/[cvs]/nfo/projects/anfud/bin/anfud.sh
ViewVC logotype

Contents of /nfo/projects/anfud/bin/anfud.sh

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.2 - (show annotations)
Sat Dec 10 12:25:34 2005 UTC (18 years, 11 months ago) by rabit
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +12 -13 lines
File MIME type: application/x-sh
Fix: Date/Time bug.

1 #!/bin/sh
2 #---------------------------------------------------------------------
3 #- Adjusting net filter updater daemon
4 #- rabit@netfrag.org, 01.11.2004
5 I='$Id: anfud.sh,v 1.1 2004/11/12 08:05:09 rabit Exp $'
6 #---------------------------------------------------------------------
7 #- Functions:
8
9 # Syntax: dropaddress <IP_address>
10 #
11 dropaddress() {
12 local IP LogMsg RegEx RuleCount
13
14 if [ -n "$EXCLUDE" ]; then
15 for IP in $EXCLUDE; do
16 case $1 in
17 ($IP)
18 logmessage "Ignoring excluded address '$1'."
19 return 1
20 ;;
21 esac
22 done
23 fi
24
25 RegEx='DROP.*'$1
26 RuleCount=`iptables -L INPUT -n | egrep $RegEx | wc -l`
27
28 if [ $RuleCount == 0 ]; then
29
30 if [ "$PRETEND" == 1 ]; then
31 logmessage "(PRETEND) Dropping rule for address '$1' now would be inserted."
32 else
33 iptables -I INPUT -s $1 -j DROP
34
35 LogMsg="Dropping rule for address '$1' has been inserted."
36 logmessage "$LogMsg"
37
38 [ -n "$LOG_DROPPED" ] && syslogwarning "$LogMsg"
39 fi
40
41 else
42 logmessage "Address '$1' already gets dropped by $RuleCount rule(s). Doing nothing."
43 fi
44
45 return
46 }
47
48 # Syntax: echo_log [<Message>]
49 #
50 echo_log() {
51 [ -n "$LOGTARGET" ] && echo $1 >>$LOGTARGET
52
53 return $?
54 }
55
56 # Syntax: end [<ExitVal>]
57 #
58 end() {
59 ExitVal=${1:-0}
60
61 logmessage "Closing session. Exit code is '$ExitVal'."
62
63 exit $ExitVal
64
65 return
66 }
67
68 # Syntax: includeconf
69 #
70 includeconf() {
71 # If existant, include the 'anfud.conf' file:
72 [ -e /etc/anfud.conf ] && source /etc/anfud.conf
73
74 return $?
75 }
76
77 # Syntax: init
78 #
79 init() {
80 # Include the configuration file:
81 includeconf
82
83 # Set the default output log target:
84 [ -z "$LOGTARGET" ] && LOGTARGET=/var/log/anfud.log
85
86 echo_log # Before starting, output a blank line.
87 logmessage "Session started ($A)."
88
89 return
90 }
91
92 # Syntax: logmessage "<Message>"
93 #
94 logmessage() {
95 echo_log "`date +'%b %e %H:%M:%S'` $N[$$]: $1"
96
97 return $?
98 }
99
100 # Syntax: syslogwarning "<Message>"
101 #
102 syslogwarning() {
103 logger -p warning -t $N[$$] $1
104
105 return $?
106 }
107
108 #---------------------------------------------------------------------
109 #- Signal trapping:
110
111 trap 'logmessage "Recieved signal 1 (SIGHUP)."; end' 1
112 trap 'logmessage "Recieved signal 2 (SIGINT)."; end' 2
113 trap 'logmessage "Recieved signal 3 (SIGQUIT)."; end' 3
114 #trap 'logmessage "Recieved signal 4 (SIGILL)."; end' 4
115 #trap 'logmessage "Recieved signal 6 (SIGABRT)."; end' 6
116 trap 'logmessage "Recieved signal 9 (SIGKILL)."; end' 9
117 trap 'logmessage "Recieved signal 15 (SIGTERM)."; end' 15
118
119 #---------------------------------------------------------------------
120 #- Constants:
121
122 # Extract the basename:
123 N=$(basename $0)
124
125 # Format the CVS ID line:
126
127 I=${I:5}
128
129 if [ -n "$I" ]; then
130 #while read Name Ver Date Time User Exp; do
131 # A="${Name/,v} v$Ver by $User ($Date, $Time)"
132 #done < <(echo $I)
133 A=$I
134 else
135 A="No CVS ID yet"
136 fi
137
138 #- Match masks:
139
140 # Example lines from '/var/log/auth.log' where SSH login failed:
141 #"Jan 1 00:00:00 machine sshd[1000]: Illegal user admin from 127.0.0.1"
142 #"Jan 1 00:00:00 machine sshd[1000]: Failed password for root from 127.0.0.1 port 30000 ssh2"
143 #"Jan 1 00:00:00 machine sshd[1000]: error: PAM: Authentication failure for root from 127.0.0.1"
144
145 # Match mask for illegal SSH user login attempt:
146 MatchP1='* sshd*: Illegal user *'
147
148 # Match masks for SSH logins w/ failed password:
149 MatchN2='* sshd*: Failed * for illegal user * from *'
150 MatchP2='* sshd*: Failed password for * from *'
151
152 # Match mask for SSH logins w/ incorrect password:
153 MatchN3='* sshd*: error: PAM: Authentication failure for illegal user * from *'
154 MatchP3='* sshd*: error: PAM: Authentication failure for * from *'
155
156 # Example lines from '/var/log/auth.log' where FTP login failed:
157 #"Jan 1 00:00:00 machine ftpd[17986]: FTP LOGIN FAILED FROM host.domain, root"
158
159 MatchFTP_P1='* ftpd*: FTP LOGIN FAILED FROM *, *'
160
161 #---------------------------------------------------------------------
162 #- Initialise:
163
164 init
165
166 #---------------------------------------------------------------------
167 #- Default parameters:
168
169 # The log file to be scanned for intrusion attempts:
170 # (default: "SCANLOG=/var/log/syslog")
171 [ -z "$SCANLOG" ] && [ -e /var/log/syslog ] && SCANLOG=/var/log/syslog
172
173 # On start seek and parse log file from beginning:
174 # (default: "SEEKSTART=1")
175 [ -z "$SEEKSTART" ] && SEEKSTART=1
176
177 # Follow the scan log file:
178 # (default: "LOGFOLLOW=1")
179 [ -z "$LOGFOLLOW" ] && LOGFOLLOW=1
180
181 # Time between log file scans (in seconds):
182 # (default: "INTERVAL=1")
183 [ -z "$INTERVAL" ] && INTERVAL=1
184
185 # Drop when illegal SSH login username:
186 # (default: "DROP_SSH_ILLEGALUSER=1")
187 [ -z "$DROP_SSH_ILLEGALUSER" ] && DROP_SSH_ILLEGALUSER=1
188
189 # Drop when FTP login failed:
190 # (default: "DROP_FTP_FAILEDLOGIN=1")
191 [ -z "$DROP_FTP_FAILEDLOGIN" ] && DROP_FTP_FAILEDLOGIN=1
192
193 # Log address dropping to the system log:
194 # (default: "LOG_DROPPED=1")
195 [ -z "$LOG_DROPPED" ] && LOG_DROPPED=1
196
197 # Pretend operation(s) (parse only):
198 # (default: "PRETEND=0")
199 [ -z "$PRETEND" ] && PRETEND=0
200
201 #---------------------------------------------------------------------
202 #- Early exit conditions:
203
204 if [ -z "$SCANLOG" ] || [ ! -f "$SCANLOG" ]; then
205 logmessage "ERROR: No log file to scan. Nothing to do for me."
206 end 1
207 fi
208
209 if [ $SEEKSTART != 1 ] && [ $LOGFOLLOW == 0 ]; then
210 logmessage "ERROR: No seek, no follow. Nothing to do for me."
211 end 1
212 fi
213
214 #---------------------------------------------------------------------
215
216 # Flag for marking the first run:
217 FirstRun=1
218
219 while [ -e $SCANLOG ]; do
220
221 #LogSize=`du -b $SCANLOG | cut -f1`
222 LogSize=$(stat -c %s $SCANLOG)
223
224 if [ "$FirstRun" == 1 ]; then
225 if [ "$SEEKSTART" == 1 ]; then
226 logmessage "Reading '$SCANLOG' from start. File size is '$LogSize' bytes."
227 else
228 OldLogSize=$LogSize
229 fi
230 fi
231
232 if ((LogSize > OldLogSize)); then
233
234 tail --bytes=$[LogSize - OldLogSize] $SCANLOG | \
235 while read LogFileLine; do
236
237 DateTime=`echo "\$LogFileLine" | awk -F' ' '{ print $1 " " $2 " " $3 }'`
238 LogFileMsg=`echo "\$LogFileLine" | awk -F' ' '{ $1=""; $2=""; $3=""; print $0 }'`
239
240 case "$LogFileLine" in
241
242 ($MatchP1)
243 Username=`echo "\$LogFileMsg" | cut -d' ' -f8`
244 IP=`echo "\$LogFileMsg" | cut -d' ' -f10`
245 logmessage "SSH: illegal login as '$Username' from '$IP' at '$DateTime'."
246 [ "$DROP_SSH_ILLEGALUSER" == 1 ] && dropaddress $IP
247 ;;
248
249 ($MatchN2)
250 ;;
251
252 ($MatchP2)
253 Username=`echo "\$LogFileMsg" | cut -d' ' -f9`
254 IP=`echo "\$LogFileMsg" | cut -d' ' -f11`
255 logmessage "SSH: failed password for '$Username' from '$IP' at '$DateTime'."
256 dropaddress $IP
257 ;;
258
259 ($MatchN3)
260 ;;
261
262 ($MatchP3)
263 Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
264 IP=`echo "\$LogFileMsg" | cut -d' ' -f13`
265 logmessage "SSH: incorrect password for '$Username' from '$IP' at '$DateTime'."
266 dropaddress $IP
267 ;;
268
269 ($MatchFTP_P1)
270 Address=`echo "\$LogFileMsg" | cut -d' ' -f10`
271 Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
272 Address=${Address/,}
273 IP=$(resolveip -s $Address)
274 logmessage "FTP: failed login as '$Username' from '$IP' at '$DateTime'."
275 [ "$DROP_FTP_FAILEDLOGIN" == 1 ] && dropaddress $IP
276 ;;
277
278 esac
279 done
280
281 elif ((OldLogSize > LogSize)); then
282 logmessage "'$SCANLOG' has been truncated. New file size is '$LogSize' bytes."
283 fi
284
285 OldLogSize=$LogSize
286
287 [ "$LOGFOLLOW" != 1 ] && end
288
289 [ "$FirstRun" == 1 ] && [ "$LOGFOLLOW" == 1 ] && \
290 logmessage "Following. Scanning '$SCANLOG' every '$INTERVAL' second(s)."
291
292 # First run just ended:
293 FirstRun=0
294
295 # Make the defined pause:
296 sleep $INTERVAL
297 done
298
299 #---------------------------------------------------------------------

MailToCvsAdmin">MailToCvsAdmin
ViewVC Help
Powered by ViewVC 1.1.26 RSS 2.0 feed