Beispiel #1
0
    def dns_status():
        dns_servers_status = load_configuration('dns_server_status')
        dns_server = load_configuration('dns_server')['dns_server']

        tls_enabled = dns_server['tls']['enabled']
        dns_servers = dns_server['resolvers']
        dns_servers_copy = deepcopy(dns_servers)

        for server, server_info in dns_servers_copy.items():
            status = dns_servers_status.get(server_info['ip_address'], None)
            if (not status):
                tls = 'Waiting'
                dns = 'Waiting'
            else:
                dns = 'UP' if status['dns_up'] else 'Down'
                tls = 'UP' if status['tls_up'] else 'Down'

            if (not tls_enabled):
                tls = 'Disabled'

            dns_servers[server]['dns_up'] = dns
            dns_servers[server]['tls_up'] = tls

#        print(dnsstatus)
        return dns_servers
Beispiel #2
0
    def _load_interfaces(self):
        fw_settings = load_configuration('config')['settings']
        server_settings = load_configuration('dhcp_server')['dhcp_server']
        fw_intf = fw_settings['interfaces']
        dhcp_intfs = server_settings['interfaces']

        # ident
        for intf in self.DHCPServer._intfs:
            # friendly name
            for _intf, settings in dhcp_intfs.items():
                # ensuring the iterfaces match since we cannot guarantee order
                if (intf != settings['ident']): continue

                # passing over disabled server interfaces. NOTE: DEF temporary
                if not dhcp_intfs[_intf]['enabled']: continue

                # creating ipv4 interface object which will be associated with the ident in the config.
                # this can then be used by the server to identify itself as well as generate its effective
                # subnet based on netmask for ip handouts or membership tests.
                intf_ip = IPv4Interface(
                    str(fw_intf[_intf]['ip']) + '/' +
                    str(fw_intf[_intf]['netmask']))

                # initializing server options so the auto loader doesnt have to worry about it.
                self.DHCPServer.options[intf] = {}

                # updating general network information for interfaces on server class object. these will never change
                # while the server is running. for interfaces changes, the server must be restarted.
                self.DHCPServer.intf_settings[intf] = {'ip': intf_ip}
Beispiel #3
0
    def _load_restriction(self):
        ip_proxy = load_configuration('ip_proxy')['ip_proxy']
        logging = load_configuration('logging_client')['logging']

        restriction_start  = ip_proxy['time_restriction']['start']
        restriction_length = ip_proxy['time_restriction']['length']

        os_direction = logging['time_offset']['direction']
        os_amount    = logging['time_offset']['amount']

        offset = int(f'{os_direction}{os_amount}') * ONE_DAY

        return restriction_start, restriction_length, offset
Beispiel #4
0
    def _get_settings(self, cfg_file):
        #        print('[+] Starting: IPS Settings Update Thread.')
        ips = load_configuration(cfg_file)['ips']

        self.IPS.ddos_prevention = ips['ddos']['enabled']
        self.IPS.portscan_prevention = ips['port_scan']['drop']

        # ddos CPS THRESHHOLD CHECK
        tcp_src_limit = ips['ddos']['limits']['source']['tcp']
        udp_src_limit = ips['ddos']['limits']['source']['udp']
        icmp_src_limit = ips['ddos']['limits']['source']['icmp']
        self.IPS.connection_limits = {
            PROTO.ICMP: icmp_src_limit,
            PROTO.TCP: tcp_src_limit,
            PROTO.UDP: udp_src_limit
        }

        ##Checking length(hours) to leave IP Table Rules in place for hosts part of ddos attacks
        self.IPS.block_length = 0
        if (self.IPS.portscan_prevention or self.IPS.ddos_prevention):
            self.IPS.block_length = ips['passive_block_ttl'] * 3600

