1 |
rabit |
1.1 |
#!/bin/sh |
2 |
|
|
#--------------------------------------------------------------------- |
3 |
|
|
#- Adjusting net filter updater daemon |
4 |
|
|
#- rabit@netfrag.org, 01.11.2004 |
5 |
rabit |
1.2 |
I='$Id: anfud.sh,v 1.1 2004/11/12 08:05:09 rabit Exp $' |
6 |
rabit |
1.1 |
#--------------------------------------------------------------------- |
7 |
|
|
#- Functions: |
8 |
|
|
|
9 |
|
|
# Syntax: dropaddress <IP_address> |
10 |
|
|
# |
11 |
|
|
dropaddress() { |
12 |
|
|
local IP LogMsg RegEx RuleCount |
13 |
|
|
|
14 |
|
|
if [ -n "$EXCLUDE" ]; then |
15 |
|
|
for IP in $EXCLUDE; do |
16 |
|
|
case $1 in |
17 |
|
|
($IP) |
18 |
|
|
logmessage "Ignoring excluded address '$1'." |
19 |
|
|
return 1 |
20 |
|
|
;; |
21 |
|
|
esac |
22 |
|
|
done |
23 |
|
|
fi |
24 |
|
|
|
25 |
|
|
RegEx='DROP.*'$1 |
26 |
|
|
RuleCount=`iptables -L INPUT -n | egrep $RegEx | wc -l` |
27 |
|
|
|
28 |
|
|
if [ $RuleCount == 0 ]; then |
29 |
|
|
|
30 |
|
|
if [ "$PRETEND" == 1 ]; then |
31 |
|
|
logmessage "(PRETEND) Dropping rule for address '$1' now would be inserted." |
32 |
|
|
else |
33 |
|
|
iptables -I INPUT -s $1 -j DROP |
34 |
|
|
|
35 |
|
|
LogMsg="Dropping rule for address '$1' has been inserted." |
36 |
|
|
logmessage "$LogMsg" |
37 |
|
|
|
38 |
|
|
[ -n "$LOG_DROPPED" ] && syslogwarning "$LogMsg" |
39 |
|
|
fi |
40 |
|
|
|
41 |
|
|
else |
42 |
|
|
logmessage "Address '$1' already gets dropped by $RuleCount rule(s). Doing nothing." |
43 |
|
|
fi |
44 |
|
|
|
45 |
|
|
return |
46 |
|
|
} |
47 |
|
|
|
48 |
|
|
# Syntax: echo_log [<Message>] |
49 |
|
|
# |
50 |
|
|
echo_log() { |
51 |
|
|
[ -n "$LOGTARGET" ] && echo $1 >>$LOGTARGET |
52 |
|
|
|
53 |
|
|
return $? |
54 |
|
|
} |
55 |
|
|
|
56 |
|
|
# Syntax: end [<ExitVal>] |
57 |
|
|
# |
58 |
|
|
end() { |
59 |
|
|
ExitVal=${1:-0} |
60 |
|
|
|
61 |
|
|
logmessage "Closing session. Exit code is '$ExitVal'." |
62 |
|
|
|
63 |
|
|
exit $ExitVal |
64 |
|
|
|
65 |
|
|
return |
66 |
|
|
} |
67 |
|
|
|
68 |
|
|
# Syntax: includeconf |
69 |
|
|
# |
70 |
|
|
includeconf() { |
71 |
|
|
# If existant, include the 'anfud.conf' file: |
72 |
|
|
[ -e /etc/anfud.conf ] && source /etc/anfud.conf |
73 |
|
|
|
74 |
|
|
return $? |
75 |
|
|
} |
76 |
|
|
|
77 |
|
|
# Syntax: init |
78 |
|
|
# |
79 |
|
|
init() { |
80 |
|
|
# Include the configuration file: |
81 |
|
|
includeconf |
82 |
|
|
|
83 |
|
|
# Set the default output log target: |
84 |
|
|
[ -z "$LOGTARGET" ] && LOGTARGET=/var/log/anfud.log |
85 |
|
|
|
86 |
|
|
echo_log # Before starting, output a blank line. |
87 |
|
|
logmessage "Session started ($A)." |
88 |
|
|
|
89 |
|
|
return |
90 |
|
|
} |
91 |
|
|
|
92 |
|
|
# Syntax: logmessage "<Message>" |
93 |
