00