Mercurial > hg > maltfilter
annotate maltfilter @ 0:fec14263801d
Initial import of maltfilter development version.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Thu, 13 Aug 2009 15:15:18 +0300 |
| parents | |
| children | 3da95f3082d9 |
| rev | line source |
|---|---|
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1 #!/usr/bin/perl -w |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
2 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
3 # |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
4 # Malicious Attack Livid Termination Filter daemon (maltfilter) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
5 # Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
6 # (C) Copyright 2009 Tecnic Software productions (TNSP) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
7 # |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
8 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
9 use strict; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
10 use Date::Parse; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
11 use Net::IP; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
12 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
13 my $progbanner = |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
14 "Malicious Attack Livid Termination Filter daemon (maltfilter) v0.7\n". |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
15 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
16 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
17 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
18 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
19 ### Settings / configuration |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
20 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
21 my %settings = ( |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
22 "VERBOSITY" => 4, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
23 "DRY_RUN" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
24 "WEEDPERIOD" => 72, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
25 "TRESHOLD" => 3, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
26 "ACTION" => "DROP", |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
27 "LOGFILE" => "/var/log/maltfilter", |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
28 "IPTABLES" => "/sbin/iptables", |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
29 "NOBLOCK_HOSTS" => "127.0.0.1", |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
30 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
31 "CHK_SSHD" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
32 "CHK_KNOWN_CGI" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
33 "CHK_PHP_XSS" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
34 "CHK_PROXY_SCAN" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
35 "CHK_GOOD_HOSTS" => "", |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
36 ); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
37 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
38 # Default logfiles to monitor (SCANFILES setting of configuration overrides these) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
39 my @scanfiles_def = ( |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
40 "/var/log/auth.log", |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
41 "/var/log/httpd/error.log", |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
42 "/var/log/httpd/access.log" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
43 ); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
44 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
45 my @scanfiles = (); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
46 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
47 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
48 ### Script code |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
49 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
50 my %hitcount = (); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
51 my %iplist = (); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
52 my $pid_file = ""; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
53 my $LOGFILE; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
54 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
55 sub mlog |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
56 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
57 my $level = shift; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
58 my $msg = shift; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
59 if (defined($LOGFILE)) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
60 print $LOGFILE "[".scalar localtime()."] ".$msg if ($settings{"VERBOSITY"} > $level); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
61 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
62 print $msg if ($settings{"VERBOSITY"} > $level); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
63 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
64 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
65 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
66 sub check_hosts($$) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
67 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
68 my $host = $_[1]; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
69 my $ip = new Net::IP($host); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
70 foreach my $test (split(/\s*\|\s*/, $_[0])) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
71 my $test_ip = new Net::IP($test); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
72 if ($host eq $test) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
73 return 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
74 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
75 if (defined($ip) && defined($test_ip)) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
76 if ($ip->binip() eq $test_ip->binip()) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
77 return 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
78 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
79 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
80 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
81 return 0; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
82 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
83 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
84 ### Execute iptables |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
85 sub exec_iptables(@) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
86 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
87 my @args = ($settings{"IPTABLES"}, @_); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
88 if ($settings{"DRY_RUN"}) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
89 log(3, ":: ".join(" ", @args)."\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
90 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
91 system(@args) == 0 or print join(" ", @args)." failed: $?\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
92 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
93 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
94 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
95 ### Get current Netfilter INPUT table entries we manage |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
96 sub update_iplist($) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
97 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
98 open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
99 die("Could not execute ".$settings{"IPTABLES"}."\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
100 while (<STATUS>) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
101 chomp; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
102 if (/^\s*(\d+)\s+\d+\s+$settings{"ACTION"}\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
103 if (!defined($iplist{$2})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
104 $hitcount{$2} = $settings{"TRESHOLD"}; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
105 $iplist{$2} = $_[0]; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
106 if ($_[0] >= 0) { mlog(2, "* $2 appeared in iptables, adding.\n"); } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
107 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
108 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
109 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
110 close(STATUS); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
111 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
112 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
113 ### Weed out old entries |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
114 sub check_time($) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
115 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
116 return ($_[0] >= time() - ($settings{"WEEDPERIOD"} * 60 * 60)); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
117 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
118 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
119 sub weed_do($) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
120 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
121 if (defined($iplist{$_[0]})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
122 mlog(2, "* Weeding $_[0] ($iplist{$_[0]})\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
123 exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"ACTION"}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
124 undef($iplist{$_[0]}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
125 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
126 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
127 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
128 sub weed_entries() |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
129 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
130 foreach my $mip (keys %iplist) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
131 if (defined($iplist{$mip})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
132 if ($iplist{$mip} >= 0) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
133 if (!check_time($iplist{$mip})) { weed_do($mip); } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
134 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
135 weed_do($mip); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
136 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
137 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
138 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
