From 571ea4847a9463d3f1c4b607712ec74f05a09a75 Mon Sep 17 00:00:00 2001 From: Christian David Date: Thu, 6 Dec 2018 14:33:42 -0300 Subject: [PATCH] Juniper Implementation (#747) --- .gitmodules | 3 + src/juniper_plugin/README.md | 65 ++++++++++++ src/juniper_plugin/fastnetmon_juniper.php | 121 ++++++++++++++++++++++ src/juniper_plugin/netconf | 1 + src/juniper_plugin/notify_about_attack.sh | 17 +++ 5 files changed, 207 insertions(+) create mode 100644 .gitmodules create mode 100644 src/juniper_plugin/README.md create mode 100644 src/juniper_plugin/fastnetmon_juniper.php create mode 160000 src/juniper_plugin/netconf create mode 100755 src/juniper_plugin/notify_about_attack.sh diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..6c8d5f5 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "src/juniper_plugin/netconf"] + path = src/juniper_plugin/netconf + url = https://github.com/Juniper/netconf-php.git diff --git a/src/juniper_plugin/README.md b/src/juniper_plugin/README.md new file mode 100644 index 0000000..84d3c05 --- /dev/null +++ b/src/juniper_plugin/README.md @@ -0,0 +1,65 @@ +Juniper FastNetMon plug-in +=========== + +Overview +-------- +Connects to a Juniper router and adds or removes a blackhole rule for an attack by IP address. + +The actions can be modified such as adding a firewall rule. + +This script uses the Juniper NETCONF PHP API. More information about this can be found at the following URL: + * https://github.com/Juniper/netconf-php + +Installation +------------ + +#### Prerequisite +You must have a user and netconf enabled on your Juniper + +to enable netconf go to your cli and type: +``` +user@host> configure +user@host# set netconf ssh +``` +if you wish to change netconf port instead of +``` +user@host# set netconf ssh +``` +use +``` +user@host# set netconf ssh port +``` + +Install php to your server: +``` +sudo apt-get install php-cli php +``` + +#### Process +1. Configure the router in the ```fastnetmon_juniper.php``` file +``` +$cfg['hostname'] = "10.0.0.1"; // Juniper IP +$cfg['port'] = 880; //NETCONF Port +$cfg['username'] = "user"; //user +$cfg['password'] = "password"; //pass +``` +2. Change the ```notify_about_attack.sh``` with the new to run the PHP script + +This is the first buggy version, you are welcome to add more features. + +3. Set executable bit ```sudo chmod +x /etc/fastnetmon/scripts/notify_about_attack.sh``` + +4. For FastNetMon Advanced, please disable details: + +``` +sudo fcli set main notify_script_pass_details disable +sudo fcli commit +``` + +Changelog +--------- +v1.0 - 5 Dec 18 - Initial version + +Author: Christian David + +Based on Mikrotik Plugin by Maximiliano Dobladez \ No newline at end of file diff --git a/src/juniper_plugin/fastnetmon_juniper.php b/src/juniper_plugin/fastnetmon_juniper.php new file mode 100644 index 0000000..4b51c71 --- /dev/null +++ b/src/juniper_plugin/fastnetmon_juniper.php @@ -0,0 +1,121 @@ +#!/usr/bin/php + + * + * Credits for the Netconf API By Juniper/netconf-php + * Script based on Mikrotik Plugin by Maximiliano Dobladez + * + * Made based on a MX5 CLI and not tested yet, please feedback-us in Issues on github + * + * LICENSE: GPLv2 GNU GENERAL PUBLIC LICENSE + * + * + * v1.0 - 5 Dec 18 - initial version + ******************************/ + +define( "_VER", '1.0' ); + +$date = date("Y-m-d H:i:s", time()); + +// You need to enable NETCONF on your juniper +// https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/netconf-ssh-connection-establishing.html#task-netconf-service-over-ssh-enabling +$cfg['hostname'] = "10.0.0.1"; // Juniper IP +$cfg['port'] = 880; //NETCONF Port +$cfg['username'] = "user"; //user +$cfg['password'] = "password"; //pass + +/* +PARAMS( + $argv[1] = STRING (IP) + $argv[2] = STRING (ATTACK DIRECTION) + $argv[3] = STRING (PPS) + $argv[4] = STRING (ACTION = BAN OR UNBAN) +) +*/ +$IP_ATTACK = $argv[ 1 ]; +$DIRECTION_ATTACK = $argv[ 2 ]; +$POWER_ATTACK = $argv[ 3 ]; +$ACTION_ATTACK = $argv[ 4 ]; +if ( $argc <= 4 ) { + $msg .