X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=active-response%2Fhost-deny.sh;h=0893125bd52e24d75de84f70270bff8fd8c57f34;hp=d29aa69fecb3cbf20b36e7987081097b8c60236d;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/active-response/host-deny.sh b/active-response/host-deny.sh
index d29aa69..0893125 100755
--- a/active-response/host-deny.sh
+++ b/active-response/host-deny.sh
@@ -33,7 +33,7 @@ lock()
 mkdir ${LOCK} > /dev/null 2>&1
 MSL=$?
 if [ "${MSL}" = "0" ]; then
- # Lock aquired (setting the pid)
+ # Lock acquired (setting the pid)
 echo "$$" > ${LOCK_PID}
 return;
 fi
@@ -42,30 +42,27 @@ lock()
 C_PID=`cat ${LOCK_PID} 2>/dev/null`
 if [ "x" = "x${S_PID}" ]; then
 S_PID=${C_PID}
- fi
+ fi
 # Breaking out of the loop after X attempts
 if [ "x${C_PID}" = "x${S_PID}" ]; then
 i=`expr $i + 1`;
 fi
-
- # Sleep 1 after 10/25 interactions
- if [ "$i" = "10" -o "$i" = "25" ]; then
- sleep 1;
- fi
-
+
+ sleep $i;
+ i=`expr $i + 1`;
-
+
 # So i increments 2 by 2 if the pid does not change.
 # If the pid keeps changing, we will increments one
 # by one and fail after MAX_ITERACTION
 if [ "$i" = "${MAX_ITERATION}" ]; then
 echo "`date` Unable to execute. Locked: $0" \
 >> ${PWD}/ossec-hids-responses.log
-
+
 # Unlocking and exiting
 unlock;
- exit 1;
+ exit 1;
 fi
 done
 }
@@ -73,7 +70,7 @@ lock()
 # Unlock function
 unlock()
 {
- rm -rf ${LOCK}
+ rm -rf ${LOCK}
 }
@@ -83,13 +80,13 @@ echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
 # IP Address must be provided
 if [ "x${IP}" = "x" ]; then
- echo "$0: Missing argument (ip)"
- exit 1;
+ echo "$0: Missing argument (ip)"
+ exit 1;
 fi
-# Checking for invalid entries (lacking ".", etc)
-echo "${IP}" | grep "\." > /dev/null 2>&1
+# Checking for invalid entries (lacking "." or ":", etc)
+echo "${IP}" | egrep "\.|\:" > /dev/null 2>&1
 if [ ! $? = 0 ]; then
 echo "`date` Invalid ip/hostname entry: ${IP}" >> ${PWD}/../logs/active-responses.log
 exit 1;
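Review bot: The `sleep $i;` added to lock()'s retry loop makes every pass wait one or two seconds longer than the previous one, so the total time a blocked responder spends before giving up is now roughly quadratic in MAX_ITERATION and nothing caps it (both the starting value of `i` and MAX_ITERATION are set outside this hunk, as is the top of lock()). That makes the pre-existing exit test, `if [ "$i" = "${MAX_ITERATION}" ]`, much more costly to miss: `i` advances by 2 whenever the lock holder's pid is unchanged, so if MAX_ITERATION does not share that parity the equality never holds and the loop keeps sleeping for ever-longer periods. Replacing the test with `if [ "$i" -ge "${MAX_ITERATION}" ]; then` closes that gap regardless of step size. I would also bound the backoff rather than sleeping a full `$i` seconds, so that a stale lock left by a dead process costs a predictable wait; a short comment such as `# linear backoff: sleep i, i+1, ... until MAX_ITERATION` on the `sleep` line would document the intended behaviour.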
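Review bot: The new check on the `egrep` line only confirms that a "." or ":" appears somewhere in ${IP}, so any string containing one of those characters — including ones carrying whitespace or shell metacharacters — passes and is later written verbatim into /etc/hosts.deny and reused as a grep pattern in the delete branch. Since ${IP} appears to come from the command line (it is assigned outside this hunk), a whole-string test against the permitted character set would be safer: `echo "${IP}" | grep -E '^[A-Za-z0-9.:-]+$' > /dev/null 2>&1`. `egrep` is also deprecated in favour of `grep -E`, and the `\:` escape in the pattern is unnecessary.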
@@ -98,39 +95,53 @@ fi
 # Adding the ip to hosts.deny
 if [ "x${ACTION}" = "xadd" ]; then
- lock;
- if [ "X$UNAME" = "XFreeBSD" ]; then
- echo "ALL : ${IP} : deny" >> /etc/hosts.allow
- else
- echo "ALL:${IP}" >> /etc/hosts.deny
- fi
- unlock;
- exit 0;
-
-
-# Deleting from hosts.deny
-elif [ "x${ACTION}" = "xdelete" ]; then
- lock;
- TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
- if [ "X${TMP_FILE}" = "X" ]; then
- # Cheap fake tmpfile, but should be harder then no random data
- TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
- fi
- if [ "X$UNAME" = "XFreeBSD" ]; then
- cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> ${TMP_FILE}
- mv ${TMP_FILE} /etc/hosts.allow
- else
- cat /etc/hosts.deny | grep -v "ALL:${IP}$"> ${TMP_FILE}
- cat ${TMP_FILE} > /etc/hosts.deny
- rm ${TMP_FILE}
- fi
- unlock;
- exit 0;
-
-
-# Invalid action
+ # Looking for duplication
+ IPKEY=$(grep -w "${IP}" /etc/hosts.deny)
+ if [ ! -z "$IPKEY" ]; then
+ echo "IP ${IP} already exists on host.deny..." >> ${PWD}/../logs/active-responses.log
+ exit 1
+ fi
+ lock;
+ echo "${IP}" | grep "\:" > /dev/null 2>&1
+ if [ $? = 0 ]; then
+ IP="[${IP}]"
+ fi
+ if [ "X$UNAME" = "XFreeBSD" ]; then
+ echo "ALL : ${IP} : deny" >> /etc/hosts.allow
+ else
+ echo "ALL:${IP}" >> /etc/hosts.deny
+ fi
+ unlock;
+ exit 0;
+
+
+# Deleting from hosts.deny
+elif [ "x${ACTION}" = "xdelete" ]; then
+ lock;
+ TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX`
+ if [ "X${TMP_FILE}" = "X" ]; then
+ # Cheap fake tmpfile, but should be harder then no random data
+ TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
+ fi
+ echo "${IP}" | grep "\:" > /dev/null 2>&1
+ if [ $? = 0 ]; then
+ IP="\[${IP}\]"
+ fi
+ if [ "X$UNAME" = "XFreeBSD" ]; then
+ cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> ${TMP_FILE}
+ mv ${TMP_FILE} /etc/hosts.allow
+ else
+ cat /etc/hosts.deny | grep -v "ALL:${IP}$"> ${TMP_FILE}
+ cat ${TMP_FILE} > /etc/hosts.deny
+ rm ${TMP_FILE}
+ fi
+ unlock;
+ exit 0;
+
+
+# Invalid action
 else
- echo "$0: invalid action: ${ACTION}"
-fi
+ echo "$0: invalid action: ${ACTION}"
+fi
 exit 1;
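Review bot: The duplicate check added at the top of the add branch, `IPKEY=$(grep -w "${IP}" /etc/hosts.deny)`, runs before `lock;` and always reads /etc/hosts.deny, so two concurrent responses for the same address can both pass it and append twice, and on FreeBSD — where the new entry goes to /etc/hosts.allow — it never finds an existing line. It also passes ${IP} to grep as a basic regex, so the dots of an IPv4 address match any character; `grep -F -w --` keeps the value literal and protects against a leading dash. Moving the check under the lock and choosing the file by UNAME addresses both, as sketched below; the early-exit path then has to call `unlock;` first. The delete branch's `grep -v "ALL:${IP}$"` has the same regex issue and could use `grep -v -F -x` on the full line instead of escaping the IPv6 brackets by hand, though that slightly changes which lines match and I have not verified the file format on every target.

```shell
if [ "x${ACTION}" = "xadd" ]; then
    lock;
    if [ "X$UNAME" = "XFreeBSD" ]; then
        DENY_FILE=/etc/hosts.allow
    else
        DENY_FILE=/etc/hosts.deny
    fi
    # Looking for duplication (under the lock, so a concurrent add cannot
    # slip in between the check and the append; -F keeps ${IP} literal)
    IPKEY=$(grep -F -w -- "${IP}" "${DENY_FILE}" 2>/dev/null)
    if [ ! -z "$IPKEY" ]; then
        echo "IP ${IP} already exists on host.deny..." >> ${PWD}/../logs/active-responses.log
        unlock;
        exit 1
    fi
    # … unchanged: IPv6 bracket wrapping and the append …
```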