Add contrib files for RHEL 5.3
authorWincent Colaiuta <win@wincent.com>
Tue, 23 Jun 2009 20:02:01 +0000 (22:02 +0200)
committerWincent Colaiuta <win@wincent.com>
Tue, 23 Jun 2009 20:02:01 +0000 (22:02 +0200)
For the time being these are just copies of the other RHEL-ES3 files
alrady in the repository.

Signed-off-by: Wincent Colaiuta <win@wincent.com>
contrib/RHEL-5.3/etc/logwatch/conf/services/bansshee.conf [new file with mode: 0644]
contrib/RHEL-5.3/etc/logwatch/scripts/services/bansshee [new file with mode: 0755]
contrib/RHEL-5.3/etc/rc.d/init.d/bansshee [new file with mode: 0755]

diff --git a/contrib/RHEL-5.3/etc/logwatch/conf/services/bansshee.conf b/contrib/RHEL-5.3/etc/logwatch/conf/services/bansshee.conf
new file mode 100644 (file)
index 0000000..a77c534
--- /dev/null
@@ -0,0 +1,8 @@
+Title = "Bansshee (secure-log)"
+
+# Logfile group
+LogFile = secure
+
+# only give lines pertaining to the bansshee service
+*OnlyService = bansshee
+*RemoveHeaders
diff --git a/contrib/RHEL-5.3/etc/logwatch/scripts/services/bansshee b/contrib/RHEL-5.3/etc/logwatch/scripts/services/bansshee
new file mode 100755 (executable)
index 0000000..43b0de8
--- /dev/null
@@ -0,0 +1,137 @@
+#!/usr/bin/perl
+
+use Socket;
+
+#
+# Storage
+#
+
+my %addresses;
+
+#
+# Functions
+#
+
+sub LookupIP($)
+{
+  my $ip = shift;
+  $name = $addresses{$ip};
+  return "$name [$ip]" if defined $name;
+  ($a1, $a2, $a3, $a4) = split /\./, $ip;
+  $name = gethostbyaddr(inet_aton($ip), AF_INET);
+  if ($name)
+  {
+    $addresses{$ip} = $name;
+    return "$name [$ip]";
+  }
+  else
+  {
+    return $ip;
+  }
+}
+
+sub SortIPAddresses
+{
+  ($a1, $a2, $a3, $a4) = split /\./, $a;
+  ($b1, $b2, $b3, $b4) = split /\./, $b;
+  ($a1 <=> $b1) || ($a2 <=> $b2) || ($a3 <=> $b3) || ($a4 <=> $b4);
+}
+
+#
+# Main
+#
+
+$detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+while (defined($line = <STDIN>))
+{
+  chomp($line);
+
+  if ($line =~ /Performing periodic check of blocked IPs list\./)
+  {
+    $periodicChecks++;
+  }
+  elsif ($line =~ /Bansshee startup\./)
+  {
+    $startups++;
+  }
+  elsif ($line =~ /Failed password attempt for user/)
+  {
+    $failedPasswords++;
+  }
+  elsif ($line =~ /Attempted connection with illegal user/)
+  {
+    $illegalUsers++;
+  }
+  elsif ($line =~ /Adding IP (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to blocklist\./)
+  {
+    $additions{$1} += 1;
+  }
+  elsif ($line =~ /Removing IP (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) from blocklist\./)
+  {
+    $removals{$1} += 1;
+  }
+  elsif (($line =~ /Reading config file/) ||
+         ($line =~ /Daemonizing\./) ||
+         ($line =~ /Creating new BANSSHEE iptables chain\./) ||
+         ($line =~ /Appending JUMP rule \(redirects all SSH traffic to BANSSHEE chain\)\./) ||
+         ($line =~ /Tailing log:/) ||
+         ($line =~ /Removing JUMP rule from INPUT chain\./) ||
+         ($line =~ /Flushing BANSSHEE iptables chain\./) ||
+         ($line =~ /Deleting BANSSHEE iptables chain\./))
+  {
+    # ignore
+  }
+  else
+  {
+    push @unmatchedEntries, "$line\n";
+  }
+}
+
+if (($startups > 0) && ($detail >= 5))
+{
+  print "\nStart-ups: $startups time(s).\n";
+}
+
+if (($periodicChecks > 0) && ($detail >= 10))
+{
+  print "\nPeriodic checks: $periodicChecks time(s).\n";
+}
+
+if ($failedPasswords > 0)
+{
+  print "\nFailed password attempts: $failedPasswords time(s).\n";
+}
+
+if ($illegalUsers > 0)
+{
+  print "\nIllegal user attempts: $illegalUsers time(s).\n";
+}
+
+if (keys %additions)
+{
+  print "\nIPs added to blocklist:\n";
+  foreach $ip (sort { SortIPAddresses } keys %additions)
+  {
+    $host = LookupIP($ip);
+    print "    $host : $additions{$ip} time(s).\n";
+  }
+}
+
+if (keys %removalss)
+{
+  print "\nIPs removed from blocklist:\n";
+  foreach $ip (sort { SortIPAddresses } keys %additions)
+  {
+    $host = LookupIP($ip);
+    print "    $host : $additions{$ip} time(s).\n";
+  }
+}
+
+if ($#unmatchedEntries > 0)
+{
+  print "\n**Unmatched Entries**\n";
+  print @unmatchedEntries;
+}
+
+exit(0);
diff --git a/contrib/RHEL-5.3/etc/rc.d/init.d/bansshee b/contrib/RHEL-5.3/etc/rc.d/init.d/bansshee
new file mode 100755 (executable)
index 0000000..4b3ed4a
--- /dev/null
@@ -0,0 +1,64 @@
+#! /bin/bash
+#
+# banshee       This script starts and stops the bansshee anti-SSH-dictionary-attack daemon
+#
+# chkconfig:    - 50 50
+# description:  bansshee monitors log files to detect SSH dictionary attacks and uses the iptables firewall to block attackers.
+
+# Source function library.
+. /etc/init.d/functions
+
+RETVAL=0
+
+start()
+{
+  echo -n $"Starting banshee: "
+  daemon /usr/local/sbin/bansshee
+  RETVAL=$?
+  echo
+  [ $RETVAL -eq 0 ] && /bin/touch /var/lock/subsys/bansshee
+  return $RETVAL
+}
+
+stop()
+{
+  echo -n $"Stopping banshee: "
+  killproc bansshee
+  RETVAL=$?
+  echo
+  [ $RETVAL -eq 0 ] && /bin/rm -f /var/lock/subsys/bansshee
+  return $RETVAL
+}
+
+restart()
+{
+  stop
+  start
+}
+
+case "$1" in
+  start)
+    start
+    ;;
+  stop)
+    stop
+    ;;
+  restart)
+    restart
+    ;;
+  reload)
+    restart
+    ;;
+  status)
+    status bansshee
+    ;;
+  condrestart)
+    [ -f /var/lock/subsys/bansshee ] && restart
+    ;;
+  *)
+    echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
+    exit 1
+esac
+
+exit $?
+