
#!/bin/bash
# SECURITY MANAGER - Protection permanente
# Whitelist tracking, Block intrusions, Monitor
# Destinations for the security log and the list of blocked addresses.
LOG_FILE=/opt/wevads/logs/security.log
BLOCKED_FILE=/opt/wevads/logs/blocked_ips.log

# ==================== WHITELIST ====================
# Source addresses that must NEVER be blocked. Single hosts and CIDR ranges
# are both listed; iptables -s accepts either form.
declare -a WHITELIST=(
  127.0.0.1
  89.167.40.150     # this server
  151.80.235.110    # OVH tracking
  151.80.235.111    # OVH tracking (backup)
  # Cloudflare ranges (tracking traffic arrives through Cloudflare)
  173.245.48.0/20
  103.21.244.0/22
  103.22.200.0/22
  103.31.4.0/22
  141.101.64.0/18
  108.162.192.0/18
  190.93.240.0/20
  188.114.96.0/20
  197.234.240.0/22
  198.41.128.0/17
  162.158.0.0/15
  104.16.0.0/13
  104.24.0.0/14
  172.64.0.0/13
  131.0.72.0/22
  # Huawei Cloud ranges
  159.138.0.0/16
  119.8.0.0/16
  # Scaleway ranges
  51.15.0.0/16
  51.158.0.0/16
)

# ==================== OPEN PORTS ====================
# TCP ports accepted from any source address.
declare -a OPEN_PORTS=(
  22       # SSH default port. NOTE(review): the note below says sshd was moved to 49222; confirm 22 still needs to stay open
  49222    # SSH (custom port)
  80       # HTTP
  443      # HTTPS
  5821     # WEVADS
  5822     # FMGAPP
  5823     # BCGAPP
  5678     # n8n
  58421    # WEVADS tracking
  58422    # FMGAPP tracking
  58423    # BCGAPP tracking
)
# ==================== SETUP IPTABLES ====================
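#######################################
# Rebuild the IPv4 filter INPUT chain from scratch: default-deny, allowing
# loopback, established/related traffic, whitelisted sources and OPEN_PORTS.
# Globals:   LOG_FILE (written), WHITELIST, OPEN_PORTS (read)
# Arguments: none
# Outputs:   progress lines appended to LOG_FILE
# Returns:   status of the last command run
#######################################
setup_firewall() {
  local ip port
  echo "[$(date)] Setting up firewall..." >> "$LOG_FILE"
  # Flush existing rules (filter table only; nat/mangle are left as they are).
  iptables -F
  iptables -X
  # Allow loopback and already-established connections.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Whitelisted hosts/ranges are accepted before any other rule, so they are
  # never rate-limited or logged.
  for ip in "${WHITELIST[@]}"; do
    iptables -A INPUT -s "$ip" -j ACCEPT
  done
  # Rate limiting for the API port (brute-force protection). These rules must
  # come BEFORE the OPEN_PORTS loop: an earlier "--dport 5821 -j ACCEPT" would
  # match first and the DROP here would never be reached.
  iptables -A INPUT -p tcp --dport 5821 -m state --state NEW -m recent --set
  iptables -A INPUT -p tcp --dport 5821 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP
  # Open ports
  for port in "${OPEN_PORTS[@]}"; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  # Log what is about to be dropped, capped so a packet flood cannot fill the log.
  iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROPPED: " --log-level 4
  # Default policies are applied after the allow rules, which shortens the
  # window in which INPUT is DROP with no ACCEPT rule present.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  # NOTE(review): only IPv4 is configured here; ip6tables keeps whatever policy it already has.
  echo "[$(date)] Firewall configured" >> "$LOG_FILE"
}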
# ==================== INTRUSION DETECTION ====================
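#######################################
# Print $1 as a 32-bit integer when it is a well-formed dotted-quad IPv4
# address; print nothing and return 1 otherwise.
# Arguments: $1 - candidate address
# Outputs:   the integer value on stdout (no newline)
# Returns:   0 if well-formed, 1 otherwise
#######################################
_ipv4_to_int() {
  local -a oct
  local o
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  oct=("${BASH_REMATCH[@]:1:4}")
  for o in "${oct[@]}"; do
    # 10# forces decimal so "08"/"09" are not rejected as invalid octal.
    (( 10#$o <= 255 )) || return 1
  done
  printf '%d' $(( (10#${oct[0]} << 24) | (10#${oct[1]} << 16) | (10#${oct[2]} << 8) | 10#${oct[3]} ))
}

#######################################
# Return 0 when $1 is covered by WHITELIST. Entries may be single addresses
# or CIDR ranges; the previous textual "^ip$" match never matched a range.
# Globals:   WHITELIST (read)
# Arguments: $1 - dotted-quad IPv4 address
# Returns:   0 if whitelisted, 1 otherwise (including malformed input)
#######################################
_ip_whitelisted() {
  local ip=$1 entry net bits mask ipnum netnum
  ipnum=$(_ipv4_to_int "$ip") || return 1
  for entry in "${WHITELIST[@]}"; do
    if [[ "$entry" == */* ]]; then
      net=${entry%%/*}
      bits=${entry#*/}
    else
      net=$entry
      bits=32
    fi
    [[ "$bits" =~ ^[0-9]+$ ]] && (( 10#$bits <= 32 )) || continue
    netnum=$(_ipv4_to_int "$net") || continue
    # A /0 entry covers everything; skip the shift-by-32 case.
    if (( 10#$bits == 0 )); then
      return 0
    fi
    mask=$(( (0xFFFFFFFF << (32 - 10#$bits)) & 0xFFFFFFFF ))
    if (( (ipnum & mask) == (netnum & mask) )); then
      return 0
    fi
  done
  return 1
}

#######################################
# Block one address: insert a DROP rule at the top of INPUT, record it, and
# optionally notify the local API. Malformed, whitelisted and already-blocked
# addresses are skipped silently.
# Globals:   LOG_FILE, BLOCKED_FILE (written), WHITELIST (read)
# Arguments: $1 - IPv4 address (taken from netstat or log files)
#            $2 - message written to LOG_FILE after the timestamp
#            $3 - tag appended to the BLOCKED_FILE entry (may be empty)
#            $4 - event type sent to the alert API, or empty for no alert
# Returns:   0
#######################################
_block_ip() {
  local ip=$1 message=$2 tag=$3 alert_type=$4
  # Only a dotted-quad IPv4 address reaches iptables/curl: the values come
  # from netstat and log parsing, so anything else (IPv6, stray tokens) is dropped here.
  _ipv4_to_int "$ip" > /dev/null || return 0
  if _ip_whitelisted "$ip"; then
    return 0
  fi
  # -C: do not stack a duplicate rule on every check run (a duplicate would
  # also make a single "unblock" incomplete).
  if iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
    return 0
  fi
  echo "[$(date)] $message" >> "$LOG_FILE"
  echo "$ip $(date)${tag:+ $tag}" >> "$BLOCKED_FILE"
  # -I puts the DROP before the ACCEPT rules added by setup_firewall; -A would
  # append it after them, so traffic to any open port would still be accepted.
  iptables -I INPUT 1 -s "$ip" -j DROP
  if [[ -n "$alert_type" ]]; then
    curl -s "http://127.0.0.1:5821/api/system-health-api.php" -d "action=log_security_event&type=$alert_type&ip=$ip" > /dev/null
  fi
  return 0
}

#######################################
# Look for connection floods, SSH brute force and API abuse, and block the
# offending addresses.
# Globals:   LOG_FILE, BLOCKED_FILE (written), WHITELIST (read)
# Arguments: none
# Outputs:   progress lines appended to LOG_FILE
# Returns:   0
#######################################
detect_intrusions() {
  local ip suspicious failed_ssh api_abuse
  echo "[$(date)] Checking for intrusions..." >> "$LOG_FILE"
  # Too many concurrent connections from one address. Column 5 of netstat is
  # the foreign address; the port suffix is cut off. IPv6 entries are mangled
  # by the cut and later rejected by the address check in _block_ip.
  suspicious=$(netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20 | awk '$1 > 100 {print $2}')
  # shellcheck disable=SC2086  # one address per line; word-splitting intended
  for ip in $suspicious; do
    _block_ip "$ip" "BLOCKING suspicious IP: $ip (too many connections)" "" "intrusion"
  done
  # SSH brute force: field NF-3 of "Failed password for ... from ADDR port N ssh2".
  failed_ssh=$(grep "Failed password" /var/log/auth.log 2>/dev/null | tail -100 | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | awk '$1 > 5 {print $2}')
  # shellcheck disable=SC2086
  for ip in $failed_ssh; do
    _block_ip "$ip" "BLOCKING SSH brute force: $ip" "SSH" ""
  done
  # API abuse: more than 500 POSTs to /api within the last 1000 access-log lines.
  api_abuse=$(grep "POST /api" /var/log/apache2/access.log 2>/dev/null | tail -1000 | awk '{print $1}' | sort | uniq -c | sort -rn | awk '$1 > 500 {print $2}')
  # shellcheck disable=SC2086
  for ip in $api_abuse; do
    _block_ip "$ip" "BLOCKING API abuse: $ip" "API" ""
  done
  return 0
}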
# ==================== MAIN ====================
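#######################################
# Print usage to stderr and exit with a non-zero status.
# Arguments: none
# Outputs:   usage line on stderr
#######################################
usage() {
  echo "Usage: $0 {setup|check|status|unblock IP}" >&2
  exit 1
}

# Command dispatch: setup (rebuild firewall), check (run detection),
# status (dump rules), unblock IP (remove a DROP rule added by check).
case "$1" in
  setup)
    setup_firewall
    ;;
  check)
    detect_intrusions
    ;;
  status)
    iptables -L -n -v
    ;;
  unblock)
    # An empty argument was previously a silent no-op; treat it as a usage error.
    [[ -n "$2" ]] || usage
    # Delete every matching rule: earlier check runs could have stacked duplicates.
    while iptables -D INPUT -s "$2" -j DROP 2>/dev/null; do :; done
    echo "[$(date)] Unblocked $2" >> "$LOG_FILE"
    echo "Unblocked $2"
    ;;
  *)
    usage
    ;;
esac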