diff --git a/CHANGELOG.md b/CHANGELOG.md
index 685670a92..86ae1a35a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+29.05.2015
+
+* Removed old 'iptables_counter_update_command' and added 'iptables_counter_enabled'
+
 26.05.2015
 
 * Updated deploy script, now staging comes from staging branch
diff --git a/app/controllers/epp_controller.rb b/app/controllers/epp_controller.rb
index 3a5211de5..07a3aa732 100644
--- a/app/controllers/epp_controller.rb
+++ b/app/controllers/epp_controller.rb
@@ -285,6 +285,7 @@ class EppController < ApplicationController
   # rubocop: enable Metrics/CyclomaticComplexity
 
   def iptables_counter_update
-    `ENV['iptables_counter_update_command']` if ENV['iptables_counter_update_command'].present?
+    return if ENV['iptables_counter_enabled'].blank? && ENV['iptables_counter_enabled'] != 'true'
+    Iptable.counter_update(current_user.registrar_code, request.remote_ip)
   end
 end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index e12c3b7b8..3312de5d4 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -11,13 +11,16 @@ class ApiUser < User
     }
   end
 
-  # TODO: should have max request limit per day
+  # TODO: should have max request limit per day?
   belongs_to :registrar
   has_many :certificates
 
   validates :username, :password, :registrar, :roles, presence: true
   validates :username, uniqueness: true
 
+  # TODO: probably cache, because it's requested on every EPP
+  delegate :code, to: :registrar, prefix: true
+
   attr_accessor :registrar_typeahead
 
   ROLES = %w(super epp billing) # should not match to admin roles
diff --git a/config/application-example.yml b/config/application-example.yml
index 050216cee..5296f9f9d 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
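Review bot: The guard on the first new line of iptables_counter_update never fires for an explicit 'false' setting: with `&&`, a blank value satisfies both operands, but a non-blank value such as 'false' fails `.blank?`, so the method falls through and calls the updater whenever the variable is set to anything at all. The intended check is the single condition `return unless ENV['iptables_counter_enabled'] == 'true'`, which also matches what the example config documents. The second new line dereferences `current_user` without a nil check; if this hook runs for commands issued before a session exists (hello/login), it will raise NoMethodError on nil, though where the hook is wired is outside this hunk.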
@@ -30,8 +30,8 @@ webclient_cert_common_name: 'webclient' # and returns 2306 "Parameter value policy error" contact_org_enabled: 'false' -# Firewall countrer update command -# iptables_counter_update_command: '' +# Enable iptables counter updater +# iptables_counter_enabled: 'true' # DEPP server configuration (both for Registrar/Registrant servers) show_ds_data_fields: 'false' diff --git a/doc/debian_build_doc.md b/doc/debian_build_doc.md index c2d40f56c..fe40f2982 100644 --- a/doc/debian_build_doc.md +++ b/doc/debian_build_doc.md @@ -42,8 +42,7 @@ Please install following lib, otherwise your bundler install might not be succes ### Firewall rate limit config -First increase the maximum possible value for the hitcount parameter -from its default value of 20 by setting the option +First increase the maximum possible value form 20 to 100 of the hitcount parameter. ip_pkt_list_tot of the xt_recent kernel module. This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains: @@ -53,7 +52,6 @@ options xt_recent ip_pkt_list_tot=100 Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system. - #### Registrar, REPP, Restful-whois ```` 
@@ -70,22 +68,6 @@ $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} ```` -#### EPP - -```` -#!/bin/bash -# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ -IPT=/sbin/iptables -# Max connection in seconds -SECONDS=60 -# Max connections per IP -BLOCKCOUNT=100 -# default action can be DROP or REJECT or something else. -DACTION="REJECT" -$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set -$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} -```` - #### Whois ```` @@ -102,3 +84,22 @@ $IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set $IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} ```` +#### EPP + +We need to update iptables hitcounter from application. + +```` +#!/bin/bash +# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ +IPT=/sbin/iptables +# Registrar handler +REGISTRAR_CODE="test" +# Max connection in seconds +SECONDS=60 +# Max connections per IP +BLOCKCOUNT=100 +# default action can be DROP or REJECT or something else. +DACTION="REJECT" +$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set +$IPT -A INPUT -p tcp --dport 700 -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount ${BLOCKCOUNT} --seconds ${SECONDS} -j ${DACTION} +```` diff --git a/lib/iptable.rb b/lib/iptable.rb new file mode 100644 index 000000000..54fba393d --- /dev/null +++ b/lib/iptable.rb 
@@ -0,0 +1,15 @@
+module Iptable
+  def counter_update(registrar_code, ip)
+    counter_proc = "/proc/net/xt_recent/#{registrar_code}"
+
+    begin
+      File.open(counter_proc, 'a') do |f|
+        f.puts "+#{ip}"
+      end
+    rescue Errno::ENOENT => e
+      logger.error "ERROR: cannot open #{counter_proc}: #{e}"
+    rescue IOError => e
+      logger.error "ERROR: cannot write #{ip} to #{counter_proc}: #{e}"
+    end
+  end
+end
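Review bot: `Iptable.counter_update(...)`, as the controller calls it, will raise NoMethodError, because `def counter_update` on the second added line is a plain instance method of the module; it needs `def self.counter_update` (or `module_function`). In the same method `logger` is not defined inside a bare module under lib/, so both rescue branches would fail with NameError instead of logging; `Rails.logger` is what is available in this app. The rescue list also omits `Errno::EACCES`, which is what appending to /proc/net/xt_recent returns when the app server lacks CAP_NET_ADMIN, so a misconfigured host would fail every EPP request rather than log once; rescuing `SystemCallError` covers ENOENT and EACCES together. Finally `registrar_code` is interpolated into the /proc path unchecked; even though it comes from the database, a value containing `/` or `..` would redirect the append outside the xt_recent directory, so restrict it to the xt_recent table-name charset before building the path.
```ruby
module Iptable
  # Module-level method so the controller's `Iptable.counter_update` call resolves.
  # Appends "+ip" to the xt_recent table named after the registrar; failures are
  # logged rather than raised so a firewall misconfiguration cannot break EPP.
  def self.counter_update(registrar_code, ip)
    # The code becomes a path component under /proc; refuse anything outside the
    # table-name charset so a stray '/' or '..' cannot redirect the write.
    unless registrar_code =~ /\A[\w-]+\z/
      Rails.logger.error "ERROR: refusing to use #{registrar_code.inspect} as xt_recent table name"
      return
    end

    counter_proc = "/proc/net/xt_recent/#{registrar_code}"
    File.open(counter_proc, 'a') { |f| f.puts "+#{ip}" }
  rescue SystemCallError, IOError => e
    # ENOENT (table not created yet) and EACCES (no CAP_NET_ADMIN) both land here.
    Rails.logger.error "ERROR: cannot write #{ip} to #{counter_proc}: #{e}"
  end
end
```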