"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/share/arno-iptables-firewall/plugins/adaptive-ban-helper" (16 Sep 2020, 5912 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "adaptive-ban-helper": 2.1.0_vs_2.1.1.

    1 # The plugin configuration file
    2 ###############################
    3 PLUGIN_CONF_FILE="adaptive-ban.conf"
    4 
    5 # Preinit return value for success
    6 PLUGIN_RET_VAL=0
    7 
    8 TEMPFILE="/var/tmp/aif_adaptive_ban.temp"
    9 
   10 # Check sanity of environment
   11 adaptive_ban_helper_sanity_check()
   12 {
   13   # Check whether chains exists
   14   if ! check_for_chain ADAPTIVE_BAN_CHAIN; then
   15     echo "** ERROR: ADAPTIVE_BAN_CHAIN does not exist! **" >&2
   16     return 1
   17   fi
   18 
   19   if ! check_for_chain ADAPTIVE_BAN_DROP_CHAIN; then
   20     echo "** ERROR: ADAPTIVE_BAN_DROP_CHAIN does not exist! **" >&2
   21     return 1
   22   fi
   23 
   24   if [ ! -f "$ADAPTIVE_BAN_FILE" ]; then
   25     echo "** ERROR: Input log file $ADAPTIVE_BAN_FILE does not exist! **" >&2
   26     return 1
   27   fi
   28 
   29   return 0
   30 }
   31 
   32 
   33 adaptive_ban_helper_do_work()
   34 {
   35   local filetime=0
   36 
   37   if [ "$filetime" != "$(date -r "$ADAPTIVE_BAN_FILE" "+%s")" ]; then
   38     filter "$ADAPTIVE_BAN_FILE" "$ADAPTIVE_BAN_COUNT" "$ADAPTIVE_BAN_TYPES"
   39 
   40     filetime="$(date -r "$ADAPTIVE_BAN_FILE" "+%s")"
   41   fi
   42 
   43   return 0
   44 }
   45 
   46 
   47 filter()
   48 {
   49   local file="$1" count="$2" type types PREFIX HOST IFS
   50 
   51   shift 2
   52   types="$@"
   53 
   54   # regex to pull out offending IPv4/IPv6 address
   55   #
   56   HOST="([0-9a-fA-F:.]{7,})"
   57 
   58   unset IFS
   59   for type in $types; do
   60 
   61     # regex match the start of the syslog string
   62     #
   63     PREFIX=".*${type}\[[0-9]*]:[[:space:]]*"
   64 
   65     case "$type" in
   66       sshd) filter_sshd "$file" "$PREFIX" "$HOST"
   67          ;;
   68       asterisk) filter_asterisk "$file" "$PREFIX" "$HOST"
   69          ;;
   70       lighttpd) filter_lighttpd "$file" "$PREFIX" "$HOST"
   71          ;;
   72       mini_httpd) filter_mini_httpd "$file" "$PREFIX" "$HOST"
   73          ;;
   74       pptpd) filter_pptpd "$file" "$PREFIX" "$HOST"
   75          ;;
   76       *) echo "Unsupported type \"$type\"" >&2
   77          continue
   78          ;;
   79     esac
   80     if [ $? -ne 0 ]; then
   81       echo "Filter error for type \"$type\"" >&2
   82     else
   83       count_attempts_then_ban "$count" "$type"
   84     fi
   85     rm -f "$TEMPFILE"
   86   done
   87 }
   88 
   89 
   90 filter_sshd()
   91 {
   92   local file="$1" PREFIX="$2" HOST="$3"
   93 
   94   sed -n -r -e "s/^${PREFIX}Failed (password|publickey) for .* from ${HOST}( port [0-9]*)?( ssh[0-9]*)?$/\2/p" \
   95             -e "s/^${PREFIX}[iI](llegal|nvalid) user .* from ${HOST}[[:space:]]*$/\2/p" \
   96                "$file" >"$TEMPFILE"
   97 }
   98 
   99 filter_asterisk()
  100 {
  101   local file="$1" PREFIX="$2" HOST="$3"
  102 
  103   sed -n -r -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Wrong password$/\1/p" \
  104             -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - No matching peer found$/\1/p" \
  105             -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Username\/auth name mismatch$/\1/p" \
  106             -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Device does not match ACL$/\1/p" \
  107             -e "s/^${PREFIX}NOTICE.* '${HOST}' - Dialplan Noted Suspicious IP Address$/\1/p" \
  108             -e "s/^${PREFIX}NOTICE.* ${HOST} failed to authenticate as '.*'$/\1/p" \
