#! /bin/bash ####################################### # This program is Free Software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ####################################### #Copyright SISalp www.sisalp.fr #par dominique.chabord@sisalp.org SISalp.org # # MY_VERSION="version 12 oct 2007" REVISION="rev. 6 may 2009-1" #idees: #option -D pour une execution en demon #option -P pour l'execution du programme WD_PROGRAM #les deux options pouvant etre combinees # rev. 5 avril 2009 : option -*b est code differemment # option -B ajoutee #WEB_SITE_BUILTIN="http://statistiques.sisalp.net/log/apache2" #LOG_PATH_BUILTIN="/home/vservers/var/vproxyweb/home/sisalpwww/www/statistiques/log/apache2" WEB_SITE_BUILTIN="http://localhost/var/log/apache2" LOG_PATH_BUILTIN="/var/log/apache2" WEB_SERVER_BUILTIN="default log file" RECHERCHE_BUILTIN="client denied by server configuration:" SEUIL_BUILTIN="1" PORTEE_BUILTIN="1" NB_TIMES_BUILTIN="3" SLEEP_TIME_BUILTIN="20" GET_LOG="/var/log/apache2" WEB_MASTER="" if [ $# = 0 ] ; then $0 --usage exit 0 fi ECHO () { case "$VERBOSE" in verbose) case "$1" in -*) echo $1 "$2" ;; *) echo "$1" ;; esac ;; esac } VERBOSE="verbose" VERBOSE_OPTION="" case "$1" in --quiet|-q) VERBOSE="quiet" VERBOSE_OPTION="-q" shift echo -n "." ;; esac #echo "WEB-DENY test `date` process : $$ commande : $0 $*" ECHO "WEB-DENY `date` process : $$ commande : $0 $*" OPTION="$1" cd WD_BASE=".web-deny" if [ ! -d "$WD_BASE" ] ; then mkdir $WD_BASE echo "Creation of $WD_BASE directory" fi LOG="/tmp/web-deny-$$.source-log" SUSPECTS="/tmp/web-deny-$$.suspects" BILAN="/tmp/web-deny-$$.bilan" # echo "`date` process : $$ commande : $0 $*" >>/tmp/web-deny.log WD_PATH="$WD_BASE/web-deny.path" WD_WEB="$WD_BASE/web-deny.web" WD_PWD="$WD_BASE/web-deny.pwd" WD_REPEAT="$WD_BASE/web-deny.repeat" WD_ALLOWED="$WD_BASE/web-deny.allowed" WD_MAIL="$WD_BASE/web-deny.mail" WD_PROGRAM="$WD_BASE/web-deny.program" WEB_SERVER="$WEB_SERVER_BUILTIN" WEB_SERVER_FILE="" if [ ! "${2}" = "-" ] ; then WEB_SERVER_FILE=".$2" WEB_SERVER="$2" fi if [ -z "$3" ] || [ "${3}" = "-" ] ; then RECHERCHE="$RECHERCHE_BUILTIN" else RECHERCHE="$3" fi if [ -z "$4" ] ; then SEUIL="$SEUIL_BUILTIN" else SEUIL="$4" fi if [ -z "$5" ] ; then PORTEE="$PORTEE_BUILTIN" else PORTEE="$5" fi if [ -f "$WD_MAIL" ] ; then WEB_MASTER=`cat $WD_MAIL` fi ACTION="research" FORMAT="vhost" TYPE="transfer" LOCATION="local" SUFFIX="" case "$1" in version|--version|-v) echo "Version du fichier $0 : $MY_VERSION $REVISION" exit 0 ;; usage|-u|--usage|-h|?|help|--help) echo "Version du fichier script : $MY_VERSION $REVISION" echo "======================= $*" echo "web-deny -h|-u" echo "web-deny -v" echo "web-deny [-q ]-za|zp|-zs|-zw|-zi|zr default_parameters" echo "web-deny [-q ]-zn name default_parameters" echo "web-deny [-q ]-zl [path_to_log_file|-]" echo "web-deny [-q ]-B address" echo "web-deny [-q ]-[r|o|g][c|m|x][a|e|t][w|p|l] web_server|- criteria threshold [path_to_log_file|name|-]" echo "web-deny [-q ]-i[c|m|x][a|e|t][w|p|l][b] web_server|- criteria threshold nb_lines_to_analyse [path_to_log_file|name|-]" echo "web-deny [-q ]-d[c|m|x][a|e|t][w|p|l][b] web_server|- criteria threshold nb_lines_to_analyse [path_to_log_file|name|- paths_to_deny_files|name|-]" echo "options" echo " h : help" echo " u : usage" echo " v : version" echo " q : quiet" echo " B : iptable rule on address" echo " r : research" echo " o : research in history" echo " g : list selected records" echo " i : filter by iptables, requires super-user priviledge" echo " d : deny by .htaccess" echo " c : log format combined" echo " m : log format common" echo " x : log format vhost" echo " a : log type access" echo " e : log type error, implies format is common, web_server is -" echo " t : log type transfer" echo " w : log located on a web server" echo " p : path to log file" echo " l : standard path to log" echo " b : repeat nb_repeat times every sleep seconds, b must be at last positon" echo " za : adds a host IP_address to allowed hosts" echo " zs : set web master's mail address" echo " zp : create a file with per-default path" echo " zw : create a file with per-default web-site" echo " zi : create a file with ids to web site" echo " zr : create a file with nb_repeat and sleep parameters, nb_repeat=0 means always" echo " zc : prints default options files" echo " zl : prints log files list" echo " options are set in the order : format, then type, then location, defaults are -rcal" echo " parameters" echo " criteria : string to identify records" echo " threshold : if this limit is reached, action is done" echo " nb_lines_to_analyse : required for -i and -d actions, only last nb_lines_to_analyse are checked" echo " [path_to_log_file] : required with p and w options," echo " with p : path to local file /foo/bar or - to use built-in path" echo " with w : path to remote file http://domaine.tld/foo/bar or - to use built-in path" echo " [paths_to_deny_files] : required with -d action, up to three paths to deny files, following .htaccess syntax" echo " Examples:" echo " /usr/local/bin/web-deny -rxtw foo 206 15 -" echo " /usr/local/bin/web-deny -dca - ' 206 ' 10 300 - /var/www/.htaccess /var/www/foo/.htaccess" echo " /usr/local/bin/web-deny -ixtp foo 403 10 300 /var/log/bar" echo " /usr/local/bin/web-deny -ixtw - ' 206 ' 10 300" exit 0 ;; -za) echo " za : adds a host IP_address to allowed hosts" echo "set allowed hosts" echo "$2" >> $WD_ALLOWED echo "check $WD_ALLOWED content :" cat $WD_ALLOWED echo "done" exit 0 ;; -zc) echo "-zc : prints default options files" echo "Hard-coded default values" echo "WEB_SITE_BUILTIN : $WEB_SITE_BUILTIN" echo "LOG_PATH_BUILTIN : $LOG_PATH_BUILTIN" echo "WEB_SERVER_BUILTIN : $WEB_SERVER_BUILTIN" echo "RECHERCHE_BUILTIN : $RECHERCHE_BUILTIN" echo "SEUIL_BUILTIN : $SEUIL_BUILTIN" echo "PORTEE_BUILTIN : $PORTEE_BUILTIN" echo "NB_TIMES_BUILTIN : $NB_TIMES_BUILTIN" echo "SLEEP_TIME_BUILTIN : $SLEEP_TIME_BUILTIN" ls -alh $WD_BASE echo "check $WD_PATH content :" cat $WD_PATH echo "check $WD_WEB content :" cat $WD_WEB echo "check $WD_PWD content :" cat $WD_PWD echo "check $WD_ALLOWED content :" cat $WD_ALLOWED echo "check $WD_REPEAT content :" cat $WD_REPEAT echo "named parameters :" cat $WD_BASE/name_* echo "done" exit 0 ;; -zi) echo " zi : create a file with ids to web site" echo "set credential access to a protected web-site" echo " --user=$2 --password=$3" > $WD_PWD echo "check $WD_PWD content :" cat $WD_PWD echo "done" exit 0 ;; -zl) echo " zl : prints log files list" if [ -f "$WD_PATH" ] ; then