X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Factive-response%2Fbin%2Ffirewall-drop.sh;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Factive-response%2Fbin%2Ffirewall-drop.sh;h=0000000000000000000000000000000000000000;hp=5b5cd5309709a88e96773edd6c910c0f8cf60b20;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hpb=3f728675941dc69d4e544d3a880a56240a6e394a diff --git a/debian/ossec-hids/var/ossec/active-response/bin/firewall-drop.sh b/debian/ossec-hids/var/ossec/active-response/bin/firewall-drop.sh deleted file mode 100755 index 5b5cd53..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/firewall-drop.sh +++ /dev/null @@ -1,300 +0,0 @@ -#!/bin/sh -# Adds an IP to the iptables drop list (if linux) -# Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd) -# Adds an IP to the ipsec drop list (if aix) -# Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec -# Expect: srcip -# Author: Ahmet Ozturk (ipfilter and IPSec) -# Author: Daniel B. Cid (iptables) -# Author: cgzones -# Last modified: Oct 04, 2012 - -UNAME=`uname` -ECHO="/bin/echo" -GREP="/bin/grep" -IPTABLES="" -IP4TABLES="/sbin/iptables" -IP6TABLES="/sbin/ip6tables" -IPFILTER="/sbin/ipf" -if [ "X$UNAME" = "XSunOS" ]; then - IPFILTER="/usr/sbin/ipf" -fi -GENFILT="/usr/sbin/genfilt" -LSFILT="/usr/sbin/lsfilt" -MKFILT="/usr/sbin/mkfilt" -RMFILT="/usr/sbin/rmfilt" -ARG1="" -ARG2="" -RULEID="" -ACTION=$1 -USER=$2 -IP=$3 -PWD=`pwd` -LOCK="${PWD}/fw-drop" -LOCK_PID="${PWD}/fw-drop/pid" -IPV4F="/proc/sys/net/ipv4/ip_forward" -IPV6F="/proc/sys/net/ipv6/conf/all/forwarding" - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -filename=$(basename "$0") - -LOG_FILE="${PWD}/../logs/active-responses.log" - -echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - - -# Checking for an IP -if [ "x${IP}" = "x" ]; then - echo "$0: " - exit 1; -fi - -case "${IP}" in - *:* ) IPTABLES=$IP6TABLES;; - *.* ) IPTABLES=$IP4TABLES;; - * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;; -esac - -# This number should be more than enough (even if a hundred -# instances of this script is ran together). If you have -# a really loaded env, you can increase it to 75 or 100. -MAX_ITERATION="50" - -# Lock function -lock() -{ - i=0; - # Providing a lock. - while [ 1 ]; do - mkdir ${LOCK} > /dev/null 2>&1 - MSL=$? - if [ "${MSL}" = "0" ]; then - # Lock acquired (setting the pid) - echo "$$" > ${LOCK_PID} - return; - fi - - # Getting currently/saved PID locking the file - C_PID=`cat ${LOCK_PID} 2>/dev/null` - if [ "x" = "x${S_PID}" ]; then - S_PID=${C_PID} - fi - - # Breaking out of the loop after X attempts - if [ "x${C_PID}" = "x${S_PID}" ]; then - i=`expr $i + 1`; - fi - - sleep $i; - - i=`expr $i + 1`; - - # So i increments 2 by 2 if the pid does not change. - # If the pid keeps changing, we will increments one - # by one and fail after MAX_ITERACTION - - if [ "$i" = "${MAX_ITERATION}" ]; then - kill="false" - for pid in `pgrep -f "${filename}"`; do - if [ "x${pid}" = "x${C_PID}" ]; then - # Unlocking and exiting - kill -9 ${C_PID} - echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE} - kill="true" - unlock; - i=0; - S_PID=""; - break; - fi - done - - if [ "x${kill}" = "xfalse" ]; then - echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE} - # Unlocking and exiting - unlock; - exit 1; - fi - fi - done -} - -# Unlock function -unlock() -{ - rm -rf ${LOCK} -} - - - -# Blocking IP -if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then - echo "$0: invalid action: ${ACTION}" - exit 1; -fi - - - -# We should run on linux -if [ "X${UNAME}" = "XLinux" ]; then - if [ "x${ACTION}" = "xadd" ]; then - ARG1="-I INPUT -s ${IP} -j DROP" - ARG2="-I FORWARD -s ${IP} -j DROP" - else - ARG1="-D INPUT -s ${IP} -j DROP" - ARG2="-D FORWARD -s ${IP} -j DROP" - fi - - # Checking if iptables is present - if [ ! -x ${IPTABLES} ]; then - IPTABLES="/usr"${IPTABLES} - if [ ! -x ${IPTABLES} ]; then - echo "$0: can not find iptables" - exit 0; - fi - fi - - # Executing and exiting - COUNT=0; - lock; - while [ 1 ]; do - ${IPTABLES} ${ARG1} - RES=$? - if [ $RES = 0 ]; then - break; - else - COUNT=`expr $COUNT + 1`; - echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - sleep $COUNT; - - if [ $COUNT -gt 4 ]; then - break; - fi - fi - done - - COUNT=0; - while [ 1 ]; do - # - # Looking for IPV4 and IPV6 FORWARD - # - if [ -e "$IPV4F" ] - then - IPV4KEY="$(cat "$IPV4F")" - else - IPV4KEY="0" - fi - if [ -e "$IPV6F" ] - then - IPV6KEY="$(cat "$IPV6F")" - else - IPV6KEY="0" - fi - - if [ "$IPV4KEY" = "0" ] && [ "$IPV6KEY" = "0" ] - then - break - fi - - ${IPTABLES} ${ARG2} - RES=$? - if [ $RES = 0 ]; then - break; - else - COUNT=`expr $COUNT + 1`; - echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - sleep $COUNT; - - if [ $COUNT -gt 4 ]; then - break; - fi - fi - done - unlock; - - exit 0; - -# FreeBSD, SunOS or NetBSD with ipfilter -elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then - - # Checking if ipfilter is present - ls ${IPFILTER} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - # Checking if echo is present - ls ${ECHO} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - if [ "x${ACTION}" = "xadd" ]; then - ARG1="\"@1 block out quick from any to ${IP}\"" - ARG2="\"@1 block in quick from ${IP} to any\"" - IPFARG="${IPFILTER} -f -" - else - ARG1="\"@1 block out quick from any to ${IP}\"" - ARG2="\"@1 block in quick from ${IP} to any\"" - IPFARG="${IPFILTER} -rf -" - fi - - # Executing it - eval ${ECHO} ${ARG1}| ${IPFARG} - eval ${ECHO} ${ARG2}| ${IPFARG} - - exit 0; - -# AIX with ipsec -elif [ "X${UNAME}" = "XAIX" ]; then - - # Checking if genfilt is present - ls ${GENFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - # Checking if lsfilt is present - ls ${LSFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - # Checking if mkfilt is present - ls ${MKFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - # Checking if rmfilt is present - ls ${RMFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - if [ "x${ACTION}" = "xadd" ]; then - ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\"" - #Add filter to rule table - eval ${GENFILT} ${ARG1} - - #Deactivate and activate the filter rules. - eval ${MKFILT} -v 4 -d - eval ${MKFILT} -v 4 -u - else - # removing a specific rule is not so easy :( - eval ${LSFILT} -v 4 -O | ${GREP} ${IP} | - while read -r LINE - do - RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"` - let RULEID=${RULEID}+1 - ARG1=" -v 4 -n ${RULEID}" - eval ${RMFILT} ${ARG1} - done - #Deactivate and activate the filter rules. - eval ${MKFILT} -v 4 -d - eval ${MKFILT} -v 4 -u - fi - -else - exit 0; -fi