autodrop 0.1.0 → 1.0.0

data/bin/autodrop

@@ -1,202 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'optparse'
-require 'syslog'
-
-DEFAULT_CONFFILE = '/etc/autodrop.conf'
-
-$debug = false
-
-def log msg
-  if $debug
-    puts "#{Time.now}: syslog: #{msg}"
-  else
-    if Syslog.opened?
-      Syslog.info msg
-    end
-  end
-end
-
-def debug msg
-  return unless $debug
-  puts "#{Time.now}: debug: #{msg}"
-end
-
-def terminate whymsg, status = 0
-  log "terminate (#{whymsg})"
-  exit! status
-end
-
-module Autodrop
-  # { ip => Dog obj }
-  @dogs = {}
-
-  def Autodrop.house ip
-    @dogs.delete ip
-  end
-
-  def Autodrop.watch
-    log "start watching '#{WATCH_FIFO_}'"
-    loop {
-      begin
-        File.open(WATCH_FIFO_, File::RDONLY | File::NONBLOCK) { |f|
-          ready = File.select([f])
-          if ready
-            line = ready[0][0].gets
-            ip = nil
-            MESSAGES_TO_WATCH.each { |msg|
-              ip = $1 if line =~ msg
-            }
-            if ip
-              if @dogs.has_key? ip
-                @dogs[ip].bark
-              else
-                @dogs[ip] = Dog.new(ip)
-              end
-            end
-          end
-        }
-      rescue Errno::ENOENT => ex
-        log "lost FIFO '#{WATCH_FIFO_}'. exit"
-        break
-      end
-    }
-  end
-end  # Autodrop
-
-class Dog
-  def initialize ip
-    @ip = ip
-    @count = 1
-    @time = Time.now + INTERVAL
-    @thread = Thread.new {
-      debug "[#{@ip}] bark! (#{@count})"
-      loop {
-        if Time.now >= @time
-          debug "[#{@ip}] leave"
-          break
-        end
-        if @count >= COUNT_MAX
-          bite
-          break
-        end
-        debug "[#{@ip}] grrr..."
-        sleep 1
-      }
-      Autodrop.house @ip
-      debug "[#{@ip}] end"
-    }
-  end
-
-  def bark
-    @count += 1
-    @time = Time.now + INTERVAL
-    debug "[#{@ip}] bark! (#{@count})"
-  end
-
-  def bite
-    if $debug
-      log "DROP (#{@ip})"
-      return
-    end
-    if system(IPTABLES_PROGRAM, '-I', 'INPUT', '-s', @ip, '-j', 'DROP')
-      log "DROP (#{@ip})"
-    else
-      log "error (iptables fail)"
-    end
-  end
-end  # Dog
-
-### main
-
-@conffile = nil
-opts = OptionParser.new
-opts.on("-c CONFFILE", "--config CONFFILE", String, /.*/,
-        "Configuration file",
-        "(default: '#{DEFAULT_CONFFILE}')") { |conffile|
-  @conffile = conffile
-}
-opts.on("-d", "--debug", nil, nil,
-        "Debug mode",
-        "+ no daemon",
-        "+ write logs to stdout",
-        "+ watch fifo named './fifo'") { |flag|
-  $debug = true
-}
-opts.parse! ARGV
-opts = nil
-
-@conffile ||= DEFAULT_CONFFILE
-unless File.file? @conffile
-  puts "#{@conffile} does not exist."
-  exit 1
-end
-
-eval File.readlines(@conffile).join("\n")
-
-unless File.executable? IPTABLES_PROGRAM
-  puts "#{IPTABLES_PROGRAM} is not executable."
-  exit 1
-end
-
-if $debug
-  WATCH_FIFO_ = 'fifo'
-else
-  WATCH_FIFO_ = WATCH_FIFO
-  if Process.euid != 0
-    puts 'Run as root'
-    exit 1
-  end
-end
-
-begin
-  Syslog.open('autodrop', Syslog::LOG_PID|Syslog::LOG_CONS, Syslog::LOG_AUTH)
-  if $debug
-    Autodrop.watch
-  else
-    # daemonify self
-    Process.fork {
-      Process.setsid
-      Dir.chdir "/"
-      trap("SIGINT") { terminate 'SIGINT' }
-      trap("SIGTERM") { terminate 'SIGTERM' }
-      trap("SIGHUP") { terminate 'SIGHUP' }
-      STDIN.reopen "/dev/null"
-      STDOUT.reopen "/dev/null"
-      STDERR.reopen "/dev/null"
-      File.open(PIDFILE, 'w') {|f|
-        f.puts Process.pid
-      }
-      Autodrop.watch
-    }
-  end
-rescue => ex
-  log "error (#{ex}). exit"
-  exit! 1
-end
-
-# Copyright (c) 2009, NOZAWA Hiromasa. All rights reserved.
-# 
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 
-#  1. Redistributions of source code must retain the above copyright
-#     notice, this list of conditions and the following disclaimer.
-#  2. Redistributions in binary form must reproduce the above
-#     copyright notice, this list of conditions and the following
-#     disclaimer in the documentation and/or other materials provided
-#     with the distribution.
-# 
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.

