#!/bin/sh
#######################################################################
# Script Name: install.sh
# Version: 2.5
# Description: Directadmin script for blocking of ips and reports to
# AbuseIPDB with csf firewall.
# Last Modify Date: 01102022
# Author(s): Alex Grebenschikov and Brent Dacus
# Email:brent[at]thedacus[dot]net
#######################################################################
csf="/usr/sbin/csf"
dir="/usr/local/directadmin/scripts/custom/"
da_conf="/usr/local/directadmin/conf/directadmin.conf"
csf_conf="/etc/csf/csf.conf"
csf_pignore="/etc/csf/csf.pignore"
SSHD_PORT=$(grep "^Port" /etc/ssh/sshd_config | tail -2 | awk '{print $2}')
do_install() {
    printf "Installing %s into %s.\n" "${1}" "${dir}"
    if [ -f "${1}" ]; then
        rm -f "${1}.bak"
        cp -f "${1}" "${1}.bak"
        chmod 600 "${1}.bak"
    fi
    wget --no-check-certificate -q -O "${1}" "${2}"
    chmod 700 "${1}"
    chown diradmin:diradmin "${1}"
}

csf_install() {
    printf "CSF/LFD was not found on your server!\nGoing to install it.\n"

    [ -d "/usr/local/src/csf" ] && rm -rf /usr/local/src/csf
    cd /usr/local/src || exit
    wget --no-check-certificate -q https://download.configserver.com/csf.tgz -O csf.tgz
    tar -xzf csf.tgz

    [ -d "/usr/local/src/csf" ] || die "CSF/LFD failed to unpack!\nTerminating.\n" 2
    cd /usr/local/src/csf || exit

    check=$(./csftest.pl | grep -c "RESULT: csf should function on this server")
    if [ "$check" != "1" ]; then
        printf "***\nThere are some possible issues with csf/LFD on your server:\nCheck it now:\n***\n"
        ./csftest.pl
        printf "\n***\n"
        exit 2
    fi

    printf "CSF/LFD check passed, going further with installation.\n"
    sh ./install.sh

    [ -x "${csf}" ] || die "CSF/LFD failed to install!\nTerminating.\n" 2

    printf "Updating a list of trusted binaries in %s.\n" "${csf_pignore}"
    wget --no-check-certificate -q http://files.delaintech.com/csf/csf.pignore.custom -O csf.pignore.custom
    cat csf.pignore.custom >>"${csf_pignore}"
    rm -f csf.pignore.custom

    grep -E -v "^#|^$" "${csf_pignore}" | sort | uniq | tee "${csf_pignore}~bak"
    mv -f "${csf_pignore}~bak" "${csf_pignore}"

    printf "CSF/LFD was installed!\nConfiguration file can be found under %s.\n" "${csf_conf}"
    printf "\n***\n"
}

csf_reconfig() {
    printf "***\nBacking up CSF config.\n***\n"
    cp -pf "${csf_conf}" "${csf_conf}~$(date +%s)"

