#! /bin/bash
#######################################
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
#######################################
#Copyright 2007-today SISalp www.sisalp.fr
#par dominique.chabord@sisalp.org SISalp.org
#
#
# Identification strings printed by --version and --help.
MY_VERSION="version 8 may 2024"
REVISION="rev. 8 may 2024-0"
# Timestamp taken once at start-up; every message of this run reuses it.
DATE_TIME=$(date +%A_%x-%H-%M-%S)
W2bBase="/usr/local/etc/web2ban"
CURRENTUSER=$(whoami)
LogStatus="OK"
# Make sure the web2ban directory and its parent exist before anything
# tries to read or write the files kept there.
[ -d /usr/local/etc/ ] || mkdir /usr/local/etc/
if ! [ -d "$W2bBase" ] ; then
	mkdir "$W2bBase"
	echo "web2ban|$DATE_TIME|MSG|$LINENO|Creation of $W2bBase directory"
fi
#------------------------------------------------------------------------------
#StartConfig
#------------------------------------------------------------------------------
#Adapt following values to your context in /usr/local/etc/web2ban/web2ban.conf
#
# URL fetched by "web2ban --update" to replace the installed script.
# NOTE(review): this is a plain-http URL and nothing in this script
# authenticates the downloaded file before it is installed and run as root;
# point it at an https source you trust, or do not use --update.
download_source="http://download.sisalp.net/scripts/web2ban"
# Directory holding the configuration and the address lists below.
W2bBase="/usr/local/etc/web2ban"
W2bConf="$W2bBase/web2ban.conf"
W2bAllowed="$W2bBase/web2ban.allowed"
W2bMaster="$W2bBase/web2ban.mail"
W2bBanned="$W2bBase/web2ban.banned"
W2bWelcome="$W2bBase/web2ban.welcome"
# NOTE(review): the log and the two loop flags default to fixed names in /tmp.
# The script appends to and truncates the log, and the mere existence of the
# stop flag ends a running --loop, so anyone able to create files in /tmp can
# interfere with them; consider moving all three to a root-only directory.
W2bLog="/tmp/web2ban.log"
W2bLoopingFlag="/tmp/web2ban.looping.flag"
W2bLoopStopFlag="/tmp/web2ban.loop.stop.flag"
W2bVerbose="Quiet"
#W2bVerbose : Quiet|Verbose
W2bNoise="Silent"
#W2bNoise : Noisy|Silent
# Default pause, in seconds, between two iterations of --loop.
DefNapTime="21"
# Default command run by --loop. The file named after --script is sourced by
# the script, i.e. executed as shell code: keep it writable by root only.
DefInstruction="--script /usr/local/etc/web2ban/web2ban.actions.list"
W2bModeConf="$W2bBase/web2ban.mode.conf"
# Mode used until "web2ban --enable" writes "enabled" into W2bModeConf.
W2bMode="disabled"
#------------------------------------------------------------------------------
#EndConfig
#------------------------------------------------------------------------------
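# Load the site configuration when it exists; otherwise create it from the
# defaults above by copying the section of this very script that lies between
# the "#StartConfig" and "#EndConfig" marker lines.
# NOTE(review): the configuration is sourced, so whatever it contains runs
# with the rights of the caller (normally root); it must stay owned by root
# and not writable by anyone else.
if [ -f "$W2bConf" ] ; then
	. "$W2bConf"
else
	# Create the file under a restrictive umask so that it is never
	# accessible to other users, not even before chmod has run.
	(
		umask 077
		grep -m 1 -B 100 "#EndConfig" "$0" | grep -A 100 "#StartConfig" > "$W2bConf"
	)
	chmod 700 "$W2bConf"
fi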
#-------------------------------------------------------------------------
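MESSAGE ()
#-------------------------------------------------------------------------
# Append a one-character progress marker or a full message line to the log.
# Arguments:
#   $1    - marker. "!" always writes the full line. "?" writes nothing when
#           W2bVerbose is Quiet. Any other value is appended as-is, without a
#           newline, when W2bVerbose is Quiet or when no text follows.
#   $2... - message text (optional); with any W2bVerbose other than Quiet it
#           is written as a full line.
# Globals read: W2bLog, W2bVerbose, W2bBase, HOSTNAME, DATE_TIME
# Outputs: an empty line on stdout before a full line when markers were
#          written since the previous full line (this state is shared by all
#          web2ban processes through a small flag file).
#
# Security: the flag used to be /tmp/web2ban.line_return and was *sourced*.
# Any local user could create that file first and have its content executed
# by whoever ran web2ban, normally root. The flag now lives in the web2ban
# directory and is only ever read as data.
{
	local msg_state="${W2bBase:-/usr/local/etc/web2ban}/web2ban.line_return"
	local msg_pending=""
	local msg_mode="line"
	short="$1"
	shift
	long="$*"
	if [ -f "$msg_state" ] ; then
		# Plain read: the content is compared, never evaluated.
		IFS= read -r msg_pending < "$msg_state"
	fi
	# Decide what to write: a full line, a bare marker, or nothing.
	if [[ "$short" != "!" ]] ; then
		if [ -z "$long" ] ; then
			msg_mode="marker"
		elif [ "$W2bVerbose" = "Quiet" ] ; then
			if [[ "$short" == "?" ]] ; then
				msg_mode="none"
			else
				msg_mode="marker"
			fi
		fi
	fi
	case "$msg_mode" in
	line)
		# Close the run of markers before starting a full line.
		if [ "$msg_pending" = "pending" ] ; then
			echo ""
		fi
		echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|$long"	>> "$W2bLog"
		echo "clean"	> "$msg_state"
		;;
	marker)
		printf '%s' "$short"	>> "$W2bLog"
		echo "pending"	> "$msg_state"
		;;
	esac
}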
#------------------------------------------------------------------------------
EXIT ()
#------------------------------------------------------------------------------
# Terminate the script.
# Arguments:
#   $1 - line number of the call site (callers pass $LINENO)
#   $2 - status: "0" ends silently with exit status 0; anything else reports
#        the call site through MESSAGE and ends with exit status 1
# AllParameters is not assigned anywhere in the visible part of this file, so
# it presumably expands to nothing here.
{
	if [ "$2" = "0" ] ; then
		#MESSAGE $1 --- web2ban $AllParameters exit OK line $1 in ${FUNCNAME[*]}
		exit 0
	fi
	MESSAGE $1 !!! web2ban $AllParameters exit on bad condition line $1 in ${FUNCNAME[*]}
	exit 1
}
#-------------------------------------------------------------------------
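CHECK_IP ()
#-------------------------------------------------------------------------
# Tell whether $1 is a dotted-quad IPv4 address.
# Arguments: $1 - candidate address
# Returns:   0 when $1 is exactly four dot-separated decimal fields, each in
#            0..255 and written without a leading zero; 1 otherwise.
#
# This is the only check between values read from command lines or log files
# and the iptables calls, so it has to reject everything else. The previous
# version looked at the first four fields only: a value with extra trailing
# fields was accepted and handed to iptables, which may treat such a string as
# a host name. It also returned $LINENO on failure, which is taken modulo 256
# by the shell and would read as success on a line numbered 256, 512, ...
{
	local full_ip="$1"
	local ci_field
	case "$full_ip" in
	""|*[!0-9.]*|.*|*.|*..*)
		# empty, a character other than digit or dot, or an empty field
		return 1
		;;
	esac
	# Only digits and dots are left: splitting on dots is safe.
	local IFS=.
	set -- $full_ip
	if [ "$#" -ne 4 ] ; then
		return 1
	fi
	for ci_field in "$@" ; do
		case "$ci_field" in
		[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])
			;;
		*)
			return 1
			;;
		esac
	done
	return 0
}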
#-------------------------------------------------------------------------
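GET_SUSPECTS ()
#-------------------------------------------------------------------------
# Select the suspect lines among the last NbLines lines of LogFile.
# A line is suspect when it matches SearchedString and none of the strings
# listed in the W2bWelcome file (when that file exists and is not empty).
# Globals read: W2bWelcome, NbLines, LogFile, SearchedString
# Globals set:  WelcomeList, Suspects, NbSuspects, FirstSuspect
#
# The log is read once and the count and first line are derived from that
# single snapshot. Reading it three times, as before, could give three
# different answers while the web server keeps writing to the file.
# Both patterns are basic regular expressions, as before.
{
	if [ -f "$W2bWelcome" ] ; then
		# join the welcome strings with \| so grep treats them as alternatives
		separate="\\\|"
		WelcomeList=$(xargs < "$W2bWelcome" | sed "s/ /$separate/g")
	else
		WelcomeList=""
	fi
	if [ -n "$WelcomeList" ] ; then
		Suspects=$(tail -n "$NbLines" "$LogFile" | grep -v -e "$WelcomeList" | grep -e "$SearchedString")
	else
		Suspects=$(tail -n "$NbLines" "$LogFile" | grep -e "$SearchedString")
	fi
	if [ -z "$Suspects" ] ; then
		NbSuspects=0
		FirstSuspect=""
	else
		NbSuspects=$(printf '%s\n' "$Suspects" | grep -c '')
		FirstSuspect=$(printf '%s\n' "$Suspects" | head -n 1)
	fi
}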
#-------------------------------------------------------------------------
LOG_FILLER ()
#-------------------------------------------------------------------------
# Append one summary line, then as many filler lines as there were matches,
# to a file.
# Arguments:
#   $1    - file to append to
#   $2    - number of lines that were analysed
#   $3    - number of matches found (also the number of filler lines written)
#   $4    - threshold
#   $5... - searched string
# NOTE(review): the callers in this script pass the monitored log file as $1,
# so these lines end up in that log, presumably to push the matched lines out
# of the window analysed on the next run. Confirm this is intended: every
# other consumer of that log sees the added lines too.
{
	lf_file="$1"
	lf_lines="$2"
	lf_found="$3"
	lf_max="$4"
	# everything after the fourth argument, joined with spaces
	lf_rest="${*:5}"
	lf_start_string=$(echo "$lf_rest" | cut -b1)
	lf_string=$(echo "$lf_rest" | cut -b2-)
	echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO| searched string <$lf_start_string><$lf_string> is found $lf_found times, more than or equal $lf_max times in last $lf_lines lines of $lf_file file" >> $lf_file
	indval=1
	while (( indval <= $lf_found )) ; do
		echo "web2ban log filler $indval/$lf_found" >> $lf_file
		(( indval++ ))
	done
}
#-------------------------------------------------------------------------
LOG_LEGEND ()
#-------------------------------------------------------------------------
# Print the meaning of the one-character markers found in the log:
# an empty line, then one "marker:<TAB>meaning" row per marker.
{
	printf '\n'
	# the format is reused for each marker/meaning pair
	printf '%s:\t%s\n' \
		'\' 'new iteration with option --loop' \
		'/' 'paced repetition with option --loop' \
		'+' 'check not welcome strings with option --not_welcome' \
		';' 'Some addresses are suspected with option --not_welcome' \
		'.' 'no suspected string over threshold with option --deny' \
		':' 'Some addresses are suspected with option --deny' \
		'a' 'Address is authorized with option --ban'
}
#-------------------------------------------------------------------------
MAIL ()
#-------------------------------------------------------------------------
# Hand a message over to the local spool helper.
# Arguments, as passed by the callers in this script:
#   content:<file> to:<address> subject:<text>
# NOTE(review): $* is left unquoted, as before, so a subject containing spaces
# reaches the helper as several words and every word goes through pathname
# expansion. Whether the helper relies on that cannot be told from this file;
# confirm before quoting.
{
	local spool_helper="/usr/local/bin/spool"
	"$spool_helper" --push mail $* - spooled
}
#-------------------------------------------------------------------------
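SEND_MAIL ()
#-------------------------------------------------------------------------
# Mail the part of the log that concerns the address just banned to every
# web master. Does nothing unless W2bNoise is "Noisy" and the web master
# list exists.
# Globals read: W2bNoise, W2bMaster, W2bLog, IpBanned, HOSTNAME, CURRENTUSER
# Globals set:  MailToList; LogStatus becomes "ERROR" when the extract
#               contains the word ERROR
# Returns: 1 when no private temporary directory could be created.
#
# The extract is written inside a directory created by mktemp instead of the
# predictable /tmp/w2b.extract.<pid>.text, which another local user could
# have prepared in advance (for instance as a symbolic link). The address is
# searched as a fixed string, so its dots no longer match any character.
{
	local sm_dir sm_extract master
	[ "$W2bNoise" = "Noisy" ] || return 0
	[ -f "$W2bMaster" ] || return 0
	MailToList=$(xargs < "$W2bMaster")
	if grep -F -A 25 -- "$IpBanned" "$W2bLog" | grep "ERROR" > /dev/null 2>&1 ; then
		LogStatus="ERROR"
	fi
	sm_dir=$(mktemp -d) || return 1
	sm_extract="$sm_dir/w2b.extract.text"
	for master in $MailToList ; do
		grep -F -A 25 -- "$IpBanned" "$W2bLog" > "$sm_extract"
		MAIL "content:$sm_extract" "to:$master" "subject:[$HOSTNAME-$CURRENTUSER] $LogStatus Web2Ban $IpBanned est dorenavant bannie"
	done
	rm -rf -- "$sm_dir"
}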
#-------------------------------------------------------------------------
# Called without any argument: show the help text and stop.
if [ "$#" -eq 0 ] ; then
	$0 --help
	exit 0
fi
#MESSAGE "!" "web2ban `date` process : $$ commande : $0 $*"
COMMAND="$1"
shift
# --disable and --enable are served first, so that they work whatever the
# current mode is. Both leave through EXIT.
if [[ "$COMMAND" == "--disable" || "$COMMAND" == "disable" || "$COMMAND" == "-D" ]] ; then
	# the stop flag asks a running --loop to end
	echo "please stop looping" >  $W2bLoopStopFlag
	echo "disabled" > $W2bModeConf
	EXIT $LINENO 0
elif [[ "$COMMAND" == "--enable" || "$COMMAND" == "enable" || "$COMMAND" == "-E" ]] ; then
	rm -f  $W2bLoopStopFlag
	echo "enabled" > $W2bModeConf
	EXIT $LINENO 0
fi
# The recorded mode, when there is one, replaces the configured default.
if [ -f $W2bModeConf ] ; then
	W2bMode=$(cat $W2bModeConf)
fi
# Every other command is refused while web2ban is disabled.
if [ "$W2bMode" = "disabled" ] ; then
	echo "$0 is disabled, consider web2ban --enable"
	EXIT $LINENO 0
fi

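#-------------------------------------------------------------------------
IS_LISTED ()
#-------------------------------------------------------------------------
# Return 0 when file $2 exists and the first whitespace-separated field of
# one of its lines is exactly $1, 1 otherwise.
# Replaces the former  grep -q "^$value"  tests, which treated the value as
# a regular expression and as a prefix: 10.0.0.1 was found in a list that
# only held 10.0.0.10, so an address could wrongly be taken for allowed.
{
	[ -f "$2" ] || return 1
	w2b_wanted="$1" awk '($1 "") == ENVIRON["w2b_wanted"] { found = 1 ; exit } END { exit !found }' "$2"
}
#-------------------------------------------------------------------------
RELEASE_IP ()
#-------------------------------------------------------------------------
# Delete the netfilter rules that mention address $1 (shared by --allow and
# --forgive, which used to carry two copies of this code).
# The address is matched as a whole word and as a fixed string, so releasing
# 1.2.3.4 no longer touches the rules of 1.2.3.40 or 11.2.3.4. Rules are
# deleted from the highest number down, because deleting a rule renumbers
# the ones that follow it.
{
	local ri_ip="$1"
	local ri_chain ri_rule
	for ri_chain in `iptables-save | grep -wF -- "$ri_ip" | cut -d" " -f2 | sort -u` ; do
		for ri_rule in `iptables -L "$ri_chain" --line-numbers --numeric | grep -wF -- "$ri_ip" | cut -d" " -f1 | sort -rn` ; do
			iptables -D "$ri_chain" "$ri_rule"
		done
		echo "Address $ri_ip is no longer controlled by netfilter in $ri_chain table"
	done
}
# Command dispatch. COMMAND holds the first argument of the script, the
# remaining ones are still in "$@".
case "$COMMAND" in
--version|version|-v)
	echo "Version du fichier $0 : $MY_VERSION $REVISION"
	;;
--update|update|-u)
	case "$CURRENTUSER" in
	root)
		$0 --version
		# The new version is downloaded to a temporary file next to the
		# installed script and only replaces it when the download
		# succeeded, is not empty and passes a shell syntax check. The
		# former sequence moved the running script away first and could
		# lose it when $0 was not in /usr/local/bin.
		# NOTE(review): the syntax check is not an integrity check.
		# Nothing here proves the file comes from its author; that
		# needs an https source or a published signature or checksum,
		# none of which is visible in this file.
		NewScript=`mktemp "$0.new.XXXXXX"`
		if [ -z "$NewScript" ] ; then
			echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|cannot create a temporary file next to $0"
			exit 1
		fi
		if wget -q -O "$NewScript" "$download_source" && [ -s "$NewScript" ] && bash -n "$NewScript" ; then
			diff "$0" "$NewScript"
			chmod 755 "$NewScript"
			mv -f "$NewScript" "$0"
			$0 --version
		else
			echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|cannot download new version of $0 from $download_source"
			rm -f "$NewScript"
		fi
		exit 0
		;;
	*)
		echo "web2ban|$HOSTNAME|$HOSTNAME|$DATE_TIME|MSG|$LINENO|You must get administration priviledges root to succeed, please consider sudo"
		exit 1
		;;
	esac
	;;
# NOTE(review): the unquoted ? below is a pattern, so any one-character
# command ends up here, not only a literal question mark.
--help|help|-h|?)
	echo "Version of Web2Ban script : $MY_VERSION $REVISION"
	echo "======================= $*"
	echo ""
	echo "web2ban requires root rights"
	echo ""
	echo "web2ban -h|?|help|--help"
	echo "web2ban -v|version|--version"
	echo "web2ban -u|update|--update"
	echo ""
	echo "web2ban -B|background|--background nap_time web2ban_command_and_arguments"
	echo "web2ban -D|disable|--disable"
	echo "web2ban -E|enable|--enable"
	echo "web2ban -L|loop|--loop		nap_time web2ban_command_and_arguments # repeat every nap_time seconds"
	echo "web2ban -S|loop_stop|--loop_stop"
	echo "web2ban -T|loop_status|--loop_status"
	echo ""
	echo "web2ban -a|allow|--allow	[-reset|list_of_ip_addresses]"
	echo "web2ban -b|ban|--ban		[list_of_ip_addresses [ : comment]]"
	echo "web2ban -c|config|--config"
	echo "web2ban -ce|config_edit|--config_edit"
	echo "web2ban -cr|config_reset|--config_reset"
	echo "web2ban -d|deny|--deny		threshold nb_lines_to_analyse /path_to_log_file vhost|combined|common searched_string"
	echo "web2ban -fe|forget|--forget"
	echo "web2ban -fi|forgive|--forgive|--unban|unban	list_of_ip_addresses"
	echo "web2ban -li|live|--live"
	echo "web2ban -lo|log|--log"
	echo "web2ban -m|mail|--mail		[-reset|-test|list_of_mail_addresses] # set web master's mail address"
	echo "web2ban -n|not_welcome|--not_welcome	threshold nb_lines_to_analyse /path_to_log_file vhost|combined|common /path_to_file_of_searched_strings"
	echo "web2ban -rem|remember|--remember"
	echo "web2ban -r|report|--report	#send log file to mail_address"
	echo "web2ban -s|script|--script	/path_to_script_file"
	echo "web2ban -w|watch|--watch		threshold nb_lines_to_analyse /path_to_log_file vhost|combined|common searched_string"
	echo "web2ban -wh|whois|--whois		list_of_ip_addresses"
	echo ""
	echo "Example:"
	echo "web2ban --loop 10 60 --script /root/script_file"
	echo "Example of content of /root/script_file:"
	echo "web2ban --deny 100 300 /var/lib/vz/private/110/var/log/apache2/transfer.download.log combined \" 206 \""
	echo ""
	echo " Configuration file is $W2bConf"
	echo "Log file is $W2bLog"
	echo "======================="
	;;
--allow|allow|-a)
	# Without argument: list the allowed addresses. With -reset: empty the
	# list. Otherwise: add each valid address to the list and remove the
	# netfilter rules that mention it.
	ListOfIps="$*"
	if [ -z "$ListOfIps" ] ; then
		if [ -f $W2bAllowed ] ; then
			echo "Allowed ips:"
			cat $W2bAllowed
		else
			echo "No allowed ip"
		fi
	else
		case "$ListOfIps" in
		-reset)
			rm -f $W2bAllowed
			;;
		*)
			for IpAllowed in $ListOfIps ; do
				if CHECK_IP "$IpAllowed" ; then
					if IS_LISTED "$IpAllowed" "$W2bAllowed" ; then
						echo "L'adresse $IpAllowed est deja autorisee"
					else
						echo "$IpAllowed" >> $W2bAllowed
					fi
					RELEASE_IP "$IpAllowed"
				else
					echo "$IpAllowed is not a valid ip"
				fi
			done
			;;
		esac
	fi
	;;
#------------------------------------------------------------------------------
--background|background|-B)
#------------------------------------------------------------------------------
	# Start "--loop nap_time command" detached from the terminal, unless a
	# loop already shows up in the process list.
	echo "$LINENO --backgroung Process activation"
	Nap="$1"
	shift
	Instruction="$*"
	runningprocesses=`ps axo cmd`
	if echo "$runningprocesses" | grep 'web2ban' | grep -q 'loop' ; then
		MESSAGE "$LINENO --backgroung Process loop is running, consider --loop_stop for a graceful stop"
		echo "Process loop is running, consider --loop_stop for a graceful stop"
		EXIT $LINENO 0
	else
		if [ ! -f $W2bLoopingFlag ] ; then
			echo "web2ban background task started at `date`" > $W2bLoopingFlag
		fi
		if [ -z "$Nap" ] ; then
			Nap="$DefNapTime"
		fi

		# The test used to look at DefInstruction itself, so the default
		# was never applied here; --loop tests Instruction, as below.
		if [ -z "$Instruction" ] ; then
			Instruction="$DefInstruction"
		fi
		nohup $0 --loop $Nap $Instruction >> $W2bLog 2>&1 &
		MESSAGE "B" "Loop is started --loop, use $0 --loop_stop for a graceful stop"
		echo "Loop is started --loop, use $0 --loop_stop for a graceful stop"
	fi
	;;
#------------------------------------------------------------------------------
--ban|ban|-b)
	# Arguments: list of addresses, optionally followed by " : comment".
	# Each valid address that is neither allowed nor already present in the
	# netfilter rules gets a DROP rule in INPUT and FORWARD.
	# The comment may quote a line of the monitored log, i.e. text chosen by
	# a remote client; it is only ever written out, never evaluated.
	ListOfIps=`echo "$*" | cut -d: -f1`
	case "$*" in
	*:*)
		BanComment=`echo "$*" | cut -d: -f2-`
		;;
	*)
		BanComment=""
		;;
	esac
	if [ -z "$ListOfIps" ] ; then
		if [ -f $W2bBanned ] ; then
			echo "Banned ips:"
			cat $W2bBanned
		else
			echo "No banned ip"
		fi
	else
		for IpBanned in $ListOfIps ; do
			if CHECK_IP "$IpBanned" ; then
				if IS_LISTED "$IpBanned" "$W2bAllowed" ; then
					MESSAGE "a" "L'adresse $IpBanned est autorisee"
				else
					# whole-word, fixed-string match: an existing rule
					# for 1.2.3.40 must not hide the fact that 1.2.3.4
					# has no rule yet
					if /sbin/iptables-save | grep -qwF -- "$IpBanned" ; then
						MESSAGE "?" "L'adresse $IpBanned est deja reglementee par iptables"
					else
						/sbin/iptables -t filter -A INPUT -s "$IpBanned" -j DROP
						/sbin/iptables -t filter -A FORWARD -s "$IpBanned" -j DROP
						MESSAGE "!" "L'adresse $IpBanned est dorenavant bannie par iptables $BanComment"
						echo "$IpBanned	$DATE_TIME	$BanComment"	>> $W2bBanned
						SEND_MAIL
					fi
				fi
			else
				echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|provide only valid ip_addresses to ban, is $IpBanned"
			fi
		done
	fi
	;;
--config|config|-c)
	cat $W2bConf
	;;
--config_edit|config_edit|-ce)
	case "$CURRENTUSER" in
	root)
		nano $W2bConf
		;;
	*)
		echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|You must get administration priviledges root to succeed, please consider sudo"
		exit 1
		;;
	esac
	;;
--config_reset|config_reset|-cr)
	case "$CURRENTUSER" in
	root)
		rm $W2bConf
		;;
	*)
		echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|You must get administration priviledges root to succeed, please consider sudo"
		exit 1
		;;
	esac
	;;

--deny|deny|-d)
	#echo "web2ban --deny threshold nb_lines_to_analyse path_to_log_file vhost|combined|common searched_string"
	# Ban every address that appears at least Threshold times among the
	# suspect lines of the last NbLines lines of LogFile.
	# The addresses are cut out of log lines, so they are only as reliable
	# as the chosen LogFormat; --ban validates each of them with CHECK_IP.
	Threshold="$1"
	shift
	NbLines="$1"
	shift
	LogFile="$1"
	shift
	LogFormat="$1"
	shift
	SearchedString="$*"
	GET_SUSPECTS
	if [ "$NbSuspects" -ge "$Threshold" ] ; then
		LOG_FILLER $LogFile $NbLines $NbSuspects $Threshold "$SearchedString"
		case "$LogFormat" in
		vhost)
			IpList=`echo "$Suspects" | cut -d" " -f2 | sort -u | xargs`
			;;
		combined)
			IpList=`echo "$Suspects" | cut -d" " -f1 | sort -u | xargs`
			;;
		common)
			IpList=`echo "$Suspects" | cut -d" " -f8 | cut -d"]" -f1 | sort -u | xargs`
			;;
		*)
			echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|ERROR : Format du fichier log inconnu"
			;;
		esac
		MESSAGE ":" "Liste des adresses suspectes : $IpList"
		MESSAGE "?" "SearchedString ---$SearchedString--- Nb d'enregistrements suspects $NbSuspects dans les $NbLines lignes de $LogFile"
		for NastyIp in $IpList ; do
			if IS_LISTED "$NastyIp" "$W2bAllowed" ; then
				echo "L'adresse $NastyIp est autorisee"
			else
				# count this address only: whole word, fixed string, so
				# the hits of 1.2.3.40 are not added to those of 1.2.3.4
				NbSuspects=`echo "$Suspects" | grep -c -wF -- "$NastyIp"`
				if [ "$NbSuspects" -ge "$Threshold" ] ; then
					#MESSAGE "!" "ban address : $NastyIp for $NbSuspects attempts"
					$0 --ban $NastyIp : "SearchedString ---$SearchedString--- Nb d'enregistrements suspects $NbSuspects dans les $NbLines lignes de $LogFile, premiere anomalie: $FirstSuspect"
				else
					MESSAGE "?" "suspect address : $NastyIp for $NbSuspects attempts"
				fi
			fi
		done
	else
		MESSAGE "." "no suspected string over threshold with option --deny"
	fi
	;;
--forget|forget|-fe)
	# Forgive every address that has a "-A INPUT -s ... -j DROP" rule, then
	# archive the list of banned addresses.
	# NOTE(review): the selection is made on the shape of the rule only, so
	# DROP rules that were not created by web2ban look the same to it.
	ListOfIps=`iptables-save | grep "^-A INPUT -s" | grep " -j DROP$" |cut -d's' -f2 | cut -d/ -f1 | xargs`
	#echo "$ListOfIps"
	$0 --forgive $ListOfIps
	if [ -f $W2bBanned ] ; then
		cat $W2bBanned >> $W2bBanned.old
		rm -f $W2bBanned
	fi
	;;
--forgive|forgive|--unban|unban|-fi)
	# Remove the netfilter rules that mention each valid address given.
	ListOfIps="$*"
	for IpAllowed in $ListOfIps ; do
		if CHECK_IP "$IpAllowed" ; then
			RELEASE_IP "$IpAllowed"
		else
			echo "$IpAllowed is not a valid ip"
		fi
	done
	;;
--live|live|-li)
	LOG_LEGEND
	tail -f $W2bLog
	;;
--log|log|-lo)
	LOG_LEGEND
	cat $W2bLog
	;;
#------------------------------------------------------------------------------
--loop|loop|-L)
#------------------------------------------------------------------------------
	# Run "web2ban Instruction" every Nap seconds until the stop flag file
	# exists, then remove both flag files.
	Nap="$1"
	shift
	Instruction="$*"
	if [ -z "$Nap" ] ; then
		Nap="$DefNapTime"
	fi

	if [ -z "$Instruction" ] ; then
		Instruction="$DefInstruction"
	fi
	MESSAGE "\\" "new iteration with option --loop"
	while [ ! -f  $W2bLoopStopFlag ] ; do
		$0 $Instruction
		MESSAGE "/" "paced repetition with option --loop"
		sleep $Nap
	done
	rm -f $W2bLoopStopFlag
	rm -f $W2bLoopingFlag
	MESSAGE "S" "$LINENO LOOP_STATUS Execution loop is stopped, use $0 --background to restart this loop"

	;;
#------------------------------------------------------------------------------
--loop_stop|loop_stop|-S)
#------------------------------------------------------------------------------
	# Ask a running loop to stop by creating the stop flag file.
	WORKINGPROCESS=`/bin/ps axo pid,cmd | grep "$0"`
	if echo "$WORKINGPROCESS" | grep "web2ban"| grep "loop" 2>/dev/null ; then
		echo "Process loop is invited to stop"
		echo "please stop looping" >  $W2bLoopStopFlag
	else
		echo "Process loop is already stopped"
		rm -f  $W2bLoopStopFlag
	fi
	;;
#------------------------------------------------------------------------------
--loop_status|loop_status|-T)
#------------------------------------------------------------------------------
	WORKINGPROCESS=`/bin/ps axo pid,cmd | grep "$0"`
	#echo "$WORKINGPROCESS"
	if echo "$WORKINGPROCESS" | grep -q "loop" 2>/dev/null ; then
		echo "Process loop is looping"
	else
		echo "Process loop is not looping"
	fi
	if [ -f $W2bLoopingFlag ] ; then
		cat $W2bLoopingFlag
	fi
	if [ -f $W2bLoopStopFlag ] ; then
		echo "Process loop is invited to stop"
	fi
	;;
#------------------------------------------------------------------------------
--mail|mail|-m)
	# Without argument: list the web master addresses. -reset: empty the
	# list. -test: send a test message to each of them. Otherwise: add the
	# given addresses to the list.
	ListOfMails="$*"
	if [ -z "$ListOfMails" ] ; then
		if [ -f $W2bMaster ] ; then
			echo "Web masters mails:"
			cat $W2bMaster
		else
			echo "No known web master mail"
		fi
	else
		case "$ListOfMails" in
		-reset)
			rm -f $W2bMaster
			;;
		-test)
			if [ -f $W2bMaster ] ; then
				MailToList=`cat $W2bMaster | xargs`
				# private directory instead of the predictable
				# /tmp/w2b.mail.<pid>.text, which was also never removed
				MailTestDir=`mktemp -d`
				if [ -z "$MailTestDir" ] ; then
					echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|ERROR : cannot create a temporary directory"
					exit 1
				fi
				for master in $MailToList ; do
					echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|BAN : L'adresse mail $master est testée" > "$MailTestDir/w2b.mail.text"
					MAIL content:$MailTestDir/w2b.mail.text to:$master subject:"[$HOSTNAME-$CURRENTUSER] $LogStatus Web2Ban test $master mail address"
				done
				rm -rf "$MailTestDir"
			else
				echo "No known web master mail"
			fi
			;;
		*)
			for WebMaster in $ListOfMails ; do
				case "$WebMaster" in
				*@*)
					# exact comparison: a known a@b.org must not
					# prevent a@b.org.uk from being added
					if IS_LISTED "$WebMaster" "$W2bMaster" ; then
						echo "L'adresse mail $WebMaster est deja connue"
					else
						echo "$WebMaster" >> $W2bMaster
					fi
					;;
				*)
					echo "$WebMaster is not a valid mail address"
					;;
				esac
			done
			;;
		esac
	fi
	;;
--not_welcome|not_welcome|-n)
	# Like --deny, but the searched strings are read from one or several
	# files, and every address found on the lines of a string that reaches
	# the threshold is sent to --ban.
	Threshold="$1"
	shift
	NbLines="$1"
	shift
	LogFile="$1"
	shift
	LogFormat="$1"
	shift
	StringsFiles="$*"
	StringsList=""
	MESSAGE "+" "check not welcome strings with option --not_welcome"
	for File in $StringsFiles ; do
		if [ -f $File ] ; then
			StringsList="$StringsList `cat $File`"
		fi
	done
	if [ ! -z "$StringsList" ] ; then
		StringsList=`echo "$StringsList" | xargs`
		separate="\\\|"
		SearchedString=`echo "$StringsList" | sed s/" "/$separate/g`
		GET_SUSPECTS
		#echo "SearchedString $SearchedString NbSuspects $NbSuspects"
		if [ "$NbSuspects" -ge "$Threshold" ] ; then
			for nastystring in $StringsList ; do
				NastyLines=`echo "$Suspects" | grep "$nastystring"`
				NbNasty=`echo "$Suspects" | grep -c "$nastystring"`
				#echo "nastystring $nastystring $NastyLines"
				#echo "nastystring $nastystring	 score is $NbNasty"
				if [ "$NbNasty" -ge "$Threshold" ] ; then
					LOG_FILLER $LogFile $NbLines $NbNasty $Threshold "$nastystring"
					case "$LogFormat" in
					vhost)
						IpList=`echo "$NastyLines" | cut -d" " -f2 | sort -u | xargs`
						;;
					combined)
						IpList=`echo "$NastyLines" | cut -d" " -f1 | sort -u | xargs`
						;;
					common)
						IpList=`echo "$NastyLines" | cut -d" " -f8 | cut -d"]" -f1 | sort -u | xargs`
						;;
					*)
						echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|ERROR : Format du fichier log inconnu"
						;;
					esac
					MESSAGE ";" "Liste des adresses suspectes : $IpList for $nastystring"
					MESSAGE "?" "String ---$nastystring--- Nb d'enregistrements suspects $NbNasty dans les $NbLines lignes de $LogFile"
					for NastyIp in $IpList ; do
						if IS_LISTED "$NastyIp" "$W2bAllowed" ; then
							echo "L'adresse $NastyIp est autorisee"
						else
							$0 --ban $NastyIp : "String ---$nastystring--- Nb d'enregistrements suspects $NbNasty dans les $NbLines lignes de $LogFile, premiere anomalie: $FirstSuspect"
						fi
					done
				#else
					#MESSAGE "?" "$nastystring $NbNasty did not reach threshold $Threshold."
				fi
			done
		fi
	fi
	;;
--remember|remember|-rem)
	# Ban again every address recorded in the list of banned addresses.
	if [ -f $W2bBanned ] ; then
		ListIps=`cat $W2bBanned | cut -f1 | sort -u | xargs`
		$0 --ban $ListIps : "Banned again from $W2bBanned list"
	else
		echo "No banned ip"
	fi
	;;
--report|report|-r)
	# Mail the log to the web masters and start a new log; without a web
	# master list, print the log.
	if [ -f $W2bMaster ] ; then
		MailToList=`cat $W2bMaster | xargs`
		NbBannedIps=`cat $W2bLog | grep -c "est dorenavant bannie par iptables"`
		if cat $W2bLog | grep "ERROR" > /dev/null 2>&1 ; then
			LogStatus="ERROR"
		fi
		for master in $MailToList ; do
			MAIL content:$W2bLog to:$master subject:"[$HOSTNAME-$CURRENTUSER] $LogStatus Web2Ban report ($NbBannedIps)"
		done
		MESSAGE "!" "This log file is mailed to webmasters"
		echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|Start a new log file"	> $W2bLog
	else
		cat $W2bLog
	fi
	;;
--script|script|-s)
	# Source the given file: its content runs as shell code inside this
	# process, with the rights of the caller. It must be writable by root
	# only.
	ActionList="$1"
	if [ ! -z "$ActionList" ] && [ -f $ActionList ] ; then
		. $ActionList
	else
		echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|ERROR : Action file $ActionList is not found"
	fi
	;;
--watch|watch|-w)
	# Like --deny, but only reports: the suspect addresses and the first and
	# last suspect lines are mailed to the web masters, or printed when no
	# web master is known.
	Threshold="$1"
	shift
	NbLines="$1"
	shift
	LogFile="$1"
	shift
	LogFormat="$1"
	shift
	SearchedString="$*"
	GET_SUSPECTS
	if [ "$NbSuspects" -ge "$Threshold" ] ; then
		# NOTE(review): --deny passes NbLines before NbSuspects; here the
		# two are swapped, so NbLines filler lines are written and the
		# summary line reports the two numbers the other way round.
		# Confirm whether this is intended.
		LOG_FILLER $LogFile $NbSuspects $NbLines $Threshold "$SearchedString"
		# private directory instead of the predictable
		# /tmp/web2ban.watch.<pid>.report
		WatchDir=`mktemp -d`
		if [ -z "$WatchDir" ] ; then
			echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|ERROR : cannot create a temporary directory"
			exit 1
		fi
		WatchReport="$WatchDir/web2ban.watch.report"
		echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|Watch ---$SearchedString--- Nb d'enregistrements suspects $NbSuspects dans les $NbLines lignes de $LogFile"
		echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|SearchedString ---$SearchedString--- Nb d'enregistrements suspects $NbSuspects dans les $NbLines lignes de $LogFile" > "$WatchReport"
		case "$LogFormat" in
		vhost)
			IpList=`echo "$Suspects" | cut -d" " -f2 | sort -u | xargs`
			;;
		combined)
			IpList=`echo "$Suspects" | cut -d" " -f1 | sort -u | xargs`
			;;
		common)
			IpList=`echo "$Suspects" | cut -d" " -f8 | cut -d"]" -f1 | sort -u | xargs`
			;;
		*)
			echo "web2ban|$HOSTNAME|$DATE_TIME|MSG|$LINENO|ERROR : Format du fichier log inconnu"	>> "$WatchReport"
			LogStatus="ERROR"
			;;
		esac
		echo "web2ban|$DATE_TIME|MSG|$LINENO|Liste des adresses suspectes : $IpList"	>> "$WatchReport"
		echo "======================================="					>> "$WatchReport"
		echo "$Suspects" | head								>> "$WatchReport"
		echo "......................................."					>> "$WatchReport"
		echo "$Suspects" | tail								>> "$WatchReport"
		if [ -f $W2bMaster ] ; then
			MailToList=`cat $W2bMaster | xargs`
			for master in $MailToList ; do
				MAIL content:$WatchReport to:$master subject:"[$HOSTNAME-$CURRENTUSER] $LogStatus Web2Ban watch detection"
			done
		else
			cat "$WatchReport"
		fi
		rm -rf "$WatchDir"
	fi
	;;
--whois|whois|-wh)
	# Append the whois record of each argument to a file and display it.
	# NOTE(review): the arguments are passed to whois without CHECK_IP.
	ListOfIps="$*"
	for IpBanned in $ListOfIps ; do
		whois $IpBanned >> $W2bBanned.whois
	done
	less $W2bBanned.whois
	;;
esac
exit 0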
