Server IP : 184.154.167.98 / Your IP : 18.227.46.54 Web Server : Apache System : Linux pink.dnsnetservice.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 User : puertode ( 1767) PHP Version : 8.2.26 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/share/imunify360-webshield/ |
Upload File : |
#!/opt/imunify360/venv/bin/python3 import os import re import subprocess PREFIX = '/etc/imunify360-webshield' PORTS = os.path.join(PREFIX, 'ports.conf') SSL_PORTS = os.path.join(PREFIX, 'ssl_ports.conf') PRESETS = os.path.join(PREFIX, 'presets.cfg') DA_CONFIG = '/usr/local/directadmin/conf/directadmin.conf' HTTP_INCLUDES = os.path.join(PREFIX, 'webshield-http.conf.d') IPV6_CHECK_PATH = '/sys/module/ipv6/parameters/disable' RESOLV = '/etc/resolv.conf' RESOLVER = os.path.join(HTTP_INCLUDES, 'resolver.conf') IPV4_TITLE = '# IPv4\n' IPV6_TITLE = '# IPv6\n' IPV4_ONLY_TITLE = '# IPv4 only (IPv6 is disabled)\n' IPV4_FMT = 'listen *:{}{};\n' IPV6_FMT = 'listen [::]:{}{};\n' IPV4_SSL_FMT = 'listen *:{} ssl{};\n' IPV6_SSL_FMT = 'listen [::]:{} ssl{};\n' RESOLVER_FMT = "resolver {}{};\n" class BasePanel: cmd = None ports = [52224] ssl_ports = [52223] @classmethod def check(cls): if not cls.cmd: return False try: subprocess.check_call( cls.cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) except (FileNotFoundError, subprocess.CalledProcessError): return False return True @classmethod def define_ports(cls): return cls.ports, cls.ssl_ports class Cpanel(BasePanel): cmd = ('/usr/local/cpanel/cpanel', '-V') modularity_flag = '/usr/share/imunify360-webshield/modularity_mode' ports = [52224, 52228, 52230, 52232] apache_mode_ports = [52228, 52230, 52232] ssl_ports = [52223, 52227, 52229, 52231] apache_mode_ssl_ports = [52227, 52229, 52231] @classmethod def define_ports(cls): """ Redefinition of parent class method. When in 'apache' mode, all the HTTP/HTTPS traffic is supposed to be handled by apache and non-standard ports like 2082/2083 are expected to be handled by webshield. So as there's no point for the webshield to listen on standard HTTP/HTTPS ports, we don't include them in the webshield ports config """ try: with open(cls.modularity_flag) as f: mode = f.read().strip() if mode == 'apache': return cls.apache_mode_ports, cls.apache_mode_ssl_ports return cls.ports, cls.ssl_ports except Exception: return cls.ports, cls.ssl_ports class Plesk(BasePanel): cmd = ('/usr/sbin/plesk', 'version') ports = [52224, 52234] ssl_ports = [52223, 52233] class DirectAdmin(BasePanel): cmd = ('/usr/local/directadmin/custombuild/build', 'version') config = '/usr/local/directadmin/conf/directadmin.conf' patt = re.compile(r'SSL\s*=\s*(?P<ssl>1|0)') ports = [52224] ssl_ports = [52223] panel_ports = [52235] @classmethod def _check_ssl(cls): with open(cls.config) as f: for line in f: if line.startswith('#'): continue m = cls.patt.match(line) if m: ssl = True if m.group('ssl') == '1' else False return ssl return False @classmethod def define_ports(cls): if cls._check_ssl(): return cls.ports, cls.ssl_ports + cls.panel_ports return cls.ports + cls.panel_ports, cls.ssl_ports def get_ports(): for panel_cls in Cpanel, Plesk, DirectAdmin: if panel_cls.check(): return panel_cls.define_ports() else: continue return BasePanel.define_ports() def is_ipv6_on(): """ Checks if IPv6 is enabled on the host """ try: with open(IPV6_CHECK_PATH) as p: val = p.read().strip() if val == "0": return True return False except Exception: return True def is_proxy_enabled(): """ Checks if 'proxy_protocol' is enabled """ try: with open(PRESETS) as f: for line in f: line = line.strip() if not line: continue if line.startswith('#'): continue if '=' not in line: continue key, value = [i.strip() for i in line.split('=', 1)] if key != 'proxy_protocol': continue if value.lower() in ('yes', 'on', 'true'): return True return False except Exception: return False def write_ports(ipv6=True): """ Writes IPv4/IPv6 ports configs for webshield """ ports_list, ssl_ports_list = get_ports() proxy_on = is_proxy_enabled() title = IPV4_TITLE if ipv6 else IPV4_ONLY_TITLE for is_ssl, path, ports in ( (False, PORTS, ports_list), (True, SSL_PORTS, ssl_ports_list)): with open(path, 'w') as w: w.write(title) fmt = IPV4_SSL_FMT if is_ssl else IPV4_FMT proto = ' http2' if is_ssl else '' if proxy_on: proto = ' proxy_protocol' for port in ports: w.write(fmt.format(port, proto)) if ipv6: w.write(IPV6_TITLE) fmt = IPV6_SSL_FMT if is_ssl else IPV6_FMT for port in ports: w.write(fmt.format(port, proto)) def write_resolver(): """ Writes resolver for webshield (based on /etc/resolv.conf content) """ has_ipv6 = False if not os.path.isdir(HTTP_INCLUDES): return patt_v4 = re.compile( r'nameserver\s+(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})') patt_v6 = re.compile( r'nameserver\s+(?P<ip>(?:(?:[a-fA-F0-9]{1,4})?\:){2,7}(?:[a-fA-F0-9]{1,4})?)') ips = [] try: with open(RESOLV) as f: for line in f: m = patt_v4.match(line) if m: ip = m.group('ip') else: m = patt_v6.match(line) if m: has_ipv6 = True ip = '[' + m.group('ip') + ']' else: continue if ip not in ips: ips.append(ip) except Exception: pass ips_string = ' '.join(ips) if ips else '127.0.0.1' v6_part = '' if has_ipv6 else ' ipv6=off' with open(RESOLVER, 'w') as f: f.write(RESOLVER_FMT.format(ips_string, v6_part)) if __name__ == '__main__': ipv6 = is_ipv6_on() write_ports(ipv6=ipv6) write_resolver()