139 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
140 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
141 ### Check if given "try count" exceeds treshold and if entry |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
142 ### is NOT in Netfilter already, then add it if so. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
143 sub check_add_entry($$$$) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
144 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
145 my $mip = $_[0]; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
146 my $mdate = str2time($_[1]); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
147 my $mreason = $_[2]; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
148 my $mcond = $_[3]; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
149 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
150 my $cnt = $hitcount{$mip}++; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
151 if ($cnt >= $settings{"TRESHOLD"} && check_time($mdate)) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
152 my $pat; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
153 if (!$mcond) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
154 mlog(2, "* Ignoring $mip: $mreason\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
155 return; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
156 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
157 if (!defined($iplist{$mip})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
158 if (!check_hosts($settings{"NOBLOCK_HOSTS"}, $mip)) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
159 # Add entry that has >= treshold hits and is not added yet |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
160 mlog(1, "* Adding $mip ($mdate): $mreason\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
161 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
162 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
163 $iplist{$mip} = $mdate; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
164 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
165 # Over treshold, but is added, check if we can update the timedate |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
166 if ($iplist{$mip} >= 0) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
167 if ($mdate > $iplist{$mip}) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
168 $iplist{$mip} = $mdate; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
169 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
170 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
171 # Empty date, set it now. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
172 $iplist{$mip} = $mdate; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
173 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
174 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
175 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
176 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
177 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
178 ### Check given logfile line for matches |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
179 sub check_log_line($) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
180 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
181 # (1) SSH login scan attempts |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
182 if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
183 check_add_entry($2, $1, "SSHD", $settings{"CHK_SSHD"}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
184 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
185 # (2) Common/known exploitable CGI/PHP software scans (like phpMyAdmin) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
186 # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
187 # any or some of these installed. Preferably none, or use uncommon |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
188 # paths and prefixes. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
189 elsif (/^\[(.+?)\]\s+\[error\]\s+\[client\s+(\d+\.\d+\.\d+\.\d+)\]\s+(.+)$/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
190 my $mdate = $1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
191 my $mip = $2; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
192 my $merr = $3; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
193 if ($merr =~ /^File does not exist: (.+)$/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
194 my $tmp = $1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
195 if ($tmp =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
196 check_add_entry($mip, $mdate, "CGI: $tmp", $settings{"CHK_KNOWN_CGI"}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
197 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
198 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
199 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
200 # Match Apache common logging format GET requests here |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
201 elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
202 my $mdate = $2; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
203 my $mip = $1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
204 my $merr = $3; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
205 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
206 # (3) Simple match for generic PHP XSS vulnerability scans |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
207 # NOTICE! If your site genuinely uses (checked) PHP parameters with |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
208 # URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
209 # used in the URIs. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
210 if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
211 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
212 check_add_entry($mip, $mdate, "PHP XSS: $merr", $settings{"CHK_PHP_XSS"}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
213 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
214 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
215 # (4) Try to match proxy scanning attempts |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
216 elsif ($merr =~ /^http:\/\/([^\/]+)/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
217 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
218 check_add_entry($mip, $mdate, "Proxy scan: $merr", $settings{"CHK_PROXY_SCAN"}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
219 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
220 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
221 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
222 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
223 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
224 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
225 ### |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
226 ### Utility functions |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
227 ### |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
228 my %logfile = (); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
229 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
230 sub malt_init { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
231 foreach my $logname (@scanfiles) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
232 local *INFILE; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
233 mlog(0, "- Parsing ".$logname." ...\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
234 open(INFILE, "<", $logname) or die("Could not open '".$logname."'!\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
235 $logfile{$logname} = *INFILE; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
236 while (<INFILE>) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
237 chomp; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
238 check_log_line($_); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
239 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
240 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
241 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
242 mlog(0, "- Weeding out old entries.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
243 weed_entries(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
244 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
245 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
246 sub malt_cleanup { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
247 mlog(0, "- Closing open filehandles.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
248 foreach my $logname (keys %logfile) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
249 close($logfile{$logname}); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
250 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
251 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
252 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
253 sub malt_scan { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
254 ### Keep on reading |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
255 mlog(1, "- Entering main scanning loop.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
256 my $counter = 0; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
257 while (1) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
258 my %logpos = (); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
259 foreach my $logname (keys %logfile) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
260 for ($logpos{$logname} = tell($logfile{$logname}); $_ = <$logfile{$logname}>; $logpos{$logname} = tell($logfile{$logname})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
261 chomp; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
262 check_log_line($_); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
263 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
264 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
265 sleep(5); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
266 if ($counter++ >= 5) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
267 # Every once in a while, update known IP list from iptables |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
268 # (in case entries have appeared there from "outside") |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
269 # and perform weeding of old entries. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
270 $counter = 0; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
271 update_iplist(time()); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
272 weed_entries(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
