/[cvs]/nfo/projects/anfud/bin/anfud.sh
ViewVC logotype

Annotation of /nfo/projects/anfud/bin/anfud.sh

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.2 - (hide annotations)
Sat Dec 10 12:25:34 2005 UTC (19 years, 1 month ago) by rabit
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +12 -13 lines
File MIME type: application/x-sh
Fix: Date/Time bug.

1 rabit 1.1 #!/bin/sh
2     #---------------------------------------------------------------------
3     #- Adjusting net filter updater daemon
4     #- rabit@netfrag.org, 01.11.2004
5 rabit 1.2 I='$Id: anfud.sh,v 1.1 2004/11/12 08:05:09 rabit Exp $'
6 rabit 1.1 #---------------------------------------------------------------------
7     #- Functions:
8    
9     # Syntax: dropaddress <IP_address>
10     #
11     dropaddress() {
12     local IP LogMsg RegEx RuleCount
13    
14     if [ -n "$EXCLUDE" ]; then
15     for IP in $EXCLUDE; do
16     case $1 in
17     ($IP)
18     logmessage "Ignoring excluded address '$1'."
19     return 1
20     ;;
21     esac
22     done
23     fi
24    
25     RegEx='DROP.*'$1
26     RuleCount=`iptables -L INPUT -n | egrep $RegEx | wc -l`
27    
28     if [ $RuleCount == 0 ]; then
29    
30     if [ "$PRETEND" == 1 ]; then
31     logmessage "(PRETEND) Dropping rule for address '$1' now would be inserted."
32     else
33     iptables -I INPUT -s $1 -j DROP
34    
35     LogMsg="Dropping rule for address '$1' has been inserted."
36     logmessage "$LogMsg"
37    
38     [ -n "$LOG_DROPPED" ] && syslogwarning "$LogMsg"
39     fi
40    
41     else
42     logmessage "Address '$1' already gets dropped by $RuleCount rule(s). Doing nothing."
43     fi
44    
45     return
46     }
47    
48     # Syntax: echo_log [<Message>]
49     #
50     echo_log() {
51     [ -n "$LOGTARGET" ] && echo $1 >>$LOGTARGET
52    
53     return $?
54     }
55    
56     # Syntax: end [<ExitVal>]
57     #
58     end() {
59     ExitVal=${1:-0}
60    
61     logmessage "Closing session. Exit code is '$ExitVal'."
62    
63     exit $ExitVal
64    
65     return
66     }
67    
68     # Syntax: includeconf
69     #
70     includeconf() {
71     # If existant, include the 'anfud.conf' file:
72     [ -e /etc/anfud.conf ] && source /etc/anfud.conf
73    
74     return $?
75     }
76    
77     # Syntax: init
78     #
79     init() {
80     # Include the configuration file:
81     includeconf
82    
83     # Set the default output log target:
84     [ -z "$LOGTARGET" ] && LOGTARGET=/var/log/anfud.log
85    
86     echo_log # Before starting, output a blank line.
87     logmessage "Session started ($A)."
88    
89     return
90     }
91    
92     # Syntax: logmessage "<Message>"
93     #
94     logmessage() {
95     echo_log "`date +'%b %e %H:%M:%S'` $N[$$]: $1"
96    
97     return $?
98     }
99    
100     # Syntax: syslogwarning "<Message>"
101     #
102     syslogwarning() {
103     logger -p warning -t $N[$$] $1
104    
105     return $?