LOG_PATH_BUILTIN=`cat $WD_PATH` fi if [ "${2}" = "-" ] || [ -z "$2" ] ; then LOG_PATH="$LOG_PATH_BUILTIN" else LOG_PATH="$2" fi echo "log files list" ls -alh $LOG_PATH exit 0 ;; -zn) echo "set named default path" echo "$3" > $WD_BASE/name_$2 echo "check $WD_BASE/name_$2 content :" cat $WD_BASE/name_$2 echo "done" exit 0 ;; -zp) echo " zp : create a file with per-default path" echo "set default path for log files /foo/bar" echo "$2" > $WD_PATH echo "check $WD_PATH content :" cat $WD_PATH echo "done" exit 0 ;; -zr) echo " zr : create a file with nb_repeat and sleep parameters" echo "create a file with nb_repeat and sleep parameters" echo "$2 $3" > $WD_REPEAT echo "check $WD_REPEAT content :" cat $WD_REPEAT echo "done" exit 0 ;; -zs) echo "set web master mail address" echo "$2" > $WD_MAIL echo "check $WD_MAIL content :" cat $WD_MAIL echo "done" exit 0 ;; -zw) echo " zw : create a file with per-default web-site" echo "set default path web-site (http://foo)" echo "$2" > $WD_WEB echo "check $WD_WEB content :" cat $WD_WEB echo "done" exit 0 ;; -B) ADDR="$2" if [ -z "$ADDR" ] ; then echo "provide ip_address to blacklist" exit 1 else if [ -f "$WD_ALLOWED" ] && cat $WD_ALLOWED | grep -q "^$ADDR" ; then echo -n "L'adresse $ADDR est autorisee" else if /sbin/iptables-save | grep -q "s $ADDR -j DROP" ; then echo "L'adresse $ADDR est deja blacklistee par iptables" else if /sbin/iptables-save | grep -q "$ADDR" ; then echo "L'adresse $ADDR est reglementee par iptables" else /sbin/iptables -t filter -A INPUT -s $ADDR -j DROP /sbin/iptables -t filter -A FORWARD -s $ADDR -j DROP echo "BLACK : L'adresse $ADDR est dorenavant blacklistee par iptables" fi fi fi fi exit 0 ;; -*b) if [ -f "$WD_REPEAT" ] ; then NB_TIMES_BUILTIN=`cat $WD_REPEAT | cut -f1` SLEEP_TIME_BUILTIN=`cat $WD_REPEAT | cut -f2` fi if echo "$1" | grep -q "b" ; then ACTION="repeat" case "$NB_TIMES_BUILTIN" in 0) NB_TIMES_BUILTIN="999999999" #30 ans ;; esac OPTION=`echo "$1" | cut -d"b" -f1` shift $0 $VERBOSE_OPTION $OPTION "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" for (( indice = 2 ; indice <= $NB_TIMES_BUILTIN ; indice++ )) ; do sleep $SLEEP_TIME_BUILTIN $0 $VERBOSE_OPTION $OPTION "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" done exit 0 fi ;; -|-[rogid]|-[rogid][cmx]|-[rogid][aet]|-[rogid][wpl]|-[rogid][cmx][aet]|-[rogid][aet][cmx]|-[rogid][cmx][wpl]|-[rogid][aet][wpl]|-[rogid][cmx][aet][wpl]|-[rogid][aet][cmx][wpl]) #actions par defaut -rcal ACTION="research" if [ -f "$WD_PATH" ] ; then LOG_PATH_BUILTIN=`cat $WD_PATH` fi if [ -f "$WD_WEB" ] ; then WEB_SITE_BUILTIN=`cat $WD_WEB` fi if [ "${5}" = "-" ] || [ -z "$5" ] ; then WEB_SITE="$WEB_SITE_BUILTIN" LOG_PATH="$LOG_PATH_BUILTIN" else WEB_SITE="$5" LOG_PATH="$5" fi FORMAT="combined" TYPE="access" LOG_FILE="$TYPE$WEB_SERVER_FILE.log$SUFFIX" #analyse des parametres if echo "$1" | grep -q "r" ; then ACTION="research" if [ "${5}" = "-" ] || [ -z "$5" ] ; then WEB_SITE="$WEB_SITE_BUILTIN" LOG_PATH="$LOG_PATH_BUILTIN" else WEB_SITE="$5" LOG_PATH="$5" fi fi if echo "$1" | grep -q "o" ; then ACTION="research-history" SUFFIX=".1" if [ "${5}" = "-" ] || [ -z "$5" ] ; then WEB_SITE="$WEB_SITE_BUILTIN" LOG_PATH="$LOG_PATH_BUILTIN" else WEB_SITE="$5" LOG_PATH="$5" fi fi if echo "$1" | grep -q "g" ; then ACTION="list" if [ "${5}" = "-" ] || [ -z "$5" ] ; then WEB_SITE="$WEB_SITE_BUILTIN" LOG_PATH="$LOG_PATH_BUILTIN" else WEB_SITE="$5" LOG_PATH="$5" fi fi if echo "$1" | grep -q "i" ; then ACTION="iptables" if [ "${6}" = "-" ] || [ -z "$6" ] ; then WEB_SITE="$WEB_SITE_BUILTIN" LOG_PATH="$LOG_PATH_BUILTIN" else WEB_SITE="$5" LOG_PATH="$5" fi fi if echo "$1" | grep -q "d" ; then ACTION="deny" if [ "${6}" = "-" ] || [ -z "$6" ] ; then WEB_SITE="$WEB_SITE_BUILTIN" LOG_PATH="$LOG_PATH_BUILTIN" else WEB_SITE="$5" LOG_PATH="$5" fi HT_FILE=( - "$7" "$8" "$9") fi if echo "$1" | grep -q "x" ; then FORMAT="vhost" fi if echo "$1" | grep -q "c" ; then FORMAT="combined" fi if echo "$1" | grep -q "m" ; then FORMAT="common" fi if echo "$1" | grep -q "t" ; then TYPE="transfer" LOG_FILE="$TYPE$WEB_SERVER_FILE.log$SUFFIX" fi if echo "$1" | grep -q "a" ; then TYPE="access" LOG_FILE="$TYPE$WEB_SERVER_FILE.log$SUFFIX" fi if echo "$1" | grep -q "e" ; then TYPE="error" FORMAT="common" LOG_FILE="$TYPE.log$SUFFIX" fi # substitute names by paths if [ -f "$WD_BASE/name_$LOG_PATH" ] ; then LOG_PATH=`cat $WD_BASE/name_$LOG_PATH` WEB_SITE="$LOG_PATH" fi if echo "$1" | grep -q "p" ; then GET_LOG="$LOG_PATH/" fi if echo "$1" | grep -q "w" ; then LOCATION="web" LOG_FILE="$TYPE$WEB_SERVER_FILE.log$SUFFIX" IDS=`cat $WD_PWD` # echo " wget -q $WEB_SITE/$TYPE$WEB_SERVER_FILE.log$SUFFIX $IDS -O $LOG" wget -q $WEB_SITE/$TYPE$WEB_SERVER_FILE.log$SUFFIX $IDS -O $LOG else # cas p et l LOCATION="local" cat $GET_LOG$LOG_FILE > $LOG fi ;; *) echo "This combination of options is not supported, order matters" $0 --usage exit 0 ;; esac #wc -l $LOG case "$ACTION" in research|research-history) cat $LOG | grep "$RECHERCHE" > $SUSPECTS # cat -n $SUSPECTS echo "Nb d'enregistrements suspects : `wc -l $SUSPECTS`" ;; list) cat $LOG | grep "$RECHERCHE" > $SUSPECTS echo "Nb d'enregistrements suspects : `wc -l $SUSPECTS`" cat -b $SUSPECTS echo "============================================================" echo "" exit 0 ;; deny) echo "Fichiers mis a jour : ${HT_FILE[*]}" tail -n $PORTEE $LOG | grep "$RECHERCHE" > $SUSPECTS # cat -n $SUSPECTS ECHO "Nb d'enregistrements suspects : `wc -l $SUSPECTS`" if [ -z "$HT_FILE[1]" ] ; then echo "ERREUR : La liste des fichiers deny est vide, il en faut au moins un" $0 --usage exit 1 fi for (( indice = 1 ; indice <= 4; indice++ )) ; do DENYER="${HT_FILE[$indice]}" if [ ! -z "$DENYER" ] && [ ! -f "$DENYER" ] ; then echo "WARNING : Le fichier $DENYER sera eventuellement cree" fi done ;; iptables) tail -n $PORTEE $LOG | grep "$RECHERCHE" > $SUSPECTS # cat -n $SUSPECTS ECHO "Nb d'enregistrements suspects : `wc -l $SUSPECTS`" ;; *) $0 --usage exit 0 ;; esac # echo "Analyse==========================================" echo "`date` - Liste des adresses detectees pour $WEB_SERVER" > $BILAN echo "======================================================" >> $BILAN echo "$0 $*" >> $BILAN echo "======================================================" >> $BILAN case "$FORMAT" in vhost) LISTADDR=`cat $SUSPECTS | cut -d" " -f2 | sort -u` ;; combined) LISTADDR=`cat $SUSPECTS | cut -d" " -f1 | sort -u` ;; common) LISTADDR=`cat $SUSPECTS | cut -d" " -f8 | cut -d"]" -f1 | sort -u` ;; *) echo "ERROR : Format inconnu" ;; esac # echo "Liste des adresses suspectes : $LISTADDR" ECHO -n "Start:" for ADDR in $LISTADDR ; do # echo "adresse : $ADDR" if [ -f "$WD_ALLOWED" ] && cat $WD_ALLOWED | grep -q "^$ADDR" ; then ECHO -n "a" else if [ `cat $SUSPECTS | grep -c "$ADDR.