anfud/bin/anfud.sh

#!/bin/sh
#---------------------------------------------------------------------
#- Adjusting net filter updater daemon
#- rabit@netfrag.org, 01.11.2004
I='$Id: anfud.sh,v 1.1 2004/11/12 08:05:09 rabit Exp $'
#---------------------------------------------------------------------
#- Functions:

# Syntax: dropaddress <IP_address>
#
dropaddress() {
        local IP LogMsg RegEx RuleCount

        if [ -n "$EXCLUDE" ]; then
                for IP in $EXCLUDE; do
                        case $1 in
                        ($IP)
                                logmessage "Ignoring excluded address '$1'."
                                return 1
                                ;;
                        esac
                done
        fi

        RegEx='DROP.*'$1
        RuleCount=`iptables -L INPUT -n | egrep $RegEx | wc -l`

        if [ $RuleCount == 0 ]; then

                if [ "$PRETEND" == 1 ]; then
                        logmessage "(PRETEND) Dropping rule for address '$1' now would be inserted."
                else
                        iptables -I INPUT -s $1 -j DROP

                        LogMsg="Dropping rule for address '$1' has been inserted."
                        logmessage "$LogMsg"

                        [ -n "$LOG_DROPPED" ] && syslogwarning "$LogMsg"
                fi

        else
                logmessage "Address '$1' already gets dropped by $RuleCount rule(s). Doing nothing."
        fi

        return
}

# Syntax: echo_log [<Message>]
#
echo_log() {
        [ -n "$LOGTARGET" ] && echo $1 >>$LOGTARGET

        return $?
}

# Syntax: end [<ExitVal>]
#
end() {
        ExitVal=${1:-0}

        logmessage "Closing session. Exit code is '$ExitVal'."

        exit $ExitVal

        return
}

# Syntax: includeconf
#
includeconf() {
        # If existant, include the 'anfud.conf' file:
        [ -e /etc/anfud.conf ] && source /etc/anfud.conf

        return $?
}

# Syntax: init
#
init() {
        # Include the configuration file:
        includeconf

        # Set the default output log target:
        [ -z "$LOGTARGET" ] && LOGTARGET=/var/log/anfud.log

        echo_log # Before starting, output a blank line.
        logmessage "Session started ($A)."

        return
}

# Syntax: logmessage "<Message>"
#
logmessage() {
        echo_log "`date +'%b %e %H:%M:%S'` $N[$$]: $1"

        return $?
}

# Syntax: syslogwarning "<Message>"
#
syslogwarning() {
        logger -p warning -t $N[$$] $1

        return $?
}

#---------------------------------------------------------------------
#- Signal trapping:

trap 'logmessage "Recieved signal 1 (SIGHUP)."; end' 1
trap 'logmessage "Recieved signal 2 (SIGINT)."; end' 2
trap 'logmessage "Recieved signal 3 (SIGQUIT)."; end' 3
#trap 'logmessage "Recieved signal 4 (SIGILL)."; end' 4
#trap 'logmessage "Recieved signal 6 (SIGABRT)."; end' 6
trap 'logmessage "Recieved signal 9 (SIGKILL)."; end' 9
trap 'logmessage "Recieved signal 15 (SIGTERM)."; end' 15

#---------------------------------------------------------------------
#- Constants:

# Extract the basename:
N=$(basename $0)

# Format the CVS ID line:

I=${I:5}

if [ -n "$I" ]; then
        #while read Name Ver Date Time User Exp; do
        #       A="${Name/,v} v$Ver by $User ($Date, $Time)"
        #done < <(echo $I)
        A=$I
else
        A="No CVS ID yet"
fi

#- Match masks:

# Example lines from '/var/log/auth.log' where SSH login failed:
#"Jan  1 00:00:00 machine sshd[1000]: Illegal user admin from 127.0.0.1"
#"Jan  1 00:00:00 machine sshd[1000]: Failed password for root from 127.0.0.1 port 30000 ssh2"
#"Jan  1 00:00:00 machine sshd[1000]: error: PAM: Authentication failure for root from 127.0.0.1"