106     }
107    
108     #---------------------------------------------------------------------
109     #- Signal trapping:
110    
111     trap 'logmessage "Recieved signal 1 (SIGHUP)."; end' 1
112     trap 'logmessage "Recieved signal 2 (SIGINT)."; end' 2
113     trap 'logmessage "Recieved signal 3 (SIGQUIT)."; end' 3
114     #trap 'logmessage "Recieved signal 4 (SIGILL)."; end' 4
115     #trap 'logmessage "Recieved signal 6 (SIGABRT)."; end' 6
116     trap 'logmessage "Recieved signal 9 (SIGKILL)."; end' 9
117     trap 'logmessage "Recieved signal 15 (SIGTERM)."; end' 15
118    
119     #---------------------------------------------------------------------
120     #- Constants:
121    
122     # Extract the basename:
123     N=$(basename $0)
124    
125     # Format the CVS ID line:
126    
127     I=${I:5}
128    
129     if [ -n "$I" ]; then
130     #while read Name Ver Date Time User Exp; do
131     # A="${Name/,v} v$Ver by $User ($Date, $Time)"
132     #done < <(echo $I)
133     A=$I
134     else
135     A="No CVS ID yet"
136     fi
137    
138     #- Match masks:
139    
140     # Example lines from '/var/log/auth.log' where SSH login failed:
141     #"Jan 1 00:00:00 machine sshd[1000]: Illegal user admin from 127.0.0.1"
142     #"Jan 1 00:00:00 machine sshd[1000]: Failed password for root from 127.0.0.1 port 30000 ssh2"
143     #"Jan 1 00:00:00 machine sshd[1000]: error: PAM: Authentication failure for root from 127.0.0.1"
144    
145     # Match mask for illegal SSH user login attempt:
146     MatchP1='* sshd*: Illegal user *'
147    
148     # Match masks for SSH logins w/ failed password:
149     MatchN2='* sshd*: Failed * for illegal user * from *'
150     MatchP2='* sshd*: Failed password for * from *'
151    
152     # Match mask for SSH logins w/ incorrect password:
153     MatchN3='* sshd*: error: PAM: Authentication failure for illegal user * from *'
154     MatchP3='* sshd*: error: PAM: Authentication failure for * from *'
155    
156     # Example lines from '/var/log/auth.log' where FTP login failed:
157     #"Jan 1 00:00:00 machine ftpd[17986]: FTP LOGIN FAILED FROM host.domain, root"
158    
159     MatchFTP_P1='* ftpd*: FTP LOGIN FAILED FROM *, *'
160    
161     #---------------------------------------------------------------------
162     #- Initialise:
163    
164     init
165    
166     #---------------------------------------------------------------------
167     #- Default parameters:
168    
169     # The log file to be scanned for intrusion attempts:
170     # (default: "SCANLOG=/var/log/syslog")
171     [ -z "$SCANLOG" ] && [ -e /var/log/syslog ] && SCANLOG=/var/log/syslog
172    
173     # On start seek and parse log file from beginning:
174     # (default: "SEEKSTART=1")
175     [ -z "$SEEKSTART" ] && SEEKSTART=1
176    
177     # Follow the scan log file:
178     # (default: "LOGFOLLOW=1")
179     [ -z "$LOGFOLLOW" ] && LOGFOLLOW=1
180    
181     # Time between log file scans (in seconds):
182     # (default: "INTERVAL=1")
183     [ -z "$INTERVAL" ] && INTERVAL=1
184    
185     # Drop when illegal SSH login username:
186     # (default: "DROP_SSH_ILLEGALUSER=1")
187     [ -z "$DROP_SSH_ILLEGALUSER" ] && DROP_SSH_ILLEGALUSER=1
188    
189     # Drop when FTP login failed:
190     # (default: "DROP_FTP_FAILEDLOGIN=1")
191     [ -z "$DROP_FTP_FAILEDLOGIN" ] && DROP_FTP_FAILEDLOGIN=1
192    
193     # Log address dropping to the system log:
194     # (default: "LOG_DROPPED=1")
195     [ -z "$LOG_DROPPED" ] && LOG_DROPPED=1
196    
197     # Pretend operation(s) (parse only):
198     # (default: "PRETEND=0")
199     [ -z "$PRETEND" ] && PRETEND=0
200    
201     #---------------------------------------------------------------------
202     #- Early exit conditions:
203    
204     if [ -z "$SCANLOG" ] || [ ! -f "$SCANLOG" ]; then
205     logmessage "ERROR: No log file to scan. Nothing to do for me."
