From 628829a256034a15278be2a5f3e972ad243f1005 Mon Sep 17 00:00:00 2001
From: Michal Kostenec <kostenec@civ.zcu.cz>
Date: Thu, 18 Apr 2013 16:51:42 +0200
Subject: [PATCH] Uprava modulu IPset Doplneno README Zacisteni

---
 src/contrib/warden-app/Modules/IPset.pm |  8 ++---
 src/contrib/warden-app/doc/WApp.README  | 41 ++++++++++++++++++++-----
 src/contrib/warden-app/etc/db.conf      |  2 +-
 src/contrib/warden-app/etc/factory.conf |  8 ++---
 4 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/src/contrib/warden-app/Modules/IPset.pm b/src/contrib/warden-app/Modules/IPset.pm
index 0d06504..0c5ae92 100644
--- a/src/contrib/warden-app/Modules/IPset.pm
+++ b/src/contrib/warden-app/Modules/IPset.pm
@@ -9,7 +9,7 @@ my %CONSTANTS =    (
                         threshold  =>  250,
                         excludedip =>  [],
                         eventtype  =>  [],
-                        setname  =>  "BLOCK",
+                        setname    =>  "BLOCK",
                         maxage     =>  "1D",
                      );
 
@@ -30,9 +30,9 @@ sub run {
 
     my @rows = Utils::fetchall_array_hashref($dbh, $query);
 
-    sub header { my $v = shift; return "create $v->{'setname'}_tmp hash:ip\n"; };
-    sub record { my ($r, $v) = @_; return "add $v->{'setname'}_tmp $r->{'source'}\n" if ($r->{'source'}=~/\d+\.\d+\.\d+\.\d+/); };
-    sub footer { my ($v) = @_; return "swap $v->{'setname'}_tmp $v->{'setname'}\ndestroy $v->{'setname'}_tmp\nquit\n"; };
+    sub header { my $v = shift; return "/usr/sbin/ipset --create $v->{'setname'}_tmp iphash\n"; };
+    sub record { my ($r, $v) = @_; return "/usr/sbin/ipset --add $v->{'setname'}_tmp $r->{'source'}\n" if ($r->{'source'}=~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/); };
+    sub footer { my ($v) = @_; return "/usr/sbin/ipset --swap $v->{'setname'}_tmp $v->{'setname'}\n/usr/sbin/ipset --destroy $v->{'setname'}_tmp\n"; };
 
     my $ret = Utils::generateOutput($v->{'outputfile'}, \@rows, \&header, \&record, \&footer, $v);
     return $ret;
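Review bot: The `record` filter on the `+` line is now the only thing standing between a database value and a generated shell command line, and its regex is unanchored: `/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/` accepts any string that merely contains a dotted quad, so surrounding characters in `$r->{'source'}` are interpolated verbatim into `/usr/sbin/ipset --add ...`. Since the output is a script of absolute-path commands rather than the `ipset restore` stream the old lines produced, anchor the match and emit only the validated capture, e.g. `return "/usr/sbin/ipset --add $v->{'setname'}_tmp $1\n" if $r->{'source'} =~ /\A(\d{1,3}(?:\.\d{1,3}){3})\z/;`. `$v->{'setname'}` is interpolated the same way in all three helpers; it presumably comes from the module configuration rather than event data, but a comment saying so would help the next reader. Note also that the new lines switch from `create ... hash:ip` to `--create ... iphash`, which is the older ipset command syntax; whether that matches the ipset version on the target hosts is not verifiable from this hunk. The body of `run` continues past the hunk.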
diff --git a/src/contrib/warden-app/doc/WApp.README b/src/contrib/warden-app/doc/WApp.README
index 6a12fbd..203b23e 100644
--- a/src/contrib/warden-app/doc/WApp.README
+++ b/src/contrib/warden-app/doc/WApp.README
@@ -11,6 +11,7 @@ Content
  E.  Configuration
  F.  Modules
  G.  Run
+ H.  The requirements of modules
  X.  Tutorial: Running of the WApp along with the database backend
  XX. Tutorial: Writing your own module
 
@@ -146,10 +147,13 @@ F. Modules
    DNSblacklist	- generates zone file for the most widely used DNS software on the Internet.
    IPblacklist	- generates traditional CSV file with IP addresses.
    IPtables 	- generates iptables rules.
-   IPset 	- generates ipset rules (use on big sets of addresses rather than iptables).
+   IPset 	    - generates ipset rules (use on big sets of addresses rather than iptables).
    MailReport	- generates reports which are sent to specific recipients.
 
-   Section XX. describes how to write own module.
+   Section XX. describes how to write own module. 
+   
+   Some modules require additional requirements for their proper functioning. Specific 
+   examples are described in section H.
  
 --------------------------------------------------------------------------------       
 G. Run
@@ -174,22 +178,46 @@ G. Run
     3. Cleaner
 	Usage: warden-cleaner.pl
 
+--------------------------------------------------------------------------------       
+H. The requirements of modules
+
+   These modules require an initial steps:
+
+   1. IPtables
+
+   Redirect of specific traffic to chain specified in the configuration. 
+   If the 'chainname="BLOCK"' option is used and you are interested in SSH attackers (tcp/22), 
+   it's necessary use these commands:
+
+   iptables -N BLOCK
+   iptables -I INPUT 1 --protocol tcp --dport 22 --jump BLOCK
+   
+   2. IPset
+
+   Initialize the new set and create a blocking rule in iptables.   
+   If the 'setname="BLOCK"' option is used and and you are interested in SSH attackers (tcp/22)
+   it's necessary use these commands:
+
+   ipset --create BLOCK iphash
+   iptables -I INPUT 1 --protocol tcp --dport 22 -m set --match-set BLOCK src --jump DROP
+
 --------------------------------------------------------------------------------       
 X. Tutorial: Running of the WApp along with the database backend
 
     1. Database engine configuration (conf/db.conf)
 	
 	[SQLITE]
-            db="var/warden.db"
+        db="var/warden.db"
 	    user=
 	    pass=
 
     2. Receiver configuration (conf/receiver.conf)
 
 	[GENERAL]
-            method="db"
+        method="db"
 	    wardenpath="/opt/warden-client"
-	    requested_type="_all_"
+	    # Type of event which will be requested. To get all types of event, leave this option blank.
+        requested_type=
 
 	[DB]
 	    dbengine="sqlite"
@@ -213,9 +241,6 @@ X. Tutorial: Running of the WApp along with the database backend
   	    method="db"
 	    maxage="5D"
 
-	[DB]
-	    dbengine="sqlite"
-
     5. Run
 
 	I. Manually
diff --git a/src/contrib/warden-app/etc/db.conf b/src/contrib/warden-app/etc/db.conf
index 637ea68..7705ec3 100644
--- a/src/contrib/warden-app/etc/db.conf
+++ b/src/contrib/warden-app/etc/db.conf
@@ -2,7 +2,7 @@
 
 [SQLITE]
 # Path to sqlite database file
-db="/root/warden/src/warden-app/var/warden.db"
+db="/root/warden/src/contrib/warden-app/var/warden.db"
 # Username 
 user=
 # Password
diff --git a/src/contrib/warden-app/etc/factory.conf b/src/contrib/warden-app/etc/factory.conf
index 426859e..e637db0 100644
--- a/src/contrib/warden-app/etc/factory.conf
+++ b/src/contrib/warden-app/etc/factory.conf
@@ -10,7 +10,7 @@ enabled="yes"
 # Type of module; see 'moddir' directory
 module="IPblacklist"
 # Where will be result stored
-outputfile="/root/warden/src/warden-app/tmp/blacklist.csv"
+outputfile="/root/warden/src/contrib/warden-app/tmp/blacklist.csv"
 # Threshold for SQL query (events grouped by source IP) [number]
 threshold="2"
 # Which source IP we want to exclude from result [ip1, ip2, ipN]
@@ -26,7 +26,7 @@ enabled="yes"
 # Type of module; see 'moddir' directory
 module="IPtables"
 # Where will be result stored
-outputfile="/root/warden/src/warden-app/tmp/iptables2.txt"
+outputfile="/root/warden/src/contrib/warden-app/tmp/iptables2.txt"
 # Threshold for SQL query (events grouped by source IP) [number]
 threshold="10"
 # Which source IP we want to exclude from result [ip1, ip2, ipN]
@@ -46,7 +46,7 @@ enabled="yes"
 # Type of module; see 'moddir' directory
 module="IPset"
 # Where will be result stored
-outputfile="/opt/warden-app/var/ipset.txt"
+outputfile="/root/warden/src/contrib/warden-app/tmp/ipset.txt"
 # Threshold for SQL query (events grouped by source IP) [number]
 threshold="10"
 # Which source IP we want to exclude from result [ip1, ip2, ipN]
@@ -64,7 +64,7 @@ enabled="yes"
 # Type of module; see 'moddir' directory
 module="DNSblacklist"
 # Where will be result stored
-outputfile="/root/warden/src/warden-app/tmp/dnsbl2.txt"
+outputfile="/root/warden/src/contrib/warden-app/tmp/dnsbl2.txt"
 # Default target for blacklisted A record
 target="127.0.0.2"
 # Threshold for SQL query (events grouped by source IP) [number]
-- 
GitLab