|
|
# |
94 |
|
|
logmessage() { |
95 |
|
|
echo_log "`date +'%b %e %H:%M:%S'` $N[$$]: $1" |
96 |
|
|
|
97 |
|
|
return $? |
98 |
|
|
} |
99 |
|
|
|
100 |
|
|
# Syntax: syslogwarning "<Message>" |
101 |
|
|
# |
102 |
|
|
syslogwarning() { |
103 |
|
|
logger -p warning -t $N[$$] $1 |
104 |
|
|
|
105 |
|
|
return $? |
106 |
|
|
} |
107 |
|
|
|
108 |
|
|
#--------------------------------------------------------------------- |
109 |
|
|
#- Signal trapping: |
110 |
|
|
|
111 |
|
|
trap 'logmessage "Recieved signal 1 (SIGHUP)."; end' 1 |
112 |
|
|
trap 'logmessage "Recieved signal 2 (SIGINT)."; end' 2 |
113 |
|
|
trap 'logmessage "Recieved signal 3 (SIGQUIT)."; end' 3 |
114 |
|
|
#trap 'logmessage "Recieved signal 4 (SIGILL)."; end' 4 |
115 |
|
|
#trap 'logmessage "Recieved signal 6 (SIGABRT)."; end' 6 |
116 |
|
|
trap 'logmessage "Recieved signal 9 (SIGKILL)."; end' 9 |
117 |
|
|
trap 'logmessage "Recieved signal 15 (SIGTERM)."; end' 15 |
118 |
|
|
|
119 |
|
|
#--------------------------------------------------------------------- |
120 |
|
|
#- Constants: |
121 |
|
|
|
122 |
|
|
# Extract the basename: |
123 |
|
|
N=$(basename $0) |
124 |
|
|
|
125 |
|
|
# Format the CVS ID line: |
126 |
|
|
|
127 |
|
|
I=${I:5} |
128 |
|
|
|
129 |
|
|
if [ -n "$I" ]; then |
130 |
|
|
#while read Name Ver Date Time User Exp; do |
131 |
|
|
# A="${Name/,v} v$Ver by $User ($Date, $Time)" |
132 |
|
|
#done < <(echo $I) |
133 |
|
|
A=$I |
134 |
|
|
else |
135 |
|
|
A="No CVS ID yet" |
136 |
|
|
fi |
137 |
|
|
|
138 |
|
|
#- Match masks: |
139 |
|
|
|
140 |
|
|
# Example lines from '/var/log/auth.log' where SSH login failed: |
141 |
|
|
#"Jan 1 00:00:00 machine sshd[1000]: Illegal user admin from 127.0.0.1" |
142 |
|
|
#"Jan 1 00:00:00 machine sshd[1000]: Failed password for root from 127.0.0.1 port 30000 ssh2" |
143 |
|
|
#"Jan 1 00:00:00 machine sshd[1000]: error: PAM: Authentication failure for root from 127.0.0.1" |
144 |
|
|
|
145 |
|
|
# Match mask for illegal SSH user login attempt: |
146 |
|
|
MatchP1='* sshd*: Illegal user *' |
147 |
|
|
|
148 |
|
|
# Match masks for SSH logins w/ failed password: |
149 |
|
|
MatchN2='* sshd*: Failed * for illegal user * from *' |
150 |
|
|
MatchP2='* sshd*: Failed password for * from *' |
151 |
|
|
|
152 |
|
|
# Match mask for SSH logins w/ incorrect password: |
153 |
|
|
MatchN3='* sshd*: error: PAM: Authentication failure for illegal user * from *' |
154 |
|
|
MatchP3='* sshd*: error: PAM: Authentication failure for * from *' |
155 |
|
|
|
156 |
|
|
# Example lines from '/var/log/auth.log' where FTP login failed: |
157 |
|
|
#"Jan 1 00:00:00 machine ftpd[17986]: FTP LOGIN FAILED FROM host.domain, root" |
