#!/usr/bin/env python3 # # Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os from sys import exit from vyos.config import Config from vyos.template import render from vyos.utils.process import call from vyos import ConfigError from vyos import airbag airbag.enable() config_file = r'/run/fastnetmon/fastnetmon.conf' networks_list = r'/run/fastnetmon/networks_list' excluded_networks_list = r'/run/fastnetmon/excluded_networks_list' attack_dir = '/var/log/fastnetmon_attacks' def get_config(config=None): if config: conf = config else: conf = Config() base = ['service', 'ids', 'ddos-protection'] if not conf.exists(base): return None fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, with_recursive_defaults=True) return fastnetmon def verify(fastnetmon): if not fastnetmon: return None if 'mode' not in fastnetmon: raise ConfigError('Specify operating mode!') if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon: raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring") if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}): raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'") if 'alert_script' in fastnetmon: if os.path.isfile(fastnetmon['alert_script']): # Check script permissions if not os.access(fastnetmon['alert_script'], os.X_OK): raise ConfigError('Script "{alert_script}" is not executable!'.format(fastnetmon['alert_script'])) else: raise ConfigError('File "{alert_script}" does not exists!'.format(fastnetmon)) def generate(fastnetmon): if not fastnetmon: for file in [config_file, networks_list]: if os.path.isfile(file): os.unlink(file) return None # Create dir for log attack details if not os.path.exists(attack_dir): os.mkdir(attack_dir) render(config_file, 'ids/fastnetmon.j2', fastnetmon) render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon) render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon) return None def apply(fastnetmon): systemd_service = 'fastnetmon.service' if not fastnetmon: # Stop fastnetmon service if removed call(f'systemctl stop {systemd_service}') else: call(f'systemctl reload-or-restart {systemd_service}') return None if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)