206     end 1
207     fi
208    
209     if [ $SEEKSTART != 1 ] && [ $LOGFOLLOW == 0 ]; then
210     logmessage "ERROR: No seek, no follow. Nothing to do for me."
211     end 1
212     fi
213    
214     #---------------------------------------------------------------------
215    
216     # Flag for marking the first run:
217     FirstRun=1
218    
219     while [ -e $SCANLOG ]; do
220    
221     #LogSize=`du -b $SCANLOG | cut -f1`
222     LogSize=$(stat -c %s $SCANLOG)
223    
224     if [ "$FirstRun" == 1 ]; then
225     if [ "$SEEKSTART" == 1 ]; then
226     logmessage "Reading '$SCANLOG' from start. File size is '$LogSize' bytes."
227     else
228     OldLogSize=$LogSize
229     fi
230     fi
231    
232     if ((LogSize > OldLogSize)); then
233    
234     tail --bytes=$[LogSize - OldLogSize] $SCANLOG | \
235     while read LogFileLine; do
236    
237 rabit 1.2 DateTime=`echo "\$LogFileLine" | awk -F' ' '{ print $1 " " $2 " " $3 }'`
238     LogFileMsg=`echo "\$LogFileLine" | awk -F' ' '{ $1=""; $2=""; $3=""; print $0 }'`
239    
240 rabit 1.1 case "$LogFileLine" in
241    
242     ($MatchP1)
243 rabit 1.2 Username=`echo "\$LogFileMsg" | cut -d' ' -f8`
244     IP=`echo "\$LogFileMsg" | cut -d' ' -f10`
245 rabit 1.1 logmessage "SSH: illegal login as '$Username' from '$IP' at '$DateTime'."
246     [ "$DROP_SSH_ILLEGALUSER" == 1 ] && dropaddress $IP
247     ;;
248    
249     ($MatchN2)
250     ;;
251    
252     ($MatchP2)
253 rabit 1.2 Username=`echo "\$LogFileMsg" | cut -d' ' -f9`
254     IP=`echo "\$LogFileMsg" | cut -d' ' -f11`
255 rabit 1.1 logmessage "SSH: failed password for '$Username' from '$IP' at '$DateTime'."
256     dropaddress $IP
257     ;;
258    
259     ($MatchN3)
260     ;;
261    
262     ($MatchP3)
263 rabit 1.2 Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
264     IP=`echo "\$LogFileMsg" | cut -d' ' -f13`
265 rabit 1.1 logmessage "SSH: incorrect password for '$Username' from '$IP' at '$DateTime'."
266     dropaddress $IP
267     ;;
268    
269     ($MatchFTP_P1)
270 rabit 1.2 Address=`echo "\$LogFileMsg" | cut -d' ' -f10`
271     Username=`echo "\$LogFileMsg" | cut -d' ' -f11`
272 rabit 1.1 Address=${Address/,}
273     IP=$(resolveip -s $Address)
274     logmessage "FTP: failed login as '$Username' from '$IP' at '$DateTime'."
275     [ "$DROP_FTP_FAILEDLOGIN" == 1 ] && dropaddress $IP
276     ;;
277    
278     esac
279     done
280    
281     elif ((OldLogSize > LogSize)); then
282     logmessage "'$SCANLOG' has been truncated. New file size is '$LogSize' bytes."
283     fi
284    
285     OldLogSize=$LogSize
286    
287     [ "$LOGFOLLOW" != 1 ] && end
288    
289     [ "$FirstRun" == 1 ] && [ "$LOGFOLLOW" == 1 ] && \
290     logmessage "Following. Scanning '$SCANLOG' every '$INTERVAL' second(s)."
291    
292     # First run just ended:
293     FirstRun=0
294    
295     # Make the defined pause:
296     sleep $INTERVAL
297     done
298    
299     #---------------------------------------------------------------------

MailToCvsAdmin">MailToCvsAdmin
ViewVC Help
Powered by ViewVC 1.1.26 RSS 2.0 feed