From cc00dc647b637e392b4fd20907caf5b22f7a8960 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rapha=C3=ABl=20Gertz?=
Date: Fri, 24 Mar 2017 21:38:12 +0100
Subject: [PATCH 1/1] Add local tools
---
blacklist | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
git-new | 35 +++++++++++++++++++++++++++
2 files changed, 106 insertions(+)
create mode 100755 blacklist
create mode 100755 git-new
diff --git a/blacklist b/blacklist
new file mode 100755
index 0000000..a31beee
--- /dev/null
+++ b/blacklist
@@ -0,0 +1,71 @@
+#! /usr/bin/perl
+
+use strict;
+use warnings;
+
+use IPC::System::Simple qw(capturex);
+use Data::Validate::IP;
+
+my %ip4s = ();
+my %ip6s = ();
+my @blrule4s = ();
+my @blrule6s = ();
+my $whitelist = qr/^(?:127.|85.68.182.45|195.25.233.49|94.23.226.160|::1|2001:41d0:2:65a0:)/;
+my @userlist = ('rapsys');
+
+# Extract sshd.service scan
+map {
+ if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist) && $2 !~ /$whitelist/) {
+ if (Data::Validate::IP::is_ipv4($2)) {
+ $ip4s{$2}=1;
+ } elsif (Data::Validate::IP::is_ipv6($2)) {
+ $ip6s{$2}=1;
+ }
+ }
+} capturex('journalctl', '-u', 'sshd.service');
+
+# Extract kernel port scan
+map {
+ if (/Shorewall:net-fw:DROP:.* SRC=([^\s]+) DST=.*/ && $1 !~ /$whitelist/) {
+ if (Data::Validate::IP::is_ipv4($1)) {
+ $ip4s{$1}=1;
+ } elsif (Data::Validate::IP::is_ipv6($1)) {
+ $ip6s{$1}=1;
+ }
+ }
+} capturex('journalctl', '-k');
+
+# Open blrule4s file for reading
+open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall/blrules: $!";
+
+# Populate with comments
+@blrule4s = map { chomp($_); if (/^#/) { $_; } else { (); } } <$fh>;
+
+# Prepend header
+push @blrule4s, "WHITELIST\tnet:85.68.182.45\tall";
+push @blrule4s, "WHITELIST\tnet:94.23.226.160\tall";
+push @blrule4s, "WHITELIST\tnet:195.25.233.49\tall";
+
+# Build blacklist
+map { push @blrule4s, "DROP\t\tnet:".$_.(length lt 12?"\t":'')."\tfw"; } sort keys %ip4s;
+
+# Close blrule4s file
+close $fh or die "Can't close fh: $!";
+
+# Open blrule4s file for writing
+open ($fh, '>', '/etc/shorewall/blrules') or die "Can't open > /etc/shorewall/blrules: $!";
+
+# Inject content of blacklist
+map { print $fh $_."\n"; } @blrule4s;
+
+# Close blrule4s file
+close $fh or die "Can't close fh: $!";
+
+# Print ipv6 to update hash
+#XXX; right now it don't seems scanned at all...
+for (sort keys %ip6s) {
+ print $_."\n";
+}
+
+# Restart shorewall service
+capturex('systemctl', 'restart', 'shorewall.service');
diff --git a/git-new b/git-new
new file mode 100755
index 0000000..7aa12a3
--- /dev/null
+++ b/git-new
@@ -0,0 +1,35 @@
+#! /bin/sh
+
+# Set git root
+GITROOT='/var/www/git'
+
+# make sure we have repository to create
+if [ $# -le 0 ]; then
+ echo "Usage: $0 repository"
+ exit 1
+fi
+
+# Switch to directory
+cd $GITROOT
+
+# Handle args
+for repo in $@; do
+ if [ -d "$GITROOT/$repo" ]; then
+ echo "Warning: $GITROOT/$repo already exists"
+ else
+ # Create directory
+ mkdir "$GITROOT/$repo"
+ # Switch to directory
+ pushd "$GITROOT/$repo" > /dev/null
+ # Init bare repository
+ git --bare init --shared . > /dev/null
+ # Make it work
+ git update-server-info
+ # Allow push
+ git config http.receivepack true
+ # Fix ownership
+ chown -R apache. .
+ # Return in old dir
+ popd > /dev/null
+ fi
+done
--
2.41.1
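Review bot: The user exemption in the sshd `map` block, `grep($_ ne $1, @userlist)`, is true whenever any entry of `@userlist` differs from the login name, so it only works while the list holds exactly one name; with a second entry every failed login, including a mistyped password by a listed user, puts the source address into the DROP rules. `!grep($_ eq $1, @userlist)` expresses the intended test. Separately, a single matching log line is enough to block an address, and the kernel-log block takes `SRC=` from dropped packets, which a sender can forge for connectionless traffic, so counting hits per address and blocking only above a threshold would limit lockouts of third parties. In the "Build blacklist" line, `length lt 12` compares as strings (`"9" lt "12"` is false), so short addresses miss the padding tab; `length($_) < 12` is the numeric form.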
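Review bot: Nothing in the `else` branch checks that `mkdir` or `pushd` succeeded, and `pushd`/`popd` are not POSIX sh builtins although the shebang is `#! /bin/sh`. Where /bin/sh is not bash, or when either command fails, `git --bare init --shared .`, `git config http.receivepack true` and `chown -R apache. .` run in `$GITROOT` itself, because of the earlier `cd $GITROOT`. `$repo` is also used unvalidated, so a name containing `../` creates and chowns a directory outside `$GITROOT`, and the unquoted `$@` splits names on whitespace. The sketch below validates the name, quotes `"$@"`, and replaces `pushd`/`popd` with a guarded subshell.

```sh
for repo in "$@"; do
	# Reject names that would leave $GITROOT or be parsed as an option
	case "$repo" in
		''|*/*|.*|-*) echo "Error: invalid repository name: $repo" >&2; continue;;
	esac
	if [ -d "$GITROOT/$repo" ]; then
		# … unchanged: already-exists warning …
	else
		mkdir "$GITROOT/$repo" || continue
		(
			# Subshell keeps the caller's directory; abort if cd fails
			cd "$GITROOT/$repo" || exit 1
			# … unchanged: git init, update-server-info, http.receivepack, chown …
		)
	fi
done
```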