        ## Reject packet (tcp reset and icmp port unreachable)
        self.IPS.portscan_reject = ips['port_scan']['reject']

        ## whitelist configured dns servers (local instance var)
        self.whitelist_dns_servers = ips['whitelist']['dns_servers']

        self._cfg_change.set()
        self.initialize.done()
Beispiel #5
0
    def _load_interfaces(self):
        interface = load_configuration('config.json')

        self.IPS.wan_int = interface['settings']['interfaces']['wan']

        self.IPS.broadcast = Interface.broadcast_address(
            self.IPS.wan_int['ident'])
Beispiel #6
0
    def get_settings(self, cfg_file):
        syslog = load_configuration(cfg_file)['syslog']

        SyslogService = self.SyslogService

        SyslogService.syslog_enabled   = syslog['enabled']
        SyslogService.syslog_protocol  = syslog['protocol']
        SyslogService.tls_enabled      = syslog['tls']['enabled']
        SyslogService.self_signed_cert = syslog['tls']['self_signed']
        SyslogService.tcp_fallback     = syslog['tcp']['fallback']
        SyslogService.udp_fallback     = syslog['udp']['fallback']

        syslog_servers = syslog['servers']

        # if service is started without servers configured we will return here.
        if not syslog_servers: return

        names = ['primary', 'secondary']
        with SyslogService.server_lock:
            for name, cfg_server, mem_server in zip(names, syslog_servers.values(), SyslogService.syslog_servers):
                if (cfg_server['ip_address'] == mem_server.get('ip')): continue

                getattr(SyslogService.syslog_servers, name).update({
                    'ip': syslog_servers[name]['ip_address'],
                    PROTO.UDP: True, PROTO.TCP: True, PROTO.DNS_TLS: True
                })
Beispiel #7
0
    def combine_domains(self):
        dns_proxy_categories = load_configuration('dns_proxy')

        categories   = dns_proxy_categories['dns_proxy']['categories']
        default_cats = categories['default']
        ud_cats      = categories['user_defined']

        for cat, settings in default_cats.items():
            # NOTE: this will prevent loading disabled configs to memory. maybe make it a user configurable option later?
#            if (not settings['enabled']): continue

            self.combine_dom_files.append(cat)

        for file in self.combine_dom_files:
            try:
                with open(f'{HOME_DIR}/dnx_system/signatures/domain_lists/{file}.domains', 'r') as file:
                    self.dom_signatures.extend([x.lower() for x in file.read().splitlines() if x and '#' not in x])
            except FileNotFoundError:
                self.Log.alert(f'Unable to locate {file}.domains file. Contact Support.')

        with open(f'{HOME_DIR}/dnx_system/signatures/domain_lists/blocked.domains', 'w+') as blocked:
            blocked.write('\n'.join(self.dom_signatures))

            # TODO: user defined categories will break the enum load on proxy / FIX
            # looping over all user defined categories
            for cat, settings in ud_cats:
                if (not settings['enabled']): continue

                # writing signatures to block file
                for signature in settings[1:]:
                    blocked.write(f'{signature} {cat}\n'.lower())

        # NOTE: nulling out signatures in memory so we dont have to wait for GC.
        self.dom_signatures = None
Beispiel #8
0
def load_page():
    dhcp_server = load_configuration('dhcp_server.json')['dhcp_server']
    dhcp_res_list = dhcp_server['reservations']

    return {'reservations': {
        m2s(mac): info for mac, info in dhcp_res_list.items()}
    }
Beispiel #9
0
    def _get_settings(self, cfg_file):
        ip_proxy = load_configuration(cfg_file)['ip_proxy']

        enabled = ip_proxy['time_restriction']['enabled']
        self._change_attribute('_enabled', enabled)

        self.initialize.done()
Beispiel #10
0
    def _get_settings(self, cfg_file):
        ips = load_configuration(cfg_file)['ips']

        self.IPS.ids_mode = ips['ids_mode']

        self.IPS.ddos_prevention = ips['ddos']['enabled']
        # ddos CPS configured thresholds
        tcp_src_limit = ips['ddos']['limits']['source']['tcp']
        udp_src_limit = ips['ddos']['limits']['source']['udp']
        icmp_src_limit = ips['ddos']['limits']['source']['icmp']
        self.IPS.connection_limits = {
            PROTO.ICMP: icmp_src_limit,
            PROTO.TCP: tcp_src_limit,
            PROTO.UDP: udp_src_limit
        }

        self.IPS.portscan_prevention = ips['port_scan']['enabled']
        self.IPS.portscan_reject = ips['port_scan']['reject']