  109             -e "s/^${PREFIX}NOTICE.* .*: No registration for peer '.*' \(from ${HOST}\)$/\1/p" \
  110             -e "s/^${PREFIX}NOTICE.* .*: Host ${HOST} failed MD5 authentication for '.*' \(.*\)$/\1/p" \
  111                "$file" >"$TEMPFILE"
  112 }
  113 
  114 filter_lighttpd()
  115 {
  116   local file="$1" PREFIX="$2" HOST="$3"
  117 
  118   sed -n -r -e "s/^${PREFIX}.* password doesn't match for .* IP: ${HOST}[[:space:]]*$/\1/p" \
  119             -e "s/^${PREFIX}.* get_password failed, IP: ${HOST}[[:space:]]*$/\1/p" \
  120                "$file" >"$TEMPFILE"
  121 }
  122 
  123 filter_mini_httpd()
  124 {
  125   local file="$1" PREFIX="$2" HOST="$3"
  126 
  127   sed -n -r -e "s/^${PREFIX}${HOST} authentication failure - access denied$/\1/p" \
  128                "$file" >"$TEMPFILE"
  129 }
  130 
  131 filter_pptpd()
  132 {
  133   local file="$1" PREFIX="$2" HOST="$3" PPP_PREFIX=".*pppd\[[0-9]*]:[[:space:]]*"
  134 
  135   sed -n -r -e "/^${PPP_PREFIX}.* failed CHAP authentication$/ {N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;\
  136                s/^.*\n${PREFIX}CTRL: Client ${HOST} control connection finished\n.*$/\1/p}" \
  137                "$file" >"$TEMPFILE"
  138 }
  139 
  140 count_attempts_then_ban()
  141 {
  142   local count="$1" type="$2" line host IFS
  143 
  144   # Remove possible IPv4 port numbers, IPv4:PORT -> IPv4
  145   sed -i -r -e 's/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):[0-9]+$/\1/' "$TEMPFILE"
  146 
  147   IFS=$EOL
  148   for line in $(sort "$TEMPFILE" | uniq -c); do
  149     if [ "$(echo "$line" | awk '{ print $1; }')" -ge "$count" ]; then
  150       host="$(echo "$line" | awk '{ print $2; }')"
  151       ban_host "$host" "$type"
  152     fi
  153   done
  154 }
  155 
  156 ban_host()
  157 {
  158   local host="$1" type="$2"
  159 
  160   get_numeric_ip_version "$host"
  161   case $? in
  162   4)
  163     if ! ip4tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${host//./\.}[/ ]"; then
  164       ip4tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN
  165       if [ $? -eq 0 ]; then
  166         echo "Banned IPv4 host: $host  Filter type: $type" >&2
  167       fi
  168     fi
  169     ;;
  170   6)
  171     if [ "$IPV6_SUPPORT" = "1" ]; then
  172       if ! ip6tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${host}[/ ]"; then
  173         ip6tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN
  174         if [ $? -eq 0 ]; then
  175           echo "Banned IPv6 host: $host  Filter type: $type" >&2
  176         fi
  177       fi
  178     fi
  179     ;;
  180   esac
  181 }
  182 
  183 check_for_chain()
  184 {
  185   local err
  186 
  187   ip4tables -n -L "$1" >/dev/null 2>&1
  188   err=$?
  189 
  190   if [ "$IPV6_SUPPORT" = "1" -a $err -eq 0 ]; then
  191     ip6tables -n -L "$1" >/dev/null 2>&1
  192     err=$?
  193   fi
  194 
  195   return $err
  196 }
  197 
  198 ############
  199 # Mainline #
  200 ############
  201 
  202 # Check where to find the config file
  203 CONF_FILE=""
  204 if [ -n "$PLUGIN_CONF_PATH" ]; then
  205   CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
  206 fi
  207 
  208 # Check if the config file exists
  209 if [ ! -f "$CONF_FILE" ]; then
  210   echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  211   PLUGIN_RET_VAL=1
  212 else
  213   # Source the plugin config file
  214   . "$CONF_FILE"
  215 
  216   # Only proceed if environment ok
  217   if ! adaptive_ban_helper_sanity_check; then
  218     PLUGIN_RET_VAL=1
  219   else
  220     # Parse rules
  221     if ! adaptive_ban_helper_do_work; then
  222       PLUGIN_RET_VAL=1
  223     fi
  224   fi
  225 fi