158 |
|
|
|
159 |
|
|
MatchFTP_P1='* ftpd*: FTP LOGIN FAILED FROM *, *' |
160 |
|
|
|
161 |
|
|
#--------------------------------------------------------------------- |
162 |
|
|
#- Initialise: |
163 |
|
|
|
164 |
|
|
init |
165 |
|
|
|
166 |
|
|
#--------------------------------------------------------------------- |
167 |
|
|
#- Default parameters: |
168 |
|
|
|
169 |
|
|
# The log file to be scanned for intrusion attempts: |
170 |
|
|
# (default: "SCANLOG=/var/log/syslog") |
171 |
|
|
[ -z "$SCANLOG" ] && [ -e /var/log/syslog ] && SCANLOG=/var/log/syslog |
172 |
|
|
|
173 |
|
|
# On start seek and parse log file from beginning: |
174 |
|
|
# (default: "SEEKSTART=1") |
175 |
|
|
[ -z "$SEEKSTART" ] && SEEKSTART=1 |
176 |
|
|
|
177 |
|
|
# Follow the scan log file: |
178 |
|
|
# (default: "LOGFOLLOW=1") |
179 |
|
|
[ -z "$LOGFOLLOW" ] && LOGFOLLOW=1 |
180 |
|
|
|
181 |
|
|
# Time between log file scans (in seconds): |
182 |
|
|
# (default: "INTERVAL=1") |
183 |
|
|
[ -z "$INTERVAL" ] && INTERVAL=1 |
184 |
|
|
|
185 |
|
|
# Drop when illegal SSH login username: |
186 |
|
|
# (default: "DROP_SSH_ILLEGALUSER=1") |
187 |
|
|
[ -z "$DROP_SSH_ILLEGALUSER" ] && DROP_SSH_ILLEGALUSER=1 |
188 |
|
|
|
189 |
|
|
# Drop when FTP login failed: |
190 |
|
|
# (default: "DROP_FTP_FAILEDLOGIN=1") |
191 |
|
|
[ -z "$DROP_FTP_FAILEDLOGIN" ] && DROP_FTP_FAILEDLOGIN=1 |
192 |
|
|
|
193 |
|
|
# Log address dropping to the system log: |
194 |
|
|
# (default: "LOG_DROPPED=1") |
195 |
|
|
[ -z "$LOG_DROPPED" ] && LOG_DROPPED=1 |
196 |
|
|
|
197 |
|
|
# Pretend operation(s) (parse only): |
198 |
|
|
# (default: "PRETEND=0") |
199 |
|
|
[ -z "$PRETEND" ] && PRETEND=0 |
200 |
|
|
|
201 |
|
|
#--------------------------------------------------------------------- |
202 |
|
|
#- Early exit conditions: |
203 |
|
|
|
204 |
|
|
if [ -z "$SCANLOG" ] || [ ! -f "$SCANLOG" ]; then |
205 |
|
|
logmessage "ERROR: No log file to scan. Nothing to do for me." |
206 |
|
|
end 1 |
207 |
|
|
fi |
208 |
|
|
|
209 |
|
|
if [ $SEEKSTART != 1 ] && [ $LOGFOLLOW == 0 ]; then |
210 |
|
|
logmessage "ERROR: No seek, no follow. Nothing to do for me." |
211 |
|
|
end 1 |
212 |
|
|
fi |
213 |
|
|
|
214 |
|
|
#--------------------------------------------------------------------- |
215 |
|
|
|
216 |
|
|
# Flag for marking the first run: |
217 |
|
|
FirstRun=1 |
218 |
|
|
|
219 |
|
|
while [ -e $SCANLOG ]; do |
220 |
|
|
|
221 |
|
|
#LogSize=`du -b $SCANLOG | cut -f1` |
222 |
|
|
LogSize=$(stat -c %s $SCANLOG) |
223 |
|
|
|
224 |
|
|
if [ "$FirstRun" == 1 ]; then |
225 |
|
|
if [ "$SEEKSTART" == 1 ]; then |
226 |
|
|
logmessage "Reading '$SCANLOG' from start. File size is '$LogSize' bytes." |
227 |
