| side by side (from parent 1:
fb0ec10
)
Cleaned up bice.pl
author
Andrew DeFaria
<Andrew@DeFaria.com>
Fri, 15 Dec 2017 19:38:39 +0000
(11:38 -0800)
committer
Andrew DeFaria
<Andrew@DeFaria.com>
Fri, 15 Dec 2017 19:38:39 +0000
(11:38 -0800)
bin/bice.pl
diff --git
a/bin/bice.pl
b/bin/bice.pl
index
4f3073a
..
0e1ad6d
100755
(executable)
--- a/
bin/bice.pl
+++ b/
bin/bice.pl
@@
-67,7
+67,7
@@
my $security_logfile = '/var/log/auth.log';
my $domain = 'DeFaria.com';
my $contact = 'Andrew@DeFaria.com';
my $location = 'Santa Clara, California, USA';
my $domain = 'DeFaria.com';
my $contact = 'Andrew@DeFaria.com';
my $location = 'Santa Clara, California, USA';
-my $UTC
= 'UTC-8';
+my $UTC = 'UTC-8';
my $mailhost = $domain;
# End customize these variables
my $mailhost = $domain;
# End customize these variables
@@
-90,10
+90,10
@@
sub AddToIPTables (@) {
my $result = open my $ipfile, '<', $ipfilename;
my (%ips, @oldips);
my $result = open my $ipfile, '<', $ipfilename;
my (%ips, @oldips);
-
+
if ($result) {
@oldips = <$ipfile>;
if ($result) {
@oldips = <$ipfile>;
-
+
close $ipfile if $ipfile;
chomp @oldips;
close $ipfile if $ipfile;
chomp @oldips;
@@
-101,24
+101,24
@@
sub AddToIPTables (@) {
map { $ips{$_} = 1 } @oldips;
map { $ips{$_} = 1 } <@ips>;
map { $ips{$_} = 1 } @oldips;
map { $ips{$_} = 1 } <@ips>;
-
+
open $ipfile, '>', "$ipfilename"
or error "Unable to open $ipfilename - $!", 1;
open $ipfile, '>', "$ipfilename"
or error "Unable to open $ipfilename - $!", 1;
-
+
foreach (sort keys %ips) {
print $ipfile "$_\n";
} # foreach
foreach (sort keys %ips) {
print $ipfile "$_\n";
} # foreach
-
+
close $ipfile;
# Recreate the BICE chain
`/sbin/iptables -F BICE`;
`/sbin/iptables -X BICE`;
`/sbin/iptables -N BICE`;
close $ipfile;
# Recreate the BICE chain
`/sbin/iptables -F BICE`;
`/sbin/iptables -X BICE`;
`/sbin/iptables -N BICE`;
-
+
# Add all new @ips to iptables
`/sbin/iptables -A BICE -s $_ -p tcp -j DROP` foreach (sort keys %ips);
# Add all new @ips to iptables
`/sbin/iptables -A BICE -s $_ -p tcp -j DROP` foreach (sort keys %ips);
-
+
return;
} # AddToIPTables
return;
} # AddToIPTables
@@
-149,9
+149,9
@@
sub GetEmailAddresses ($) {
foreach (@lines) {
my @fields = split /:/, $_;
foreach (@lines) {
my @fields = split /:/, $_;
-
+
$_ = $fields [@fields - 1];
$_ = $fields [@fields - 1];
-
+
if (/(\S+\@\S[\.\S]+)/) {
$email_addresses{$1} = "";
} # if
if (/(\S+\@\S[\.\S]+)/) {
$email_addresses{$1} = "";
} # if
@@
-176,79
+176,79
@@
sub SendEmail ($$$$$) {
} # if
mail (
} # if
mail (
- from
=> "BICE\@$domain",
- to
=> $to,
- #cc
=> $contact,
- subject
=> $subject,
- mode
=> 'html',
- data
=> $message,
+ from => "BICE\@$domain",
+ to => $to,
+ #cc => $contact,
+ subject => $subject,
+ mode => 'html',
+ data => $message,
);
} # SendEmail
sub processLogfile () {
my %violations;
);
} # SendEmail
sub processLogfile () {
my %violations;
-
+
# Note: Normally you must be root to open up $security_logfile
open my $readlog, '<', $security_logfile
or error "Unable to open $security_logfile - $!", 1;
# Note: Normally you must be root to open up $security_logfile
open my $readlog, '<', $security_logfile
or error "Unable to open $security_logfile - $!", 1;
-
+
flock $readlog, LOCK_EX
or error "Unable to flock $security_logfile", 1;
flock $readlog, LOCK_EX
or error "Unable to flock $security_logfile", 1;
-
+
my @lines;
my @lines;
-
+
while (<$readlog>) {
my $newline = $_;
while (<$readlog>) {
my $newline = $_;
-
+
if (/^(\S+\s+\S+\s+\S+)\s+.*Invalid user (\w+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
if (/^(\S+\s+\S+\s+\S+)\s+.*Invalid user (\w+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
-
+
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
-
+
$newline =~ s/Invalid user/INVALID USER/;
} elsif (/^(\S+\s+\S+\s+\S+)\s+.*authentication failure.*ruser=(\S+).*rhost=(\S+)/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
$newline =~ s/Invalid user/INVALID USER/;
} elsif (/^(\S+\s+\S+\s+\S+)\s+.*authentication failure.*ruser=(\S+).*rhost=(\S+)/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
-
+
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
-
+
$newline =~ s/authentication failure/AUTHENTICATION FAILURE/;
} elsif (/^(\S+\s+\S+\s+\S+)\s+.*Failed password for (\w+) from (\d{1,3}\.\d{1,3}\.d{1,3}\.d{1,3})/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
$newline =~ s/authentication failure/AUTHENTICATION FAILURE/;
} elsif (/^(\S+\s+\S+\s+\S+)\s+.*Failed password for (\w+) from (\d{1,3}\.\d{1,3}\.d{1,3}\.d{1,3})/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
-
+
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
-
+
$newline =~ s/Failed password/FAILED PASSWORD/;
} # if
push @lines, $newline;
} # while
$newline =~ s/Failed password/FAILED PASSWORD/;
} # if
push @lines, $newline;
} # while
-
+
return %violations unless $update;
return %violations unless $update;
-
+
flock $readlog, LOCK_UN
or error "Unable to unlock $security_logfile", 1;
flock $readlog, LOCK_UN
or error "Unable to unlock $security_logfile", 1;
-
+
close $readlog;
close $readlog;
-
+
open my $writelog, '>', $security_logfile
or error "Unable to open $security_logfile for writing - $!", 1;
open my $writelog, '>', $security_logfile
or error "Unable to open $security_logfile for writing - $!", 1;
-
+
flock $writelog, LOCK_EX
or error "Unable to flock $security_logfile", 1;
flock $writelog, LOCK_EX
or error "Unable to flock $security_logfile", 1;
-
+
print $writelog $_ foreach @lines;
print $writelog $_ foreach @lines;
-
+
flock $writelog, LOCK_UN
or error "Unable to unlock $security_logfile", 1;
close $writelog;
flock $writelog, LOCK_UN
or error "Unable to unlock $security_logfile", 1;
close $writelog;
-
+
return %violations;
} # processLogfile
return %violations;
} # processLogfile
@@
-257,7
+257,7
@@
sub ReportBreakins () {
my %violations = processLogfile;
my $nbrViolations = keys %violations;
my %violations = processLogfile;
my $nbrViolations = keys %violations;
-
+
if ($nbrViolations == 0) {
verbose 'No violations found';
} elsif ($nbrViolations == 1) {
if ($nbrViolations == 0) {
verbose 'No violations found';
} elsif ($nbrViolations == 1) {
@@
-265,14
+265,14
@@
sub ReportBreakins () {
} else {
verbose "$nbrViolations sites attempting to violate our perimeter";
} # if
} else {
verbose "$nbrViolations sites attempting to violate our perimeter";
} # if
-
+
foreach (sort keys %violations) {
my $ip = $_;
my $attempts;
foreach (sort keys %violations) {
my $ip = $_;
my $attempts;
-
+
$attempts += @{$violations{$ip}{$_}} foreach (keys %{$violations{$ip}});
$attempts += @{$violations{$ip}{$_}} foreach (keys %{$violations{$ip}});
-
+
my @emails = GetEmailAddresses $ip;
unless (@emails) {
my @emails = GetEmailAddresses $ip;
unless (@emails) {
@@
-280,7
+280,7
@@
sub ReportBreakins () {
. "attempts from IP $ip ($attempts breakin attempts)";
next;
} # unless
. "attempts from IP $ip ($attempts breakin attempts)";
next;
} # unless
-
+
my $to = join ',', @emails;
my $subject = "Illegal attempts to break into $domain from your domain";
my $message = <<"END";
my $to = join ',', @emails;
my $subject = "Illegal attempts to break into $domain from your domain";
my $message = <<"END";
@@
-311,20
+311,20
@@
END
# Report users
foreach my $user (sort keys %{$violations{$ip}}) {
if (@{$violations{$ip}{$user}} == 1) {
# Report users
foreach my $user (sort keys %{$violations{$ip}}) {
if (@{$violations{$ip}{$user}} == 1) {
-
$message .= "<li>The user <b>$user</b> attempted access on $violations{$ip}{$user}[0]</li>";
+ $message .= "<li>The user <b>$user</b> attempted access on $violations{$ip}{$user}[0]</li>";
} else {
$message .= "<li>The user <b>$user</b> attemped access on the following date/times:</li>";
$message .= "<ol>";
$message .= "<li>$_</li>" foreach (@{$violations{$ip}{$user}});
$message .= "</ol>";
} else {
$message .= "<li>The user <b>$user</b> attemped access on the following date/times:</li>";
$message .= "<ol>";
$message .= "<li>$_</li>" foreach (@{$violations{$ip}{$user}});
$message .= "</ol>";
-
} # if
+ } # if
} # foreach
$message .= '</ol><p>Your prompt attention to this matter is expected '
. 'and will be appreciated.</p>';
SendEmail $to, $subject, $message, $ip, $attempts;
} # foreach
} # foreach
$message .= '</ol><p>Your prompt attention to this matter is expected '
. 'and will be appreciated.</p>';
SendEmail $to, $subject, $message, $ip, $attempts;
} # foreach
-
+
AddToIPTables keys %violations;
} # ReportBreakins
AddToIPTables keys %violations;
} # ReportBreakins
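Review bot: The `/sbin/iptables -A BICE -s $_ -p tcp -j DROP` backtick near the end of the AddToIPTables hunk (-101,24 +101,24) interpolates every key of %ips into a shell command, and those keys come from the `rhost=(\S+)` capture in processLogfile and from whatever $ipfilename contains, with no check that they are IP addresses and no check of the command's exit status. A few lines earlier, `map { $ips{$_} = 1 } <@ips>;` is also not a list read: `<@ips>` is Perl's glob() operator, so an entry containing `*`, `?` or `[` is expanded against the filesystem instead of being used verbatim. Both are pre-existing, but a cleanup commit is the natural place to fix them: iterate `@ips` directly and run iptables in list form with the value validated by an anchored IPv4 pattern, as sketched below. The `Failed password for ... (\d{1,3}\.\d{1,3}\.d{1,3}\.d{1,3})` pattern in the processLogfile hunk has a related defect — the last two octets are missing the backslash before `d`, so that branch never matches a real address. AddToIPTables opens before its first hunk; the second hunk ends at the sub's closing brace.
```perl
# … unchanged: read @oldips from $ipfilename into %ips …
$ips{$_} = 1 for @ips;    # a plain list; <@ips> was glob(), not readline
# … unchanged: rewrite $ipfilename, recreate the BICE chain …
# Add all new @ips to iptables -- list-form system() so no shell sees the
# value, and only entries that are a bare dotted-quad reach the firewall.
for my $entry (sort keys %ips) {
    my ($ip) = $entry =~ /\A(\d{1,3}(?:\.\d{1,3}){3})\z/;
    unless (defined $ip) {
        warn "Skipping non-IPv4 entry '$entry'\n";
        next;
    } # unless
    system('/sbin/iptables', '-A', 'BICE', '-s', $ip, '-p', 'tcp', '-j', 'DROP') == 0
        or error "iptables -A BICE -s $ip failed ($?)", 1;
} # for
```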