From 7906c053b1ae0639cc39e43638cddcac48be1d39 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 4 Apr 2022 16:46:05 -0400 Subject: [PATCH 1/2] Initial support for restricting IDH services on MGT IP --- salt/idh/init.sls | 27 ++++++++++++++++++++++++++- salt/top.sls | 2 +- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 089ecc4df..5f5307b08 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -19,11 +19,36 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} +{% set MAININT = salt['pillar.get']('host:mainint') %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} +{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %} include: - idh.openssh.config -# IDH State + +# If True, block IDH Services from accepting connections on Managment IP +{% if RESTRICTIDHSERVICES %} + {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} + {% set idh_services = salt['pillar.get']('idh:services', []) %} + + {% for service in idh_services %} + {% if service in ["smnp","ntp", "tftp"] %} + {% set proto = 'udp' %} + {% else %} + {% set proto = 'tcp' %} + {% endif %} +block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'.port'] }} : + iptables.insert: + - table: filter + - chain: INPUT + - jump: DROP + - position: 1 + - proto: {{ proto }} + - dport: {{ OPENCANARYCONFIG[service~'.port'] }} + - destination: {{ MAINIP }} + {% endfor %} +{% endif %} # Create a config directory temp: diff --git a/salt/top.sls b/salt/top.sls index dd41ff9fe..5f8e56c7f 100644 --- a/salt/top.sls +++ b/salt/top.sls 
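Review bot: The UDP list in `{% if service in ["smnp","ntp", "tftp"] %}` misspells snmp, so an `snmp` service falls through to the tcp branch and its block rule is written for tcp/&lt;port&gt;, leaving the UDP honeypot port reachable on the management IP; it should read `{% if service in ["snmp", "ntp", "tftp"] %}`. The state is also one-way: when `idh:restrict_management_ip` is later set back to False nothing removes the rules that were inserted at position 1, so an `{% else %}` branch carrying an `iptables.delete` with the same table/chain/proto/dport/destination spec would make the toggle reversible. `MAINIP` is taken as `ip_interfaces[MAININT][0]` with no guard, so a missing or address-less `host:mainint` fails the render with a Jinja error rather than a readable message, and because only IPv4 `iptables` is touched a management IPv6 address, if the host has one, presumably stays open — both are worth a `| default` check and a caveat in the header comment (which also misspells "Management").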
@@ -499,7 +499,7 @@ base: - ssl - sensoroni - telegraf - - firewall + - firewall # It's important that this state runs before the IDH state, since the IDH state (optionally) inserts BLOCK rules at position 1 {%- if WAZUH != 0 %} - wazuh {%- endif %} From f5e539a05c3c0e8c2466e5188867b77e24480fda Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 6 Apr 2022 17:16:38 -0400 Subject: [PATCH 2/2] Initial support for restricting IDH services on MGT IP --- setup/so-functions | 8 ++++++++ setup/so-setup | 9 +++++---- setup/so-whiptail | 11 +++++++++++ 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5b4914941..b1ebb1aa1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -435,6 +435,13 @@ collect_hostname_validate() { done } +collect_idh_preferences() { + IDHMGTRESTRICT='False' + whiptail_idh_preferences + + if [[ "$idh_preferences" != "" ]]; then IDHMGTRESTRICT='True'; fi +} + collect_idh_services() { whiptail_idh_services @@ -2867,6 +2874,7 @@ write_out_idh_services() { printf '%s\n'\ "idh:"\ + " restrict_management_ip: $IDHMGTRESTRICT"\ " services:" >> "$pillar_file" for service in ${idh_services[@]}; do echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file" diff --git a/setup/so-setup b/setup/so-setup index deca4b0d6..1cb1bdc4e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -276,10 +276,6 @@ if [[ $is_manager || $is_import ]]; then check_elastic_license fi -if [[ $is_idh ]]; then - collect_idh_services -fi - if ! [[ -f $install_opt_file ]]; then if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" @@ -327,6 +323,11 @@ if ! [[ -f $install_opt_file ]]; then copy_ssh_key >> $setup_log 2>&1 fi + if [[ $is_idh ]]; then + collect_idh_services + collect_idh_preferences + fi + # Check if this is an airgap install if [[ ( $is_manager || $is_import) && $is_iso ]]; then whiptail_airgap diff --git a/setup/so-whiptail b/setup/so-whiptail index c39ec4ff7..72013b0ac 100755 
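Review bot: The ordering the new comment on `- firewall` documents is enforced only by the position of an entry in this top-file list, so a later reorder produces no error, just IDH DROP rules that the firewall state presumably rewrites or displaces when it runs afterwards. The constraint belongs on the iptables states themselves as a requisite, e.g. `- require:` followed by `  - sls: firewall` on each `block_mgt_ip_idh_services_*` state in salt/idh/init.sls, with the comment here pointing at that rather than being the only thing holding the order.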
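Review bot: The test `if [[ "$idh_preferences" != "" ]]; then IDHMGTRESTRICT='True'; fi` in `collect_idh_preferences` is the long form of a non-empty check; `[[ -n "$idh_preferences" ]] && IDHMGTRESTRICT='True'` says the same thing in the idiom the rest of the file uses for string tests. A one-line comment such as `# radiolist returns the selected tag ($MAINIP) or "" when left unchecked` would also make it clear why non-empty means "restrict", since the value itself is never used.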
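Review bot: `" restrict_management_ip: $IDHMGTRESTRICT"` is written unconditionally, but `IDHMGTRESTRICT` is only set inside `collect_idh_preferences`, which the so-setup change runs solely on the interactive path; on any other path this emits `restrict_management_ip:` with an empty value, which YAML loads as null rather than a boolean. Defaulting at the write site, `" restrict_management_ip: ${IDHMGTRESTRICT:-False}"`, keeps the pillar well-typed regardless of how setup was driven. `write_out_idh_services` begins outside the hunk.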
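Review bot: Moving `collect_idh_services` under `if ! [[ -f $install_opt_file ]]` means an install driven by an options file no longer prompts for IDH services at all, whereas before this patch the prompt ran for every IDH node; unless that file is expected to supply `idh_services` (not visible here), `write_out_idh_services` will then emit an empty `services:` list. If the move is intentional, a comment on the new block such as `# interactive only: unattended installs must provide idh_services/IDHMGTRESTRICT via the options file` would record the contract; otherwise `collect_idh_services` should stay outside the conditional and only `collect_idh_preferences` (which needs `$MAINIP` from the interactive flow) move inside it.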
--- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -725,6 +725,17 @@ whiptail_homenet_sensor() { export HNSENSOR } + whiptail_idh_preferences() { + + [ -n "$TESTING" ] && return + + idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \ + "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces / IPs on this system.\n\nYou can choose below whether or not to prevent IDH services from being published on this system's management IP." 20 75 5 \ + "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} whiptail_idh_services() {
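Review bot: `whiptail_idh_preferences` asks a yes/no question through a one-item `--radiolist` whose answer is then reduced to "tag present or not" by the caller; a `--yesno` dialog with `--defaultno` expresses the same choice directly and returns it as an exit status, which is also what `whiptail_check_exitstatus` already consumes. If the radiolist is kept, note in a comment that the `$MAINIP` tag is the only thing the caller inspects, and that `[ -n "$TESTING" ] && return` deliberately leaves `idh_preferences` unset so the restriction defaults off. The function's opening line is indented one space while its neighbours (`whiptail_homenet_sensor`, `whiptail_idh_services`) start at column 0 — the stray indent should go.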