= "Juniper API Integration for FastNetMon - Ver: " . _VER . "\n"; + $msg .= "missing arguments"; + $msg .= "php fastnetmon_juniper.php [IP] [data_direction] [pps_as_string] [action] \n"; + echo $msg; + exit( 1 ); +} +//NOTE help +if ( $argv[ 1 ] == "help" ) { + $msg = "Juniper API Integration for FastNetMon - Ver: " . _VER; + echo $msg; + exit( 1 ); +} + +require_once "netconf/netconf/Device.php"; +$conn = new Device($cfg); +switch($ACTION_ATTACK){ + case 'ban': + try{ + $desc = 'FastNetMon Guard: IP '. $IP_ATTACK .' unblocked because '. $DIRECTION_ATTACK .' attack with power '. $POWER_ATTACK .' pps | at '.$fecha_now; + $conn->connect(); //Try conect or catch NetconfException (Wrong username, Timeout, Device not found, etc) + $locked = $conn->lock_config(); //Equivalent of "configure exclusive" on Juniper CLI + if($locked){ + //Community 65535:666 = BLACKHOLE + $conn->load_set_configuration("set routing-options static route {$IP_ATTACK} community 65535:666 discard"); + $conn->commit(); + } + $conn->unlock(); //Unlock the CLI + $conn->close(); //Close the connection + _log($desc); + + } + catch(NetconfException $e){ + $msg = "Couldn't connect to " . $cfg['hostname'] . '\nLOG: '.$e; + _log( $msg ); + echo $msg; + exit( 1 ); + } + break; + case 'unban': + try{ + $desc = 'FastNetMon Guard: IP '. $IP_ATTACK .' remove from blacklist.'; + $conn->connect(); //Try conect or catch NetconfException (Wrong username, Timeout, Device not found, etc) + $locked = $conn->lock_config(); //Equivalent of "configure exclusive" on Juniper CLI + if($locked){ + $conn->load_set_configuration("delete routing-options static route {$IP_ATTACK}/32"); + $conn->commit(); + } + $conn->unlock(); //Unlock the CLI + $conn->close(); //Close the connection + _log($desc); + } + catch(NetconfException $e){ + $msg = "Couldn't connect to " . $cfg['hostname'] . '\nLOG: '.$e; + _log( $msg ); + echo $msg; + exit( 1 ); + } + break; + default: + $msg = "Juniper API Integration for FastNetMon - Ver: " . _VER; + echo $msg; + exit( 1 ); + break; +} +/** + * [_log Write a log file] + * @param [type] $msg [text to log] + * @return [type] + */ +function _log( $msg ) { + $FILE_LOG_TMP = "/tmp/fastnetmon_api_juniper.log"; + if ( !file_exists( $FILE_LOG_TMP ) ) exec( "echo `date` \"- [FASTNETMON] - " . $msg . " \" > " . $FILE_LOG_TMP ); + else exec( "echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP ); + +} +?> diff --git a/src/juniper_plugin/netconf b/src/juniper_plugin/netconf new file mode 160000 index 0000000..652a8b6 --- /dev/null +++ b/src/juniper_plugin/netconf @@ -0,0 +1 @@ +Subproject commit 652a8b61c27bbe627c752569a489bcb455b31b67 diff --git a/src/juniper_plugin/notify_about_attack.sh b/src/juniper_plugin/notify_about_attack.sh new file mode 100755 index 0000000..b0b941d --- /dev/null +++ b/src/juniper_plugin/notify_about_attack.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +# +# Fastnetmon: Juniper plugin +# +# Author: - info@mkesolutions.net - http://maxid.com.ar +# Modified by Christian David for juniper implementation +# +# This script will get following params: +# $1 client_ip_as_string +# $2 data_direction +# $3 pps_as_string +# $4 action (ban or unban) + + +php -f /opt/fastnetmon/fastnetmon_juniper.php $1 $2 $3 $4 +exit 0 + \ No newline at end of file