authorjim-p <jimp@netgate.com>2019-03-12 15:46:28 -0400
committerjim-p <jimp@netgate.com>2019-03-12 15:47:44 -0400
commitd67449c6a3b6075a9ec4120842fa596e054a3826 (patch)
treeb311264f7b329cf636e4966aac332b85439ca2c1
parent922a1ae3d9d822bf68f17448756b1e2783d0cf85 (diff)
Use only sshguard table for blocking ssh/gui attacks. Issue #9223
(cherry picked from commit 555a9ab5c01101ddab7daa41f35d379d1c39b26e)
-rw-r--r--src/etc/inc/auth.inc2
-rw-r--r--src/etc/inc/filter.inc3
-rw-r--r--src/usr/local/www/diag_tables.php4
-rw-r--r--src/usr/local/www/guiconfig.inc1
4 files changed, 4 insertions, 6 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 60d5de9..21e9052 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -41,7 +41,7 @@ if (function_exists("display_error_form")) {
* lockout table before processing a request */
/* Fetch the contents of the lockout table. */
- exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries);
+ exec("/sbin/pfctl -t 'sshguard' -T show", $entries);
/* If the client is in the lockout table, print an error, kill states, and exit */
if (in_array($_SERVER['REMOTE_ADDR'], array_map('trim', $entries))) {
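Review bot: The lockout check around the changed `exec()` line fails open, because the exit status of pfctl is never captured: if the command fails, `$entries` stays empty and the request is processed as if the client were not blocked. The check also compares `$_SERVER['REMOTE_ADDR']` against the listing by exact string, which would miss any entry pfctl prints as a network rather than a single host address; whether sshguard ever adds such entries is not visible here and is worth confirming now that the table is shared. Consider capturing the status with `exec("/sbin/pfctl -t 'sshguard' -T show", $entries, $rc);`, handling a non-zero `$rc` explicitly, and passing `true` as the third argument of `in_array()`. The enclosing `if` block starts and ends outside the hunk.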
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 5bc6087..6fd450f 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -751,7 +751,6 @@ function filter_generate_aliases() {
$aliases .= "\n#SSH Lockout Table\n";
$aliases .= "table <sshguard> persist\n";
- $aliases .= "table <webConfiguratorlockout> persist\n";
$aliases .= "#Snort tables\n";
$aliases .= "table <snort2c>\n";
@@ -3364,7 +3363,7 @@ EOD;
$webConfiguratorlockoutport = $config['system']['webgui']['port'];
}
if ($webConfiguratorlockoutport) {
- $ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
+ $ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"GUI Lockout\"\n";
}
$saved_tracker += 100;
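Review bot: The rule built in this hunk now blocks the GUI port for every address in `<sshguard>`, so a client locked out for SSH failures also loses GUI access, and nothing near the rule says so. A comment above the `$ipfrules .=` line would make that explicit, for example `/* <sshguard> is shared by the SSH and GUI lockouts; any address in it is blocked on the GUI port */`. The label also changes from `webConfiguratorlockout` to `GUI Lockout`, so anything that matches rules or log entries by the old label (not visible in this hunk) would need updating. The enclosing function starts and ends outside the hunk.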
diff --git a/src/usr/local/www/diag_tables.php b/src/usr/local/www/diag_tables.php
index af83215..6b2d007 100644
--- a/src/usr/local/www/diag_tables.php
+++ b/src/usr/local/www/diag_tables.php
@@ -125,8 +125,8 @@ if ($savemsg) {
print_info_box($savemsg, 'success');
}
-if ($tablename == "webConfiguratorlockout") {
- $displayname = gettext("webConfigurator Lockout Table");
+if ($tablename == "sshguard") {
+ $displayname = gettext("SSH and GUI Lockout Table");
} else {
$displayname = sprintf(gettext("%s Table"), ucfirst($tablename));
}
diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc
index 2f70ab6..2c48531 100644
--- a/src/usr/local/www/guiconfig.inc
+++ b/src/usr/local/www/guiconfig.inc
@@ -91,7 +91,6 @@ $reserved_table_names = array(
"tonatsubnets",
"virusprot",
"vpn_networks",
- "webConfiguratorlockout"
);
$firewall_rules_dscp_types = array(