273 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
274 foreach my $logname (keys %logfile) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
275 seek($logfile{$logname}, $logpos{$logname}, 0); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
276 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
277 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
278 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
279 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
280 sub malt_finish { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
281 # Unlink pid-file |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
282 if ($pid_file ne "" && -e $pid_file) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
283 unlink $pid_file; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
284 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
285 # Close logfile |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
286 close($LOGFILE) if (defined($LOGFILE)); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
287 undef($LOGFILE); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
288 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
289 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
290 sub malt_int { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
291 mlog(-1, "\nCaught Interrupt (^C), aborting.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
292 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
293 malt_finish(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
294 exit(1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
295 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
296 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
297 sub malt_term { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
298 mlog(-1, "Receinved TERM, quitting.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
299 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
300 malt_finish(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
301 exit(1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
302 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
303 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
304 sub malt_hup { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
305 mlog(-1, "Received HUP, reinitializing.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
306 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
307 malt_init(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
308 mlog(-1, "Reinitialization finished, resuming scanning.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
309 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
310 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
311 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
312 ### |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
313 ### Main program |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
314 ### |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
315 # Setup signal handlers |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
316 $SIG{'INT'} = 'malt_int'; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
317 $SIG{'TERM'} = 'malt_term'; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
318 $SIG{'HUP'} = 'malt_hup'; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
319 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
320 # Banner |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
321 my $argc = $#ARGV + 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
322 if ($argc < 1) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
323 print $progbanner. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
324 "\nUsage: maltfilter <pid filename> [config filename]\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
325 exit; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
326 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
327 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
328 # Test pid file existence |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
329 $pid_file = shift; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
330 die("'$pid_file' already exists, not starting.\nIf the daemon is NOT running, remove the pid-file and re-start.\n") if (-e $pid_file); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
331 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
332 # Read configuration file |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
333 if (defined(my $config_file = shift)) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
334 my $errors = 0; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
335 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
336 # Let user define his/her own logfiles to scan |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
337 undef(@scanfiles_def); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
338 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
339 open(CONFFILE, "<", $config_file) or die("Could not open configuration '".$config_file."'!\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
340 while (<CONFFILE>) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
341 chomp; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
342 if (/(^\s*#|^\s*$)/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
343 # Ignore comments and empty lines |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
344 } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*(\d+),?\s*$/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
345 my $key = uc($1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
346 my $value = $2; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
347 if (defined($settings{$key})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
348 $settings{$key} = $value; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
349 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
350 print STDERR "Unknown setting '$key' = $value\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
351 $errors = 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
352 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
353 } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*\"(.*?)\",?\s*$/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
354 my $key = uc($1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
355 my $value = $2; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
356 if ($key eq "SCANFILE") { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
357 push(@scanfiles_def, $value); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
358 } elsif (defined($settings{$key})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
359 $settings{$key} = $value; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
360 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
361 print STDERR "Unknown setting '$key' = '$value'\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
362 $errors = 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
363 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
364 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
365 print STDERR "Syntax error: $_\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
366 $errors = 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
367 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
368 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
369 close(CONFFILE); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
370 die("Errors in configuration file '$config_file', bailing out.\n") unless ($errors == 0); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
371 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
372 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
373 # Clean up scanfiles from duplicate entries |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
374 my %saw = (); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
375 @scanfiles = grep(!$saw{$_}++, @scanfiles_def); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
376 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
377 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
378 # Open logfile |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
379 if ($settings{"DRY_RUN"}) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
380 print $progbanner. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
381 "*********************************************\n". |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
382 "* NOTICE! DRY-RUN MODE ENABLED! No changes *\n". |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
383 "* will actually get committed to netfilter! *\n". |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
384 "*********************************************\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
385 } elsif ($settings{"LOGFILE"} ne "") { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
386 open($LOGFILE, ">>", $settings{"LOGFILE"}) or die("Could not open logfile '".$settings{"LOGFILE"}."' for writing!\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
387 mlog(-1, "Log started\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
388 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
389 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
390 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
391 # Initialize |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
392 update_iplist(-1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
393 malt_init(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
394 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
395 # Fork to background, unless dry-running |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
396 if ($settings{"DRY_RUN"}) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
397 malt_scan(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
398 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
399 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
400 if (my $pid = fork) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
401 open(PIDFILE, ">", $pid_file) or die("Could not open pid file '".$pid_file."' for writing!\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
402 print PIDFILE "$pid\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
403 close(PIDFILE); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
404 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
405 malt_scan(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
406 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
407 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
408 } |