authorOlivier Mehani <shtrom@ssji.net>2017-07-22 12:41:16 +0200
committerOlivier Mehani <shtrom@ssji.net>2017-07-22 13:11:53 +0200
commit93c82ccf926d112c9010fc8a2a496d0b6f9425ca (patch)
tree433d33cca2bf801fc6c74d497b0b9ee1d2f63f31
parent8a3c3cd9a5bebd9e66a4a95871a54d80e28ae846 (diff)
[denyhosts] Cleanup syntax
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
-rwxr-xr-xopenbsd/denyhost.sh100
1 files changed, 50 insertions, 50 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index da59588..4a149dc 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -17,7 +17,7 @@
# also be a good idea)
#
-LOCAL_ADDR=root@`hostname`
+LOCAL_ADDR=root@$(hostname)
HTTP_LOG=/srv/www/logs/access_log
HTTP_PATTERN="etc.passwd"
SSH_LOG=/var/log/authlog
@@ -27,57 +27,57 @@ EXPIRY=604800 # s; 1w
BLOCKERS_FILE=/etc/blockers.list
TMP_DIR=/tmp
-PATH=/usr/local/bin:$PATH
+PATH=/usr/local/bin:${PATH}
PIDFILE=/var/run/denyhost.sh.pid
MAIL=mail
# Exit if another instance is already running.
-if test -e $PIDFILE && kill -0 `cat $PIDFILE` 2>/dev/null; then
- echo "$0 process already running (`cat $PIDFILE`), exiting" >&2
+if test -e ${PIDFILE} && kill -0 $(cat ${PIDFILE}) 2>/dev/null; then
+ echo "$0 process already running ($(cat ${PIDFILE})), exiting" >&2
exit 0
else
- echo $$ > $PIDFILE
+ echo $$ > ${PIDFILE}
fi
function process_ip
{
- HOST_FILE=`mktemp ${TMP_DIR}/denyhost.host.XXXXXX`
- host $IP > $HOST_FILE
- HOSTS=`gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" $HOST_FILE | \
- gsed ':a N;s/\n/, /g; ta'`
-
- WHOIS_FILE=`mktemp ${TMP_DIR}/denyhost.whois.XXXXXX`
- whois $IP > $WHOIS_FILE
- ABUSE=`extract_email $WHOIS_FILE`
-
- HTTP_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_http.log.XXXXXX`
- grep $IP $HTTP_FILTERED_LOG > $HTTP_HOST_LOG
-
- SSH_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_ssh.log.XXXXXX`
- grep $IP $SSH_FILTERED_LOG > $SSH_HOST_LOG
- LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $SSH_HOST_LOG | \
- sort | uniq | gsed ':a N;s/\n/, /g; ta'`
-
- if [ -z "$ABUSE" ]; then
- NETS=`gsed -n "s/.*\(NET-[-0-9]\+\).*/\1/p" $WHOIS_FILE`
- for NET in $NETS; do
- whois $NET >> $WHOIS_FILE
+ HOST_FILE=$(mktemp ${TMP_DIR}/denyhost.host.XXXXXX)
+ host ${IP} > ${HOST_FILE}
+ HOSTS=$(gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" ${HOST_FILE} | \
+ gsed ':a N;s/\n/, /g; ta')
+
+ WHOIS_FILE=$(mktemp ${TMP_DIR}/denyhost.whois.XXXXXX)
+ whois ${IP} > ${WHOIS_FILE}
+ ABUSE=$(extract_email ${WHOIS_FILE})
+
+ HTTP_HOST_LOG=$(mktemp ${TMP_DIR}/denyhost.host_http.log.XXXXXX)
+ grep ${IP} ${HTTP_FILTERED_LOG} > ${HTTP_HOST_LOG}
+
+ SSH_HOST_LOG=$(mktemp ${TMP_DIR}/denyhost.host_ssh.log.XXXXXX)
+ grep ${IP} ${SSH_FILTERED_LOG} > ${SSH_HOST_LOG}
+ LOGINS=$(gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" ${SSH_HOST_LOG} | \
+ sort | uniq | gsed ':a N;s/\n/, /g; ta')
+
+ if [ -z "${ABUSE}" ]; then
+ NETS=$(gsed -n "s/.*\(NET-[-0-9]\+\).*/\1/p" ${WHOIS_FILE})
+ for NET in ${NETS}; do
+ whois ${NET} >> ${WHOIS_FILE}
done
- ABUSE=`extract_email $WHOIS_FILE`
+ ABUSE=$(extract_email ${WHOIS_FILE})
fi
- if [ -z "$ABUSE" ]; then
+ if [ -z "${ABUSE}" ]; then
DEST_ADDR="${LOCAL_ADDR}"
- SUBJECT="Host $IP (admin unknown) is compromised"
+ SUBJECT="Host ${IP} (admin unknown) is compromised"
else
- DEST_ADDR="$ABUSE"
- CC="-c $LOCAL_ADDR"
- SUBJECT="Host $IP is compromised"
+ DEST_ADDR="${ABUSE}"
+ CC="-c ${LOCAL_ADDR}"
+ SUBJECT="Host ${IP} is compromised"
fi
(
- if [ -n "$ABUSE" ]; then
+ if [ -n "${ABUSE}" ]; then
cat << EOF
Greetings,
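Review bot: `grep ${IP} ${HTTP_FILTERED_LOG}` and `grep ${IP} ${SSH_FILTERED_LOG}` treat the address as a basic regex, so the dots match any character and the match is unanchored: `10.0.0.1` also selects lines for `110.0.0.12` or `10.0.0.10`, and those foreign log lines end up in the report mailed to the abuse contact. A literal whole-word match keeps the attribution exact, `grep -wF -- "${IP}" "${HTTP_FILTERED_LOG}" > "${HTTP_HOST_LOG}"`, and the same for the SSH line. The other expansions in process_ip (`${HOST_FILE}`, `${WHOIS_FILE}`, the `host`/`whois` arguments) also remain unquoted after the cleanup; since the commit already touches every one of these lines, quoting them would cost nothing. process_ip continues past the end of this hunk.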
@@ -85,7 +85,7 @@ Greetings,
<shtrom-admin@ssji.net> ]
Unauthorised login attempts have recently been observed from an IP address
-in one of your administrative ranges ($IP), as identified by WHOIS
+in one of your administrative ranges (${IP}), as identified by WHOIS
information.
Please find below reports from the blocking system, including logs of
@@ -96,23 +96,23 @@ message to its administrator in charge.
EOF
fi
- echo "Offending IP: $IP"
- echo "Hostnames: $HOSTS"
- echo "Abuse addresses: $ABUSE"
- echo "Usernames tried: $LOGINS"
+ echo "Offending IP: ${IP}"
+ echo "Hostnames: ${HOSTS}"
+ echo "Abuse addresses: ${ABUSE}"
+ echo "Usernames tried: ${LOGINS}"
echo
echo "Host and WHOIS information:"
- cat $HOST_FILE
- cat $WHOIS_FILE
+ cat ${HOST_FILE}
+ cat ${WHOIS_FILE}
echo
echo "Incriminating logs (HTTP):"
- cat $HTTP_HOST_LOG
+ cat ${HTTP_HOST_LOG}
echo
echo "Incriminating logs (SSH):"
- cat $SSH_HOST_LOG
- ) | $MAIL ${CC} -s "${SUBJECT}" $DEST_ADDR
+ cat ${SSH_HOST_LOG}
+ ) | ${MAIL} ${CC} -s "${SUBJECT}" ${DEST_ADDR}
- rm -f $HOST_FILE $WHOIS_FILE $SSH_HOST_LOG $HTTP_HOST_LOG
+ rm -f ${HOST_FILE} ${WHOIS_FILE} ${SSH_HOST_LOG} ${HTTP_HOST_LOG}
}
function extract_email
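Review bot: `) | ${MAIL} ${CC} -s "${SUBJECT}" ${DEST_ADDR}` hands text harvested from WHOIS output to mail(1) as unquoted arguments: the tail of extract_email visible in the next hunk joins its matches with `, ` (`gsed ':a N;s/\n/, /g; ta'`), so with several contacts the word-split recipients carry trailing commas, and any token that happens to begin with `-` is parsed as an option rather than an address. Each extracted address should be checked against a strict pattern before it is stored in DEST_ADDR, and option parsing ended before the recipient list, e.g. `) | ${MAIL} ${CC} -s "${SUBJECT}" -- ${DEST_ADDR}` if the local mail(1) honours `--`. Whether mail(1) tolerates the comma is platform-dependent, so splitting the list on `, ` explicitly would be safer than relying on it. The subshell piped into mail opens in an earlier hunk, outside this one.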
@@ -134,7 +134,7 @@ function extract_email
sort | uniq | gsed ':a N;s/\n/, /g; ta'
}
-NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/denyhost.blockers.list.XXXXXX`
+NEW_BLOCKERS_FILE=$(mktemp ${TMP_DIR}/denyhost.blockers.list.XXXXXX)
# HTTP exploiters
grep ${HTTP_PATTERN} ${HTTP_LOG} \
@@ -144,7 +144,7 @@ grep ${HTTP_PATTERN} ${HTTP_LOG} \
> ${NEW_BLOCKERS_FILE}
# SSH exploiters
-SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/denyhost.ssh.log.XXXXXX`
+SSH_FILTERED_LOG=$(mktemp ${TMP_DIR}/denyhost.ssh.log.XXXXXX)
> ${SSH_FILTERED_LOG}
gsed -n " \
/Received disconnect/d; \
@@ -152,15 +152,15 @@ gsed -n " \
" ${SSH_LOG} \
| sort \
| uniq -c \
- | gsed "/^ *[1-$authtries] */d;s/.* //" \
+ | gsed "/^ *[1-${authtries}] */d;s/.* //" \
>> ${NEW_BLOCKERS_FILE}
-for IP in `cat $NEW_BLOCKERS_FILE | sort | uniq | grep -v -f ${BLOCKERS_FILE}`; do
- process_ip $IP
+for IP in $(cat ${NEW_BLOCKERS_FILE} | sort | uniq | grep -v -f ${BLOCKERS_FILE}); do
+ process_ip ${IP}
done
# Flush entries older than a week
-pfctl -t kiddies -T expire $EXPIRY 1>/dev/null 2>&1
+pfctl -t kiddies -T expire ${EXPIRY} 1>/dev/null 2>&1
# Add new entries
pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1
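Review bot: The threshold in `gsed "/^ *[1-${authtries}] */d;s/.* //"` is a bracket expression, so it only works while authtries is a single digit: with authtries=10 the class `[1-10]` matches 0 and 1, and hosts with 2–9 failures are blocked; authtries is also the only lowercase name here and its assignment is not in the diff, so if it were unset the class would degrade to `[1-]`. `awk -v n="${authtries}" '$1 > n { print $2 }'` on the `uniq -c` output compares numerically for any value and avoids interpolating a shell variable into a sed script. In the loop, `grep -v -f ${BLOCKERS_FILE}` uses each listed address as an unanchored regex, so an already-blocked `10.0.0.1` also suppresses `110.0.0.12` and an empty line in the list suppresses everything; `sort -u "${NEW_BLOCKERS_FILE}" | grep -vxF -f "${BLOCKERS_FILE}"` matches whole lines literally and drops the `cat … | sort | uniq` chain.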