authorOlivier Mehani <shtrom@ssji.net>2016-08-16 14:03:45 +0200
committerOlivier Mehani <shtrom@ssji.net>2016-08-16 14:03:45 +0200
commit0d4a749c73fb0bade6e7005e346461da8f466e94 (patch)
treefebbbc9b7963d5953dd6a0d90215493c5deea871
parentfc93de888539ecc86b0e674bbf588489ae5d1c8b (diff)
[denyhost] More optimisation
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
-rwxr-xr-xopenbsd/denyhost.sh52
1 files changed, 27 insertions, 25 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index 5d0385b..0ad126b 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -18,25 +18,22 @@
#
LOCAL_ADDR=root@`hostname`
-HTTP_LOG=/srv/www/log/access_log
+HTTP_LOG=/srv/www/logs/access_log
HTTP_PATTERN="etc.passwd"
SSH_LOG=/var/log/authlog
-SSH_PATTERN=".*(Invalid user|Failed password).*from ([0-9.]+).*"
+SSH_PATTERN=".*\(Invalid user\|Failed password\).*from \([0-9a-fA-F.:]\+\).*"
AUTHTRIES=3 # single digit
BLOCKERS_FILE=/etc/blockers.list
-TMP_DIR=/var/tmp
+TMP_DIR=/tmp
PATH=/usr/local/bin:$PATH
-NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/blockers.list.XXXXXX`
-HTTP_FILTERED_LOG=`mktemp ${TMP_DIR}/http.log.XXXXXX`
-SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/ssh.log.XXXXXX`
PIDFILE=/var/run/denyhost.sh.pid
MAIL=mail
# Exit if another instance is already running.
-if test -e $PIDFILE && kill -0 `cat $PIDFILE` > /dev/null; then
+if test -e $PIDFILE && kill -0 `cat $PIDFILE` 2>/dev/null; then
echo "$0 process already running (`cat $PIDFILE`), exiting" >&2
exit 0
else
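Review bot: The liveness test on the new line `kill -0 \`cat $PIDFILE\` 2>/dev/null` only proves that some process owns that PID, so a pidfile left behind by a crash whose PID has since been recycled makes every later run print the "already running" message and `exit 0`, which cron reports as success and nobody notices. Checking that the PID still belongs to this script, e.g. `ps -p \`cat $PIDFILE\` -o command= 2>/dev/null | grep -q denyhost`, would let it recover on its own; whether OpenBSD ps accepts exactly those options should be confirmed. The `else` branch that writes the pidfile continues past the end of the hunk.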
@@ -45,19 +42,19 @@ fi
function process_ip
{
- HOST_FILE=`mktemp ${TMP_DIR}/host.XXXXXX`
+ HOST_FILE=`mktemp ${TMP_DIR}/denyhost.host.XXXXXX`
host $IP > $HOST_FILE
HOSTS=`gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" $HOST_FILE | \
gsed ':a N;s/\n/, /g; ta'`
- WHOIS_FILE=`mktemp ${TMP_DIR}/whois.XXXXXX`
+ WHOIS_FILE=`mktemp ${TMP_DIR}/denyhost.whois.XXXXXX`
whois $IP > $WHOIS_FILE
ABUSE=`extract_email $WHOIS_FILE`
- HTTP_HOST_LOG=`mktemp ${TMP_DIR}/host_http.log.XXXXXX`
+ HTTP_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_http.log.XXXXXX`
grep $IP $HTTP_FILTERED_LOG > $HTTP_HOST_LOG
- SSH_HOST_LOG=`mktemp ${TMP_DIR}/host_ssh.log.XXXXXX`
+ SSH_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_ssh.log.XXXXXX`
grep $IP $SSH_FILTERED_LOG > $SSH_HOST_LOG
LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $SSH_HOST_LOG | \
sort | uniq | gsed ':a N;s/\n/, /g; ta'`
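Review bot: `grep $IP $HTTP_FILTERED_LOG` and `grep $IP $SSH_FILTERED_LOG` use the address as an unanchored basic regex, so the dots match any character and 10.0.0.1 also selects the lines of 10.0.0.10 or 110.0.0.1; those lines then go out as "Incriminating logs" to whichever abuse contact whois returned for $IP, which is a disclosure of unrelated clients' activity, and the IPv6 addresses the new `[0-9a-fA-F.:]\+` pattern can now extract are affected the same way. `grep -F -w -- "$IP"` limits the match to the exact token. The renamed mktemp files are fine, but none of them is removed if the script is interrupted before the `rm -f` at the end of the function; a `trap ... EXIT` would cover that. process_ip continues past the end of the hunk.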
@@ -70,16 +67,16 @@ function process_ip
ABUSE=`extract_email $WHOIS_FILE`
fi
- if [ ! -z "$ABUSE" ]; then
- DEST_ADDR="$ABUSE"
- CC_ADDR="$LOCAL_ADDR"
- SUBJECT="Host $IP is compromised"
- else
+ if [ -z "$ABUSE" ]; then
DEST_ADDR="${LOCAL_ADDR}"
SUBJECT="Host $IP (admin unknown) is compromised"
+ else
+ DEST_ADDR="$ABUSE"
+ CC="-c $LOCAL_ADDR"
+ SUBJECT="Host $IP is compromised"
fi
(
- if [ -z "$ABUSE" ]; then
+ if [ -n "$ABUSE" ]; then
cat << EOF
Greetings,
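Review bot: `CC` is only assigned in the `else` branch and never cleared, and since process_ip declares no `local` variables and is called once per address from the loop further down, an address with no abuse contact that follows one that had a contact inherits `CC="-c $LOCAL_ADDR"` and the local admin receives that report twice. Adding `CC=""` next to `DEST_ADDR="${LOCAL_ADDR}"` in the `-z` branch fixes it. The mail-body subshell opened on the last lines continues past the hunk.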
@@ -112,7 +109,7 @@ EOF
echo
echo "Incriminating logs (SSH):"
cat $SSH_HOST_LOG
- ) | $MAIL -c ${CC} -s "${SUBJECT}" $DEST_ADDR
+ ) | $MAIL ${CC} -s "${SUBJECT}" $DEST_ADDR
rm -f $HOST_FILE $WHOIS_FILE $SSH_HOST_LOG $HTTP_HOST_LOG
}
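Review bot: `$DEST_ADDR` on the mail line is whatever extract_email scraped from the whois output for $IP, i.e. data chosen by a third party, and it is passed to `$MAIL` unquoted after the options; if extract_email ever lets through a token beginning with `-` (its body is mostly outside this hunk, so I cannot tell), that token is parsed as a mail option rather than a recipient. Rejecting such tokens before the call, e.g. `case " $DEST_ADDR" in *" -"*) DEST_ADDR=$LOCAL_ADDR ;; esac`, or terminating the options with `--` if the mail implementation accepts it, closes that gap. The pipeline's exit status is also discarded, so a report that mail refuses to send is lost silently while the host is still blocked.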
@@ -136,21 +133,25 @@ function extract_email
sort | uniq | gsed ':a N;s/\n/, /g; ta'
}
-echo -n > {$NEW_BLOCKERS_FILE}
+NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/denyhost.blockers.list.XXXXXX`
# HTTP exploiters
-grep -v -f ${BLOCKERS_FILE} ${HTTP_LOG} > ${HTTP_FILTERED_LOG}
+HTTP_FILTERED_LOG=`mktemp ${TMP_DIR}/denyhost.http.log.XXXXXX`
+grep -v -f ${BLOCKERS_FILE} ${HTTP_LOG} \
+ > ${HTTP_FILTERED_LOG}
grep ${HTTP_PATTERN} ${HTTP_FILTERED_LOG} | cut -d" " -f 2 | \
uniq >> ${NEW_BLOCKERS_FILE}
# SSH exploiters
+SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/denyhost.ssh.log.XXXXXX`
grep -v "Received disconnect" ${SSH_LOG} | \
- grep -v -f ${BLOCKERS_FILE} | \
+ grep -v -f ${BLOCKERS_FILE} \
> ${SSH_FILTERED_LOG}
-sed -En "s/${SSH_PATTERN}/\2/p" ${SSH_FILTERED_LOG} | \
+gsed -n "s/${SSH_PATTERN}/\2/p" ${SSH_FILTERED_LOG} | \
sort | uniq -c | \
- sed "/^ *[1-$AUTHTRIES] */d;s/.* //" \
+ gsed "/^ *1 */d;s/.* //" \
>> ${NEW_BLOCKERS_FILE}
+ # gsed "/^ *[1-$AUTHTRIES] */d;s/.* //" \
for IP in `cat $NEW_BLOCKERS_FILE`; do
process_ip $IP
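Review bot: The new filter `gsed "/^ *1 */d;s/.* //"` is wrong for multi-digit counts: ` *` allows zero spaces after the `1`, so ` 12 1.2.3.4` from `uniq -c` is deleted as if it were a single attempt and a host with 10–19 (or 100–199) failures is never added to the table; the commented-out `[1-$AUTHTRIES]` form has the same flaw. Requiring the separating space, `gsed "/^ *1 /d;s/.* //"`, fixes it, and if the threshold is meant to stay configurable, `awk -v n="$AUTHTRIES" '$1 > n { print $2 }'` replaces both sed lines and gives `AUTHTRIES=3`, which this hunk otherwise turns into dead configuration, its meaning back. Separately, the HTTP branch relies on `uniq` without a preceding `sort`, so non-adjacent repeats of an address (or an address that also appears in the SSH list) reach process_ip more than once and the abuse contact is mailed once per occurrence. The `for` loop on the last line continues past the hunk.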
@@ -161,6 +162,7 @@ pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1
# Add new entries
pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1
-mv ${NEW_BLOCKERS_FILE} ${BLOCKERS_FILE}
+pfctl -t kiddies -Tshow | sed 's/^ *//' > ${BLOCKERS_FILE}
-rm ${HTTP_FILTERED_LOG} ${SSH_FILTERED_LOG} ${PIDFILE}
+rm ${HTTP_FILTERED_LOG} ${SSH_FILTERED_LOG} ${NEW_BLOCKERS_FILE}
+rm ${PIDFILE}
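Review bot: Rebuilding `${BLOCKERS_FILE}` from `pfctl -t kiddies -Tshow` ties the exclusion list to the table's lifetime, while the `-T expire 25200` in the hunk header drops entries after seven hours; an expired address leaves BLOCKERS_FILE, its old lines in the logs match again on the next run, and the same abuse contact receives the same report every ~7 h for as long as those lines survive in access_log/authlog (log rotation is not visible here, so the exact cadence is an inference). The unchecked `-Tshow` pipeline has a related failure mode: if pfctl errors out (pf disabled, table missing) the redirection truncates BLOCKERS_FILE to nothing and the next run re-reports every host. Merging the previous file in and replacing it only by rename addresses both: `{ pfctl -t kiddies -Tshow | sed 's/^ *//'; cat ${BLOCKERS_FILE}; } | sort -u > ${NEW_BLOCKERS_FILE} && mv ${NEW_BLOCKERS_FILE} ${BLOCKERS_FILE}`, with the following `rm` changed to `rm -f`. That list then grows without bound and may need its own ageing, but that is cheaper than re-mailing abuse desks.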