# Match mask for illegal SSH user login attempt:
MatchP1='* sshd*: Illegal user *'

# Match masks for SSH logins w/ failed password:
MatchN2='* sshd*: Failed * for illegal user * from *'
MatchP2='* sshd*: Failed password for * from *'

# Match mask for SSH logins w/ incorrect password:
MatchN3='* sshd*: error: PAM: Authentication failure for illegal user * from *'
MatchP3='* sshd*: error: PAM: Authentication failure for * from *'

# Example lines from '/var/log/auth.log' where FTP login failed:
#"Jan  1 00:00:00 machine ftpd[17986]: FTP LOGIN FAILED FROM host.domain, root"

MatchFTP_P1='* ftpd*: FTP LOGIN FAILED FROM *, *'

#---------------------------------------------------------------------
#- Initialise:

init

#---------------------------------------------------------------------
#- Default parameters:

# The log file to be scanned for intrusion attempts:
# (default: "SCANLOG=/var/log/syslog")
[ -z "$SCANLOG" ] && [ -e /var/log/syslog ] && SCANLOG=/var/log/syslog

# On start seek and parse log file from beginning:
# (default: "SEEKSTART=1")
[ -z "$SEEKSTART" ] && SEEKSTART=1

# Follow the scan log file:
# (default: "LOGFOLLOW=1")
[ -z "$LOGFOLLOW" ] && LOGFOLLOW=1

# Time between log file scans (in seconds):
# (default: "INTERVAL=1")
[ -z "$INTERVAL" ] && INTERVAL=1

# Drop when illegal SSH login username:
# (default: "DROP_SSH_ILLEGALUSER=1")
[ -z "$DROP_SSH_ILLEGALUSER" ] && DROP_SSH_ILLEGALUSER=1

# Drop when FTP login failed:
# (default: "DROP_FTP_FAILEDLOGIN=1")
[ -z "$DROP_FTP_FAILEDLOGIN" ] && DROP_FTP_FAILEDLOGIN=1

# Log address dropping to the system log:
# (default: "LOG_DROPPED=1")
[ -z "$LOG_DROPPED" ] && LOG_DROPPED=1

# Pretend operation(s) (parse only):
# (default: "PRETEND=0")
[ -z "$PRETEND" ] && PRETEND=0

#---------------------------------------------------------------------
#- Early exit conditions:

if [ -z "$SCANLOG" ] || [ ! -f "$SCANLOG" ]; then
        logmessage "ERROR: No log file to scan. Nothing to do for me."
        end 1
fi

if [ $SEEKSTART != 1 ] && [ $LOGFOLLOW == 0 ]; then
        logmessage "ERROR: No seek, no follow. Nothing to do for me."
        end 1
fi

#---------------------------------------------------------------------

# Flag for marking the first run:
FirstRun=1

while [ -e $SCANLOG ]; do

        #LogSize=`du -b $SCANLOG | cut -f1`
        LogSize=$(stat -c %s $SCANLOG)

        if [ "$FirstRun" == 1 ]; then
                if [ "$SEEKSTART" == 1 ]; then
                        logmessage "Reading '$SCANLOG' from start. File size is '$LogSize' bytes."
                else
                        OldLogSize=$LogSize
                fi
        fi

        if ((LogSize > OldLogSize)); then

                tail --bytes=$[LogSize - OldLogSize] $SCANLOG | \
                  while read LogFileLine; do

                        DateTime=`echo "\$LogFileLine" | awk -F' ' '{ print $1 " " $2 " " $3 }'`
                        LogFileMsg=`echo "\$LogFileLine" | awk -F' ' '{ $1=""; $2=""; $3=""; print $0 }'`

                        case "$LogFileLine" in

                        ($MatchP1)
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f8`
                                IP=`echo "\$LogFileMsg" | cut -d' ' -f10`
                                logmessage "SSH: illegal login as '$Username' from '$IP' at '$DateTime'."
                                [ "$DROP_SSH_ILLEGALUSER" == 1 ] && dropaddress $IP
                                ;;

                        ($MatchN2)
                                ;;

                        ($MatchP2)
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f9`
                                IP=`echo "\$LogFileMsg" | cut -d' ' -f11`
                                logmessage "SSH: failed password for '$Username' from '$IP' at '$DateTime'."
                                dropaddress $IP
                                ;;