data/bin/autodrop.rb

@@ -1,202 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'optparse'
-require 'syslog'
-
-DEFAULT_CONFFILE = '/etc/autodrop.conf'
-
-$debug = false
-
-def log msg
-  if $debug
-    puts "#{Time.now}: syslog: #{msg}"
-  else
-    if Syslog.opened?
-      Syslog.info msg
-    end
-  end
-end
-
-def debug msg
-  return unless $debug
-  puts "#{Time.now}: debug: #{msg}"
-end
-
-def terminate whymsg, status = 0
-  log "terminate (#{whymsg})"
-  exit! status
-end
-
-module Autodrop
-  # { ip => Dog obj }
-  @dogs = {}
-
-  def Autodrop.house ip
-    @dogs.delete ip
-  end
-
-  def Autodrop.watch
-    log "start watching '#{WATCH_FIFO_}'"
-    loop {
-      begin
-        File.open(WATCH_FIFO_, File::RDONLY | File::NONBLOCK) { |f|
-          ready = File.select([f])
-          if ready
-            line = ready[0][0].gets
-            ip = nil
-            MESSAGES_TO_WATCH.each { |msg|
-              ip = $1 if line =~ msg
-            }
-            if ip
-              if @dogs.has_key? ip
-                @dogs[ip].bark
-              else
-                @dogs[ip] = Dog.new(ip)
-              end
-            end
-          end
-        }
-      rescue Errno::ENOENT => ex
-        log "lost FIFO '#{WATCH_FIFO_}'. exit"
-        break
-      end
-    }
-  end
-end  # Autodrop
-
-class Dog
-  def initialize ip
-    @ip = ip
-    @count = 1
-    @time = Time.now + INTERVAL
-    @thread = Thread.new {
-      debug "[#{@ip}] bark! (#{@count})"
-      loop {
-        if Time.now >= @time
-          debug "[#{@ip}] leave"
-          break
-        end
-        if @count >= COUNT_MAX
-          bite
-          break
-        end
-        debug "[#{@ip}] grrr..."
-        sleep 1
-      }
-      Autodrop.house @ip
-      debug "[#{@ip}] end"
-    }
-  end
-
-  def bark
-    @count += 1
-    @time = Time.now + INTERVAL
-    debug "[#{@ip}] bark! (#{@count})"
-  end
-
-  def bite
-    if $debug
-      log "DROP (#{@ip})"
-      return
-    end
-    if system(IPTABLES_PROGRAM, '-I', 'INPUT', '-s', @ip, '-j', 'DROP')
-      log "DROP (#{@ip})"
-    else
-      log "error (iptables fail)"
-    end
-  end
-end  # Dog
-
-### main
-
-@conffile = nil
-opts = OptionParser.new
-opts.on("-c CONFFILE", "--config CONFFILE", String, /.*/,
-        "Configuration file",
-        "(default: '#{DEFAULT_CONFFILE}')") { |conffile|
-  @conffile = conffile
-}
-opts.on("-d", "--debug", nil, nil,
-        "Debug mode",
-        "+ no daemon",
-        "+ write logs to stdout",
-        "+ watch fifo named './fifo'") { |flag|
-  $debug = true
-}
-opts.parse! ARGV
-opts = nil
-
-@conffile ||= DEFAULT_CONFFILE
-unless File.file? @conffile
-  puts "#{@conffile} does not exist."
-  exit 1
-end
-
-eval File.readlines(@conffile).join("\n")
-
-unless File.executable? IPTABLES_PROGRAM
-  puts "#{IPTABLES_PROGRAM} is not executable."
-  exit 1
-end
-
-if $debug
-  WATCH_FIFO_ = 'fifo'
-else
-  WATCH_FIFO_ = WATCH_FIFO
-  if Process.euid != 0
-    puts 'Run as root'
-    exit 1
-  end
-end
-
-begin
-  Syslog.open('autodrop', Syslog::LOG_PID|Syslog::LOG_CONS, Syslog::LOG_AUTH)
-  if $debug
-    Autodrop.watch
-  else
-    # daemonify self
-    Process.fork {
-      Process.setsid
-      Dir.chdir "/"
-      trap("SIGINT") { terminate 'SIGINT' }
-      trap("SIGTERM") { terminate 'SIGTERM' }
-      trap("SIGHUP") { terminate 'SIGHUP' }
-      STDIN.reopen "/dev/null"
-      STDOUT.reopen "/dev/null"
-      STDERR.reopen "/dev/null"
-      File.open(PIDFILE, 'w') {|f|
-        f.puts Process.pid
-      }
-      Autodrop.watch
-    }
-  end
-rescue => ex
-  log "error (#{ex}). exit"
-  exit! 1
-end
-
-# Copyright (c) 2009, NOZAWA Hiromasa. All rights reserved.
-# 
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 
-#  1. Redistributions of source code must retain the above copyright
-#     notice, this list of conditions and the following disclaimer.
-#  2. Redistributions in binary form must reproduce the above
-#     copyright notice, this list of conditions and the following
-#     disclaimer in the documentation and/or other materials provided
-#     with the distribution.
-# 
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.

