martillo-maldito/src/main.rs

pub mod cli;
pub mod iptables_save;
pub mod iptables_wrapper;
pub mod login_attempt;

use cli::Cli;
use iptables_wrapper::{
    allow_ip_for_port, is_port_secured, list_banned_ips, list_secured_ports,
    map_secured_ports_allowed_ips, remove_allow_ip_for_port, secure_port, unsecure_port,
};
use linemux::MuxedLines;
use login_attempt::LoginAttempt;
use std::path::PathBuf;
use std::thread::spawn;
use std::{collections::HashMap, thread::sleep, time::Duration};
use structopt::StructOpt;

#[tokio::main]
async fn main() {
    match Cli::from_args() {
        Cli::BanServer {
            ssh_auth_log,
            iptables_save,
        } => {
            let _ = start_ban_server(ssh_auth_log, iptables_save).await;
        }
        Cli::ListBannedIps => {
            println!("{}", serde_json::to_string(&list_banned_ips()).unwrap());
        }
        Cli::ListSecuredPorts { docker } => {
            println!(
                "{}",
                serde_json::to_string(&list_secured_ports(docker)).unwrap()
            );
        }
        Cli::MapSecuredPortsAllowedIps { docker } => {
            println!(
                "{}",
                serde_json::to_string(&map_secured_ports_allowed_ips(docker)).unwrap()
            );
        }
        Cli::IsPortSecured { port, docker } => {
            println!("{}", is_port_secured(port, docker));
        }
        Cli::SecurePort {
            port,
            docker,
            position,
        } => secure_port(port, docker, position),
        Cli::UnsecurePort { port, docker } => unsecure_port(port, docker),
        Cli::AllowIpForPort {
            ip,
            port,
            docker,
            position,
        } => allow_ip_for_port(&ip, port, docker, position),
        Cli::OnlyIpForPort { ip, port, docker } => {
            allow_ip_for_port(&ip, port, docker, Some(1));
            secure_port(port, docker, Some(2));
        }
        Cli::RemoveAllowIpPort { ip, port, docker } => remove_allow_ip_for_port(&ip, port, docker),
        Cli::SaveIPTables { iptables_save } => {
            let path = if let Some(iptables_save) = iptables_save {
                iptables_save
            } else {
                PathBuf::from("/etc/iptables/rules.v4")
            };

            iptables_save::save_iptables(&path);
            println!("Saved IPTables to {}", path.display());
        }
    }
}

async fn start_ban_server(
    ssh_auth_log: PathBuf,
    iptables_save: Option<PathBuf>,
) -> std::io::Result<()> {
    let iptables = iptables::new(false).unwrap();
    let mut lines = MuxedLines::new()?;
    lines.add_file(&ssh_auth_log).await?;
    let mut login_attempts: HashMap<String, usize> = HashMap::new();

    if let Some(iptables_save) = iptables_save {
        let seconds_iptables = Duration::from_secs(60);
        println!(
            "Saving IPTables every {} seconds",
            seconds_iptables.as_secs()
        );

        spawn(move || loop {
            sleep(seconds_iptables);
            iptables_save::save_iptables(&iptables_save);
        });
    }

    println!("Listeging to changer over file: {}", ssh_auth_log.display());
    loop {
        while let Ok(Some(line)) = lines.next_line().await {
            if let Some(login_attempt) = LoginAttempt::capture(line.line()) {
                println!(
                    "Failed login attempt from {}@{}:{}",
                    login_attempt.user, login_attempt.ip, login_attempt.port
                );

                match login_attempts.get_mut(&login_attempt.ip) {
                    Some(count) => {
                        *count += 1;

                        if *count == 3 {
                            if iptables
                                .append_unique(
                                    "filter",
                                    "INPUT",
                                    &format!("--source {} -j DROP", login_attempt.ip),
                                )
                                .is_ok()
                            {
                                println!("IP {} banned", login_attempt.ip);
                            } else {
                                println!("IP {} already banned", login_attempt.ip);
                            }

                            login_attempts.remove(&login_attempt.ip);
                        }
                    }
                    None => {
                        login_attempts.insert(login_attempt.ip.clone(), 1);
                    }
                }
            }
        }
    }
}
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`pub mod cli;`
better err handling, and WIP iptables asve 2024-05-12 14:03:26 +02:00			`pub mod iptables_save;`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`pub mod iptables_wrapper;`
first commit with test logic 2024-05-12 13:46:11 +02:00			`pub mod login_attempt;`

improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`use cli::Cli;`
WIP list banned ips 2024-07-21 13:01:23 +02:00			`use iptables_wrapper::{`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`allow_ip_for_port, is_port_secured, list_banned_ips, list_secured_ports,`
			`map_secured_ports_allowed_ips, remove_allow_ip_for_port, secure_port, unsecure_port,`
WIP list banned ips 2024-07-21 13:01:23 +02:00			`};`
first commit with test logic 2024-05-12 13:46:11 +02:00			`use linemux::MuxedLines;`
			`use login_attempt::LoginAttempt;`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`use std::path::PathBuf;`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`use std::thread::spawn;`
iptables-save every minute 2024-05-12 14:54:47 +02:00			`use std::{collections::HashMap, thread::sleep, time::Duration};`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`use structopt::StructOpt;`
first commit with test logic 2024-05-12 13:46:11 +02:00
			`#[tokio::main]`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`async fn main() {`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`match Cli::from_args() {`
			`Cli::BanServer {`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`ssh_auth_log,`
			`iptables_save,`
			`} => {`
			`let _ = start_ban_server(ssh_auth_log, iptables_save).await;`
			`}`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`Cli::ListBannedIps => {`
			`println!("{}", serde_json::to_string(&list_banned_ips()).unwrap());`
WIP list banned ips 2024-07-21 13:01:23 +02:00			`}`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`Cli::ListSecuredPorts { docker } => {`
			`println!(`
			`"{}",`
			`serde_json::to_string(&list_secured_ports(docker)).unwrap()`
			`);`
adding argument to check if port is secured 2024-06-09 15:17:36 +02:00			`}`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`Cli::MapSecuredPortsAllowedIps { docker } => {`
			`println!(`
			`"{}",`
			`serde_json::to_string(&map_secured_ports_allowed_ips(docker)).unwrap()`
			`);`
			`}`
			`Cli::IsPortSecured { port, docker } => {`
			`println!("{}", is_port_secured(port, docker));`
			`}`
			`Cli::SecurePort {`
adding pos, and directly ban and allow ip 2024-05-28 21:13:53 +02:00			`port,`
			`docker,`
			`position,`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`} => secure_port(port, docker, position),`
			`Cli::UnsecurePort { port, docker } => unsecure_port(port, docker),`
			`Cli::AllowIpForPort {`
adding pos, and directly ban and allow ip 2024-05-28 21:13:53 +02:00			`ip,`
			`port,`
			`docker,`
			`position,`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`} => allow_ip_for_port(&ip, port, docker, position),`
			`Cli::OnlyIpForPort { ip, port, docker } => {`
			`allow_ip_for_port(&ip, port, docker, Some(1));`
			`secure_port(port, docker, Some(2));`
			`}`
			`Cli::RemoveAllowIpPort { ip, port, docker } => remove_allow_ip_for_port(&ip, port, docker),`
			`Cli::SaveIPTables { iptables_save } => {`
			`let path = if let Some(iptables_save) = iptables_save {`
			`iptables_save`
			`} else {`
			`PathBuf::from("/etc/iptables/rules.v4")`
			`};`

			`iptables_save::save_iptables(&path);`
			`println!("Saved IPTables to {}", path.display());`
adding pos, and directly ban and allow ip 2024-05-28 21:13:53 +02:00			`}`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`}`
			`}`

			`async fn start_ban_server(`
			`ssh_auth_log: PathBuf,`
			`iptables_save: Option<PathBuf>,`
			`) -> std::io::Result<()> {`
first commit with test logic 2024-05-12 13:46:11 +02:00			`let iptables = iptables::new(false).unwrap();`
			`let mut lines = MuxedLines::new()?;`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`lines.add_file(&ssh_auth_log).await?;`
first commit with test logic 2024-05-12 13:46:11 +02:00			`let mut login_attempts: HashMap<String, usize> = HashMap::new();`

moving code from command server into cli 2024-05-28 16:03:32 +02:00			`if let Some(iptables_save) = iptables_save {`
			`let seconds_iptables = Duration::from_secs(60);`
			`println!(`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`"Saving IPTables every {} seconds",`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`seconds_iptables.as_secs()`
			`);`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00
			`spawn(move \|\| loop {`
moving code from command server into cli 2024-05-28 16:03:32 +02:00			`sleep(seconds_iptables);`
			`iptables_save::save_iptables(&iptables_save);`
			`});`
			`}`
iptables-save every minute 2024-05-12 14:54:47 +02:00
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`println!("Listeging to changer over file: {}", ssh_auth_log.display());`
			`loop {`
			`while let Ok(Some(line)) = lines.next_line().await {`
			`if let Some(login_attempt) = LoginAttempt::capture(line.line()) {`
			`println!(`
			`"Failed login attempt from {}@{}:{}",`
			`login_attempt.user, login_attempt.ip, login_attempt.port`
			`);`
first commit with test logic 2024-05-12 13:46:11 +02:00
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`match login_attempts.get_mut(&login_attempt.ip) {`
			`Some(count) => {`
			`*count += 1;`

			`if *count == 3 {`
			`if iptables`
			`.append_unique(`
			`"filter",`
			`"INPUT",`
			`&format!("--source {} -j DROP", login_attempt.ip),`
			`)`
			`.is_ok()`
			`{`
			`println!("IP {} banned", login_attempt.ip);`
			`} else {`
			`println!("IP {} already banned", login_attempt.ip);`
better err handling, and WIP iptables asve 2024-05-12 14:03:26 +02:00			`}`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00
			`login_attempts.remove(&login_attempt.ip);`
better err handling, and WIP iptables asve 2024-05-12 14:03:26 +02:00			`}`
first commit with test logic 2024-05-12 13:46:11 +02:00			`}`
improving martillo-maldito to server to protect also nodes (port, ip, etc..) 2024-07-23 21:14:51 +02:00			`None => {`
			`login_attempts.insert(login_attempt.ip.clone(), 1);`
			`}`
first commit with test logic 2024-05-12 13:46:11 +02:00			`}`
			`}`
			`}`
			`}`
			`}`