        # checking length(hours) to leave IP Table Rules in place for hosts part of ddos attacks
        self.IPS.block_length = 0
        if (self.IPS.ddos_prevention and not self.IPS.ids_mode):
            self.IPS.block_length = ips['passive_block_ttl'] * ONE_HOUR

        # NOTE: this will provide a simple way to ensure very recently blocked hosts do not get their
        # rule removed if passive blocking is disabled.
        if (not self.IPS.block_length):
            self.IPS.block_length = TEN_MIN

        # src ips that will not trigger ips
        self.IPS.ip_whitelist = set(
            [IPv4Address(ip) for ip in ips['whitelist']['ip_whitelist']])

        self._cfg_change.set()
        self.initialize.done()
Beispiel #11
0
def set_dns_servers(dns_server_info):
    field = {1: 'primary', 2: 'secondary'}

    with ConfigurationManager('dns_server') as dnx:
        dns_server_settings = dnx.load_configuration()

        public_resolvers = dns_server_settings['dns_server']['resolvers']

        for i, (server_name, ip_address) in enumerate(dns_server_info.items(), 1):
            if (not server_name and ip_address):
                continue

            public_resolvers[field[i]].update({
                'name': server_name,
                'ip_address': ip_address
            })

        dnx.write_configuration(dns_server_settings)

    wan_information = load_configuration('config')['settings']
    interface = wan_information['interfaces']
    wan_dhcp = interface['wan']['dhcp']
    wan_int = interface['wan']['ident']
    if (not wan_dhcp):
        wan_ip = interface.get_ip_address(wan_int)

        wan_dfg = Interface.default_gateway(wan_int)
        cidr = System.standard_to_cidr(wan_netmask)

        # TODO: convert this to new module
        wan_netmask = Interface.netmask(wan_int)

        set_wan_interface({
            'ip_address': wan_ip, 'cidr': cidr, 'default_gateway': wan_dfg
        })
Beispiel #12
0
    def _get_settings(self, cfg_file):
        ip_proxy = load_configuration(cfg_file)['ip_proxy']

        cat_settings = ip_proxy['categories']
        geo_settings = ip_proxy['geolocation']

        cat_enabled = []
        for cat, setting in cat_settings.items():
            if (setting): cat_enabled.append(1)

            self.IPProxy.cat_settings[IPP_CAT[cat.upper()]] = DIR(setting)

        geo_enabled = []
        for cat, setting in geo_settings.items():
            if (setting): geo_enabled.append(1)

            # using enum for category key and direction value
            try:
                self.IPProxy.geo_settings[GEO[cat.title()]] = DIR(setting)
            except KeyError:
                continue  # NOTE: temporary while not all enums/countries are populated

        self.IPProxy.inspect_on = bool(cat_enabled or geo_enabled)
        self.IPProxy.cat_enabled = bool(cat_enabled)
        self.IPProxy.geo_enabled = bool(geo_enabled)
        self.IPProxy.ids_mode = ip_proxy['ids_mode']

        self.initialize.done()
Beispiel #13
0
def load_page():
    interface_settings = load_configuration('config')['settings']

    wan_int = interface_settings['interfaces']['wan']
    default_wan_mac = wan_int['default_mac']
    configured_wan_mac = wan_int['configured_mac']
    dhcp = wan_int['dhcp']
    wan_int = wan_int['ident']