|
|
else |
228 |
|
|
OldLogSize=$LogSize |
229 |
|
|
fi |
230 |
|
|
fi |
231 |
|
|
|
232 |
|
|
if ((LogSize > OldLogSize)); then |
233 |
|
|
|
234 |
|
|
tail --bytes=$[LogSize - OldLogSize] $SCANLOG | \ |
235 |
|
|
while read LogFileLine; do |
236 |
|
|
|
237 |
rabit |
1.2 |
DateTime=`echo "\$LogFileLine" | awk -F' ' '{ print $1 " " $2 " " $3 }'` |
238 |
|
|
LogFileMsg=`echo "\$LogFileLine" | awk -F' ' '{ $1=""; $2=""; $3=""; print $0 }'` |
239 |
|
|
|
240 |
rabit |
1.1 |
case "$LogFileLine" in |
241 |
|
|
|
242 |
|
|
($MatchP1) |
243 |
rabit |
1.2 |
Username=`echo "\$LogFileMsg" | cut -d' ' -f8` |
244 |
|
|
IP=`echo "\$LogFileMsg" | cut -d' ' -f10` |
245 |
rabit |
1.1 |
logmessage "SSH: illegal login as '$Username' from '$IP' at '$DateTime'." |
246 |
|
|
[ "$DROP_SSH_ILLEGALUSER" == 1 ] && dropaddress $IP |
247 |
|
|
;; |
248 |
|
|
|
249 |
|
|
($MatchN2) |
250 |
|
|
;; |
251 |
|
|
|
252 |
|
|
($MatchP2) |
253 |
rabit |
1.2 |
Username=`echo "\$LogFileMsg" | cut -d' ' -f9` |
254 |
|
|
IP=`echo "\$LogFileMsg" | cut -d' ' -f11` |
255 |
rabit |
1.1 |
logmessage "SSH: failed password for '$Username' from '$IP' at '$DateTime'." |
256 |
|
|
dropaddress $IP |
257 |
|
|
;; |
258 |
|
|
|
259 |
|
|
($MatchN3) |
260 |
|
|
;; |
261 |
|
|
|
262 |
|
|
($MatchP3) |
263 |
rabit |
1.2 |
Username=`echo "\$LogFileMsg" | cut -d' ' -f11` |
264 |
|
|
IP=`echo "\$LogFileMsg" | cut -d' ' -f13` |
265 |
rabit |
1.1 |
logmessage "SSH: incorrect password for '$Username' from '$IP' at '$DateTime'." |
266 |
|
|
dropaddress $IP |
267 |
|
|
;; |
268 |
|
|
|
269 |
|
|
($MatchFTP_P1) |
270 |
rabit |
1.2 |
Address=`echo "\$LogFileMsg" | cut -d' ' -f10` |
271 |
|
|
Username=`echo "\$LogFileMsg" | cut -d' ' -f11` |
272 |
rabit |
1.1 |
Address=${Address/,} |
273 |
|
|
IP=$(resolveip -s $Address) |
274 |
|
|
logmessage "FTP: failed login as '$Username' from '$IP' at '$DateTime'." |
275 |
|
|
[ "$DROP_FTP_FAILEDLOGIN" == 1 ] && dropaddress $IP |
276 |
|
|
;; |
277 |
|
|
|
278 |
|
|
esac |
279 |
|
|
done |
280 |
|
|
|
281 |
|
|
elif ((OldLogSize > LogSize)); then |
282 |
|
|
logmessage "'$SCANLOG' has been truncated. New file size is '$LogSize' bytes." |
283 |
|
|
fi |
284 |
|
|
|
285 |
|
|
OldLogSize=$LogSize |
286 |
|
|
|
287 |
|
|
[ "$LOGFOLLOW" != 1 ] && end |
288 |
|
|
|
289 |
|
|
[ "$FirstRun" == 1 ] && [ "$LOGFOLLOW" == 1 ] && \ |
290 |
|
|
logmessage "Following. Scanning '$SCANLOG' every '$INTERVAL' second(s)." |
291 |
|
|
|
292 |
|
|
# First run just ended: |
293 |
|
|
FirstRun=0 |
294 |
|
|
|
295 |
|
|
# Make the defined pause: |
296 |
|
|
sleep $INTERVAL |
297 |
|
|
done |
298 |
|
|
|
299 |
|
|
#--------------------------------------------------------------------- |