author | Olivier Mehani <shtrom@ssji.net> | 2017-07-22 12:41:16 +0200 |
committer | Olivier Mehani <shtrom@ssji.net> | 2017-07-22 13:11:53 +0200 |
commit | 93c82ccf926d112c9010fc8a2a496d0b6f9425ca (patch) | |
tree | 433d33cca2bf801fc6c74d497b0b9ee1d2f63f31 /openbsd | |
parent | 8a3c3cd9a5bebd9e66a4a95871a54d80e28ae846 (diff) |
[denyhosts] Cleanup syntax
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
Diffstat (limited to 'openbsd')
-rwxr-xr-x | openbsd/denyhost.sh | 100 |
1 files changed, 50 insertions, 50 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index da59588..4a149dc 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -17,7 +17,7 @@
 # also be a good idea)
 #
 
-LOCAL_ADDR=root@`hostname`
+LOCAL_ADDR=root@$(hostname)
 HTTP_LOG=/srv/www/logs/access_log
 HTTP_PATTERN="etc.passwd"
 SSH_LOG=/var/log/authlog
@@ -27,57 +27,57 @@ EXPIRY=604800 # s; 1w BLOCKERS_FILE=/etc/blockers.list TMP_DIR=/tmp -PATH=/usr/local/bin:$PATH +PATH=/usr/local/bin:${PATH} PIDFILE=/var/run/denyhost.sh.pid MAIL=mail # Exit if another instance is already running. -if test -e $PIDFILE && kill -0 `cat $PIDFILE` 2>/dev/null; then - echo "$0 process already running (`cat $PIDFILE`), exiting" >&2 +if test -e ${PIDFILE} && kill -0 $(cat ${PIDFILE}) 2>/dev/null; then + echo "$0 process already running ($(cat ${PIDFILE})), exiting" >&2 exit 0 else - echo $$ > $PIDFILE + echo $$ > ${PIDFILE} fi function process_ip { - HOST_FILE=`mktemp ${TMP_DIR}/denyhost.host.XXXXXX` - host $IP > $HOST_FILE - HOSTS=`gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" $HOST_FILE | \ - gsed ':a N;s/\n/, /g; ta'` - - WHOIS_FILE=`mktemp ${TMP_DIR}/denyhost.whois.XXXXXX` - whois $IP > $WHOIS_FILE - ABUSE=`extract_email $WHOIS_FILE` - - HTTP_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_http.log.XXXXXX` - grep $IP $HTTP_FILTERED_LOG > $HTTP_HOST_LOG - - SSH_HOST_LOG=`mktemp ${TMP_DIR}/denyhost.host_ssh.log.XXXXXX` - grep $IP $SSH_FILTERED_LOG > $SSH_HOST_LOG - LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $SSH_HOST_LOG | \ - sort | uniq | gsed ':a N;s/\n/, /g; ta'` - - if [ -z "$ABUSE" ]; then - NETS=`gsed -n "s/.*\(NET-[-0-9]\+\).*/\1/p" $WHOIS_FILE` - for NET in $NETS; do - whois $NET >> $WHOIS_FILE + HOST_FILE=$(mktemp ${TMP_DIR}/denyhost.host.XXXXXX) + host ${IP} > ${HOST_FILE} + HOSTS=$(gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" ${HOST_FILE} | \ + gsed ':a N;s/\n/, /g; ta') + + WHOIS_FILE=$(mktemp ${TMP_DIR}/denyhost.whois.XXXXXX) + whois ${IP} > ${WHOIS_FILE} + ABUSE=$(extract_email ${WHOIS_FILE}) + + HTTP_HOST_LOG=$(mktemp ${TMP_DIR}/denyhost.host_http.log.XXXXXX) + grep ${IP} ${HTTP_FILTERED_LOG} > ${HTTP_HOST_LOG} + + SSH_HOST_LOG=$(mktemp ${TMP_DIR}/denyhost.host_ssh.log.XXXXXX) + grep ${IP} ${SSH_FILTERED_LOG} > 
${SSH_HOST_LOG} + LOGINS=$(gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" ${SSH_HOST_LOG} | \ + sort | uniq | gsed ':a N;s/\n/, /g; ta') + + if [ -z "${ABUSE}" ]; then + NETS=$(gsed -n "s/.*\(NET-[-0-9]\+\).*/\1/p" ${WHOIS_FILE}) + for NET in ${NETS}; do + whois ${NET} >> ${WHOIS_FILE} done - ABUSE=`extract_email $WHOIS_FILE` + ABUSE=$(extract_email ${WHOIS_FILE}) fi - if [ -z "$ABUSE" ]; then + if [ -z "${ABUSE}" ]; then DEST_ADDR="${LOCAL_ADDR}" - SUBJECT="Host $IP (admin unknown) is compromised" + SUBJECT="Host ${IP} (admin unknown) is compromised" else - DEST_ADDR="$ABUSE" - CC="-c $LOCAL_ADDR" - SUBJECT="Host $IP is compromised" + DEST_ADDR="${ABUSE}" + CC="-c ${LOCAL_ADDR}" + SUBJECT="Host ${IP} is compromised" fi ( - if [ -n "$ABUSE" ]; then + if [ -n "${ABUSE}" ]; then cat << EOF Greetings, @@ -85,7 +85,7 @@ Greetings, <shtrom-admin@ssji.net> ] Unauthorised login attempts have recently been observed from an IP address -in one of your administrative ranges ($IP), as identified by WHOIS +in one of your administrative ranges (${IP}), as identified by WHOIS information. Please find below reports from the blocking system, including logs of 
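Review bot: `CC` is assigned only in the else branch of the `[ -z "${ABUSE}" ]` test and is never cleared in the first branch, and because process_ip uses no local variables it keeps its value across calls from the `for IP` loop, so an address with no abuse contact that is processed after one with a contact is mailed to LOCAL_ADDR with an extra `-c LOCAL_ADDR` copy; setting `CC=` just before the `if` fixes it. The `grep ${IP} ${HTTP_FILTERED_LOG}` and `grep ${IP} ${SSH_FILTERED_LOG}` lines use the address as an unanchored basic regex in which every dot matches any character, so log lines for 10.1.2.34 are also pulled into the report for 10.1.2.3; `grep -F -w -- "${IP}"` keeps the match literal. ${HOSTS} and ${ABUSE} come from reverse DNS and WHOIS records published by whoever controls the offending address rather than by this system, which is fine while they are only echoed into the mail body, but a comment such as `# HOSTS/ABUSE are remote-controlled data: only ever print them, never pass them to a command line` would stop a later change from doing worse. process_ip's body continues past this hunk.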
@@ -96,23 +96,23 @@ message to its administrator in charge. EOF fi - echo "Offending IP: $IP" - echo "Hostnames: $HOSTS" - echo "Abuse addresses: $ABUSE" - echo "Usernames tried: $LOGINS" + echo "Offending IP: ${IP}" + echo "Hostnames: ${HOSTS}" + echo "Abuse addresses: ${ABUSE}" + echo "Usernames tried: ${LOGINS}" echo echo "Host and WHOIS information:" - cat $HOST_FILE - cat $WHOIS_FILE + cat ${HOST_FILE} + cat ${WHOIS_FILE} echo echo "Incriminating logs (HTTP):" - cat $HTTP_HOST_LOG + cat ${HTTP_HOST_LOG} echo echo "Incriminating logs (SSH):" - cat $SSH_HOST_LOG - ) | $MAIL ${CC} -s "${SUBJECT}" $DEST_ADDR + cat ${SSH_HOST_LOG} + ) | ${MAIL} ${CC} -s "${SUBJECT}" ${DEST_ADDR} - rm -f $HOST_FILE $WHOIS_FILE $SSH_HOST_LOG $HTTP_HOST_LOG + rm -f ${HOST_FILE} ${WHOIS_FILE} ${SSH_HOST_LOG} ${HTTP_HOST_LOG} } function extract_email @@ -134,7 +134,7 @@ function extract_email sort | uniq | gsed ':a N;s/\n/, /g; ta' } -NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/denyhost.blockers.list.XXXXXX` +NEW_BLOCKERS_FILE=$(mktemp ${TMP_DIR}/denyhost.blockers.list.XXXXXX) # HTTP exploiters grep ${HTTP_PATTERN} ${HTTP_LOG} \ @@ -144,7 +144,7 @@ grep ${HTTP_PATTERN} ${HTTP_LOG} \ > ${NEW_BLOCKERS_FILE} # SSH exploiters -SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/denyhost.ssh.log.XXXXXX` +SSH_FILTERED_LOG=$(mktemp ${TMP_DIR}/denyhost.ssh.log.XXXXXX) > ${SSH_FILTERED_LOG} gsed -n " \ /Received disconnect/d; \ 
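Review bot: On the `) | ${MAIL} ${CC} -s "${SUBJECT}" ${DEST_ADDR}` line the recipient list is unquoted and placed after the options, and in the abuse case it holds whatever extract_email pulled out of WHOIS output, so a value containing whitespace or starting with `-` becomes extra recipients or is parsed as a mail option. The word-splitting is presumably intended so that the comma-joined list reaches mail as separate arguments (extract_email's joining is outside this hunk), but the recipients should be separated from the options, e.g. `) | ${MAIL} ${CC} -s "${SUBJECT}" -- ${DEST_ADDR}` if the local mail(1) honours `--`, or guarded with `case "${ABUSE}" in -*) ABUSE=;; esac` before the destination is chosen. `${CC}` is deliberately unquoted because it carries `-c addr` as two words; that deserves a one-line comment since every other expansion in the file was just braced for consistency. The temporary files are removed with `rm -f` only on the normal path, so any early exit inside process_ip leaves them under TMP_DIR; a `trap` at script level would cover that, but its natural place is outside this hunk.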
@@ -152,15 +152,15 @@ gsed -n " \ " ${SSH_LOG} \ | sort \ | uniq -c \ - | gsed "/^ *[1-$authtries] */d;s/.* //" \ + | gsed "/^ *[1-${authtries}] */d;s/.* //" \ >> ${NEW_BLOCKERS_FILE} -for IP in `cat $NEW_BLOCKERS_FILE | sort | uniq | grep -v -f ${BLOCKERS_FILE}`; do - process_ip $IP +for IP in $(cat ${NEW_BLOCKERS_FILE} | sort | uniq | grep -v -f ${BLOCKERS_FILE}); do + process_ip ${IP} done # Flush entries older than a week -pfctl -t kiddies -T expire $EXPIRY 1>/dev/null 2>&1 +pfctl -t kiddies -T expire ${EXPIRY} 1>/dev/null 2>&1 # Add new entries pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1 |
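Review bot: The `grep -v -f ${BLOCKERS_FILE}` filter on the `for IP in` line treats every existing blocker entry as an unanchored basic regex, so an entry `10.1.2.3` also suppresses `10.1.2.34` and `110.1.2.3`, and those hosts are neither reported by process_ip nor added to the table; `grep -v -x -F -f "${BLOCKERS_FILE}"` matches entries literally and whole-line, and `sort -u "${NEW_BLOCKERS_FILE}"` replaces the `cat | sort | uniq` in front of it. In the gsed expression, `[1-${authtries}]` is a character range, not a numeric one, so the threshold is only correct while authtries is a single digit; authtries is also the sole lower-case variable in the script and its definition is outside the hunk, so either a comment `# authtries must be 1..9: bracket expression, not a numeric compare` or a numeric filter such as `awk -v n="${authtries}" '$1 > n { print $2 }'` (assuming `uniq -c` leaves count then address) would make the limit explicit. process_ip is invoked with `${IP}` as an argument but, as far as the earlier hunk shows, reads the global IP rather than `$1`; either drop the argument or have the function read `$1` so the coupling is visible.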