    # TODO: migrate away from instace
    Int = Interface()
    wan_ip = Int.ip_address(wan_int)
    wan_netmask = Int.netmask(wan_int)
    wan_dfg = Int.default_gateway(wan_int)

    current_wan_mac = default_wan_mac if not configured_wan_mac else configured_wan_mac

    interface_settings = {
        'mac': {
            'default': default_wan_mac,
            'current': current_wan_mac
        },
        'ip': {
            'dhcp': dhcp,
            'ip_address': wan_ip,
            'netmask': wan_netmask,
            'default_gateway': wan_dfg
        }
    }

    return interface_settings
Beispiel #14
0
        def wrapper(*args):
            # will redirect to login page if user is not logged in
            username = session.get('username', None)

            session_tracker = load_configuration(
                'session_tracker', filepath='dnx_frontend')['active_users']
            # NOTE: this is dnx local tracking of sessions. not to be confused with flask session tracking
            dnx_session_data = session_tracker.get(username)
            if not dnx_session_data or dnx_session_data[
                    'remote_addr'] != request.remote_addr:
                return redirect(url_for('dnx_login'))

            # will redirect to not authorized page if the user role does not match
            # requirements for the page
            # user_role = Authentication.get_user_role(username) # NOTE: should be depricated by dnx session tracker
            if (dnx_session_data['user_role'] not in authorized_roles):
                session.pop('username', None)

                return render_template('dnx_not_authorized.html',
                                       navi=True,
                                       login_btn=True,
                                       idle_timeout=False)

            dnx_session_data['username'] = username

            # flask page function
            page_action = function_to_wrap(dnx_session_data)

            return page_action
Beispiel #15
0
    def _load_restriction(self):
        restriction = load_configuration('ip_proxy.json')
        offset_settings = load_configuration('logging_client.json')

        restriction_start = restriction['ip_proxy']['time_restriction'][
            'start']
        restriction_length = restriction['ip_proxy']['time_restriction'][
            'length']

        offset = offset_settings['logging']['time_offset']
        os_direction = offset['direction']
        os_amount = offset['amount']

        offset = int(f'{os_direction}{os_amount}') * 3600

        return restriction_start, restriction_length, offset
Beispiel #16
0
def load_page():
    logging_settings = load_configuration('logging_client')['logging']

    logging = logging_settings['logging']
    log_level = logging['level']
    log_length = logging['length']
    log_settings = {'level': log_level, 'length': log_length}

    time_offset = logging_settings['time_offset']
    offset_values = {
        'direction': time_offset['direction'],
        'amount': time_offset['amount']
    }

    system_time = System.format_date_time(fast_time())

    local_time = System.calculate_time_offset(fast_time())
    local_time = System.format_date_time(local_time)

    logging_settings = {
        'system': system_time,
        'local': local_time,
        'logging': log_settings,
        'offset': offset_values
    }

    return logging_settings
Beispiel #17
0
    def get_settings(self):
        dnx_settings = load_configuration('config')['settings']

        self.lan_int = dnx_settings['interfaces']['lan']['ident']
        self.wan_int = dnx_settings['interfaces']['wan']['ident']

        self.custom_chains = ['FIREWALL', 'NAT', 'DOH']
Beispiel #18
0
    def __init__(self):
        dnx_settings = load_configuration('config')['settings']

        self._wan_int = dnx_settings['interfaces']['wan']['ident']
        self._lan_int = dnx_settings['interfaces']['lan']['ident']

        self._iptables_lock_file = f'{HOME_DIR}/dnx_system/iptables.lock'
Beispiel #19
0
def load_page():
    logging_settings = load_configuration('logging_client')['logging']

    log = logging_settings['logging']

