setec_cdm/setec-web/csf.py
DigiJ 9e839ee826 Initial commit — SETEC LABS Manager (Setec_CDM)
Flask-based VPS management panel with SSH remote command execution.
Includes E2E encrypted SSH tunnel (AES-256-GCM + Go agent), setup wizard,
security hardening tools, DNS management, firewall configs, monitoring,
backup, and .sec patch update system.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 12:39:02 -07:00


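"""
Command-builder module for ConfigServer Security & Firewall (CSF).
Each function returns a bash command string suitable for execution on a Linux VPS.
Because the result is handed to a shell, any argument that originates from user
input has to be validated or shell-quoted before it ends up in the command.
CSF installs to /etc/csf/.
"""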
def status_cmd() -> str:
    """Build the command that reports whether CSF is present.

    When /usr/sbin/csf is executable, the command prints the CSF version
    followed by the first 60 lines of the rule listing; otherwise it prints
    a "not installed" message.
    """
    installed_branch = (
        "echo '=== CSF Version ===' && csf -v && "
        "echo '=== Rule Summary ===' && csf -l | head -60; "
    )
    missing_branch = "echo 'CSF is not installed'; "
    # The existence test uses the absolute path, while the calls themselves
    # resolve `csf` through PATH.
    return f"if [ -x /usr/sbin/csf ]; then {installed_branch}else {missing_branch}fi"
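def install_cmd() -> str:
    """Build the command that downloads and installs CSF (needs perl, iptables).

    The archive is unpacked in a fresh ``mktemp -d`` directory rather than at
    a fixed path under /tmp: /tmp is world-writable, so a predictable name
    lets another local user pre-create or swap the files that the installer
    (typically run as root) is about to consume.

    The command relies on a shell variable, so it has to reach the remote
    shell unmodified (not re-wrapped inside double quotes).

    Returns:
        The shell command string. The work directory is removed only when
        every step succeeds, as the ``&&`` chain stops at the first failure.
    """
    # NOTE(review): the tarball is fetched over HTTPS but its contents are not
    # verified before install.sh runs. Pin a checksum or signature obtained
    # from a trusted channel, and confirm this download host is still the
    # intended, maintained source.
    return (
        "apt-get install -y perl iptables libwww-perl && "
        "workdir=$(mktemp -d) && "
        'cd "$workdir" && '
        "wget https://download.configserver.com/csf.tgz && "
        "tar -xzf csf.tgz && "
        "cd csf && "
        "sh install.sh && "
        # Leave the directory before deleting it.
        'cd / && rm -rf "$workdir"'
    )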
def start_cmd() -> str:
    """Return the command that starts the CSF firewall (``csf -s``)."""
    binary, flag = "csf", "-s"
    return f"{binary} {flag}"
def stop_cmd() -> str:
    """Return the command that flushes/stops all CSF firewall rules (``csf -f``).

    After this command runs, the CSF rules are no longer loaded until the
    firewall is started again.
    """
    binary, flag = "csf", "-f"
    return f"{binary} {flag}"
def restart_cmd() -> str:
    """Return the command that restarts the CSF firewall (``csf -r``)."""
    binary, flag = "csf", "-r"
    return f"{binary} {flag}"
def list_cmd() -> str:
    """Return the command that lists every current firewall rule (``csf -l``)."""
    binary, flag = "csf", "-l"
    return f"{binary} {flag}"
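def allow_ip_cmd(ip: str, comment: str = "") -> str:
    """Build the ``csf -a`` command that allows an IP address or CIDR range.

    The returned string is executed by a shell, so both arguments are
    treated as untrusted: ``ip`` must parse as an IPv4/IPv6 address or
    network, and both values are shell-quoted before interpolation.

    Args:
        ip: Address or CIDR range to allow.
        comment: Optional free-text note appended after the address.

    Returns:
        The shell command string.

    Raises:
        ValueError: If ``ip`` is not a valid address/network, or ``comment``
            contains control characters.
    """
    import ipaddress
    import shlex

    target = str(ip)
    # Rejects anything that is not an address or CIDR range.
    ipaddress.ip_network(target, strict=False)
    # Quoting is still needed after validation: a scoped IPv6 address
    # ("addr%zone") can validate while its zone part is free-form text.
    # Plain addresses pass through quote() unchanged.
    command = f"csf -a {shlex.quote(target)}"
    if not comment:
        return command
    # A line break inside the note could spill into whatever csf records
    # alongside the address, so control characters are refused outright.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in comment):
        raise ValueError("comment must not contain control characters")
    return f"{command} {shlex.quote(comment)}"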
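def deny_ip_cmd(ip: str, comment: str = "") -> str:
    """Build the ``csf -d`` command that denies/blocks an IP address or CIDR range.

    The returned string is executed by a shell, so both arguments are
    treated as untrusted: ``ip`` must parse as an IPv4/IPv6 address or
    network, and both values are shell-quoted before interpolation.

    Args:
        ip: Address or CIDR range to block.
        comment: Optional free-text note appended after the address.

    Returns:
        The shell command string.

    Raises:
        ValueError: If ``ip`` is not a valid address/network, or ``comment``
            contains control characters.
    """
    import ipaddress
    import shlex

    target = str(ip)
    # Rejects anything that is not an address or CIDR range.
    ipaddress.ip_network(target, strict=False)
    # Quoting is still needed after validation: a scoped IPv6 address
    # ("addr%zone") can validate while its zone part is free-form text.
    # Plain addresses pass through quote() unchanged.
    command = f"csf -d {shlex.quote(target)}"
    if not comment:
        return command
    # A line break inside the note could spill into whatever csf records
    # alongside the address, so control characters are refused outright.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in comment):
        raise ValueError("comment must not contain control characters")
    return f"{command} {shlex.quote(comment)}"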
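def remove_ip_cmd(ip: str) -> str:
    """Build the command that removes an IP from both the allow and deny lists.

    ``ip`` is validated as an IPv4/IPv6 address or network and shell-quoted,
    because the returned string is executed by a shell.

    Args:
        ip: Address or CIDR range to remove.

    Returns:
        ``csf -ar`` followed by ``csf -dr``, chained with ``&&`` (the second
        command runs only if the first one exits successfully).

    Raises:
        ValueError: If ``ip`` is not a valid address or network.
    """
    import ipaddress
    import shlex

    target = str(ip)
    # Rejects anything that is not an address or CIDR range.
    ipaddress.ip_network(target, strict=False)
    # Quote as well: a scoped IPv6 address can validate with free-form zone text.
    quoted = shlex.quote(target)
    return f"csf -ar {quoted} && csf -dr {quoted}"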
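def allow_port_cmd(port: int, protocol: str = "tcp", direction: str = "in") -> str:
    """Build the command that appends a port to a csf.conf port list, then restarts CSF.

    The directive name is ``<PROTOCOL>_<DIRECTION>`` (for example ``TCP_IN``).
    All three arguments end up inside a shell command and a sed expression,
    so they are restricted to known-good values before interpolation.

    Args:
        port: Port number, 1-65535 (a numeric string is accepted).
        protocol: One of ``tcp``, ``udp``, ``tcp6``, ``udp6`` (case-insensitive).
        direction: ``in`` or ``out`` (case-insensitive).

    Returns:
        The shell command string.

    Raises:
        ValueError: If the port, protocol or direction is outside the
            accepted values.
    """
    proto = str(protocol).lower()
    flow = str(direction).lower()
    if proto not in ("tcp", "udp", "tcp6", "udp6"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    if flow not in ("in", "out"):
        raise ValueError(f"unsupported direction: {direction!r}")
    port_number = int(port)
    if not 1 <= port_number <= 65535:
        raise ValueError(f"port out of range: {port!r}")

    directive = f"{proto.upper()}_{flow.upper()}"
    # NOTE(review): the substitution appends unconditionally, so an empty list
    # becomes ",<port>" and a port that is already present is listed twice.
    return (
        f"if grep -q '^{directive}' /etc/csf/csf.conf; then "
        f"sed -i 's/^{directive} = \"\\(.*\\)\"/'{directive}' = \"\\1,{port_number}\"/' /etc/csf/csf.conf && "
        f"csf -r; "
        f"else echo 'Directive {directive} not found in csf.conf'; fi"
    )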
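def deny_port_cmd(port: int, protocol: str = "tcp", direction: str = "in") -> str:
    """Build the command that removes a port from one csf.conf port list, then restarts CSF.

    The sed substitutions are limited to the line of the selected directive
    (``<PROTOCOL>_<DIRECTION>``, for example ``TCP_IN``). Without that
    address they would run against every line of csf.conf and also rewrite
    any other quoted setting whose value happens to equal the port number.

    All three arguments end up inside a shell command and a sed expression,
    so they are restricted to known-good values before interpolation.

    Args:
        port: Port number, 1-65535 (a numeric string is accepted).
        protocol: One of ``tcp``, ``udp``, ``tcp6``, ``udp6`` (case-insensitive).
        direction: ``in`` or ``out`` (case-insensitive).

    Returns:
        The shell command string.

    Raises:
        ValueError: If the port, protocol or direction is outside the
            accepted values.
    """
    proto = str(protocol).lower()
    flow = str(direction).lower()
    if proto not in ("tcp", "udp", "tcp6", "udp6"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    if flow not in ("in", "out"):
        raise ValueError(f"unsupported direction: {direction!r}")
    port_number = int(port)
    if not 1 <= port_number <= 65535:
        raise ValueError(f"port out of range: {port!r}")

    directive = f"{proto.upper()}_{flow.upper()}"
    # Four cases: port in the middle, at the end, at the start, or alone.
    return (
        f"sed -i '/^{directive} = /{{"
        f"s/,{port_number},/,/g; s/,{port_number}\"/\"/g; "
        f"s/\"{port_number},/\"/g; s/\"{port_number}\"/\"\"/g;}}' "
        f"/etc/csf/csf.conf && csf -r"
    )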
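def temp_allow_cmd(ip: str, ttl: int = 3600) -> str:
    """Build the ``csf -ta`` command that temporarily allows an IP.

    The returned string is executed by a shell, so ``ip`` is validated as an
    IPv4/IPv6 address or network and shell-quoted, and ``ttl`` is coerced to
    an integer before interpolation.

    Args:
        ip: Address or CIDR range to allow.
        ttl: Lifetime of the rule in seconds.

    Returns:
        The shell command string.

    Raises:
        ValueError: If ``ip`` is not a valid address/network or ``ttl`` is
            not an integer value.
    """
    import ipaddress
    import shlex

    target = str(ip)
    # Rejects anything that is not an address or CIDR range.
    ipaddress.ip_network(target, strict=False)
    # int() guarantees that only digits (and an optional sign) are emitted.
    seconds = int(ttl)
    # Quote as well: a scoped IPv6 address can validate with free-form zone text.
    return f"csf -ta {shlex.quote(target)} {seconds}"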
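def temp_deny_cmd(ip: str, ttl: int = 3600) -> str:
    """Build the ``csf -td`` command that temporarily denies an IP.

    The returned string is executed by a shell, so ``ip`` is validated as an
    IPv4/IPv6 address or network and shell-quoted, and ``ttl`` is coerced to
    an integer before interpolation.

    Args:
        ip: Address or CIDR range to block.
        ttl: Lifetime of the rule in seconds.

    Returns:
        The shell command string.

    Raises:
        ValueError: If ``ip`` is not a valid address/network or ``ttl`` is
            not an integer value.
    """
    import ipaddress
    import shlex

    target = str(ip)
    # Rejects anything that is not an address or CIDR range.
    ipaddress.ip_network(target, strict=False)
    # int() guarantees that only digits (and an optional sign) are emitted.
    seconds = int(ttl)
    # Quote as well: a scoped IPv6 address can validate with free-form zone text.
    return f"csf -td {shlex.quote(target)} {seconds}"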
def temp_list_cmd() -> str:
    """Return the command that shows all temporary allow/deny rules (``csf -t``)."""
    binary, flag = "csf", "-t"
    return f"{binary} {flag}"
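def grep_ip_cmd(ip: str) -> str:
    """Build the ``csf -g`` command that searches the firewall rules for an IP.

    ``ip`` is validated as an IPv4/IPv6 address or network and shell-quoted,
    because the returned string is executed by a shell.

    Args:
        ip: Address or CIDR range to look up.

    Returns:
        The shell command string.

    Raises:
        ValueError: If ``ip`` is not a valid address or network.
    """
    import ipaddress
    import shlex

    target = str(ip)
    # Rejects anything that is not an address or CIDR range.
    ipaddress.ip_network(target, strict=False)
    # Quote as well: a scoped IPv6 address can validate with free-form zone text.
    return f"csf -g {shlex.quote(target)}"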
def config_cmd() -> str:
    """Build the grep command that prints selected directives from csf.conf.

    The pattern matches lines that start with one of the listed directive
    names followed by a space.
    """
    directives = (
        "TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT",
        "TCP6_IN", "TCP6_OUT", "UDP6_IN", "UDP6_OUT",
        "TESTING", "AUTO_UPDATES", "SYSLOG", "RESTRICT_SYSLOG",
        "LF_ALERT_TO", "LF_DSHIELD", "LF_SPAMHAUS", "LF_DIRWATCH",
        "LF_INTEGRITY", "LF_PARSE", "CT_LIMIT", "PORTFLOOD",
        "SYNFLOOD", "CONNLIMIT", "PORTKNOCKING", "CC_DENY", "CC_ALLOW",
    )
    alternation = "|".join(directives)
    return f"grep -E '^({alternation}) ' /etc/csf/csf.conf"
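def log_cmd(lines: int = 50) -> str:
    """Build the command that tails the LFD log file (/var/log/lfd.log).

    ``lines`` is coerced to an integer before interpolation so that a value
    taken from a request (for example a query-string parameter) cannot add
    shell syntax to the command.

    Args:
        lines: Number of trailing log lines to show.

    Returns:
        The shell command string.

    Raises:
        ValueError: If ``lines`` is not an integer value.
    """
    # int() guarantees that only digits (and an optional sign) are emitted.
    line_count = int(lines)
    return f"tail -n {line_count} /var/log/lfd.log"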
def test_cmd() -> str:
    """Return the command intended to test the iptables modules CSF requires.

    NOTE(review): confirm that ``csf --test`` is an option of the installed
    CSF version. CSF also ships a csftest.pl script for this check; verify
    which one the panel should call.
    """
    binary, flag = "csf", "--test"
    return f"{binary} {flag}"
def uninstall_cmd() -> str:
    """Return the command that uninstalls CSF by running its uninstall script."""
    script_path = "/etc/csf/uninstall.sh"
    return script_path