my $mailhost = $domain;
# End customize these variables
-my $verbose;
+# Current IPset. This is the name of an IP match set (See
+# https://kirkkosinski.com/2013/11/mass-blocking-evil-ip-addresses-iptables-ip-sets/)
+# Each set can hold up to 65535 entries. We are currently on set 2.
+#
+# TODO: This code should handle the case where the set fills and we need to go
+# to the next set. Something like "ipset list <current set> | wc - " and
+# if it's > than say 60000, start a new set.
+#
+# Also, when a new set comes around we need to do:
+# $ iptables -A FORWARD -m set --mach-set <newset> src -j DROP
+my $currIPSet = 'BICE2';
+
my $update = 1;
my $email = 1;
my $hostname = `hostname`;
$hostname = $1;
} # if
-sub AddToIPTables (@) {
- my (@ips) = @_;
-
- # We shouldn't need to weed out duplicate but ya never know
- my $ipfilename = '/etc/ipblock';
-
- my $result = open my $ipfile, '<', $ipfilename;
-
- my (%ips, @oldips);
+sub AddToIPSet($) {
+ my ($ip) = @_;
- if ($result) {
- @oldips = <$ipfile>;
+ my ($status, @output) = Execute "/sbin/ipset add $currIPSet $ip 2>&1";
- close $ipfile if $ipfile;
+ if ($status) {
+ return if $output[0] =~ /already added/;
- chomp @oldips;
+ error "Unable to add $ip to ipset $currIPSet" . join ("\n", @output), 1;
+ } else {
+ return;
} # if
-
- map { $ips{$_} = 1 } @oldips;
- map { $ips{$_} = 1 } <@ips>;
-
- open $ipfile, '>', "$ipfilename"
- or error "Unable to open $ipfilename - $!", 1;
-
- foreach (sort keys %ips) {
- print $ipfile "$_\n";
- } # foreach
-
- close $ipfile;
-
- # Recreate the BICE chain
- `/sbin/iptables -F BICE`;
- `/sbin/iptables -X BICE`;
- `/sbin/iptables -N BICE`;
-
- # Add all new @ips to iptables
- `/sbin/iptables -A BICE -s $_ -p tcp -j DROP` foreach (sort keys %ips);
-
- return;
-} # AddToIPTables
+} # AddToIPSet
# Use whois(1) to get the email addresses of the responsible parties for an IP
# address. Note that a hash is used to eliminate duplicates.
my %email_addresses;
- foreach (@whois_list) {
+ for (@whois_list) {
my @lines;
if ($_ eq "") {
@lines = grep {/.*\@.*/ } `whois -h $_ $ip`;
} # if
- foreach (@lines) {
+ for (@lines) {
my @fields = split /:/, $_;
$_ = $fields [@fields - 1];
if (/(\S+\@\S[\.\S]+)/) {
$email_addresses{$1} = "";
} # if
- } # foreach
+ } # for
# Break out of loop if we found email addresses
last unless keys %email_addresses;
- } # foreach
+ } # for
return keys %email_addresses;
} # GetEmailAddresses
# Send email to the responsible parties.
-sub SendEmail ($$$$$) {
- my ($to, $subject, $message, $ip, $violations) = @_;
+sub SendEmail ($$$$$$) {
+ my ($to, $subject, $message, $ip, $attempts, $violationNbr) = @_;
if ($email) {
- verbose "Reporting $ip ($violations violations) to $to";
+ verbose "$violationNbr: Reporting $ip ($attempts violations) to $to";
} else {
- verbose "Would have reported $ip ($violations violations) to $to";
+ verbose "$violationNbr: Would have reported $ip ($attempts violations) to $to";
return;
} # if
flock $writelog, LOCK_EX
or error "Unable to flock $security_logfile", 1;
- print $writelog $_ foreach @lines;
+ print $writelog $_ for @lines;
flock $writelog, LOCK_UN
or error "Unable to unlock $security_logfile", 1;
verbose "$nbrViolations sites attempting to violate our perimeter";
} # if
- foreach (sort keys %violations) {
- my $ip = $_;
+ my $violations;
+ for my $ip (sort keys %violations) {
my $attempts;
- $attempts += @{$violations{$ip}{$_}} foreach (keys %{$violations{$ip}});
+ $violations++;
+ $attempts += @{$violations{$ip}{$_}} for (keys %{$violations{$ip}});
- my @emails = GetEmailAddresses $ip;
