#!/bin/sh
# Adds an IP to the /etc/hosts.deny file
# Requirements: sshd and other binaries with tcp wrappers support
# Expect: srcip
# Author: Daniel B. Cid
# Last modified: Nov 09, 2005
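# Positional interface used by the OSSEC active-response framework:
#   $1 action ("add" | "delete"), $2 user (logged only), $3 source ip.
ACTION=$1
# NOTE: this shadows the login USER environment variable for the rest
# of the script; kept for compatibility, it is not referenced below.
USER=$2
IP=$3

# Everything below (lock directory, response log, temp files) is
# resolved relative to the directory *above* this script, so a failed
# cd must abort instead of silently operating in the caller's cwd.
LOCAL=$(dirname "$0")
cd "${LOCAL}" || exit 1
cd .. || exit 1
PWD=$(pwd)

# The lock is a directory (mkdir is atomic) holding the owner's pid.
LOCK="${PWD}/host-deny-lock"
LOCK_PID="${LOCK}/pid"
UNAME=$(uname)

# Upper bound on lock() wait rounds. This number should be more than
# enough (even if a hundred instances of this script run together).
# On a really loaded system raise it to 75 or 100.
MAX_ITERATION="50"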
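# Acquire the script-wide lock: create the ${LOCK} directory (mkdir is
# an atomic check-and-create) and record our pid in ${LOCK_PID}.
# While another instance holds the lock, wait with a growing sleep.
# Globals read:    LOCK, LOCK_PID, MAX_ITERATION, PWD
# Globals written: S_PID (pid of the holder seen on our first attempt)
# On timeout: logs to ${PWD}/ossec-hids-responses.log, removes the
# lock (via unlock) and exits 1.
lock()
{
    i=0
    while :; do
        if mkdir "${LOCK}" > /dev/null 2>&1; then
            # Lock acquired: publish our pid so waiters can see who holds it.
            echo "$$" > "${LOCK_PID}"
            return
        fi
        # Pid of the current holder (empty if it has not been written yet).
        C_PID=$(cat "${LOCK_PID}" 2>/dev/null)
        if [ -z "${S_PID}" ]; then
            S_PID=${C_PID}
        fi
        # Same holder as when we started waiting: count this round
        # twice so a stuck holder times out sooner. A changing holder
        # (lock is being passed around) counts once per round and
        # fails after MAX_ITERATION rounds.
        if [ "x${C_PID}" = "x${S_PID}" ]; then
            i=$((i + 1))
        fi
        sleep "$i"
        i=$((i + 1))
        # -ge rather than string equality: the counter may step by 2
        # and must never be able to jump over the limit.
        if [ "$i" -ge "${MAX_ITERATION}" ]; then
            echo "$(date) Unable to execute. Locked: $0" \
                >> "${PWD}/ossec-hids-responses.log"
            # Unlocking and exiting
            unlock
            exit 1
        fi
    done
}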
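# Release the lock taken by lock(): remove the ${LOCK} directory and
# the pid file inside it. Global read: LOCK.
# Quoted and guarded so an empty/unset LOCK can never turn into an
# unbounded or mis-targeted "rm -rf".
unlock()
{
    if [ -n "${LOCK}" ]; then
        rm -rf -- "${LOCK}"
    fi
}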
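# Response log; ${PWD} is the directory above this script (set at top).
AR_LOG="${PWD}/../logs/active-responses.log"

# Record every invocation.
echo "$(date) $0 $1 $2 $3 $4 $5" >> "${AR_LOG}"

# An address is mandatory.
if [ -z "${IP}" ]; then
    echo "$0: Missing argument <action> <user> (ip)"
    exit 1
fi

# ${IP} originates from alert data an attacker can influence. It is
# written verbatim into the tcp_wrappers control file - which, when
# built with option support (hosts_options(5)), parses further
# ':'-separated fields as options - and it is embedded in the grep
# patterns below. Accept only what an IPv4/IPv6 literal can contain
# (hex digits, '.', ':') and insist on at least one separator.
case "${IP}" in
    *[!0-9A-Fa-f.:]*)
        valid=0 ;;
    *.*|*:*)
        valid=1 ;;
    *)
        valid=0 ;;
esac
if [ "${valid}" -ne 1 ]; then
    echo "$(date) Invalid ip/hostname entry: ${IP}" >> "${AR_LOG}"
    exit 1
fi

# IPv6 literals must be bracketed in hosts.allow / hosts.deny.
case "${IP}" in
    *:*) ENTRY_IP="[${IP}]" ;;
    *)   ENTRY_IP="${IP}" ;;
esac

# Target file and exact line differ per platform: FreeBSD keeps the
# rule in hosts.allow with an explicit "deny" option.
if [ "X${UNAME}" = "XFreeBSD" ]; then
    DENY_FILE="/etc/hosts.allow"
    ENTRY="ALL : ${ENTRY_IP} : deny"
else
    DENY_FILE="/etc/hosts.deny"
    ENTRY="ALL:${ENTRY_IP}"
fi

if [ "x${ACTION}" = "xadd" ]; then
    # Take the lock *before* the duplicate check so two concurrent adds
    # of the same address cannot both pass it and append twice.
    lock
    # Fixed-string whole-word match: dots in an IPv4 address must not
    # act as regex wildcards. Checks the file we actually write to.
    if grep -q -w -F -- "${IP}" "${DENY_FILE}" 2>/dev/null; then
        echo "IP ${IP} already exists on host.deny..." >> "${AR_LOG}"
        unlock
        exit 1
    fi
    echo "${ENTRY}" >> "${DENY_FILE}"
    rc=$?
    unlock
    # A failed append (read-only fs, missing /etc) must not report success.
    if [ "${rc}" -ne 0 ]; then
        echo "$(date) Unable to write ${ENTRY} to ${DENY_FILE}" >> "${AR_LOG}"
        exit 1
    fi
    exit 0

elif [ "x${ACTION}" = "xdelete" ]; then
    lock
    TMP_FILE=$(mktemp "${PWD}/ossec-hosts.XXXXXXXXXX")
    if [ -z "${TMP_FILE}" ]; then
        # Cheap fallback when mktemp is unavailable: still an
        # unpredictable name in our own directory, not /tmp.
        TMP_FILE="${PWD}/ossec-hosts.$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -1)"
    fi
    # Copy everything except our exact line. grep exits 1 when no line
    # is left (all removed) - that is fine; >1 means the file could not
    # be read, and the live file must then not be replaced by an empty copy.
    grep -v -x -F -- "${ENTRY}" "${DENY_FILE}" > "${TMP_FILE}"
    rc=$?
    if [ "${rc}" -gt 1 ]; then
        echo "$(date) Unable to read ${DENY_FILE}; ${ENTRY} not removed" >> "${AR_LOG}"
        rm -f -- "${TMP_FILE}"
        unlock
        exit 1
    fi
    # Write back in place rather than mv: keeps owner, mode and inode
    # of the control file (mktemp creates the copy 0600).
    cat "${TMP_FILE}" > "${DENY_FILE}"
    rm -f -- "${TMP_FILE}"
    unlock
    exit 0

else
    # Invalid action
    echo "$0: invalid action: ${ACTION}"
fi
exit 1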