anfud/bin/anfud.sh

#!/bin/sh
#---------------------------------------------------------------------
#- Adjusting net filter updater daemon
#- rabit@netfrag.org, 01.11.2004
I='$Id: anfud.sh,v 1.1 2004/11/12 08:05:09 rabit Exp $'
#---------------------------------------------------------------------
#- Functions:

# Syntax: dropaddress <IP_address>
#
dropaddress() {
        local IP LogMsg RegEx RuleCount

        if [ -n "$EXCLUDE" ]; then
                for IP in $EXCLUDE; do
                        case $1 in
                        ($IP)
                                logmessage "Ignoring excluded address '$1'."
                                return 1
                                ;;
                        esac
                done
        fi

        RegEx='DROP.*'$1
        RuleCount=`iptables -L INPUT -n | egrep $RegEx | wc -l`

        if [ $RuleCount == 0 ]; then

                if [ "$PRETEND" == 1 ]; then
                        logmessage "(PRETEND) Dropping rule for address '$1' now would be inserted."
                else
                        iptables -I INPUT -s $1 -j DROP

                        LogMsg="Dropping rule for address '$1' has been inserted."
                        logmessage "$LogMsg"

                        [ -n "$LOG_DROPPED" ] && syslogwarning "$LogMsg"
                fi

        else
                logmessage "Address '$1' already gets dropped by $RuleCount rule(s). Doing nothing."
        fi

        return
}

# Syntax: echo_log [<Message>]
#
echo_log() {
        [ -n "$LOGTARGET" ] && echo $1 >>$LOGTARGET

        return $?
}

# Syntax: end [<ExitVal>]
#
end() {
        ExitVal=${1:-0}

        logmessage "Closing session. Exit code is '$ExitVal'."

        exit $ExitVal

        return
}

# Syntax: includeconf
#
includeconf() {
        # If existant, include the 'anfud.conf' file:
        [ -e /etc/anfud.conf ] && source /etc/anfud.conf

        return $?
}

# Syntax: init
#
init() {
        # Include the configuration file:
        includeconf

        # Set the default output log target:
        [ -z "$LOGTARGET" ] && LOGTARGET=/var/log/anfud.log

        echo_log # Before starting, output a blank line.
        logmessage "Session started ($A)."

        return
}

# Syntax: logmessage "<Message>"
#
logmessage() {
        echo_log "`date +'%b %e %H:%M:%S'` $N[$$]: $1"

        return $?
}

# Syntax: syslogwarning "<Message>"
#
syslogwarning() {
        logger -p warning -t $N[$$] $1

        return $?
}

#---------------------------------------------------------------------
#- Signal trapping:

trap 'logmessage "Recieved signal 1 (SIGHUP)."; end' 1
trap 'logmessage "Recieved signal 2 (SIGINT)."; end' 2
trap 'logmessage "Recieved signal 3 (SIGQUIT)."; end' 3
#trap 'logmessage "Recieved signal 4 (SIGILL)."; end' 4
#trap 'logmessage "Recieved signal 6 (SIGABRT)."; end' 6
trap 'logmessage "Recieved signal 9 (SIGKILL)."; end' 9
trap 'logmessage "Recieved signal 15 (SIGTERM)."; end' 15

#---------------------------------------------------------------------
#- Constants:

# Extract the basename:
N=$(basename $0)

# Format the CVS ID line:

I=${I:5}

if [ -n "$I" ]; then
        #while read Name Ver Date Time User Exp; do
        #       A="${Name/,v} v$Ver by $User ($Date, $Time)"
        #done < <(echo $I)
        A=$I
else
        A="No CVS ID yet"
fi

#- Match masks:

# Example lines from '/var/log/auth.log' where SSH login failed:
#"Jan  1 00:00:00 machine sshd[1000]: Illegal user admin from 127.0.0.1"
#"Jan  1 00:00:00 machine sshd[1000]: Failed password for root from 127.0.0.1 port 30000 ssh2"
#"Jan  1 00:00:00 machine sshd[1000]: error: PAM: Authentication failure for root from 127.0.0.1"

