#!/bin/sh
#######################################################################
# Script Name: install.sh
# Version: 2.5
# Description: Directadmin script for blocking of ips and reports to
# AbuseIPDB with csf firewall.
# Last Modify Date: 01102022
# Author(s): Alex Grebenschikov and Brent Dacus
# Email:brent[at]thedacus[dot]net
#######################################################################
csf="/usr/sbin/csf"
csf_conf="/etc/csf/csf.conf"
csf_pignore="/etc/csf/csf.pignore"
SSHD_PORT=$(grep "^Port" /etc/ssh/sshd_config | tail -2 | awk '{print $2}')

csf_install() {
    printf "CSF/LFD was not found on your server!\nGoing to install it.\n"

    [ -d "/usr/local/src/csf" ] && rm -rf /usr/local/src/csf
    cd /usr/local/src || exit
    wget --no-check-certificate -q https://download.configserver.com/csf.tgz -O csf.tgz
    tar -xzf csf.tgz

    [ -d "/usr/local/src/csf" ] || die "CSF/LFD failed to unpack!\nTerminating.\n" 2
    cd /usr/local/src/csf || exit

    check=$(./csftest.pl | grep -c "RESULT: csf should function on this server")
    if [ "$check" != "1" ]; then
        printf "***\nThere are some possible issues with csf/LFD on your server:\nCheck it now:\n***\n"
        ./csftest.pl
        printf "\n***\n"
        exit 2
    fi

    printf "CSF/LFD check passed, going further with installation.\n"
    sh ./install.sh

    [ -x "${csf}" ] || die "CSF/LFD failed to install!\nTerminating.\n" 2

    printf "Updating a list of trusted binaries in %s.\n" "${csf_pignore}"
    wget --no-check-certificate -q http://files.delaintech.com/csf/csf.pignore.custom -O csf.pignore.custom
    cat csf.pignore.custom >>"${csf_pignore}"
    rm -f csf.pignore.custom

    grep -E -v "^#|^$" "${csf_pignore}" | sort | uniq | tee "${csf_pignore}~bak"
    mv -f "${csf_pignore}~bak" "${csf_pignore}"

    printf "CSF/LFD was installed!\nConfiguration file can be found under %s.\n" "${csf_conf}"
    printf "\n***\n"
}

csf_reconfig() {
    printf "Updating a list of trusted binaries in %s.\n" "${csf_pignore}"
    wget --no-check-certificate -q http://files.delaintech.com/csf/csf.pignore.custom -O csf.pignore.custom
    cat csf.pignore.custom >>"${csf_pignore}"
    rm -f csf.pignore.custom

    grep -E -v "^#|^$" "${csf_pignore}" | sort | uniq | tee "${csf_pignore}~bak"
    mv -f "${csf_pignore}~bak" "${csf_pignore}"

    printf "***\nBacking up CSF config.\n***\n"
    cp -pf "${csf_conf}" "${csf_conf}~$(date +%s)"

    ipv6=$(ip -6 addr | grep -c "inet6")
    if [ "$ipv6" = "0" ]; then
        printf "IPV6 has no address.\nNot turning on IPV6 firewall.\n***\n"
    else
        printf "IPV6 has an address.\nTurning on IPV6 firewall.\n***\n"
        perl -pi -e 's/IPV6 = ".*"/IPV6 = "1"/g' "${csf_conf}"
    fi
    printf "Disabling emails from CSF/LFD about temporary blocks of an IP brute-forcing server.\n"
    perl -pi -e 's#^LF_EMAIL_ALERT = "1"#LF_EMAIL_ALERT = "0"#' "${csf_conf}"
    printf "Disabling emails from CSF/LFD about temporary blocks of an IP attacking Apache.\n"
    perl -pi -e 's#^LT_EMAIL_ALERT = "1"#LT_EMAIL_ALERT = "0"#' "${csf_conf}"
    printf "Disabling email from CSF/LFD about permament blocks of an IP.\n"
    perl -pi -e 's#^LF_PERMBLOCK_ALERT = "1"#LF_PERMBLOCK_ALERT = "0"#' "${csf_conf}"

    printf "Enabling CSF/LFD Netblock/Distattack.\n"
    perl -pi -e 's/LF_DISTATTACK = ".*"/LF_DISTATTACK = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_NETBLOCK = ".*"/LF_NETBLOCK = "1"/' "${csf_conf}"

    printf "Enabling CSF/LFD to scan logs.\n"
    perl -pi -e 's/LF_TRIGGER = ".*"/LF_TRIGGER = "3"/' "${csf_conf}"
    perl -pi -e 's/LF_TRIGGER_PERM = ".*"/LF_TRIGGER_PERM = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_SSHD = ".*"/LF_SSHD = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_FTPD = ".*"/LF_FTPD = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_SMTPAUTH = ".*"/LF_SMTPAUTH = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_EXIMSYNTAX = ".*"/LF_EXIMSYNTAX = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_POP3D = ".*"/LF_POP3D = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_IMAPD = ".*"/LF_IMAPD = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_HTACCESS = ".*"/LF_HTACCESS = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_MODSEC = ".*"/LF_MODSEC = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_DIRECTADMIN = ".*"/LF_DIRECTADMIN = "1"/' "${csf_conf}"

