author | jim-p <jimp@netgate.com> | 2019-03-12 15:46:28 -0400 |
---|---|---|
committer | jim-p <jimp@netgate.com> | 2019-03-12 15:47:44 -0400 |
commit | d67449c6a3b6075a9ec4120842fa596e054a3826 (patch) | |
tree | b311264f7b329cf636e4966aac332b85439ca2c1 | |
parent | 922a1ae3d9d822bf68f17448756b1e2783d0cf85 (diff) | |
Use only sshguard table for blocking ssh/gui attacks. Issue #9223
(cherry picked from commit 555a9ab5c01101ddab7daa41f35d379d1c39b26e)
-rw-r--r-- | src/etc/inc/auth.inc | 2 | ||||
-rw-r--r-- | src/etc/inc/filter.inc | 3 | ||||
-rw-r--r-- | src/usr/local/www/diag_tables.php | 4 | ||||
-rw-r--r-- | src/usr/local/www/guiconfig.inc | 1 |
4 files changed, 4 insertions, 6 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 60d5de9..21e9052 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -41,7 +41,7 @@ if (function_exists("display_error_form")) {
 * lockout table before processing a request */
 /* Fetch the contents of the lockout table. */
- exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries);
+ exec("/sbin/pfctl -t 'sshguard' -T show", $entries);
 /* If the client is in the lockout table, print an error, kill states, and exit */
 if (in_array($_SERVER['REMOTE_ADDR'], array_map('trim', $entries))) {
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 5bc6087..6fd450f 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -751,7 +751,6 @@ function filter_generate_aliases() {
 $aliases .= "\n#SSH Lockout Table\n";
 $aliases .= "table <sshguard> persist\n";
- $aliases .= "table <webConfiguratorlockout> persist\n";
 $aliases .= "#Snort tables\n";
 $aliases .= "table <snort2c>\n";
@@ -3364,7 +3363,7 @@ EOD;
 $webConfiguratorlockoutport = $config['system']['webgui']['port'];
 }
 if ($webConfiguratorlockoutport) {
- $ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
+ $ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"GUI Lockout\"\n";
 }
 $saved_tracker += 100;
diff --git a/src/usr/local/www/diag_tables.php b/src/usr/local/www/diag_tables.php
index af83215..6b2d007 100644
--- a/src/usr/local/www/diag_tables.php
+++ b/src/usr/local/www/diag_tables.php
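Review bot: The lockout check in the auth.inc hunk matches `$_SERVER['REMOTE_ADDR']` against the `pfctl -T show` output by exact string, so a client covered by a network entry, or whose IPv6 address pf prints in a different textual form, would not be recognised. This matters more now that the lookup reads `sshguard`, whose entries are presumably written by the sshguard daemon rather than only by GUI code. The `exec()` exit status is also ignored, so a failing pfctl is indistinguishable from an empty table. Asking pf to do the match avoids the string comparison: `exec("/sbin/pfctl -t 'sshguard' -T test " . escapeshellarg($_SERVER['REMOTE_ADDR']), $out, $rc);` followed by `if ($rc === 0) {`, after confirming pfctl's exit status for a non-match. The enclosing `if (function_exists("display_error_form"))` block starts and ends outside the hunk.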
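Review bot: The GUI block rule in the second filter.inc hunk (`from <sshguard> to (self) port {$webConfiguratorlockoutport}`) now depends on a table shared with SSH lockout, and nothing at the rule records that. A short comment above the `$ipfrules .=` line would help, e.g. `/* <sshguard> is shared by SSH and GUI lockout; an address blocked for one service is blocked for both */`. The guiconfig.inc hunk removes `webConfiguratorlockout` from `$reserved_table_names` and the start of that array is outside the hunk, so it is worth confirming that `sshguard` is in the list and a user-defined alias cannot reuse the name. The label change to `GUI Lockout` may also affect any log filter or alert keyed on the old `webConfiguratorlockout` label. The enclosing function starts and ends outside the hunk.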
@@ -125,8 +125,8 @@ if ($savemsg) {
 print_info_box($savemsg, 'success');
 }
-if ($tablename == "webConfiguratorlockout") {
- $displayname = gettext("webConfigurator Lockout Table");
+if ($tablename == "sshguard") {
+ $displayname = gettext("SSH and GUI Lockout Table");
 } else {
 $displayname = sprintf(gettext("%s Table"), ucfirst($tablename));
 }
diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc
index 2f70ab6..2c48531 100644
--- a/src/usr/local/www/guiconfig.inc
+++ b/src/usr/local/www/guiconfig.inc
@@ -91,7 +91,6 @@ $reserved_table_names = array(
 "tonatsubnets",
 "virusprot",
 "vpn_networks",
- "webConfiguratorlockout"
 );
 $firewall_rules_dscp_types = array( |