# Match mask for illegal SSH user login attempt:
MatchP1='* sshd*: Illegal user *'

# Match masks for SSH logins w/ failed password:
MatchN2='* sshd*: Failed * for illegal user * from *'
MatchP2='* sshd*: Failed password for * from *'

# Match mask for SSH logins w/ incorrect password:
MatchN3='* sshd*: error: PAM: Authentication failure for illegal user * from *'
MatchP3='* sshd*: error: PAM: Authentication failure for * from *'

# Example lines from '/var/log/auth.log' where FTP login failed:
#"Jan  1 00:00:00 machine ftpd[17986]: FTP LOGIN FAILED FROM host.domain, root"

MatchFTP_P1='* ftpd*: FTP LOGIN FAILED FROM *, *'

#---------------------------------------------------------------------
#- Initialise:

init

#---------------------------------------------------------------------
#- Default parameters:

# The log file to be scanned for intrusion attempts:
# (default: "SCANLOG=/var/log/syslog")
[ -z "$SCANLOG" ] && [ -e /var/log/syslog ] && SCANLOG=/var/log/syslog

# On start seek and parse log file from beginning:
# (default: "SEEKSTART=1")
[ -z "$SEEKSTART" ] && SEEKSTART=1

# Follow the scan log file:
# (default: "LOGFOLLOW=1")
[ -z "$LOGFOLLOW" ] && LOGFOLLOW=1

# Time between log file scans (in seconds):
# (default: "INTERVAL=1")
[ -z "$INTERVAL" ] && INTERVAL=1

# Drop when illegal SSH login username:
# (default: "DROP_SSH_ILLEGALUSER=1")
[ -z "$DROP_SSH_ILLEGALUSER" ] && DROP_SSH_ILLEGALUSER=1

# Drop when FTP login failed:
# (default: "DROP_FTP_FAILEDLOGIN=1")
[ -z "$DROP_FTP_FAILEDLOGIN" ] && DROP_FTP_FAILEDLOGIN=1

# Log address dropping to the system log:
# (default: "LOG_DROPPED=1")
[ -z "$LOG_DROPPED" ] && LOG_DROPPED=1

# Pretend operation(s) (parse only):
# (default: "PRETEND=0")
[ -z "$PRETEND" ] && PRETEND=0

#---------------------------------------------------------------------
#- Early exit conditions:

if [ -z "$SCANLOG" ] || [ ! -f "$SCANLOG" ]; then
        logmessage "ERROR: No log file to scan. Nothing to do for me."
        end 1
fi

if [ $SEEKSTART != 1 ] && [ $LOGFOLLOW == 0 ]; then
        logmessage "ERROR: No seek, no follow. Nothing to do for me."
        end 1
fi

#---------------------------------------------------------------------

# Flag for marking the first run:
FirstRun=1

while [ -e $SCANLOG ]; do

        #LogSize=`du -b $SCANLOG | cut -f1`
        LogSize=$(stat -c %s $SCANLOG)

        if [ "$FirstRun" == 1 ]; then
                if [ "$SEEKSTART" == 1 ]; then
                        logmessage "Reading '$SCANLOG' from start. File size is '$LogSize' bytes."
                else
                        OldLogSize=$LogSize
                fi
        fi

        if ((LogSize > OldLogSize)); then

                tail --bytes=$[LogSize - OldLogSize] $SCANLOG | \
                  while read LogFileLine; do

                        DateTime=`echo "\$LogFileLine" | awk -F' ' '{ print $1 " " $2 " " $3 }'`
                        LogFileMsg=`echo "\$LogFileLine" | awk -F' ' '{ $1=""; $2=""; $3=""; print $0 }'`

                        case "$LogFileLine" in

                        ($MatchP1)
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f8`
                                IP=`echo "\$LogFileMsg" | cut -d' ' -f10`
                                logmessage "SSH: illegal login as '$Username' from '$IP' at '$DateTime'."
                                [ "$DROP_SSH_ILLEGALUSER" == 1 ] && dropaddress $IP
                                ;;

                        ($MatchN2)
                                ;;

                        ($MatchP2)
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f9`
                                IP=`echo "\$LogFileMsg" | cut -d' ' -f11`
                                logmessage "SSH: failed password for '$Username' from '$IP' at '$DateTime'."
                                dropaddress $IP
                                ;;