                        ($MatchN3)
                                ;;

                        ($MatchP3)
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
                                IP=`echo "\$LogFileMsg" | cut -d' ' -f13`
                                logmessage "SSH: incorrect password for '$Username' from '$IP' at '$DateTime'."
                                dropaddress $IP
                                ;;

                        ($MatchFTP_P1)
                                Address=`echo "\$LogFileMsg" | cut -d' ' -f10`
                                Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
                                Address=${Address/,}
                                IP=$(resolveip -s $Address)
                                logmessage "FTP: failed login as '$Username' from '$IP' at '$DateTime'."
                                [ "$DROP_FTP_FAILEDLOGIN" == 1 ] && dropaddress $IP
                                ;;

                        esac
                done

        elif ((OldLogSize > LogSize)); then
                logmessage "'$SCANLOG' has been truncated. New file size is '$LogSize' bytes."
        fi

        OldLogSize=$LogSize

        [ "$LOGFOLLOW" != 1 ] && end

        [ "$FirstRun" == 1 ] && [ "$LOGFOLLOW" == 1 ] && \
          logmessage "Following. Scanning '$SCANLOG' every '$INTERVAL' second(s)."

        # First run just ended:
        FirstRun=0

        # Make the defined pause:
        sleep $INTERVAL
done

#---------------------------------------------------------------------
1	#!/bin/sh
2	#---------------------------------------------------------------------
3	#- Adjusting net filter updater daemon
4	#- rabit@netfrag.org, 01.11.2004
5	I='$Id: anfud.sh,v 1.1 2004/11/12 08:05:09 rabit Exp $'
6	#---------------------------------------------------------------------
7	#- Functions:
8
9	# Syntax: dropaddress <IP_address>
10	#
11	dropaddress() {
12	local IP LogMsg RegEx RuleCount
13
14	if [ -n "$EXCLUDE" ]; then
15	for IP in $EXCLUDE; do
16	case $1 in
17	($IP)
18	logmessage "Ignoring excluded address '$1'."
19	return 1
20	;;
21	esac
22	done
23	fi
24
25	RegEx='DROP.*'$1
26	RuleCount=`iptables -L INPUT -n \| egrep $RegEx \| wc -l`
27
28	if [ $RuleCount == 0 ]; then
29
30	if [ "$PRETEND" == 1 ]; then
31	logmessage "(PRETEND) Dropping rule for address '$1' now would be inserted."
32	else
33	iptables -I INPUT -s $1 -j DROP
34
35	LogMsg="Dropping rule for address '$1' has been inserted."
36	logmessage "$LogMsg"
37
38	[ -n "$LOG_DROPPED" ] && syslogwarning "$LogMsg"
39	fi
40
41	else
42	logmessage "Address '$1' already gets dropped by $RuleCount rule(s). Doing nothing."
43	fi
44
45	return
46	}
47
48	# Syntax: echo_log [<Message>]
49	#
50	echo_log() {
51	[ -n "$LOGTARGET" ] && echo $1 >>$LOGTARGET
52
53	return $?
54	}
55
56	# Syntax: end [<ExitVal>]
57	#
58	end() {
59	ExitVal=${1:-0}
60
61	logmessage "Closing session. Exit code is '$ExitVal'."
62
63	exit $ExitVal
64
65	return
66	}
67
68	# Syntax: includeconf
69	#
70	includeconf() {
71	# If existant, include the 'anfud.conf' file:
72	[ -e /etc/anfud.conf ] && source /etc/anfud.conf
73
74	return $?
75	}
76
77	# Syntax: init
78	#
79	init() {
80	# Include the configuration file:
81	includeconf
82
83	# Set the default output log target:
84	[ -z "$LOGTARGET" ] && LOGTARGET=/var/log/anfud.log
85
86	echo_log # Before starting, output a blank line.
87	logmessage "Session started ($A)."
88
89	return
90	}
91
92	# Syntax: logmessage "<Message>"
93	#
94	logmessage() {
95	echo_log "`date +'%b %e %H:%M:%S'` $N[$$]: $1"
96
97	return $?
98	}
99
100	# Syntax: syslogwarning "<Message>"
101	#
102	syslogwarning() {
103	logger -p warning -t $N[$$] $1
104
105	return $?
106	}
107
108	#---------------------------------------------------------------------
109	#- Signal trapping:
110
111	trap 'logmessage "Recieved signal 1 (SIGHUP)."; end' 1
112	trap 'logmessage "Recieved signal 2 (SIGINT)."; end' 2
113	trap 'logmessage "Recieved signal 3 (SIGQUIT)."; end' 3
114	#trap 'logmessage "Recieved signal 4 (SIGILL)."; end' 4
115	#trap 'logmessage "Recieved signal 6 (SIGABRT)."; end' 6
116	trap 'logmessage "Recieved signal 9 (SIGKILL)."; end' 9
117	trap 'logmessage "Recieved signal 15 (SIGTERM)."; end' 15
118
119	#---------------------------------------------------------------------
120	#- Constants:
121
122	# Extract the basename:
123	N=$(basename $0)
124
125	# Format the CVS ID line:
126
127	I=${I:5}
128
129	if [ -n "$I" ]; then
130	#while read Name Ver Date Time User Exp; do
131	# A="${Name/,v} v$Ver by $User ($Date, $Time)"
132	#done < <(echo $I)
133	A=$I
134	else
135	A="No CVS ID yet"
136	fi
137
138	#- Match masks:
139
140	# Example lines from '/var/log/auth.log' where SSH login failed:
141	#"Jan 1 00:00:00 machine sshd[1000]: Illegal user admin from 127.0.0.1"
142	#"Jan 1 00:00:00 machine sshd[1000]: Failed password for root from 127.0.0.1 port 30000 ssh2"
143	#"Jan 1 00:00:00 machine sshd[1000]: error: PAM: Authentication failure for root from 127.0.0.1"
144
145	# Match mask for illegal SSH user login attempt:
146	MatchP1='* sshd: Illegal user '
147
148	# Match masks for SSH logins w/ failed password:
149	MatchN2='* sshd: Failed for illegal user * from *'
150	MatchP2='* sshd: Failed password for from *'
151
152	# Match mask for SSH logins w/ incorrect password:
153	MatchN3='* sshd: error: PAM: Authentication failure for illegal user from *'
154	MatchP3='* sshd: error: PAM: Authentication failure for from *'
155
156	# Example lines from '/var/log/auth.log' where FTP login failed:
157	#"Jan 1 00:00:00 machine ftpd[17986]: FTP LOGIN FAILED FROM host.domain, root"
158
159	MatchFTP_P1='* ftpd: FTP LOGIN FAILED FROM , *'
160
161	#---------------------------------------------------------------------
162	#- Initialise:
163
164	init
165
166	#---------------------------------------------------------------------
167	#- Default parameters:
168
169	# The log file to be scanned for intrusion attempts:
170	# (default: "SCANLOG=/var/log/syslog")
171	[ -z "$SCANLOG" ] && [ -e /var/log/syslog ] && SCANLOG=/var/log/syslog
172
173	# On start seek and parse log file from beginning:
174	# (default: "SEEKSTART=1")
175	[ -z "$SEEKSTART" ] && SEEKSTART=1
176
177	# Follow the scan log file:
178	# (default: "LOGFOLLOW=1")
179	[ -z "$LOGFOLLOW" ] && LOGFOLLOW=1
180
181	# Time between log file scans (in seconds):
182	# (default: "INTERVAL=1")
183	[ -z "$INTERVAL" ] && INTERVAL=1
184
185	# Drop when illegal SSH login username:
186	# (default: "DROP_SSH_ILLEGALUSER=1")