*$RECHERCHE"` -ge $SEUIL ] ; then CP_LINE=`cat $SUSPECTS | grep -c "$ADDR.*$RECHERCHE"` ECHO -n "X:$CP_LINE:" FIRSTLINE=`cat $SUSPECTS | grep -m 1 "$ADDR.*$RECHERCHE"` if [ "${FORMAT}" = "vhost" ] ; then FILE=`echo "$FIRSTLINE" | cut -d" " -f8` DOMAINE=`echo "$FIRSTLINE" | cut -d" " -f1` START_DATE=`echo "$FIRSTLINE" | cut -d" " -f5` else FILE=`echo "$FIRSTLINE" | cut -d":" -f4` START_DATE=`echo "$FIRSTLINE" | cut -d"]" -f1` DOMAINE="unknown" fi echo "DETECTEE: $ADDR cible : $DOMAINE:$FILE debut : $START_DATE] $CP_LINE requetes" >> $BILAN case "$ACTION" in deny) for (( indice = 1 ; indice <= 3; indice++ )) ; do DENYER="${HT_FILE[$indice]}" if [ ! -z "$DENYER" ] ; then if [ -f $DENYER ] && cat $DENYER | grep -q "^deny from $ADDR" ; then echo "L'adresse $ADDR est deja blacklistee dans $DENYER" >> $BILAN # echo "L'adresse $ADDR est déjà blacklistée dans $DENYER" else if [ -f $DENYER ] && cat $DENYER | grep -q "^#deny from $ADDR" ; then echo "L'adresse $ADDR a ete revalidee manuellement dans $DENYER" >> $BILAN # echo "L'adresse $ADDR a été revalidée manuellement dans $DENYER" else echo "#web-deny : `date +\"%A_%x-%H:%M:%S\"` - $CP_LINE times $RECHERCHE in last $PORTEE log lines, max is $SEUIL : deny from $ADDR" >> $DENYER echo "#DETECTEE: $ADDR cible : $DOMAINE:$FILE debut : $START_DATE] $CP_LINE requetes" >> $DENYER echo "deny from $ADDR" >> $DENYER echo "BLACK : L'adresse $ADDR est dorenavant blacklistee dans $DENYER" >> $BILAN # echo "BLACK : L'adresse $ADDR est dorénavant blacklistée dans $DENYER" echo "Recherche du serveur" >> $BILAN /usr/bin/host $ADDR >> $BILAN echo "Recherche du proprietaire" >> $BILAN /usr/bin/whois $ADDR >> $BILAN fi fi fi done ;; iptables) if /sbin/iptables-save | grep -q "s $ADDR -j DROP" ; then echo "L'adresse $ADDR est deja blacklistee par iptables" >> $BILAN # echo "L'adresse $ADDR est déjà blacklistée par iptables" else if /sbin/iptables-save | grep -q "$ADDR" ; then echo "L'adresse $ADDR est reglementee par iptables" >> $BILAN # echo "L'adresse $ADDR est règlementée par iptables" else /sbin/iptables -t filter -A INPUT -s $ADDR -j DROP /sbin/iptables -t filter -A FORWARD -s $ADDR -j DROP echo "BLACK : L'adresse $ADDR est dorenavant blacklistee par iptables" >> $BILAN # echo "BLACK : L'adresse $ADDR est dorénavant blacklistée par iptables" echo "Recherche du serveur" >> $BILAN /usr/bin/host $ADDR >> $BILAN echo "Recherche du proprietaire" >> $BILAN /usr/bin/whois $ADDR >> $BILAN fi fi ;; *) ;; esac else ECHO -n "." fi fi done ECHO ":End" echo "Efficacite du filtrage en place" >> $BILAN /sbin/iptables -t filter -L -nvx >> $BILAN echo "Fin de liste --------------------------------" >> $BILAN echo "Statistiques : http://statistiques.sisalp.net" >> $BILAN if [ ! -z "$WEB_MASTER" ] && cat $BILAN | grep -q "^BLACK :" ; then cat $BILAN | mail -s "[`whoami`-`hostname`]WEB-DENY adresses blacklistees" $WEB_MASTER echo "" echo "`date` | Alerte envoyee par mail à $WEB_MASTER" case "$VERBOSE" in verbose) cat $BILAN ;; esac fi rm -f $LOG rm -f $BILAN rm -f $SUSPECTS exit 0