                        ($MatchN3)
                                ;;

                        ($MatchP3)
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
                                IP=`echo "\$LogFileMsg" | cut -d' ' -f13`
                                logmessage "SSH: incorrect password for '$Username' from '$IP' at '$DateTime'."
                                dropaddress $IP
                                ;;

                        ($MatchFTP_P1)
                                Address=`echo "\$LogFileMsg" | cut -d' ' -f10`
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
                                Address=${Address/,}
                                IP=$(resolveip -s $Address)
                                logmessage "FTP: failed login as '$Username' from '$IP' at '$DateTime'."
                                [ "$DROP_FTP_FAILEDLOGIN" == 1 ] && dropaddress $IP
                                ;;

                        esac
                done

        elif ((OldLogSize > LogSize)); then
                logmessage "'$SCANLOG' has been truncated. New file size is '$LogSize' bytes."
        fi

        OldLogSize=$LogSize

        [ "$LOGFOLLOW" != 1 ] && end

        [ "$FirstRun" == 1 ] && [ "$LOGFOLLOW" == 1 ] && \
          logmessage "Following. Scanning '$SCANLOG' every '$INTERVAL' second(s)."

        # First run just ended:
        FirstRun=0

        # Make the defined pause:
        sleep $INTERVAL
done

#---------------------------------------------------------------------
1	rabit	1.1	#!/bin/sh
2			#---------------------------------------------------------------------
3			#- Adjusting net filter updater daemon
4			#- rabit@netfrag.org, 01.11.2004
5	rabit	1.2	I='$Id: anfud.sh,v 1.1 2004/11/12 08:05:09 rabit Exp $'
6	rabit	1.1	#---------------------------------------------------------------------
7			#- Functions:
8
9			# Syntax: dropaddress <IP_address>
10			#
11			dropaddress() {
12			local IP LogMsg RegEx RuleCount
13
14			if [ -n "$EXCLUDE" ]; then
15			for IP in $EXCLUDE; do
16			case $1 in
17			($IP)
18			logmessage "Ignoring excluded address '$1'."
19			return 1
20			;;
21			esac
22			done
23			fi
24
25			RegEx='DROP.*'$1
26			RuleCount=`iptables -L INPUT -n \| egrep $RegEx \| wc -l`
27
28			if [ $RuleCount == 0 ]; then
29
30			if [ "$PRETEND" == 1 ]; then
31			logmessage "(PRETEND) Dropping rule for address '$1' now would be inserted."
32			else
33			iptables -I INPUT -s $1 -j DROP
34
35			LogMsg="Dropping rule for address '$1' has been inserted."
36			logmessage "$LogMsg"
37
38			[ -n "$LOG_DROPPED" ] && syslogwarning "$LogMsg"
39			fi
40
41			else
42			logmessage "Address '$1' already gets dropped by $RuleCount rule(s). Doing nothing."
43			fi
44
45			return
46			}
47
48			# Syntax: echo_log [<Message>]
49			#
50			echo_log() {
51			[ -n "$LOGTARGET" ] && echo $1 >>$LOGTARGET
52
53			return $?
54			}
55
56			# Syntax: end [<ExitVal>]
57			#
58			end() {
59			ExitVal=${1:-0}
60
61			logmessage "Closing session. Exit code is '$ExitVal'."
62
63			exit $ExitVal
64
65			return
66			}
67
68			# Syntax: includeconf
69			#
70			includeconf() {
71			# If existant, include the 'anfud.conf' file:
72			[ -e /etc/anfud.conf ] && source /etc/anfud.conf
73
74			return $?
75			}
76
77			# Syntax: init
78			#
79			init() {
80			# Include the configuration file:
81			includeconf
82
83			# Set the default output log target:
84			[ -z "$LOGTARGET" ] && LOGTARGET=/var/log/anfud.log