+ my @emails = GetEmailAddresses $ip;
unless (@emails) {
verbose 'Unable to find any responsible parties for detected breakin '
<ol>
END
# Report users
- foreach my $user (sort keys %{$violations{$ip}}) {
+ for my $user (sort keys %{$violations{$ip}}) {
if (@{$violations{$ip}{$user}} == 1) {
$message .= "<li>The user <b>$user</b> attempted access on $violations{$ip}{$user}[0]</li>";
} else {
$message .= "<li>The user <b>$user</b> attemped access on the following date/times:</li>";
$message .= "<ol>";
- $message .= "<li>$_</li>" foreach (@{$violations{$ip}{$user}});
+ $message .= "<li>$_</li>" for (@{$violations{$ip}{$user}});
$message .= "</ol>";
} # if
- } # foreach
+ } # for
$message .= '</ol><p>Your prompt attention to this matter is expected '
. 'and will be appreciated.</p>';
- SendEmail $to, $subject, $message, $ip, $attempts;
- } # foreach
+ SendEmail $to, $subject, $message, $ip, $attempts, $violations;
+ AddToIPSet $ip;
+ } # for
- AddToIPTables keys %violations;
+ return;
} # ReportBreakins
## Main
-
-# Get options
GetOptions (
'verbose', sub { set_verbose },
'debug', sub { set_debug },
'file=s', \$security_logfile,
) || Usage;
-Usage 'Must specify filename'
- unless $security_logfile;
+Usage 'Must specify filename' unless $security_logfile;
ReportBreakins;
$me =~ s/\.pl$//;
} # BEGIN
-sub new (;%){
+sub new(;%) {
my ($class, %parms) = @_;
=pod
my $append = $parms{append} ? '>>' : '>';
my $logfile;
- if (defined $parms{extension}) {
+ if ($parms{extension}) {
$name .= ".$parms{extension}" unless $parms{extension} eq '';
} else {
$name .= '.log';
or error "Unable to open logfile $path/$name - $!", 1;
# Set unbuffered output
- $logfile->autoflush ();
+ $logfile->autoflush();
set_verbose if $ENV{VERBOSE};
set_debug if $ENV{DEBUG};
}, $class; # bless
} # new
-sub append ($) {
+sub append($) {
my ($self, $filename) = @_;
=pod
return;
} # append
-sub name () {
+sub name() {
my ($self) = @_;
=pod
return $self->{name};
} # name
-sub fullname () {
+sub fullname() {
my ($self) = @_;
=pod
return "$self->{path}/$self->{name}";
} # fullname
-sub msg ($;$) {
+sub msg($;$) {
my ($self, $msg, $nolinefeed) = @_;
=pod
return;
} # msg
-sub disp ($;$) {
+sub disp($;$) {
my ($self, $msg, $nolinefeed) = @_;
=pod
return;
} # disp
-sub incrementErr (;$) {
+sub incrementErr(;$) {
my ($self, $increment) = @_;
=pod
return;
} # incrementErr
-sub err ($;$) {
+sub err($;$) {
my ($self, $msg, $errno) = @_;
=pod
return;
} # err
-sub maillog (%) {
+sub maillog(%) {
my ($self, %parms) = @_;
=pod
my $footing = $parms{footing};
my $mode = $parms{mode};
- $mode = "plain"
- unless $mode;
+ $mode = "plain" unless $mode;
my $log_filename = "$self->{path}/$self->{name}";
. $footing;
} # if
- mail (
+ mail(
from => $from,
to => $to,
cc => $cc,
return;
} # maillog
-sub log {
+sub log($;$) {
my ($self, $msg, $nolinefeed) = @_;
=pod
return;
} # log
-sub logcmd ($) {
+sub logcmd($) {
my ($self, $cmd) = @_;
=pod
return ($?, @output);
} # logcmd
-sub loglines () {
+sub loglines() {
my ($self) = @_;
=pod
return ReadFile "$self->{path}/$self->{name}";
} # loglines
-sub warn ($;$) {
+sub warn($;$) {
my ($self, $msg, $warnno) = @_;
=pod
return;
} # warn
-sub errors () {
+sub errors() {
my ($self) = @_;
=pod
return $self->{errors};
} # errors
-sub warnings () {
+sub dbug($) {
+ my ($self, $msg) = @_;
+
+ $self->log("DEBUG: $msg") unless get_debug;
+
+ return;
+} # dbug
+
+sub warnings() {
my ($self) = @_;
=pod
return $self->{warnings};
} # warnings
-sub DESTROY () {
+sub DESTROY() {
my ($self) = @_;
close ($self->{handle});
projects / clearscm.git / commitdiff