#!/bin/bash
#
# Icinga Plugin: Firewall rules check compatible with iptables/firewalld/imunify360
# Destination: Internal servers
# Refactored from: check_fw.sh.internal
# 

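# -u: an unset variable is a bug in a monitoring plugin, not a silent empty
# string. pipefail: a failing producer in a pipeline is reported, not hidden.
set -u -o pipefail

# Standard Nagios/Icinga plugin exit codes.
readonly STATE_OK=0
readonly STATE_WARNING=1
readonly STATE_CRITICAL=2
readonly STATE_UNKNOWN=3

# Minimum firewalld rules expected
MIN_FIREWALLD_RULES=3

#######################################
# Print one plugin status line and terminate with the given state.
# Arguments: $1 - exit code (one of STATE_*), $2 - status line
# Outputs:   $2 on stdout
# Returns:   never returns
#######################################
finish() {
  printf '%s\n' "$2"
  exit "$1"
}

#######################################
# Evaluate a host whose firewall is managed by firewalld.
# Only called when the firewalld unit is enabled; a host without (or with a
# disabled) firewalld is judged by the iptables checks instead.
# Globals:   MIN_FIREWALLD_RULES (read)
# Outputs:   plugin status line on stdout
# Returns:   never returns; exits OK/WARNING/CRITICAL/UNKNOWN
#######################################
check_firewalld() {
  local num_rules default_zone target

  # A missing tool must surface as UNKNOWN: otherwise `wc -l` on an empty
  # stream reports "0 rules" and the plugin emits a misleading WARNING.
  command -v firewall-offline-cmd >/dev/null 2>&1 \
    || finish "$STATE_UNKNOWN" "UNKNOWN - firewall-offline-cmd not found, cannot inspect firewalld rules"

  # firewall-offline-cmd reads the permanent (on-disk) configuration, so it
  # works whether or not the daemon is running.
  num_rules=$(firewall-offline-cmd --list-rich 2>/dev/null | wc -l)

  if ! systemctl -q is-active firewalld; then
    finish "$STATE_CRITICAL" "CRITICAL - Firewalld is enabled but not active, with $num_rules rules"
  fi

  # The runtime query needs the daemon (D-Bus), so it is only issued once
  # firewalld is known to be active. A failed query used to leave the zone
  # empty and silently skip the target check below; it is now UNKNOWN.
  default_zone=$(firewall-cmd --get-default-zone 2>/dev/null) \
    || finish "$STATE_UNKNOWN" "UNKNOWN - 'firewall-cmd --get-default-zone' failed"

  # "target:" line of the zone listing, e.g. "  target: DROP" -> "DROP".
  # NOTE(review): this reads the permanent zone definition while the zone name
  # came from runtime state; if the two can diverge on these hosts, confirm
  # which one should be authoritative.
  target=$(firewall-offline-cmd --list-all --zone="$default_zone" 2>/dev/null \
    | awk '/target:/ {print $2}')

  # The target check is deliberately scoped to the a2-internal zone (this
  # plugin targets internal servers); other default zones are not inspected.
  # Both "DROP" and firewalld's "default" target are accepted.
  if [[ "$default_zone" == "a2-internal" && "$target" != "default" && "$target" != "DROP" ]]; then
    finish "$STATE_CRITICAL" "CRITICAL - Firewalld is active but the zone target is not set to DROP or default. May be open to the world!"
  fi

  if (( num_rules < MIN_FIREWALLD_RULES )); then
    finish "$STATE_WARNING" "WARNING - Firewalld is active but has only $num_rules rules (min: $MIN_FIREWALLD_RULES)"
  fi

  finish "$STATE_OK" "OK - Firewalld is active with $num_rules rules"
}

#######################################
# Verify that the iptables filter table has a default-deny posture:
# either an INPUT DROP policy or an imunify360 blocklist DROP rule.
# Outputs:   plugin status line on stdout when CRITICAL/UNKNOWN
# Returns:   0 when the policy checks pass; exits otherwise
#######################################
check_iptables_policy() {
  local ruleset policy_drop drops rejects imunify

  command -v iptables >/dev/null 2>&1 \
    || finish "$STATE_UNKNOWN" "UNKNOWN - iptables not found, cannot inspect firewall rules"

  # `iptables -S` dumps policies and rules in iptables-save syntax. A failure
  # here (typically insufficient privileges) must not be mistaken for "no
  # rules loaded", which would raise a false CRITICAL.
  ruleset=$(iptables -S 2>/dev/null) \
    || finish "$STATE_UNKNOWN" "UNKNOWN - 'iptables -S' failed (insufficient privileges?)"

  # grep exits 1 when nothing matches; an empty ruleset is a valid (bad) result.
  ruleset=$(grep -wE 'INPUT|DROP|REJECT' <<<"$ruleset") || true

  policy_drop=$(grep -c 'INPUT DROP' <<<"$ruleset")          # "-P INPUT DROP"
  drops=$(grep -c DROP <<<"$ruleset")
  rejects=$(grep -c REJECT <<<"$ruleset")
  imunify=$(grep -c 'imunify360_log_bl -j DROP' <<<"$ruleset")

  if (( policy_drop == 0 && imunify == 0 )); then
    finish "$STATE_CRITICAL" "CRITICAL - Firewall rules not loaded, no default DROP policy!"
  elif (( drops == 0 && rejects == 0 )); then
    # NOTE(review): as written this branch cannot fire — every line counted by
    # policy_drop or imunify also contains "DROP", so drops > 0 whenever the
    # first condition is false. Kept to document the intended second check.
    finish "$STATE_CRITICAL" "CRITICAL - Firewall DROP/REJECT rules missing!"
  fi
}

#######################################
# Verify that every relevant filter-table chain holds at least one rule.
# FORWARD, OUTPUT*, LOG_*, SOLUS* and imunify360* chains are exempt.
# Outputs:   plugin status line on stdout
# Returns:   never returns; exits OK or CRITICAL
#######################################
check_iptables_chains() {
  local chain count

  # Chain names come from the "Chain NAME (...)" header lines of -nvL.
  while IFS= read -r chain; do
    [[ -n "$chain" ]] || continue
    case "$chain" in
      FORWARD|OUTPUT*|LOG_*|SOLUS*|*imunify360*) continue ;;
    esac
    # `iptables -S CHAIN` always prints one -P/-N header line, so a line
    # count of 1 or less means the chain carries no rules.
    count=$(iptables -S "$chain" 2>/dev/null | wc -l)
    if (( count <= 1 )); then
      finish "$STATE_CRITICAL" "CRITICAL - Firewall rules are missing!"
    fi
  done < <(iptables -nvL 2>/dev/null | awk '$1 == "Chain" {print $2}')

  finish "$STATE_OK" "OK - Firewall is working properly!"
}

#######################################
# Entry point. A host with firewalld enabled is judged by firewalld alone;
# everything else falls through to the iptables checks.
#######################################
main() {
  if systemctl -q is-enabled firewalld 2>/dev/null; then
    check_firewalld
  fi
  check_iptables_policy
  check_iptables_chains
}

main "$@"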