85
86			echo_log # Before starting, output a blank line.
87			logmessage "Session started ($A)."
88
89			return
90			}
91
92			# Syntax: logmessage "<Message>"
93			#
94			logmessage() {
95			echo_log "`date +'%b %e %H:%M:%S'` $N[$$]: $1"
96
97			return $?
98			}
99
100			# Syntax: syslogwarning "<Message>"
101			#
102			syslogwarning() {
103			logger -p warning -t $N[$$] $1
104
105			return $?
106			}
107
108			#---------------------------------------------------------------------
109			#- Signal trapping:
110
111			trap 'logmessage "Recieved signal 1 (SIGHUP)."; end' 1
112			trap 'logmessage "Recieved signal 2 (SIGINT)."; end' 2
113			trap 'logmessage "Recieved signal 3 (SIGQUIT)."; end' 3
114			#trap 'logmessage "Recieved signal 4 (SIGILL)."; end' 4
115			#trap 'logmessage "Recieved signal 6 (SIGABRT)."; end' 6
116			trap 'logmessage "Recieved signal 9 (SIGKILL)."; end' 9
117			trap 'logmessage "Recieved signal 15 (SIGTERM)."; end' 15
118
119			#---------------------------------------------------------------------
120			#- Constants:
121
122			# Extract the basename:
123			N=$(basename $0)
124
125			# Format the CVS ID line:
126
127			I=${I:5}
128
129			if [ -n "$I" ]; then
130			#while read Name Ver Date Time User Exp; do
131			# A="${Name/,v} v$Ver by $User ($Date, $Time)"
132			#done < <(echo $I)
133			A=$I
134			else
135			A="No CVS ID yet"
136			fi
137
138			#- Match masks:
139
140			# Example lines from '/var/log/auth.log' where SSH login failed:
141			#"Jan 1 00:00:00 machine sshd[1000]: Illegal user admin from 127.0.0.1"
142			#"Jan 1 00:00:00 machine sshd[1000]: Failed password for root from 127.0.0.1 port 30000 ssh2"
143			#"Jan 1 00:00:00 machine sshd[1000]: error: PAM: Authentication failure for root from 127.0.0.1"
144
145			# Match mask for illegal SSH user login attempt:
146			MatchP1='* sshd: Illegal user '
147
148			# Match masks for SSH logins w/ failed password:
149			MatchN2='* sshd: Failed for illegal user * from *'
150			MatchP2='* sshd: Failed password for from *'
151
152			# Match mask for SSH logins w/ incorrect password:
153			MatchN3='* sshd: error: PAM: Authentication failure for illegal user from *'
154			MatchP3='* sshd: error: PAM: Authentication failure for from *'
155
156			# Example lines from '/var/log/auth.log' where FTP login failed:
157			#"Jan 1 00:00:00 machine ftpd[17986]: FTP LOGIN FAILED FROM host.domain, root"
158
159			MatchFTP_P1='* ftpd: FTP LOGIN FAILED FROM , *'
160
161			#---------------------------------------------------------------------
162			#- Initialise:
163
164			init
165
166			#---------------------------------------------------------------------
167			#- Default parameters:
168
169			# The log file to be scanned for intrusion attempts:
170			# (default: "SCANLOG=/var/log/syslog")
171			[ -z "$SCANLOG" ] && [ -e /var/log/syslog ] && SCANLOG=/var/log/syslog
172
173			# On start seek and parse log file from beginning:
174			# (default: "SEEKSTART=1")
175			[ -z "$SEEKSTART" ] && SEEKSTART=1
176
177			# Follow the scan log file:
178			# (default: "LOGFOLLOW=1")
179			[ -z "$LOGFOLLOW" ] && LOGFOLLOW=1
180
181			# Time between log file scans (in seconds):
182			# (default: "INTERVAL=1")
183			[ -z "$INTERVAL" ] && INTERVAL=1
184
185			# Drop when illegal SSH login username:
186			# (default: "DROP_SSH_ILLEGALUSER=1")
187			[ -z "$DROP_SSH_ILLEGALUSER" ] && DROP_SSH_ILLEGALUSER=1
188
189			# Drop when FTP login failed:
190			# (default: "DROP_FTP_FAILEDLOGIN=1")
191			[ -z "$DROP_FTP_FAILEDLOGIN" ] && DROP_FTP_FAILEDLOGIN=1
192
193			# Log address dropping to the system log:
194			# (default: "LOG_DROPPED=1")
195			[ -z "$LOG_DROPPED" ] && LOG_DROPPED=1
196
197			# Pretend operation(s) (parse only):
198			# (default: "PRETEND=0")
199			[ -z "$PRETEND" ] && PRETEND=0
200
201			#---------------------------------------------------------------------
202			#- Early exit conditions:
203
204			if [ -z "$SCANLOG" ] \|\| [ ! -f "$SCANLOG" ]; then
205			logmessage "ERROR: No log file to scan. Nothing to do for me."
206			end 1
207			fi
208
209			if [ $SEEKSTART != 1 ] && [ $LOGFOLLOW == 0 ]; then
210			logmessage "ERROR: No seek, no follow. Nothing to do for me."
211			end 1
212			fi
213
214			#---------------------------------------------------------------------
215
216			# Flag for marking the first run:
217			FirstRun=1
218
219			while [ -e $SCANLOG ]; do
220
221			#LogSize=`du -b $SCANLOG \| cut -f1`
222			LogSize=$(stat -c %s $SCANLOG)
223
224			if [ "$FirstRun" == 1 ]; then
225			if [ "$SEEKSTART" == 1 ]; then
226			logmessage "Reading '$SCANLOG' from start. File size is '$LogSize' bytes."
227			else
228			OldLogSize=$LogSize
229			fi
230			fi
231
232			if ((LogSize > OldLogSize)); then
233
234			tail --bytes=$[LogSize - OldLogSize] $SCANLOG \| \
235			while read LogFileLine; do
236
237	rabit	1.2	DateTime=`echo "\$LogFileLine" \| awk -F' ' '{ print $1 " " $2 " " $3 }'`
238			LogFileMsg=`echo "\$LogFileLine" \| awk -F' ' '{ $1=""; $2=""; $3=""; print $0 }'`
239
240	rabit	1.1	case "$LogFileLine" in
241
242			($MatchP1)
243	rabit	1.2	Username=`echo "\$LogFileMsg" \| cut -d' ' -f8`
244			IP=`echo "\$LogFileMsg" \| cut -d' ' -f10`
245	rabit	1.1	logmessage "SSH: illegal login as '$Username' from '$IP' at '$DateTime'."
246			[ "$DROP_SSH_ILLEGALUSER" == 1 ] && dropaddress $IP
247			;;
248
249			($MatchN2)
250			;;
251
252			($MatchP2)
253	rabit	1.2	Username=`echo "\$LogFileMsg" \| cut -d' ' -f9`
254			IP=`echo "\$LogFileMsg" \| cut -d' ' -f11`
255	rabit	1.1	logmessage "SSH: failed password for '$Username' from '$IP' at '$DateTime'."
256			dropaddress $IP
257			;;
258
259			($MatchN3)
260			;;
261
262			($MatchP3)
263	rabit	1.2	Username=`echo "\$LogFileMsg" \| cut -d' ' -f11`
264			IP=`echo "\$LogFileMsg" \| cut -d' ' -f13`
265	rabit	1.1	logmessage "SSH: incorrect password for '$Username' from '$IP' at '$DateTime'."
266			dropaddress $IP
267			;;
268
269			($MatchFTP_P1)
270	rabit	1.2	Address=`echo "\$LogFileMsg" \| cut -d' ' -f10`
271			Username=`echo "\$LogFileMsg" \| cut -d' ' -f11`
272	rabit	1.1	Address=${Address/,}
273			IP=$(resolveip -s $Address)
274			logmessage "FTP: failed login as '$Username' from '$IP' at '$DateTime'."
275			[ "$DROP_FTP_FAILEDLOGIN" == 1 ] && dropaddress $IP
276			;;
277
278			esac
279			done
280
281			elif ((OldLogSize > LogSize)); then
282			logmessage "'$SCANLOG' has been truncated. New file size is '$LogSize' bytes."
283			fi
284
285			OldLogSize=$LogSize
286
287			[ "$LOGFOLLOW" != 1 ] && end
288
289			[ "$FirstRun" == 1 ] && [ "$LOGFOLLOW" == 1 ] && \
290			logmessage "Following. Scanning '$SCANLOG' every '$INTERVAL' second(s)."
291
292			# First run just ended:
293			FirstRun=0
294
295			# Make the defined pause:
296			sleep $INTERVAL
297			done
298
299			#---------------------------------------------------------------------
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26