
Install the PeerGuardian peer-to-peer protection on Debian

By Pierre-Yves Landuré Last modified 11/11/2017 09:45

PeerGuardian is a firewall for peer-to-peer software that blocks known bad peers. It is a very useful tool that I strongly recommend.

This guide was tested on:

  • Debian 6.0 Squeeze

Installation

Install the distribution-detection tool, and GnuPG to fetch the repository signing key:

command apt-get install lsb-release gnupg

Get your distribution's codename:

DEBIAN_VERSION="$(command lsb_release -cs)"

Add the application's repositories to the apt configuration. They are served over plain HTTP, so the authenticity of what apt installs rests entirely on the signature check against the key imported below:

echo "# Moblock for ${DEBIAN_VERSION}
deb http://moblock-deb.sourceforge.net/debian ${DEBIAN_VERSION} main
deb-src http://moblock-deb.sourceforge.net/debian ${DEBIAN_VERSION} main" \
    > '/etc/apt/sources.list.d/moblock.list'

Add the repository signing key. C0145138 is a 32-bit short key ID, and distinct keys on a keyserver can share one, so before handing the key to apt-key compare its full fingerprint with the one published by the project. Note also that a key added with apt-key add is trusted for every repository apt uses, not only this one:

command gpg --keyserver keyserver.ubuntu.com --recv-keys C0145138
command gpg --export --armor C0145138 | command apt-key add -
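The short-ID problem above is easy to guard against in a script. The following is an added example, not part of the original guide or of the pgl project: it fetches the key, refuses to continue if the short ID matched more than one key or if the full 40-hex-digit fingerprint differs from an expected value, and only then pipes the key into apt-key. The expected fingerprint and the CONSTRUCTED_COLONS sample used to exercise the parser are placeholders built for this example (the sample deliberately ends in C0145138 to show that the short ID is just the last 8 hex digits of the fingerprint); substitute the fingerprint the project publishes.

```shell
#!/bin/sh
# Added example (not from the original guide): pin an apt repository key to its
# full fingerprint instead of trusting a 32-bit short key ID.

# CONSTRUCTED sample of `gpg --with-colons --fingerprint` output, used only to
# exercise the parser below. This is NOT the real moblock-deb key.
CONSTRUCTED_COLONS='pub:-:4096:1:00000000C0145138:1300000000::-:::scESC::::::
fpr:::::::::ABCDEF0123456789ABCDEF0123456789C0145138:
uid:-::::1300000000::0000000000000000000000000000000000000000::Example Key <example@example.invalid>::::::::::0:'

# Print the primary-key fingerprint from --with-colons output on stdin:
# it is field 10 of the first "fpr" record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint: strip spaces, upper-case hex digits.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# The short key ID is merely the last 8 hex digits of the fingerprint,
# which is why many different keys can share it.
short_id_of() {
    fp="$(normalise_fpr "$1")"
    printf '%s\n' "${fp#"${fp%????????}"}"
}

# Return 0 only if the fingerprint is a full 40-digit value equal to the
# expected one; a bare short ID or a truncated value never matches.
fingerprint_matches() {
    got="$(normalise_fpr "$1")"
    want="$(normalise_fpr "$2")"
    [ "${#got}" -eq 40 ] && [ "${got}" = "${want}" ]
}

# Fetch a key by ID, verify it, and hand it to apt-key only on success.
# Usage: import_repo_key C0145138 '<40-hex-digit fingerprint from the project>'
import_repo_key() {
    key_id="$1"
    expected="$2"
    gpg --keyserver keyserver.ubuntu.com --recv-keys "${key_id}" >/dev/null 2>&1 || return 2
    # A short ID may have pulled in several keys; refuse unless exactly one.
    matches="$(gpg --with-colons --list-keys "${key_id}" 2>/dev/null | grep -c '^pub:')"
    if [ "${matches}" -ne 1 ]; then
        printf '%s matched %s keys; refusing to import\n' "${key_id}" "${matches}" >&2
        return 1
    fi
    actual="$(gpg --with-colons --fingerprint "${key_id}" | fpr_from_colons)"
    if fingerprint_matches "${actual}" "${expected}"; then
        gpg --export --armor "${key_id}" | apt-key add -
    else
        printf 'fingerprint mismatch for %s: got %s\n' "${key_id}" "${actual}" >&2
        return 1
    fi
}
```

Because import_repo_key returns non-zero on a mismatch, it can replace the two gpg lines in a provisioning script without risking a silent import of the wrong key.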

Update the list of available packages:

command apt-get update

Install the software:

DEBIAN_FRONTEND='noninteractive' command apt-get install pgld pglcmd

Set up the pglcmd blocklist configuration (blockcontrol is the former name of pglcmd):

echo '# blocklists.list - lists the blocklists that are handled automatically by pglcmd

# Place one URL per line for every blocklist.
# Any line which starts with a # (hash) is a comment and is ignored.

# Have a look at /usr/share/doc/pglcmd/README.blocklists.gz for detailed
# information about some available blocklists.

# Instead of or in addition to the blocklists that are specified in this file,
# you can manually put lists in MASTER_BLOCKLIST_DIR (/var/lib/pgl).
# All blocklists in that directory (except those which end in "~" or have a "."
# prefix) are used by pgld. They may be in any supported format and have to be
# either unpacked or gzipped. Note that these manually installed blocklists are
# neither updated automatically, nor does IP_REMOVE work for them.

# Do a "pglcmd reload" (or "restart" or "update") when you have edited
# this file.

# list.iblocklist.com/lists/atma/atma
list.iblocklist.com/lists/bluetack/ads-trackers-and-bad-pr0n
list.iblocklist.com/lists/bluetack/bad-peers
list.iblocklist.com/lists/bluetack/bogon
list.iblocklist.com/lists/bluetack/dshield
list.iblocklist.com/lists/bluetack/edu
# list.iblocklist.com/lists/bluetack/for-non-lan-computers
# list.iblocklist.com/lists/bluetack/forum-spam
list.iblocklist.com/lists/bluetack/hijacked
# list.iblocklist.com/lists/bluetack/iana-multicast
# list.iblocklist.com/lists/bluetack/iana-private
# list.iblocklist.com/lists/bluetack/iana-reserved
list.iblocklist.com/lists/bluetack/level-1
list.iblocklist.com/lists/bluetack/level-2
# list.iblocklist.com/lists/bluetack/level-3
list.iblocklist.com/lists/bluetack/microsoft
list.iblocklist.com/lists/bluetack/proxy
list.iblocklist.com/lists/bluetack/range-test
list.iblocklist.com/lists/bluetack/spider
list.iblocklist.com/lists/bluetack/spyware
list.iblocklist.com/lists/bluetack/web-exploit
list.iblocklist.com/lists/bluetack/webexploit-forumspam
# list.iblocklist.com/lists/cidr-report/bogon
list.iblocklist.com/lists/dchubad/faker
list.iblocklist.com/lists/dchubad/hacker
list.iblocklist.com/lists/dchubad/pedophiles
list.iblocklist.com/lists/dchubad/spammer
# list.iblocklist.com/lists/nexus23/ipfilterx
list.iblocklist.com/lists/peerblock/rapidshare
# list.iblocklist.com/lists/spamhaus/drop
list.iblocklist.com/lists/tbg/bogon
list.iblocklist.com/lists/tbg/business-isps
# list.iblocklist.com/lists/tbg/educational-institutions
list.iblocklist.com/lists/tbg/general-corporate-ranges
list.iblocklist.com/lists/tbg/hijacked
list.iblocklist.com/lists/tbg/primary-threats
list.iblocklist.com/lists/tbg/search-engines' \
     > '/etc/pgl/blocklists.list'

Detect the port range used by vsFTPd's passive mode, if vsFTPd is installed:

FTP_PASSIVE=""
if [ -e '/etc/vsftpd.conf' ]; then
    # Read the passive port bounds from vsftpd.conf (lines of the form key=value).
    MIN_PORT=$(command grep "^pasv_min_port=" '/etc/vsftpd.conf' | command cut --delimiter="=" --fields=2)
    MAX_PORT=$(command grep "^pasv_max_port=" '/etc/vsftpd.conf' | command cut --delimiter="=" --fields=2)
    if [ -n "${MIN_PORT}" ] && [ -n "${MAX_PORT}" ]; then
        # iptables-style port range, as accepted in the pglcmd WHITE_* settings.
        FTP_PASSIVE="${MIN_PORT}:${MAX_PORT}"
    fi
fi

Exempt HTTP, HTTPS, SSH and FTP (plus the vsFTPd passive range, when one was found) from pgld filtering by whitelisting them in pglcmd.conf. The whitelist applies to inbound as well as outbound traffic, so addresses on the blocklists can still reach these services; that is the intent here, since pgld is meant to filter peer-to-peer traffic, not to replace the host firewall:

command echo "WHITE_TCP_OUT=\"http https ssh ftp ${FTP_PASSIVE}\"
WHITE_TCP_IN=\"http https ssh ftp ${FTP_PASSIVE}\"" \
    >> '/etc/pgl/pglcmd.conf'

Setting up the whitelist

Add the torrent trackers you use to the whitelist. For example, for openbittorrent:

HOSTNAME="tracker.openbittorrent.com"

Look up its IP address and append it to the allow.p2p file. Entries use the p2p format label:first-last, and the range must end at the tracker's own address; ending it at 255.255.255.255 would whitelist every address above the tracker's:

HOST_IPV4="$(command ping -c 1 "${HOSTNAME}" \
        | command head -n 1 \
        | command sed -e 's/[^(]*(\([^)]*\).*/\1/')"
# Whitelist only the tracker's own address (first-last are identical).
if [ -n "${HOST_IPV4}" ]; then
    echo "${HOSTNAME}:${HOST_IPV4}-${HOST_IPV4}" \
        >> '/etc/pgl/allow.p2p'
else
    echo "could not resolve ${HOSTNAME}, nothing added to allow.p2p" >&2
fi
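A tracker name often resolves to several addresses, and parsing ping output is brittle. The following is an added example, not code from the original guide or from the pgl project: it resolves every IPv4 address of a host with getent (glibc), validates each one, and emits one single-address allow.p2p line per address in the label:first-last format, so a malformed or empty lookup can never produce an over-wide range. The hostnames and addresses in the comments and test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): build allow.p2p whitelist lines
# for a tracker, one exact-address range per resolved IPv4 address.

# Accept only a dotted quad whose four octets are each in 0..255.
ipv4_valid() {
    printf '%s' "$1" | grep -Eq \
        '^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$'
}

# Emit one allow.p2p line covering exactly one address: "label:ip-ip".
# Never end the range at 255.255.255.255; that would allow every higher address.
p2p_allow_line() {
    label="$1"
    ip="$2"
    ipv4_valid "${ip}" || return 1
    printf '%s:%s-%s\n' "${label}" "${ip}" "${ip}"
}

# Print every IPv4 address a hostname currently resolves to, one per line
# (getent ahostsv4 is glibc-specific; it needs no ICMP reply from the host).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Emit allow lines for a label and a list of addresses; invalid entries are
# skipped with a warning, and the function fails if nothing valid was emitted.
# Usage: allow_lines tracker.example 192.0.2.10 192.0.2.11
allow_lines() {
    label="$1"
    shift
    count=0
    for ip in "$@"; do
        if p2p_allow_line "${label}" "${ip}"; then
            count=$((count + 1))
        else
            printf 'skipping invalid address %s for %s\n' "${ip}" "${label}" >&2
        fi
    done
    [ "${count}" -gt 0 ]
}

# Resolve a host and emit its allow lines; non-zero when it does not resolve.
# Usage: allow_lines_for_host tracker.openbittorrent.com >> /etc/pgl/allow.p2p
allow_lines_for_host() {
    host="$1"
    # Word-splitting of the resolved address list is intended here.
    allow_lines "${host}" $(resolve_ipv4 "${host}")
}
```

After appending the output to /etc/pgl/allow.p2p, run `pglcmd reload` (the command the blocklists.list comments refer to) so pgld picks up the new entries. Re-run the lookup periodically: trackers change addresses, and a stale whitelist silently stops matching.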

Restart the daemon to apply the changes:

/etc/init.d/pgl restart

Acknowledgements