author | Olivier Mehani <shtrom@ssji.net> | 2016-08-16 14:03:45 +0200 |
---|---|---|
committer | Olivier Mehani <shtrom@ssji.net> | 2016-08-16 14:03:45 +0200 |
commit | 0d4a749c73fb0bade6e7005e346461da8f466e94 (patch) | |
tree | febbbc9b7963d5953dd6a0d90215493c5deea871 | |
parent | fc93de888539ecc86b0e674bbf588489ae5d1c8b (diff) |
[denyhost] More optimisation
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
-rwxr-xr-x | openbsd/denyhost.sh | 52 |
1 files changed, 27 insertions, 25 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index 5d0385b..0ad126b 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -18,25 +18,22 @@
 # LOCAL_ADDR=root@`hostname`
-HTTP_LOG=/srv/www/log/access_log
+HTTP_LOG=/srv/www/logs/access_log
 HTTP_PATTERN="etc.passwd"
 SSH_LOG=/var/log/authlog
-SSH_PATTERN=".*(Invalid user|Failed password).*from ([0-9.]+).*"
+SSH_PATTERN=".*\(Invalid user\|Failed password\).*from \([0-9a-fA-F.:]\+\).*"
 AUTHTRIES=3 # single digit
 BLOCKERS_FILE=/etc/blockers.list
-TMP_DIR=/var/tmp
+TMP_DIR=/tmp
 PATH=/usr/local/bin:$PATH
-NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/blockers.list.XXXXXX`
-HTTP_FILTERED_LOG=`mktemp ${TMP_DIR}/http.log.XXXXXX`
-SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/ssh.log.XXXXXX`
 PIDFILE=/var/run/denyhost.sh.pid
 MAIL=mail
 # Exit if another instance is already running.
-if test -e $PIDFILE && kill -0 `cat $PIDFILE` > /dev/null; then
+if test -e $PIDFILE && kill -0 `cat $PIDFILE` 2>/dev/null; then
 echo "$0 process already running (`cat $PIDFILE`), exiting" >&2
 exit 0
 else
@@ -45,19 +42,19 @@ fi
 function process_ip {
- HOST_FILE=`mktemp ${TMP_DIR}/host.XXXXXX`
+ HOST_FILE=`mktemp ${TMP_DIR}/denyhost.host.XXXXXX`
 host $IP > $HOST_FILE
 HOSTS=`gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" $HOST_FILE | \
 gsed ':a N;s/\n/, /g; ta'`
- WHOIS_FILE=`mktemp ${TMP_DIR}/whois.XXXXXX`
+ WHOIS_FILE=`mktemp ${TMP_DIR}/denyhost.whois.XXXXXX`
 whois $IP > $WHOIS_FILE
 ABUSE=`extract_email $WHOIS_FILE`
- HTTP_HOST_LOG=`mktemp ${TMP_DIR}/host_http.log.XXXXXX`
+ HTTP_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_http.log.XXXXXX`
 grep $IP $HTTP_FILTERED_LOG > $HTTP_HOST_LOG
- SSH_HOST_LOG=`mktemp ${TMP_DIR}/host_ssh.log.XXXXXX`
+ SSH_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_ssh.log.XXXXXX`
 grep $IP $SSH_FILTERED_LOG > $SSH_HOST_LOG
 LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $SSH_HOST_LOG | \
 sort | uniq | gsed ':a N;s/\n/, /g; ta'`
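Review bot: With the diagnostic on the `kill -0` test now silenced, a stale /var/run/denyhost.sh.pid whose number has since been reused by an unrelated process makes the check succeed and the script exit 0 on every run, so blocking stops without any trace in the logs. The script evidently runs as root (it drives pfctl below), and as root `kill -0` succeeds for any live PID, so PID reuse is not caught by anything here. Consider confirming the command behind the PID before exiting, e.g. `ps -p $(cat $PIDFILE) -o command= | grep -q denyhost`, and keeping the existing stderr message so an operator can see why a run was skipped. The `else` branch that records the PID continues past the end of the hunk.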
@@ -70,16 +67,16 @@ function process_ip
 ABUSE=`extract_email $WHOIS_FILE`
 fi
- if [ ! -z "$ABUSE" ]; then
- DEST_ADDR="$ABUSE"
- CC_ADDR="$LOCAL_ADDR"
- SUBJECT="Host $IP is compromised"
- else
+ if [ -z "$ABUSE" ]; then
 DEST_ADDR="${LOCAL_ADDR}"
 SUBJECT="Host $IP (admin unknown) is compromised"
+ else
+ DEST_ADDR="$ABUSE"
+ CC="-c $LOCAL_ADDR"
+ SUBJECT="Host $IP is compromised"
 fi
 (
- if [ -z "$ABUSE" ]; then
+ if [ -n "$ABUSE" ]; then
 cat << EOF
 Greetings,
@@ -112,7 +109,7 @@ EOF
 echo
 echo "Incriminating logs (SSH):"
 cat $SSH_HOST_LOG
- ) | $MAIL -c ${CC} -s "${SUBJECT}" $DEST_ADDR
+ ) | $MAIL ${CC} -s "${SUBJECT}" $DEST_ADDR
 rm -f $HOST_FILE $WHOIS_FILE $SSH_HOST_LOG $HTTP_HOST_LOG
 }
@@ -136,21 +133,25 @@ function extract_email
 sort | uniq | gsed ':a N;s/\n/, /g; ta'
 }
-echo -n > {$NEW_BLOCKERS_FILE}
+NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/denyhost.blockers.list.XXXXXX`
 # HTTP exploiters
-grep -v -f ${BLOCKERS_FILE} ${HTTP_LOG} > ${HTTP_FILTERED_LOG}
+HTTP_FILTERED_LOG=`mktemp ${TMP_DIR}/denyhost.http.log.XXXXXX`
+grep -v -f ${BLOCKERS_FILE} ${HTTP_LOG} \
+ > ${HTTP_FILTERED_LOG}
 grep ${HTTP_PATTERN} ${HTTP_FILTERED_LOG} | cut -d" " -f 2 | \
 uniq >> ${NEW_BLOCKERS_FILE}
 # SSH exploiters
+SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/denyhost.ssh.log.XXXXXX`
 grep -v "Received disconnect" ${SSH_LOG} | \
- grep -v -f ${BLOCKERS_FILE} | \
+ grep -v -f ${BLOCKERS_FILE} \
 > ${SSH_FILTERED_LOG}
-sed -En "s/${SSH_PATTERN}/\2/p" ${SSH_FILTERED_LOG} | \
+gsed -n "s/${SSH_PATTERN}/\2/p" ${SSH_FILTERED_LOG} | \
 sort | uniq -c | \
- sed "/^ *[1-$AUTHTRIES] */d;s/.* //" \
+ gsed "/^ *1 */d;s/.* //" \
 >> ${NEW_BLOCKERS_FILE}
+ # gsed "/^ *[1-$AUTHTRIES] */d;s/.* //" \
 for IP in `cat $NEW_BLOCKERS_FILE`; do
 process_ip $IP
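Review bot: `CC="-c $LOCAL_ADDR"` is assigned in the `else` branch but never cleared in the `[ -z "$ABUSE" ]` branch, and process_ip is called once per address from the main loop with no `local`, so once one host has had an abuse contact every later host without one is also mailed with `-c $LOCAL_ADDR` at the invocation in the @@ -112 hunk (a duplicate copy to the local admin there, but stale state that will bite when the branches diverge further). Put `CC=` as the first line of the `-z` branch, or set `CC=` just before the `if`. `$DEST_ADDR` is derived from whois output through extract_email and is expanded unquoted on the mail line; the unquoted expansion is what splits the `, `-joined list into separate recipients, but a value beginning with `-` would be taken as an option, so a `--` before `$DEST_ADDR` is cheap insurance if the local mail(1) accepts it. The `(`…`)` subshell opened at the end of this hunk is closed in the @@ -112 hunk.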
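Review bot: The new threshold address `/^ *1 */d` is not anchored after the digit: ` *` also matches zero spaces, so the address matches `uniq -c` counts 10–19, 100–199 and so on, and it is the addresses with the most failures that are dropped from the block list rather than only the single-failure ones; the commented-out `[1-$AUTHTRIES]` variant has the same flaw. Require the separator that `uniq -c` prints after the count, `gsed "/^ *1 /d;s/.* //" \`, or, to keep AUTHTRIES meaningful, `gsed "/^ *[1-$AUTHTRIES] /d;s/.* //" \`. As written `AUTHTRIES=3` in the configuration block is dead and any address with two failed attempts is added to the pf table, which with no allowlist means an administrator can lock out their own address with two typos; at minimum the comment at AUTHTRIES should say it is currently unused.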
@@ -161,6 +162,7 @@ pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1
 # Add new entries
 pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1
-mv ${NEW_BLOCKERS_FILE} ${BLOCKERS_FILE}
+pfctl -t kiddies -Tshow | sed 's/^ *//' > ${BLOCKERS_FILE}
-rm ${HTTP_FILTERED_LOG} ${SSH_FILTERED_LOG} ${PIDFILE}
+rm ${HTTP_FILTERED_LOG} ${SSH_FILTERED_LOG} ${NEW_BLOCKERS_FILE}
+rm ${PIDFILE} |
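Review bot: `pfctl -t kiddies -Tshow | sed 's/^ *//' > ${BLOCKERS_FILE}` truncates the persistent list before pfctl has run, and the pipeline discards pfctl's exit status, so if pf is disabled or the table does not exist the file is left empty; on the next run the `grep -v -f ${BLOCKERS_FILE}` filters then pass every previously handled address and their abuse contacts are mailed again. The `mv` this replaces was atomic and had no such failure mode. Write the table to a scratch file first and only replace the list on success, e.g. `if pfctl -t kiddies -Tshow > ${NEW_BLOCKERS_FILE}; then sed 's/^ *//' ${NEW_BLOCKERS_FILE} > ${BLOCKERS_FILE}; fi` (NEW_BLOCKERS_FILE is removed on the following line anyway). Unlike the two pfctl calls above it, this one does not redirect stderr, so a failure at least shows up in the cron mail; keep that when changing it.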