#!/usr/bin/env python2.7
# Name: tablemonk.py
# Author: Anoniem4l, irc.freenode.net
# Make sure you run it with sudo. Have fun firewalling.
import os
import subprocess
import sys
  6.  
# Global vars.
# The only characters accepted in a numeric command-line argument (port,
# hitcount, seconds).
numbers = "".join(str(digit) for digit in range(10))
  9.  
  10.  
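def _run(cmd):
    """Run one command without a shell and report a non-zero exit status.

    Args:
        cmd: argv list. The first element is the program; every other
            element is handed to it verbatim, so a value taken from the
            command line is never parsed by a shell.

    Returns:
        The command's exit status (0 on success). A failure is printed
        and execution continues, matching the original best-effort style.
    """
    status = subprocess.call(cmd)
    if status != 0:
        print("[!] command failed (exit %d): %s" % (status, " ".join(cmd)))
    return status


def _all_digits(value):
    """Return True if *value* is a non-empty string made only of 0-9."""
    # Checked against the module's digit list rather than str.isdigit(),
    # which also accepts non-ASCII digits that int() cannot parse.
    return bool(value) and all(ch in numbers for ch in value)


def _is_port(value):
    """Return True if *value* is a decimal TCP port number in 1..65535."""
    return _all_digits(value) and 1 <= int(value) <= 65535


def _is_iface(value):
    """Return True if *value* looks like a plain Linux interface name.

    Only letters, digits, '.', '_' and '-' are accepted, the first
    character must be a letter or digit and the length is capped at 15
    (IFNAMSIZ - 1). A value that passes can never be mistaken for an
    iptables option, which is what keeps --synproxy's arguments safe.
    """
    allowed = frozenset("abcdefghijklmnopqrstuvwxyz"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")
    return (0 < len(value) <= 15
            and value[0] not in "._-"
            and all(ch in allowed for ch in value))


def _args_after(argv, index, count):
    """Return the *count* arguments following argv[index], or None if too few."""
    if index + count >= len(argv):
        return None
    return argv[index + 1:index + 1 + count]


def _configure_sshsec(port):
    """Rate-limit and log new connections to the SSH *port*.

    Two windows are kept in the xt_recent list "SSH": within 30 s the
    3rd new connection from one source is logged and the 4th rejected
    (DDOS/excessive bruteforce); within 3600 s the 15th is logged and the
    20th rejected (slow bruteforce). Each window has a --rcheck REJECT,
    a --rcheck LOG and an --update REJECT rule, in that order.
    """
    base = ["iptables", "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", port]
    recent = ["--rttl", "--name", "SSH", "--rsource"]
    reject = ["-j", "REJECT", "--reject-with", "tcp-reset"]
    log = ["-j", "LOG", "--log-prefix", "SSH brute force "]
    _run(base + ["-m", "state", "--state", "NEW",
                 "-m", "recent", "--set", "--name", "SSH", "--rsource"])
    # (window in seconds, hitcount that rejects, hitcount that logs)
    for seconds, reject_at, log_at in (("30", "4", "3"), ("3600", "20", "15")):
        _run(base + ["-m", "recent", "--rcheck", "--seconds", seconds,
                     "--hitcount", reject_at] + recent + reject)
        # Logging.
        _run(base + ["-m", "recent", "--rcheck", "--seconds", seconds,
                     "--hitcount", log_at] + recent + log)
        # --update: refresh the entry's timestamp and reject.
        _run(base + ["-m", "recent", "--update", "--seconds", seconds,
                     "--hitcount", log_at] + recent + reject)


def _configure_secddos(port, hitcount, seconds):
    """Reject and log a source that opens *hitcount* new connections to *port* within *seconds*.

    Args:
        port: validated decimal port string.
        hitcount: validated digit string for --hitcount. NOTE: xt_recent
            caps this at its ip_pkt_list_tot module parameter (default
            20); iptables reports the error if it is exceeded.
        seconds: validated digit string for --seconds.
    """
    name = "port_" + port
    base = ["iptables", "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", port]
    check = ["-m", "recent", "--rcheck", "--seconds", seconds,
             "--hitcount", hitcount, "--rttl", "--name", name, "--rsource"]
    _run(base + ["-m", "state", "--state", "NEW",
                 "-m", "recent", "--set", "--name", name, "--rsource"])
    # Logging first: LOG is non-terminating, whereas appending it after
    # the REJECT rule with the identical match left it unreachable.
    _run(base + check + ["-j", "LOG", "--log-prefix", "[%s] flood attempt: " % name])
    _run(base + check + ["-j", "REJECT", "--reject-with", "tcp-reset"])


def _configure_synproxy(iface, port):
    """Apply the well-known SYNPROXY recipe for TCP *port* on *iface*.

    The SYNs are left untracked in the raw table so that they reach the
    SYNPROXY target in state UNTRACKED; the handshake-completing ACK
    reaches it in state INVALID (nf_conntrack_tcp_loose=0). For that
    reason no blanket INVALID drop is appended ahead of the SYNPROXY rule:
    it would swallow that ACK. The earlier `iptables -m state --state
    INVALID -j DROP` had no chain or command and was rejected by iptables
    anyway; the per-port INVALID drop after the SYNPROXY rule is kept.
    """
    match = ["-i", iface, "-p", "tcp", "-m", "tcp", "--dport", port]
    # SYNPROXY: PREROUTING.
    _run(["iptables", "-t", "raw", "-I", "PREROUTING", "-i", iface,
          "-p", "tcp", "-m", "tcp", "--syn", "--dport", port, "-j", "CT", "--notrack"])
    # SYNPROXY target.
    _run(["iptables", "-A", "INPUT"] + match +
         ["-m", "state", "--state", "INVALID,UNTRACKED", "-j", "SYNPROXY",
          "--sack-perm", "--timestamp", "--wscale", "7", "--mss", "1460"])
    # Trick to catch SYN-ACK floods, drop rest of state INVALID.
    _run(["iptables", "-A", "INPUT"] + match + ["-m", "state", "--state", "INVALID", "-j", "DROP"])
    # Strict conntrack handling to get unknown ACKs (from 3WHS) to be marked as INVALID state.
    _run(["sysctl", "-w", "net/netfilter/nf_conntrack_tcp_loose=0"])
    # Enable TCP timestamping (SYN cookies use TCP options field).
    _run(["/sbin/sysctl", "-w", "net/ipv4/tcp_timestamps=1"])
    # Conntrack entries tuning.
    _run(["/sbin/sysctl", "-w", "net/netfilter/nf_conntrack_max=2000000"])
    # Adjusting hash bucket size; written directly instead of via `echo >`.
    try:
        with open("/sys/module/nf_conntrack/parameters/hashsize", "w") as handle:
            handle.write("2000000\n")
    except (IOError, OSError) as err:
        print("[!] could not set nf_conntrack hashsize: %s" % err)


def main():
    """Parse sys.argv, apply the requested rule sets and list the tables.

    Options are processed in the order given and may be combined. The
    first missing or invalid argument prints a message and returns before
    any further rule is added. Every value is validated and passed to
    iptables/sysctl as a separate argv entry, never through a shell.
    """
    argv = sys.argv
    if len(argv) == 1:
        print("## tablemonk v0.01, firewall defense and logging configurator.")
        print("[*] Usage:\n   --sshsec [port]                       ;  Secures the specified SSH type of port for bruteforcing and DDOS attacks.\n")
        print("   --secddos [port] [hitcount] [seconds] ;  Secures the specified port for DDOS type of attacks. Hitcount means the number of connections of the individual, seconds is obvious.\n")
        print("   --synproxy [interface] [port]         ;  Applies the well-known SYNPROXY configuration which amplifies defense against SYN flood attacks.\n")
        return

    for index, arg in enumerate(argv):
        if arg == '--sshsec':
            values = _args_after(argv, index, 1)
            if values is None:
                print("Insufficient arguments after --sshsec.")
                return
            if not _is_port(values[0]):
                print("Invalid argument after --sshsec.")
                return
            _configure_sshsec(values[0])

        elif arg == '--secddos':
            values = _args_after(argv, index, 3)
            if values is None:
                print("Insufficient arguments after --secddos.")
                return
            port, hitcount, seconds = values
            if not (_is_port(port) and _all_digits(hitcount) and _all_digits(seconds)):
                print("Invalid argument after --secddos.")
                return
            _configure_secddos(port, hitcount, seconds)

        elif arg == '--synproxy':
            values = _args_after(argv, index, 2)
            if values is None:
                # Previously fell through to an IndexError; now stops here.
                print("Insufficient arguments after --synproxy.")
                return
            iface, port = values
            if not (_is_iface(iface) and _is_port(port)):
                print("Invalid argument after --synproxy.")
                return
            _configure_synproxy(iface, port)

    # Flush our own buffered output first so the listing is not reordered
    # ahead of earlier messages when stdout is a pipe.
    sys.stdout.flush()
    _run(["iptables", "-L"])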
  97.  
  98.    
if __name__ == "__main__":
    # Script entry point; main() returns None, so the process exits 0.
    sys.exit(main())