diff options
| author | Karel Kočí <cynerd@email.cz> | 2020-07-11 16:06:13 +0200 |
|---|---|---|
| committer | Karel Kočí <cynerd@email.cz> | 2020-07-11 16:06:13 +0200 |
| commit | 2f31048b9123444aed7559b72c56645d73379e4b (patch) | |
| tree | b7ec0953b884ea2be3815adc8e488327d8871dd0 | |
| parent | c1fac266afb99c28ffbb8213d8cf1f6c19a5b13b (diff) | |
| download | openwrt-personal-pkgs-2f31048b9123444aed7559b72c56645d73379e4b.tar.gz openwrt-personal-pkgs-2f31048b9123444aed7559b72c56645d73379e4b.tar.bz2 openwrt-personal-pkgs-2f31048b9123444aed7559b72c56645d73379e4b.zip | |
sentinel-minipot: include latest turris-os-version
| -rw-r--r-- | sentinel-minipot/Makefile | 57 | ||||
| -rwxr-xr-x | sentinel-minipot/files/init | 23 | ||||
| -rw-r--r-- | sentinel-minipot/files/restart-minipot-hook.sh | 5 | ||||
| -rw-r--r-- | sentinel-minipot/files/sentinel-firewall.sh | 33 | ||||
| -rw-r--r-- | sentinel-minipot/files/uci-defaults | 25 |
5 files changed, 143 insertions, 0 deletions
diff --git a/sentinel-minipot/Makefile b/sentinel-minipot/Makefile new file mode 100644 index 0000000..2db0833 --- /dev/null +++ b/sentinel-minipot/Makefile @@ -0,0 +1,57 @@ +# +## Copyright (C) 2018-2020 CZ.NIC z.s.p.o. (https://www.nic.cz/) +# +## This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# # +# +include $(TOPDIR)/rules.mk + +PKG_NAME:=sentinel-minipot +PKG_VERSION:=1 +PKG_RELEASE:=10 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/minipot.git +PKG_SOURCE_VERSION:=ebc6c8f96202b6c122fcc8f94b9413ec6bfd2e4f + +PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz> +PKG_LICENSE:=GPL-3.0-or-later + +PKG_FIXUP:=autoreconf + +include $(INCLUDE_DIR)/package.mk + +define Package/sentinel-minipot + SECTION:=net + CATEGORY:=Network + SUBMENU:=Sentinel + TITLE:=Minipots + URL:=https://gitlab.nic.cz/turris/sentinel/minipot + DEPENDS:=\ + +czmq \ + +libevent2 \ + +msgpack-c \ + +sentinel-firewall \ + +sentinel-proxy +endef + +define Package/sentinel-minipot/description + Sentinel minipots. These are minimal honeypots. Implements protocols: telnet +endef + +define Package/sentinel-minipot/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/sentinel_minipot $(1)/usr/bin/sentinel-minipot + + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/init $(1)/etc/init.d/sentinel-minipot + $(INSTALL_DIR) $(1)/etc/uci-defaults + $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99-sentinel-minipot-telnet + $(INSTALL_DIR) $(1)/usr/libexec/sentinel/firewall.d + $(INSTALL_BIN) ./files/sentinel-firewall.sh $(1)/usr/libexec/sentinel/firewall.d/70-minipot.sh + + $(INSTALL_DIR) $(1)/usr/libexec/sentinel/reload_hooks.d + $(INSTALL_BIN) ./files/restart-minipot-hook.sh $(1)/usr/libexec/sentinel/reload_hooks.d/60_minipot.sh +endef + +$(eval $(call BuildPackage,sentinel-minipot)) diff --git a/sentinel-minipot/files/init b/sentinel-minipot/files/init new file mode 100755 index 0000000..0b504c1 --- /dev/null +++ b/sentinel-minipot/files/init @@ -0,0 +1,23 @@ +#!/bin/sh /etc/rc.common + +USE_PROCD=1 +START=99 +STOP=10 + +DEFAULT_TELNET_PORT=2333 + +start_service() { + source /lib/functions/sentinel.sh + allowed_to_run "minipot" || return 1 + + config_load sentinel + local telnet_port + config_get telnet_port minipot telnet_port "$DEFAULT_TELNET_PORT" + + procd_open_instance + procd_set_param command /usr/bin/sentinel-minipot + [ "$telnet_port" = "0" ] || procd_append_param command -T "$telnet_port" + procd_set_param respawn 3600 5 5 + procd_set_param file /etc/config/sentinel + procd_close_instance +} diff --git a/sentinel-minipot/files/restart-minipot-hook.sh b/sentinel-minipot/files/restart-minipot-hook.sh new file mode 100644 index 0000000..f316413 --- /dev/null +++ b/sentinel-minipot/files/restart-minipot-hook.sh @@ -0,0 +1,5 @@ +#!/bin/sh +# restart Sentinel:Minipot service +/etc/init.d/sentinel-minipot restart +# Reload firewall to apply redirect +/etc/init.d/firewall reload diff --git a/sentinel-minipot/files/sentinel-firewall.sh b/sentinel-minipot/files/sentinel-firewall.sh new file mode 100644 index 0000000..9c51268 --- /dev/null +++ b/sentinel-minipot/files/sentinel-firewall.sh @@ -0,0 +1,33 @@ +#!/bin/sh +set -e +SF_DIR="${0%/*}" +. "$SF_DIR/common.sh" +. /lib/functions.sh +. /lib/functions/sentinel.sh + +allowed_to_run "minipot" 2>/dev/null || return 0 + + +config_load "sentinel" +config_get telnet_port "minipot" "telnet_port" "2333" + + +port_redirect_zone() { + local config_section="$1" + local zone enabled + config_get zone "$config_section" "name" + config_get_bool enabled "$config_section" "sentinel_minipot" "0" + [ "$enabled" = "1" ] || return 0 + + [ "$telnet_port" = "0" ] || \ + iptables_redirect "$zone" 23 "$telnet_port" "Minipot Telnet" +} + +config_load "firewall" +config_foreach port_redirect_zone "zone" + + +if source_if_exists "$SF_DIR/dynfw-utils.sh"; then + [ "$telnet_port" = "0" ] || \ + bypass_dynamic_firewall "tcp" "23" "Minipot Telnet" +fi diff --git a/sentinel-minipot/files/uci-defaults b/sentinel-minipot/files/uci-defaults new file mode 100644 index 0000000..f90516c --- /dev/null +++ b/sentinel-minipot/files/uci-defaults @@ -0,0 +1,25 @@ +#!/bin/sh +set -e +. /lib/functions/sentinel-firewall.sh + +# Minipot entry in sentinel config +if [ "$(uci -q get sentinel.minipot)" != "minipot" ]; then + uci -q batch <<EOT + delete sentinel.minipot + set sentinel.minipot='minipot' + commit sentinel.minipot +EOT +fi + +# Remove old firewall rules +[ -z "$(uci -q get firewall.sentinel_minipot_telnet_mark)" ] || \ + uci -q delete firewall.sentinel_minipot_telnet_mark +[ -z "$(uci -q get firewall.sentinel_minipot_telnet)" ] || \ + uci -q delete firewall.sentinel_minipot_telnet + + +# Enable for wan interface in default +config_firewall_default_enable "sentinel_minipot" + +# Always reload firewall to use latest version of sentinel-firewall script +/etc/init.d/firewall reload |