From: Andrew DeFaria
Date: Fri, 15 Dec 2017 19:38:39 +0000 (-0800)
Subject: Cleaned up bice.pl
X-Git-Url: https://defaria.com/gitweb/?a=commitdiff_plain;h=7741c29ab943bbd7972f74f17d357bf0cdb19f7b;p=clearscm.git
Cleaned up bice.pl
---
diff --git a/bin/bice.pl b/bin/bice.pl
index 4f3073a..0e1ad6d 100755
--- a/bin/bice.pl
+++ b/bin/bice.pl
@@ -67,7 +67,7 @@ my $security_logfile = '/var/log/auth.log';
my $domain = 'DeFaria.com';
my $contact = 'Andrew@DeFaria.com';
my $location = 'Santa Clara, California, USA';
-my $UTC = 'UTC-8';
+my $UTC = 'UTC-8';
my $mailhost = $domain;
# End customize these variables
@@ -90,10 +90,10 @@ sub AddToIPTables (@) {
my $result = open my $ipfile, '<', $ipfilename;
my (%ips, @oldips);
-
+
if ($result) {
@oldips = <$ipfile>;
-
+
close $ipfile if $ipfile;
chomp @oldips;
@@ -101,24 +101,24 @@ sub AddToIPTables (@) {
map { $ips{$_} = 1 } @oldips;
map { $ips{$_} = 1 } <@ips>;
-
+
open $ipfile, '>', "$ipfilename" or error "Unable to open $ipfilename - $!", 1;
-
+
foreach (sort keys %ips) {
print $ipfile "$_\n";
} # foreach
-
+
close $ipfile;
# Recreate the BICE chain
`/sbin/iptables -F BICE`;
`/sbin/iptables -X BICE`;
`/sbin/iptables -N BICE`;
-
+
# Add all new @ips to iptables
`/sbin/iptables -A BICE -s $_ -p tcp -j DROP` foreach (sort keys %ips);
-
+
return;
} # AddToIPTables
@@ -149,9 +149,9 @@ sub GetEmailAddresses ($) {
foreach (@lines) {
my @fields = split /:/, $_;
-
+
$_ = $fields [@fields - 1];
-
+
if (/(\S+\@\S[\.\S]+)/) {
$email_addresses{$1} = "";
} # if
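Review bot: `map { $ips{$_} = 1 } <@ips>;` in the second AddToIPTables hunk reads the argument list through the glob operator rather than the array — `<@ips>` is `glob("@ips")`, which only happens to work because the addresses contain no whitespace or glob metacharacters; it should be `$ips{$_} = 1 for @ips;` (and the `@oldips` line the same, since `map` in void context is a Perl::Critic finding). The `/sbin/iptables -A BICE -s $_ -p tcp -j DROP` backticks interpolate each key into a shell command; the keys originate as regex captures on log lines in processLogfile (outside this hunk), one of which is `rhost=(\S+)`, so each value should be checked against an anchored IPv4 pattern before use and the rule added with `system('/sbin/iptables', '-A', 'BICE', '-s', $_, '-p', 'tcp', '-j', 'DROP') == 0 or error "iptables failed for $_", 1;` so that no shell is involved and a failure is noticed. The three chain-management backticks above it likewise run in void context with their exit status discarded, so a failed `-N BICE` leaves the DROP rules unapplied without any message. AddToIPTables begins before the first of its two hunks, presumably where `@ips` is unpacked from `@_`.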
@@ -176,79 +176,79 @@ sub SendEmail ($$$$$) {
} # if
mail (
- from => "BICE\@$domain",
- to => $to,
- #cc => $contact,
- subject => $subject,
- mode => 'html',
- data => $message,
+ from => "BICE\@$domain",
+ to => $to,
+ #cc => $contact,
+ subject => $subject,
+ mode => 'html',
+ data => $message,
);
} # SendEmail
sub processLogfile () {
my %violations;
-
+
# Note: Normally you must be root to open up $security_logfile
open my $readlog, '<', $security_logfile or error "Unable to open $security_logfile - $!", 1;
-
+
flock $readlog, LOCK_EX or error "Unable to flock $security_logfile", 1;
-
+
my @lines;
-
+
while (<$readlog>) {
my $newline = $_;
-
+
if (/^(\S+\s+\S+\s+\S+)\s+.*Invalid user (\w+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
-
+
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
-
+
$newline =~ s/Invalid user/INVALID USER/;
} elsif (/^(\S+\s+\S+\s+\S+)\s+.*authentication failure.*ruser=(\S+).*rhost=(\S+)/) {
my %violation = $violations{$3} ? %{$violations{$3}} : %_;
-
+
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
-
+
$newline =~ s/authentication failure/AUTHENTICATION FAILURE/;
} elsif (/^(\S+\s+\S+\s+\S+)\s+.*Failed password for (\w+) from (\d{1,3}\.\d{1,3}\.d{1,3}\.d{1,3})/) {
my %violation = $violations{$3} ?
%{$violations{$3}} : %_;
-
+
push @{$violation{$2}}, $1;
$violations{$3} = \%violation;
-
+
$newline =~ s/Failed password/FAILED PASSWORD/;
} # if
push @lines, $newline;
} # while
-
+
return %violations unless $update;
-
+
flock $readlog, LOCK_UN or error "Unable to unlock $security_logfile", 1;
-
+
close $readlog;
-
+
open my $writelog, '>', $security_logfile or error "Unable to open $security_logfile for writing - $!", 1;
-
+
flock $writelog, LOCK_EX or error "Unable to flock $security_logfile", 1;
-
+
print $writelog $_ foreach @lines;
-
+
flock $writelog, LOCK_UN or error "Unable to unlock $security_logfile", 1;
close $writelog;
-
+
return %violations;
} # processLogfile
@@ -257,7 +257,7 @@ sub ReportBreakins () {
my %violations = processLogfile;
my $nbrViolations = keys %violations;
-
+
if ($nbrViolations == 0) {
verbose 'No violations found';
} elsif ($nbrViolations == 1) {
@@ -265,14 +265,14 @@ sub ReportBreakins () {
} else {
verbose "$nbrViolations sites attempting to violate our perimeter";
} # if
-
+
foreach (sort keys %violations) {
my $ip = $_;
my $attempts;
-
+
$attempts += @{$violations{$ip}{$_}} foreach (keys %{$violations{$ip}});
-
+
my @emails = GetEmailAddresses $ip;
unless (@emails) {
@@ -280,7 +280,7 @@ sub ReportBreakins () {
. "attempts from IP $ip ($attempts breakin attempts)";
next;
} # unless
-
+
my $to = join ',', @emails;
my $subject = "Illegal attempts to break into $domain from your domain";
my $message = <<"END";
@@ -311,20 +311,20 @@ END
# Report users
foreach my $user (sort keys %{$violations{$ip}}) {
if (@{$violations{$ip}{$user}} == 1) {
- $message .= "
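Review bot: The third pattern in processLogfile, `Failed password for (\w+) from (\d{1,3}\.\d{1,3}\.d{1,3}\.d{1,3})`, has lost the backslash on the last two octets as printed here — `d{1,3}` matches a literal `d` — so that branch never matches an IPv4 address and failed-password attempts are neither counted nor blocked; it should read `\d{1,3}` in all four places, or better, one `my $ipv4 = qr{ \d{1,3} (?: [.] \d{1,3} ){3} }x;` reused by the first and third branches. The second branch captures the remote host with `rhost=(\S+)`, which unlike the other two admits hostnames and arbitrary non-space characters; that value becomes a key of `%violations` and later an iptables argument in AddToIPTables, so it deserves the same anchored IPv4 check before it is stored. Rewriting `$security_logfile` in place with `open ... '>'` is not atomic and `flock` does not stop the syslog daemon appending between the read and the rewrite, so records logged in that window can be lost from an audit log; writing the marked-up copy to a separate file, or at least to a temporary file renamed into place, would be safer. The `%_` in `... : %_` is the (empty) package hash `%_` and would read more clearly as `()`.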
  • The user $user attempted access on $violations{$ip}{$user}[0]
  • "; + $message .= "
  • The user $user attempted access on $violations{$ip}{$user}[0]
  • "; } else { $message .= "
  • The user $user attemped access on the following date/times:
  • "; $message .= "
      "; $message .= "
    1. $_
    2. " foreach (@{$violations{$ip}{$user}}); $message .= "
    "; - } # if + } # if } # foreach $message .= '

    Your prompt attention to this matter is expected ' . 'and will be appreciated.

    '; SendEmail $to, $subject, $message, $ip, $attempts; } # foreach - + AddToIPTables keys %violations; } # ReportBreakins
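Review bot: `$user` is appended to `$message` unescaped on the `$message .=` lines of this hunk, and SendEmail sends the result with `mode => 'html'`; in the `authentication failure` branch of processLogfile the user name comes from `ruser=(\S+)`, so a login name chosen by the remote party can inject markup into the abuse report mailed to that domain's contacts. Each interpolated value should go through an HTML escaper (for example `HTML::Entities::encode_entities`) before it is appended, and the date/time strings and `$ip` deserve the same treatment. The multi-attempt branch also reads `attemped`; `attempted`. The rendering of this hunk has lost the HTML tags around the list items, so the exact markup the commit changes on the `$message .=` lines cannot be verified from this view.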