187	[ -z "$DROP_SSH_ILLEGALUSER" ] && DROP_SSH_ILLEGALUSER=1
188
189	# Drop when FTP login failed:
190	# (default: "DROP_FTP_FAILEDLOGIN=1")
191	[ -z "$DROP_FTP_FAILEDLOGIN" ] && DROP_FTP_FAILEDLOGIN=1
192
193	# Log address dropping to the system log:
194	# (default: "LOG_DROPPED=1")
195	[ -z "$LOG_DROPPED" ] && LOG_DROPPED=1
196
197	# Pretend operation(s) (parse only):
198	# (default: "PRETEND=0")
199	[ -z "$PRETEND" ] && PRETEND=0
200
201	#---------------------------------------------------------------------
202	#- Early exit conditions:
203
204	if [ -z "$SCANLOG" ] \|\| [ ! -f "$SCANLOG" ]; then
205	logmessage "ERROR: No log file to scan. Nothing to do for me."
206	end 1
207	fi
208
209	if [ $SEEKSTART != 1 ] && [ $LOGFOLLOW == 0 ]; then
210	logmessage "ERROR: No seek, no follow. Nothing to do for me."
211	end 1
212	fi
213
214	#---------------------------------------------------------------------
215
216	# Flag for marking the first run:
217	FirstRun=1
218
219	while [ -e $SCANLOG ]; do
220
221	#LogSize=`du -b $SCANLOG \| cut -f1`
222	LogSize=$(stat -c %s $SCANLOG)
223
224	if [ "$FirstRun" == 1 ]; then
225	if [ "$SEEKSTART" == 1 ]; then
226	logmessage "Reading '$SCANLOG' from start. File size is '$LogSize' bytes."
227	else
228	OldLogSize=$LogSize
229	fi
230	fi
231
232	if ((LogSize > OldLogSize)); then
233
234	tail --bytes=$[LogSize - OldLogSize] $SCANLOG \| \
235	while read LogFileLine; do
236
237	DateTime=`echo "\$LogFileLine" \| awk -F' ' '{ print $1 " " $2 " " $3 }'`
238	LogFileMsg=`echo "\$LogFileLine" \| awk -F' ' '{ $1=""; $2=""; $3=""; print $0 }'`
239
240	case "$LogFileLine" in
241
242	($MatchP1)
243	Username=`echo "\$LogFileMsg" \| cut -d' ' -f8`
244	IP=`echo "\$LogFileMsg" \| cut -d' ' -f10`
245	logmessage "SSH: illegal login as '$Username' from '$IP' at '$DateTime'."
246	[ "$DROP_SSH_ILLEGALUSER" == 1 ] && dropaddress $IP
247	;;
248
249	($MatchN2)
250	;;
251
252	($MatchP2)
253	Username=`echo "\$LogFileMsg" \| cut -d' ' -f9`
254	IP=`echo "\$LogFileMsg" \| cut -d' ' -f11`
255	logmessage "SSH: failed password for '$Username' from '$IP' at '$DateTime'."
256	dropaddress $IP
257	;;
258
259	($MatchN3)
260	;;
261
262	($MatchP3)
263	Username=`echo "\$LogFileMsg" \| cut -d' ' -f11`
264	IP=`echo "\$LogFileMsg" \| cut -d' ' -f13`
265	logmessage "SSH: incorrect password for '$Username' from '$IP' at '$DateTime'."
266	dropaddress $IP
267	;;
268
269	($MatchFTP_P1)
270	Address=`echo "\$LogFileMsg" \| cut -d' ' -f10`
271	Username=`echo "\$LogFileMsg" \| cut -d' ' -f11`
272	Address=${Address/,}
273	IP=$(resolveip -s $Address)
274	logmessage "FTP: failed login as '$Username' from '$IP' at '$DateTime'."
275	[ "$DROP_FTP_FAILEDLOGIN" == 1 ] && dropaddress $IP
276	;;
277
278	esac
279	done
280
281	elif ((OldLogSize > LogSize)); then
282	logmessage "'$SCANLOG' has been truncated. New file size is '$LogSize' bytes."
283	fi
284
285	OldLogSize=$LogSize
286
287	[ "$LOGFOLLOW" != 1 ] && end
288
289	[ "$FirstRun" == 1 ] && [ "$LOGFOLLOW" == 1 ] && \
290	logmessage "Following. Scanning '$SCANLOG' every '$INTERVAL' second(s)."
291
292	# First run just ended:
293	FirstRun=0
294
295	# Make the defined pause:
296	sleep $INTERVAL
297	done
298
299	#---------------------------------------------------------------------
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26