    printf "Enabling CSF/LFD Country Code Blocking.\n"
    perl -pi -e 's/LF_IPSET = ".*"/LF_IPSET = "1"/g' "${csf_conf}"
    perl -pi -e 's/LF_INTERVAL = ".*"/LF_INTERVAL = "90"/' "${csf_conf}"
    perl -pi -e 's/CC_SRC = ".*"/CC_SRC = "2"/g' "${csf_conf}"
    perl -pi -e 's/CC_DENY = ".*"/CC_DENY = "RU,CN,TR,IR,IQ,ID,KP"/g' "${csf_conf}"
    perl -pi -e 's/DENY_IP_LIMIT = ".*"/DENY_IP_LIMIT = "500"/' "${csf_conf}"

    printf "Opening SSH ports for incoming connections.\n***\n"
    grep -q -o "^TCP_IN.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP_IN = "(.*)"$/TCP_IN = "$1,14,1414"/' "${csf_conf}"
    grep -q -o "^TCP6_IN.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP6_IN = "(.*)"$/TCP6_IN = "$1,14,1414"/' "${csf_conf}"

    printf "Opening SSH ports for outgoing connections.\n***\n"
    grep -q -o "^TCP_OUT.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP_OUT = "(.*)"$/TCP_OUT = "$1,14,1414"/' "${csf_conf}"
    grep -q -o "^TCP6_OUT.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP6_OUT = "(.*)"$/TCP6_OUT = "$1,14,1414"/' "${csf_conf}"

    printf "Opening passive ports for FTP incoming connections.\n***\n"
    grep -q -o "^TCP_IN.*,35000:65535" "${csf_conf}" || perl -pi -e 's/^TCP_IN = "(.*)"$/TCP_IN = "$1,35000:65535"/' "${csf_conf}"
    grep -q -o "^TCP6_IN.*,35000:65535" "${csf_conf}" || perl -pi -e 's/^TCP6_IN = "(.*)"$/TCP6_IN = "$1,35000:65535"/' "${csf_conf}"

    printf "Opening passive ports for outgoing connections.\n***\n"
    grep -q -o "^TCP_OUT.*,35000:65535" "${csf_conf}" || perl -pi -e 's/^TCP_OUT = "(.*)"$/TCP_OUT = "$1,35000:65535"/' "${csf_conf}"
    grep -q -o "^TCP6_OUT.*,35000:65535" "${csf_conf}" || perl -pi -e 's/^TCP6_OUT = "(.*)"$/TCP6_OUT = "$1,35000:65535"/' "${csf_conf}"
    printf "Adding Block lists.\n***\n"
    cat >/etc/csf/csf.blocklists <<eol
# Spamhaus Don't Route Or Peer List (DROP)
# Details: https://www.spamhaus.org/drop/
SPAMDROP|86400|0|https://www.spamhaus.org/drop/drop.txt

# Spamhaus Extended DROP List (EDROP)
# Details: https://www.spamhaus.org/drop/
SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.txt

# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|10000|https://api.abuseipdb.com/api/v2/blacklist?&key=c13866e213ef23a0fbf2c57cd6474d63477dda0767a2a088249de1151f269157c48ab70a4dc0c531&plaintext&limit=20000
eol
    printf "Enabling CSF/LFD.\n***\n"
    perl -pi -e 's/^TESTING = "1"/TESTING = "0"/' "${csf_conf}"
    perl -pi -e 's/^RESTRICT_SYSLOG = "0"/RESTRICT_SYSLOG = "3"/' "${csf_conf}"
    perl -pi -e 's/^SYSLOG_CHECK = ".*"/SYSLOG_CHECK = "3600"/' "${csf_conf}"
    printf "\n***\n"

    [ -n "${SSHD_PORT}" ] || SSHD_PORT=22
    printf "Your SSH PORT is (%s).\nIt should be listed below as allowed.\n***\n" "${SSHD_PORT}"

    printf "\n***\n"
    printf "A list of opened ports in firewall.\n"
    grep -E "^(UD|TC)P(|6)_(IN|OUT)" "${csf_conf}" --color
    printf "\n***\n"
    printf "Reloading Firewall rules and LDF.\n***\n"
    csf -ra >/dev/null 2>&1
    service lfd restart >/dev/null 2>&1
    service csf restart >/dev/null 2>&1
}

die() {
    printf "%s \n***\n" "${1}"
    exit "$2"
}

[ -x "${csf}" ] || csf_install

[ -x "/usr/local/cpanel/cpanel" ] || die "cPanel not found!\nYou should install it first!\n" 1

csf_reconfig
printf "Done.\n***\nScripts installed!\n***\nInstallation complete!\n"
exit 0