    # correcting time for configured offset.
    time_offset = logging_settings['time_offset']
    system_time = System.format_date_time(fast_time())
    local_time = System.calculate_time_offset(fast_time())
    local_time = System.format_date_time(local_time)

    logging_settings = {
        'system': system_time,
        'local': local_time,
        'offset': {
            'direction': time_offset['direction'],
            'amount': time_offset['amount']
        },
        'logging': {
            'log_levels': [level.title() for level in LOG_LEVELS],
            'level': log['level'],
            'length': log['length']
        }
    }

    return logging_settings
Beispiel #20
0
def syslog_settings(syslog_settings):
    syslog = load_configuration('syslog_client')['syslog']

    configured_syslog_servers = syslog['servers']
    if (not configured_syslog_servers):
        raise ValidationError(
            'Syslog servers must be configured before modifying client settings.'
        )

    tls_retry = convert_int(syslog_settings['tls_retry'])
    tcp_retry = convert_int(syslog_settings['tcp_retry'])
    tls_settings = syslog_settings['tls']
    syslog_settings = syslog_settings['syslog']

    if (tls_retry not in [5, 10, 60] and tcp_retry not in [5, 10, 30]):
        raise ValidationError('Syslog settings are not valid.')

    for item in tls_settings:
        if (item not in [
                'enabled', 'tcp_fallback', 'udp_fallback', 'self_signed'
        ]):
            raise ValidationError('Syslog settings are not valid.')

    for item in syslog_settings:
        if (item not in ['syslog_enabled', 'syslog_protocol']):
            raise ValidationError('Syslog settings are not valid.')

    if ('syslog_protocol' not in syslog_settings):
        if ('encrypted_syslog' in tls_settings):
            raise ValidationError('TCP must be enabled to enable TLS.')

        if ('tcp_fallback' in tls_settings):
            raise ValidationError('TLS must be enabled before TCP fallback.')
Beispiel #21
0
def set_dns_servers(dns_server_info):
    with ConfigurationManager('dns_server') as dnx:
        dns_server_settings = dnx.load_configuration()

        dns = dns_server_settings['dns_server']['resolvers']
        for i, (server_name, ip_address) in enumerate(dns_server_info.items(),
                                                      1):
            if (server_name and ip_address):
                server = dns[f'server{i}']
                server.update({'name': server_name, 'ip_address': ip_address})

        dnx.write_configuration(dns_server_settings)

    wan_information = load_configuration('config')
    interface = wan_information['settings']['interface']
    wan_dhcp = interface['wan']['dhcp']
    wan_int = interface['outside']
    if (not wan_dhcp):
        wan_ip = interface.get_ip_address(wan_int)
        wan_netmask = Interface.netmask(wan_int)
        wan_dfg = Interface.default_gateway(wan_int)

        cidr = System.standard_to_cidr(wan_netmask)

        wan_settings = {
            'ip_address': wan_ip,
            'cidr': cidr,
            'default_gateway': wan_dfg
        }
        set_wan_interface(wan_settings)
Beispiel #22
0
def load_page():
    users = load_configuration('logins')['users']

    userlist = {}
    for account, info in users.items():
        userlist[account] = ('*****', info['role'])

    return userlist
Beispiel #23
0
    def get_settings(self):
        dnx_settings = load_configuration('config')['settings']

        self._lan_int = dnx_settings['interfaces']['lan']['ident']
        self._wan_int = dnx_settings['interfaces']['wan']['ident']

        self.custom_filter_chains = ['GLOBAL_INTERFACE', 'WAN_INTERFACE', 'LAN_INTERFACE', 'DMZ_INTERFACE', 'NAT', 'DOH']
        self.custom_nat_chains = ['DSTNAT', 'SRCNAT']
Beispiel #24
0
    def _ip_whitelist(self, cfg_file):
        whitelist = load_configuration(cfg_file)

        ip_whitelist = set(whitelist['ips']['whitelist']['ip_whitelist'])
        if (self.whitelist_dns_servers):
            dns_servers_settings = load_configuration('dns_server.json')

            dns_servers = dns_servers_settings['dns_server']
            dns1 = dns_servers['resolvers']['server1']['ip_address']
            dns2 = dns_servers['resolvers']['server2']['ip_address']

            self.IPS.ip_whitelist = ip_whitelist.union({dns1, dns2})
        else:
            self.IPS.ip_whitelist = ip_whitelist

        self._cfg_change.set()
        self.initialize.done()
Beispiel #25
0
def dns_record_remove(dns_record_name):
    dns_server = load_configuration('dns_server')['dns_server']

    if (dns_record_name == 'dnx.firewall'):
        raise ValidationError('Cannot remove dnxfirewall dns record.')