    ipv6=$(ip -6 addr | grep -c "inet6")
    if [ "$ipv6" = "0" ]; then
        printf "IPV6 has no address.\nNot turning on IPV6 firewall.\n***\n"
    else
        printf "IPV6 has an address.\nTurning on IPV6 firewall.\n***\n"
        perl -pi -e 's/IPV6 = ".*"/IPV6 = "1"/g' "${csf_conf}"
    fi
    printf "Disabling emails from CSF/LFD about temporary blocks of an IP brute-forcing server.\n"
    perl -pi -e 's#^LF_EMAIL_ALERT = "1"#LF_EMAIL_ALERT = "0"#' "${csf_conf}"
    printf "Disabling emails from CSF/LFD about temporary blocks of an IP attacking Apache.\n"
    perl -pi -e 's#^LT_EMAIL_ALERT = "1"#LT_EMAIL_ALERT = "0"#' "${csf_conf}"
    printf "Disabling email from CSF/LFD about permament blocks of an IP.\n"
    perl -pi -e 's#^LF_PERMBLOCK_ALERT = "1"#LF_PERMBLOCK_ALERT = "0"#' "${csf_conf}"
    printf "Disabling CSF/LFD from scanning logs, Directadmin will do it instead.\n"
    perl -pi -e 's/LF_TRIGGER = ".*"/LF_TRIGGER = "3"/' "${csf_conf}"
    perl -pi -e 's/LF_TRIGGER_PERM = ".*"/LF_TRIGGER_PERM = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_SSHD = ".*"/LF_SSHD = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_FTPD = ".*"/LF_FTPD = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_SMTPAUTH = ".*"/LF_SMTPAUTH = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_EXIMSYNTAX = ".*"/LF_EXIMSYNTAX = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_POP3D = ".*"/LF_POP3D = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_IMAPD = ".*"/LF_IMAPD = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_HTACCESS = ".*"/LF_HTACCESS = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_MODSEC = ".*"/LF_MODSEC = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_DIRECTADMIN = ".*"/LF_DIRECTADMIN = "1"/' "${csf_conf}"
    perl -pi -e 's/LF_IPSET = ".*"/LF_IPSET = "1"/g' "${csf_conf}"
    perl -pi -e 's/LF_INTERVAL = ".*"/LF_INTERVAL = "90"/' "${csf_conf}"
    perl -pi -e 's/CC_SRC = "1"/CC_SRC = "2"/g' "${csf_conf}"
    perl -pi -e 's/CC_DENY = ""/CC_DENY = "RU,CN,TR,IR,IQ,ID,KP"/g' "${csf_conf}"
    perl -pi -e 's/DENY_IP_LIMIT = ".*"/DENY_IP_LIMIT = "1000"/' "${csf_conf}"

    printf "Opening SSH ports for incoming connections.\n***\n"
    grep -q -o "^TCP_IN.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP_IN = "(.*)"$/TCP_IN = "$1,14,1414"/' "${csf_conf}"
    grep -q -o "^TCP6_IN.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP6_IN = "(.*)"$/TCP6_IN = "$1,14,1414"/' "${csf_conf}"

    printf "Opening SSH ports for outgoing connections.\n***\n"
    grep -q -o "^TCP_OUT.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP_OUT = "(.*)"$/TCP_OUT = "$1,14,1414"/' "${csf_conf}"
    grep -q -o "^TCP6_OUT.*,14,1414" "${csf_conf}" || perl -pi -e 's/^TCP6_OUT = "(.*)"$/TCP6_OUT = "$1,14,1414"/' "${csf_conf}"

    printf "Opening passive ports for FTP incoming connections.\n***\n"
    grep -q -o "^TCP_IN.*,35000:35999" "${csf_conf}" || perl -pi -e 's/^TCP_IN = "(.*)"$/TCP_IN = "$1,35000:65535"/' "${csf_conf}"
    grep -q -o "^TCP6_IN.*,35000:35999" "${csf_conf}" || perl -pi -e 's/^TCP6_IN = "(.*)"$/TCP6_IN = "$1,35000:65535"/' "${csf_conf}"

    printf "Opening passive ports for outgoing connections.\n***\n"
    grep -q -o "^TCP_OUT.*,35000:65535" "${csf_conf}" || perl -pi -e 's/^TCP_OUT = "(.*)"$/TCP_OUT = "$1,35000:65535"/' "${csf_conf}"
    grep -q -o "^TCP6_OUT.*,35000:65535" "${csf_conf}" || perl -pi -e 's/^TCP6_OUT = "(.*)"$/TCP6_OUT = "$1,35000:65535"/' "${csf_conf}"
    printf "Adding Block lists.\n***\n"
    cat >/etc/csf/csf.blocklists <<eol
# Spamhaus Don't Route Or Peer List (DROP)
# Details: https://www.spamhaus.org/drop/
SPAMDROP|86400|0|https://www.spamhaus.org/drop/drop.txt

# Spamhaus Extended DROP List (EDROP)
# Details: https://www.spamhaus.org/drop/
SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.txt

# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|10000|https://api.abuseipdb.com/api/v2/blacklist?&key=c13866e213ef23a0fbf2c57cd6474d63477dda0767a2a088249de1151f269157c48ab70a4dc0c531&plaintext&limit=20000
eol
    printf "Enabling CSF/LFD.\n***\n"
    perl -pi -e 's/^TESTING = "1"/TESTING = "0"/' "${csf_conf}"
    perl -pi -e 's/^RESTRICT_SYSLOG = "0"/RESTRICT_SYSLOG = "3"/' "${csf_conf}"
    perl -pi -e 's/^SYSLOG_CHECK = ".*"/SYSLOG_CHECK = "3600"/' "${csf_conf}"
    printf "\n***\n"

    [ -n "${SSHD_PORT}" ] || SSHD_PORT=22
    printf "Your SSH PORT is (%s).\nIt should be listed below as allowed.\n***\n" "${SSHD_PORT}"

    printf "\n***\n"
    printf "A list of opened ports in firewall.\n"
    grep -E "^(UD|TC)P(|6)_(IN|OUT)" "${csf_conf}" --color
    printf "\n***\n"
    printf "Reloading Firewall rules and LDF.\n***\n"
    csf -ra >/dev/null
    service lfd restart >/dev/null 2>&1
    service csf restart >/dev/null 2>&1
}

da_set_conf() {
    da_set_conf_option=$1
    da_set_conf_value=$2
    printf "Setting %s to %s in %s.\n" "${da_set_conf_option}" "${da_set_conf_value}" "${da_conf}"

    if grep -q -m1 "^${da_set_conf_option}=" "${da_conf}"; then
        perl -pi -e "s#${da_set_conf_option}=.*#${da_set_conf_option}=${da_set_conf_value}#" "${da_conf}"
    else
        echo "${da_set_conf_option}=${da_set_conf_value}" | tee -a "${da_conf}"
    fi
}

da_reconfig() {
    cp -pf "${da_conf}" "${da_conf}~$(date +%s)"
    da_set_conf bruteforce 1
    da_set_conf brutecount 3
    da_set_conf brute_dos_count 3
    da_set_conf ip_brutecount 3
    da_set_conf user_brutecount 3
    da_set_conf unblock_brute_ip_time 86400   #24 hrs
    da_set_conf clear_blacklist_ip_time 86400 #24 hrs
    da_set_conf clear_brute_log_time 8
    da_set_conf clear_brute_log_entry_time 1
    da_set_conf brute_force_time_limit 3600
    da_set_conf hide_brute_force_notifications 1
    da_set_conf show_info_in_header 0
    da_set_conf exempt_local_block 1
    da_set_conf brute_force_log_scanner 1
    da_set_conf brute_force_scan_apache_logs 2
    da_set_conf brute_force_apache_log_list_update_interval 10
    da_set_conf ip_blacklist /etc/blocked_ips
    da_set_conf ip_whitelist /etc/whitelist_ips
}

die() {
    printf "%s \n***\n" "${1}"
    exit "$2"
}

[ -x "${csf}" ] || csf_install

[ -x "/usr/local/directadmin/directadmin" ] || die "Directadmin not found!\nYou should install it first!\n" 1
cd "${dir}" || die "Could not change directory to %s.\n" "${dir}" 1

do_install "bfsynctable.sh" "http://files.delaintech.com/csf/bfsynctable.sh"
do_install "block_ip.sh" "http://files.delaintech.com/csf/block_ip.sh"
do_install "unblock_ip.sh" "http://files.delaintech.com/csf/unblock_ip.sh"
do_install "show_blocked_ips.sh" "http://files.delaintech.com/csf/show_blocked_ips.sh"
do_install "brute_force_notice_ip.sh" "http://files.delaintech.com/csf/brute_force_notice_ip.sh"

[ -f "/etc/blocked_ips" ] || touch /etc/blocked_ips
[ -f "/etc/whitelist_ips" ] || touch /etc/whitelist_ips

cronline0="#bf jobs"
	(
		crontab -l 2>/dev/null
		echo "$cronline0"
	) | sort - | uniq - | crontab -
	cronline1="0 1 * * * /usr/local/directadmin/scripts/custom/bfsynctable.sh"
	crontab -l | sed -e '/^#bf jobs/a\
'"$cronline1" | uniq - | crontab -

csf_reconfig
da_reconfig
printf "\n***\nRestarting Directadmin\n"
service directadmin restart
printf "Done.\n***\nScripts installed!\n***\nInstallation complete!\n"
exit 0