From c9f38fb3417e89889b21d5207fdb8929eb1ff2df Mon Sep 17 00:00:00 2001
From: Azhar Desai
Date: Thu, 17 Oct 2024 18:11:05 +0200
Subject: [PATCH] iptables simplify
---
 bin/opencanary.tac | 4 +---
 docs/starting/configuration.rst | 1 -
 opencanary/__init__.py | 16 ----------------
 opencanary/config.py | 9 ---------
 opencanary/modules/portscan.py | 27 ++++++++++-----------------
 5 files changed, 11 insertions(+), 46 deletions(-)
diff --git a/bin/opencanary.tac b/bin/opencanary.tac
index 44f933d..bc5523f 100644
--- a/bin/opencanary.tac
+++ b/bin/opencanary.tac
@@ -4,7 +4,7 @@ import sys
 from twisted.application import service
 from pkg_resources import iter_entry_points
 
-from opencanary.config import config, is_docker, detectIPTables
+from opencanary.config import config, is_docker
 from opencanary.logger import getLogger
 from opencanary.modules.http import CanaryHTTP
 from opencanary.modules.https import CanaryHTTPS
@@ -84,8 +84,6 @@ if sys.platform.startswith("linux"):
     if config.moduleEnabled("portscan") and is_docker():
         # Remove portscan if running in DOCKER (specified in Dockerfile)
         print("Can't use portscan in Docker. Portscan module disabled.")
-    elif config.moduleEnabled("portscan") and not detectIPTables():
-        print("Can't use portscan without iptables. Please install iptables.")
     else:
         from opencanary.modules.portscan import CanaryPortscan
 
diff --git a/docs/starting/configuration.rst b/docs/starting/configuration.rst
index 69d5e83..56aabce 100644
--- a/docs/starting/configuration.rst
+++ b/docs/starting/configuration.rst
@@ -41,7 +41,6 @@ For this configuration, you will need to set up your own Windows File Share. Ple
 `portscan` - a log watcher that works with iptables to monitor when your Opencanary is being scanned. At this stage, the portscan module supports the detection of Nmap OS, Nmap FIN, Nmap OS, Nmap NULL, and normal port scans.
-`portscan.iptables_path` is available for you to specify the path to your `iptables` binary.
 Logger Configuration
 --------------------
diff --git a/opencanary/__init__.py b/opencanary/__init__.py
index 71bdcd7..8e6093e 100644
--- a/opencanary/__init__.py
+++ b/opencanary/__init__.py
@@ -1,21 +1,5 @@
 import os
-import shutil
-import subprocess
 
 __version__ = "0.9.5"
 STDPATH = os.pathsep.join(["/usr/bin", "/bin", "/usr/sbin", "/sbin"])
-
-
-def safe_exec(binary_name: str, args: list) -> bytes:
-    """
-    Executes the given binary with the given arguments as a subprocess. What makes this safe is that the binary name
-    is not executed as an alias, and only binaries that live in trusted system locations are executed. This means that
-    only system-wide binaries are executable.
-    """
-    exec_path = shutil.which(binary_name, path=STDPATH)
-    if exec_path is None:
-        raise Exception(f"Could not find executable ${binary_name} in ${STDPATH}")
-
-    args.insert(0, exec_path)
-    return subprocess.check_output(args)
diff --git a/opencanary/config.py b/opencanary/config.py
index 5a621f2..f92d9f0 100644
--- a/opencanary/config.py
+++ b/opencanary/config.py
@@ -8,7 +8,6 @@ from os.path import expanduser
 from pkg_resources import resource_filename
 from pathlib import Path
-from . import safe_exec
 SAMPLE_SETTINGS = resource_filename(__name__, "data/settings.json")
 SETTINGS = "opencanary.conf"
@@ -36,13 +35,6 @@ def is_docker():
     )
 
 
-def detectIPTables():
-    if shutil.which("iptables"):
-        return True
-    else:
-        return False
-
-
 SERVICE_REGEXES = {
     "ssh.version": r"(SSH-(2.0|1.5|1.99|1.0)-([!-,\-./0-~]+(:?$|\s))(?:[ -~]*)){1,253}$",
 }
@@ -77,7 +69,6 @@ def __init__(self, configfile=SETTINGS):
             print("[-] Failed to open %s for reading (%s)" % (fname, e))
         except ValueError as e:
             print("[-] Failed to decode json from %s (%s)" % (fname, e))
-            safe_exec("cp", ["-r", fname, "/var/tmp/config-err-$(date +%%s)"])
         except Exception as e:
             print("[-] An error occurred loading %s (%s)" % (fname, e))
         if self.__config is None:
diff --git a/opencanary/modules/portscan.py b/opencanary/modules/portscan.py
index cb6cb71..d48ad8a 100644
--- a/opencanary/modules/portscan.py
+++ b/opencanary/modules/portscan.py
@@ -1,7 +1,8 @@
 from opencanary.modules import CanaryService
 from opencanary.modules import FileSystemWatcher
-from opencanary import safe_exec
+from opencanary import STDPATH
 import os
+import subprocess
 import shutil
 
 
@@ -66,11 +67,6 @@ def handleLines(self, lines=None): # noqa: C901
 
         self.logger.log(data)
 
-
-def detectNFTables():
-    return b"nf_tables" in safe_exec("iptables", ["--version"])
-
-
 class CanaryPortscan(CanaryService):
     NAME = "portscan"
 
@@ -85,18 +81,8 @@ def __init__(self, config=None, logger=None):
             "portscan.ignore_localhost", default=False
         )
         self.ignore_ports = config.getVal("portscan.ignore_ports", default=[])
-        self.iptables_path = self.config.getVal("portscan.iptables_path", False)
         self.config = config
 
-    def getIptablesPath(self):
-        if self.iptables_path:
-            return self.iptables_path
-
-        if detectNFTables():
-            return shutil.which("iptables-legacy")
-
-        return shutil.which("iptables") or "/sbin/iptables"
-
     def startYourEngines(self, reactor=None):
         # Logging rules for loopback interface.
         # This is separate from the canaryfw rule as the canary watchdog was
@@ -117,7 +103,14 @@ def configUpdated(
         pass
 
     def set_iptables_rules(self):
-        iptables_path = self.getIptablesPath()
+        iptables_path = shutil.which("iptables-legacy", STDPATH) or shutil.which("iptables", STDPATH)
+
+        if not iptables_path:
+            raise Exception("Portscan module failed to start as iptables cannot be found. Please install iptables.")
+
+        if b"nf_tables" in subprocess.check_output([iptables_path, "--version"]):
+            raise Exception("Portscan module failed to start as iptables-legacy cannot be found. Please install iptables-legacy")
+
         os.system(
             'sudo {0} -t mangle -D PREROUTING -p tcp -i lo -j LOG --log-level=warning --log-prefix="canaryfw: " -m limit --limit="{1}/hour"'.format(
                 iptables_path, self.lorate
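Review bot: In the new `iptables_path =` line STDPATH is passed as the second positional argument of `shutil.which`, which is `mode`, not `path`, so the lookup still walks the process `$PATH` and, once a candidate file exists there, `os.access()` presumably rejects the string with a `TypeError`; either way the restriction to trusted system directories that the removed `safe_exec` enforced with `path=STDPATH` is not in effect for a binary that this method then runs under `sudo` through `os.system`. Pass it by keyword on both calls: `iptables_path = shutil.which("iptables-legacy", path=STDPATH) or shutil.which("iptables", path=STDPATH)`. The `subprocess.check_output([iptables_path, "--version"])` probe also raises `CalledProcessError` on a non-zero exit, which neither `raise Exception` branch covers; catching it, or using `subprocess.run` and checking `returncode`, would report that failure with the same "failed to start" message instead of a bare traceback. set_iptables_rules continues past the end of the hunk.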