    if (dns_record_name not in dns_server['records']):
        raise ValidationError(INVALID_FORM)
Beispiel #26
0
def load_page():
    ips = load_configuration('ips.json')['ips']

    passive_block_ttl = ips['passive_block_ttl']
    ids_mode = ips['ids_mode']

    # ddos settings
    ddos_enabled = ips['ddos']['enabled']
    tcp_src_limit = ips['ddos']['limits']['source']['tcp']
    udp_src_limit = ips['ddos']['limits']['source']['udp']
    icmp_src_limit = ips['ddos']['limits']['source']['icmp']
    ddos_settings = {
        'enabled': ddos_enabled,
        'tcp': tcp_src_limit,
        'udp': udp_src_limit,
        'icmp': icmp_src_limit
    }

    # portscan settings
    portscan_prevention = ips['port_scan']['enabled']
    portscan_reject = ips['port_scan']['reject']
    portscan_settings = {
        'enabled': portscan_prevention,
        'reject': portscan_reject
    }

    # ips host/ configured dns server whitelist
    ip_whitelist = ips['whitelist']['ip_whitelist']
    dns_server_whitelist = ips['whitelist']['dns_servers']

    ips_enabled = bool(ddos_enabled or portscan_prevention)

    # TODO: clean this shit up.
    tcp_nat = ips['open_protocols']['tcp']
    udp_nat = ips['open_protocols']['udp']

    nats_configured = tcp_nat or udp_nat
    if (not nats_configured):
        ddos_notify = True if not ddos_enabled else False
        ps_notify = True if not portscan_prevention else False
    else:
        ddos_notify = False
        ps_notify = False

    ips_settings = {
        'enabled': ips_enabled,
        'length': passive_block_ttl,
        'ids_mode': ids_mode,
        'ddos': ddos_settings,
        'port_scan': portscan_settings,
        'ddos_notify': ddos_notify,
        'ps_notify': ps_notify,
        'ip_whitelist': ip_whitelist,
        'dns_server_whitelist': dns_server_whitelist
    }

    return ips_settings
Beispiel #27
0
    def _load_leases(self):
        # print('[+] Loading leases from file.')
        dhcp_settings = load_configuration('dhcp_server')

        stored_leases = dhcp_settings['dhcp_server']['leases']
        self.update({
            IPv4Address(ip): lease_info
            for ip, lease_info in stored_leases.items()
        })
Beispiel #28
0
    def _load_top_domains(self):
        self._top_domains = fo.load_configuration('dns_cache')

        dom_list = reversed(list(self._top_domains))
        self._dom_counter = Counter(
            {dom: cnt
             for cnt, dom in enumerate(dom_list)})

        self._top_dom_filter = set(fo.load_top_domains_filter())
Beispiel #29
0
    def bandwidth():
        intstat = {}
        interface_bandwidth = load_configuration('interface_speed.json')
        for interface, value in interface_bandwidth.items():
            rx = str(round(int(value[0])/1024, 2)) + ' MB/s'
            tx = str(round(int(value[1])/1024, 2)) + ' MB/s'
            intstat[interface] = [rx, tx]
#        print(intstat)
        return intstat
Beispiel #30
0
 def _user_authorized(self, username, hexpass):
     local_accounts = load_configuration('logins')['users']
     try:
         password = local_accounts[username]['password']
     except KeyError:
         return False
     else:
         # returning True on password match else False
         return password == hexpass