FindPage
View Source:
StopGrind
<code brush="php"> #!/usr/bin/env php <?php $log = '/var/log/auth.log'; $ignore_hosts = Array( "yiff.myftp.org" ); $ignore_hosts_cache = Array(); // ip => Array('ip' => <ip>, 'name' => <name>, 'expires' => <time>) $ignore_hosts_cache_timeout = 60; $bad_hosts = Array(); // ip => Array('expires' => <time>, 'evidence' => Array(<evidence>)) $bad_hosts_timeout = 60; $bad_hosts_limit = 10; openlog('StopGrind', LOG_PID|LOG_PERROR, LOG_AUTHPRIV); function logit() { //printf("%s: ", strftime("%Y-%m-%d:%H:%M:%S")); $args = func_get_args(); $line = call_user_func_array('sprintf', $args); syslog(LOG_NOTICE, $line); //printf("\n"); //printf("%s: %s\n", strftime("%Y-%m-%d:%H:%M:%S"), $line); } function loadState() { logit("fixme:STUB:loadState()"); } function saveState($state) { logit("fixme:STUB:saveState()"); } function authorizedHost($ip) { global $ignore_hosts, $ignore_hosts_cache, $ignore_hosts_cache_timeout; // Expire cache entries $now = time(); foreach ($ignore_hosts_cache as $key => $ignore_host) if ($ignore_host['expires'] < $now) unset($ignore_hosts_cache[$key]); // Now look up a cached entry if (isset($ignore_hosts_cache[$ip])) return TRUE; // Now look up the ignore_hosts one by one until we get a match foreach ($ignore_hosts as $host) { $record = dns_get_record($host, DNS_ANY); foreach($record as $entry) { if ($entry['ip']) { $ignore_hosts_cache[] = Array( 'ip' => $entry['ip'], 'name' => $entry['host'], 'expires' => time() + $entry['ttl'] ); if ($entry['ip'] == $ip) return TRUE; } } } return FALSE; } function banBadHost($ip) { // Magical Gnomes global $bad_hosts; logit("bad host banned: %s", $ip); $cmd = sprintf("/root/siteban/autoban %s", escapeshellarg($ip)); //exec($cmd); unset($bad_hosts[$ip]); } function badHost($ip, $line) { global $bad_hosts, $bad_hosts_timeout, $bad_hosts_limit; // Expire foreach($bad_hosts as $key => $value) if ($value['expires'] < time()) unset($bad_hosts[$key]); // Check if (!is_array($bad_hosts[$ip])) $bad_hosts[$ip] = Array('evidence' => Array()); $bad_hosts[$ip]['expires'] = time() + $bad_hosts_timeout; $bad_hosts[$ip]['evidence'][] = $line; if (count($bad_hosts[$ip]['evidence']) > $bad_hosts_limit) banBadHost($ip); } function matchLine($pattern, $key, $line) { global $trig_vars; $regs = Array(); if ($res = preg_match($pattern, $line, $regs)) { $out = Array(); foreach($trig_vars[$key] as $index => $name) { if ($name) $out[$name] = $regs[$index]; } if (!authorizedHost($out['ip'])) { badHost($out['ip'], $line); } } } function tailLog($log) { global $source; if (is_resource($source)) pclose($source); $cmd = sprintf("tail -fn 1024 %s", escapeshellarg($log)); //logit("%s", $cmd); $source = popen($cmd, "r"); // Ignore the first line, in case it's a newsyslog message. fgets($source, 4096); return $source; } function handle($line) { global $trig_pats; $line = trim($line); array_walk($trig_pats, "matchLine", $line); } $trig_pats = Array( "/Failed ([^ ]+) for( invalid user){0,1} ([^ ]+) from ([^ ]+) port ([^ ]+)/", "/Invalid user ([^ ]+) from ([^ ]+)/", ); $trig_vars = Array( Array( "", "method", "", "username", "ip", "port" ), Array( "", "username", "ip" ) ); logit("Starting scanner"); $state = loadState(); $lines = 0; $running = TRUE; $buf = ""; while ($running) { $read = Array(STDIN); $write = NULL; $except = NULL; $timeout = 60; if ($res = stream_select($read, $write, $except, $timeout)) { // Handle incoming data if (0 == strlen($tmp = fread(STDIN, 4096))) { // EOF logit("No more input. Night night."); $running = FALSE; } else { $buf.= $tmp; while (FALSE !== ($pt = strpos($buf, "\n"))) { $lines++; $line = substr($buf, 0, $pt); $buf = substr($buf, $pt + 1, strlen($buf)); handle($line); } } } else { // Timeout or interrupt. Die. logit("Timeout. Night night."); $running = FALSE; } } logit("Processed %u lines", $lines); saveState($state); return 0; tailLog($log); while ($line = fgets($source, 16384)) { $line = trim($line); // Check for newsyslog message if (preg_match('/newsyslog[^:]+: logfile turned over/', $line)) { //logit($line); logit("Reloading logfile\n"); pclose($source); die(); tailLog($log); } array_walk($trig_pats, "matchLine", $line); } pclose($source); ?> </code>