is a log monitor that protects networked hosts from brute force attacks against services, most notably SSH.
| sshguard.in (sshguard-2.4.1) | : | sshguard.in (sshguard-2.4.2) |
|---|
| | |
| skipping to change at line 12 | | skipping to change at line 12 |
|---|
| # sshguard -- protect hosts from brute-force attacks | | # sshguard -- protect hosts from brute-force attacks |
| | |
| libexec="@libexecdir@" | | libexec="@libexecdir@" |
| version="@sshguardversion@" | | version="@sshguardversion@" |
| | |
| err() { | | err() { |
| echo "sshguard: $1" >&2 | | echo "sshguard: $1" >&2 |
| } | | } |
| | |
| setflag() { | | setflag() { |
|
| if [ ! -z "$2" ]; then | | if [ -n "$2" ]; then |
| flags="$flags -$1 $2" | | flags="$flags -$1 $2" |
| fi | | fi |
| } | | } |
| | |
| usage() { | | usage() { |
| cat << EOF | | cat << EOF |
| Usage: sshguard [-v] [-h] | | Usage: sshguard [-v] [-h] |
| [-a BLACKLIST-THRESHOLD] [-b BLACKLIST-FILE] | | [-a BLACKLIST-THRESHOLD] [-b BLACKLIST-FILE] |
| [-i PID-FILE] [-p BLOCK_TIME] | | [-i PID-FILE] [-p BLOCK_TIME] |
| [-s DETECTION_TIME] [-w IP-ADDRESS | WHITELIST-FILE] | | [-s DETECTION_TIME] [-w IP-ADDRESS | WHITELIST-FILE] |
| EOF | | EOF |
| } | | } |
| | |
| clean_and_exit() { | | clean_and_exit() { |
|
| if [ ! -z "$PID_FILE" ]; then | | if [ -n "$PID_FILE" ]; then |
| rm -f "$PID_FILE" | | rm -f "$PID_FILE" |
| fi | | fi |
| exit | | exit |
| } | | } |
| | |
| # Source configuration file | | # Source configuration file |
| config="@sysconfdir@/sshguard.conf" | | config="@sysconfdir@/sshguard.conf" |
| if [ ! -r $config ]; then | | if [ ! -r $config ]; then |
| err "Could not read '$config'" | | err "Could not read '$config'" |
| err "Please configure SSHGuard." | | err "Please configure SSHGuard." |
| | |
| skipping to change at line 75 | | skipping to change at line 75 |
|---|
| exit 78 | | exit 78 |
| fi | | fi |
| | |
| # Read config in to flags | | # Read config in to flags |
| setflag 'a' "$THRESHOLD" | | setflag 'a' "$THRESHOLD" |
| setflag 'b' "$BLACKLIST_FILE" | | setflag 'b' "$BLACKLIST_FILE" |
| setflag 'p' "$BLOCK_TIME" | | setflag 'p' "$BLOCK_TIME" |
| setflag 's' "$DETECTION_TIME" | | setflag 's' "$DETECTION_TIME" |
| setflag 'N' "$IPV6_SUBNET" | | setflag 'N' "$IPV6_SUBNET" |
| setflag 'n' "$IPV4_SUBNET" | | setflag 'n' "$IPV4_SUBNET" |
|
| if [ ! -z "$WHITELIST_ARG" ]; then | | if [ -n "$WHITELIST_ARG" ]; then |
| for arg in $WHITELIST_ARG; do | | for arg in $WHITELIST_ARG; do |
| flags="$flags -w $arg" | | flags="$flags -w $arg" |
| done | | done |
|
| elif [ ! -z "$WHITELIST_FILE" ]; then | | elif [ -n "$WHITELIST_FILE" ]; then |
| flags="$flags -w $WHITELIST_FILE" | | flags="$flags -w $WHITELIST_FILE" |
| fi | | fi |
| | |
| # Log source selection order: | | # Log source selection order: |
| # runtime args, logreader and files, logreader, files, or stdin | | # runtime args, logreader and files, logreader, files, or stdin |
| shift $((OPTIND-1)) | | shift $((OPTIND-1)) |
|
| if [ ! -z "$@" ]; then | | if [ $# -gt 0 ]; then |
| tailcmd="$libexec/sshg-logtail $@" | | tailcmd="$libexec/sshg-logtail $@" |
|
| elif [ \( ! -z "$LOGREADER" \) -a \( ! -z "$FILES" \) ]; then | | elif [ -n "$LOGREADER" -a -n "$FILES" ]; then |
| LOGREADER="$LOGREADER | grep --line-buffered '^'" | | LOGREADER="$LOGREADER | grep --line-buffered '^'" |
| FILESREAD="$libexec/sshg-logtail $FILES | grep --line-buffered '^'" | | FILESREAD="$libexec/sshg-logtail $FILES | grep --line-buffered '^'" |
| tailcmd="( $LOGREADER & $FILESREAD )" | | tailcmd="( $LOGREADER & $FILESREAD )" |
|
| elif [ ! -z "$LOGREADER" ]; then | | elif [ -n "$LOGREADER" ]; then |
| tailcmd="$LOGREADER" | | tailcmd="$LOGREADER" |
|
| elif [ ! -z "$FILES" ]; then | | elif [ -n "$FILES" ]; then |
| tailcmd="$libexec/sshg-logtail $FILES" | | tailcmd="$libexec/sshg-logtail $FILES" |
| elif [ -z "$tailcmd" ]; then | | elif [ -z "$tailcmd" ]; then |
| err "$config is missing FILES and LOGREADER; please specify one" | | err "$config is missing FILES and LOGREADER; please specify one" |
| exit 1 | | exit 1 |
| fi | | fi |
| | |
|
| if [ ! -z "$PID_FILE" ]; then | | if [ -n "$PID_FILE" ]; then |
| if [ ! -e "$PID_FILE" ]; then | | if [ ! -e "$PID_FILE" ]; then |
| echo "$$" > $PID_FILE | | echo "$$" > $PID_FILE |
| else | | else |
| err "$PID_FILE already exists; is SSHGuard already running?" | | err "$PID_FILE already exists; is SSHGuard already running?" |
| exit 1 | | exit 1 |
| fi | | fi |
| fi | | fi |
| | |
|
| | # Select PARSER from configuration file or use default. Add POST_PARSER from |
| | # configuration file if it exists. |
| | RUN_PARSER=${PARSER:-$libexec/sshg-parser} |
| | if [ -n "$POST_PARSER" ]; then |
| | RUN_PARSER="$RUN_PARSER | $POST_PARSER" |
| | fi |
| | |
| # Make sure to kill entire process group (subshell) on exit/interrupts. | | # Make sure to kill entire process group (subshell) on exit/interrupts. |
| trap "clean_and_exit" INT TERM | | trap "clean_and_exit" INT TERM |
| trap "kill 0" EXIT | | trap "kill 0" EXIT |
| | |
|
| eval $tailcmd | $libexec/sshg-parser | \ | | eval $tailcmd | eval "$RUN_PARSER" | \ |
| $libexec/sshg-blocker $flags | $BACKEND & | | $libexec/sshg-blocker $flags | $BACKEND & |
| wait | | wait |
| | | |
| End of changes. 11 change blocks. |
|---|
| 10 lines changed or deleted | | 17 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 