data/conf/autodrop.conf.default

@@ -1,17 +0,0 @@
-# configration file for autodrop
-# -*-ruby-*-
-
-# $1 must match with an IP address
-MESSAGES_TO_WATCH =
-  [
-   # OpenSSH
-   /Invalid user [^\s]+ from (.+)/,
-   /Address (.+) maps to [^\s]+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!/,
-  ]
-
-COUNT_MAX = 3
-INTERVAL = 10 # sec
-
-IPTABLES_PROGRAM = '/sbin/iptables'
-PIDFILE = '/var/run/autodrop.pid'
-WATCH_FIFO = '/var/log/authfifo'

data/doc/README.jp.txt

@@ -1,164 +0,0 @@
-autodrop README
-
-NOZAWA Hiromasa, Tokyo, Japan
-
-
-= 概要
-
-ホストへのしつこいアクセスを iptables で弾くデーモン。
-
-syslog のログを監視して、パターンにマッチするログを一定期間内に繰り返し
-生じさせるホストを iptables の DROP ルールでアクセス禁止にする。
-
-監視するログのパターン、ログの発生回数、発生回数のカウントを続ける期間
-を設定できる。パターンは複数設定できる。
-
-複数のログファイルをポーリングしたり stat したりせずに、単一の名前つき
-パイプを見るようになっている。このため syslogd が目的のログを名前つきパ
-イプへ吐くように設定する必要がある (syslog.conf で '|' を使う)。
-
-Ruby 製です。Ruby なので、というかスクリプト言語製なので本格的に高トラ
-フィックな環境には向かないでしょう。でもウチでは毎日々々延々と 22 番を
-叩きにくる人たちをしっかり弾いてくれるので重宝してます。なかなか重宝す
-るので公開してみます。
-
-この手のツールの常として自分を自分のホストから締め出すことも可能なので
-注意してください。
-
-
-= 必要なもの
-
-* iptables なので linux
-* syslogd
-* ruby 1.8.6 あたり
-
-
-= ライセンス
-
-BSD
-
-
-= インストール
-
-gem install したあと設定ファイルを作る必要があります。
-#! 行も必要なら書き換えてください。
-
-*1. gem install autodrop
-
-*2. cd <GEMDIR>/gems/autodrop-x.x.x/conf
-
-*3. sudo cp autodrop.conf.default /etc
-
-*6. /etc/autodrop.conf を編集
-
-
-= 使い方
-
-== 起動
-
-root で実行するようになってます。
-
-	------------------------------
-	$ sudo ruby autodrop.rb
-	------------------------------
-
-設定ファイルのデフォルトは /etc/autodrop.conf です。
-コマンドラインから指定すれば別の場所にある設定ファイルも使えます。
-
-	------------------------------
-	$ ruby autodrop.rb -c /foo/bar/autodrop.conf
-	------------------------------
-
-起動すると /var/run/autodrop.pid が作られます。
-
-== 停止
-
-	------------------------------
-	$ sudo kill `cat /var/run/autodrop.pid`
-	------------------------------
-
-== 稼働中
-
-autodrop 自身もプレフィクス `autodrop' で起動、終了、DROP の発生を
-syslog に吐きます。
-
-稼働中は iptables の INPUT テーブルに DROP ルールが溜まる一方になるので、
-たまに手でクリアすることになるかと思います。定期的にクリアするような機
-能はありません。
-
-
-= autodrop.conf
-
-どの設定も省略不可。どれも単なる ruby の定数です。
-
-* MESSAGES_TO_WATCH
-
-	監視するメッセージのパターンを正規表現で書いた配列。
-	$1 がリモートホストの IP アドレスにマッチするようにする。
-
-	------------------------------
-	MESSAGES_TO_WATCH =
-	  [
-           # OpenSSH's
-	   /Invalid user [^\s]+ from (.+)/,
-	   /Address (.+) maps to.*POSSIBLE BREAK-IN ATTEMPT!/,
-	  ]
-	------------------------------
-
-* COUNT_MAX
-
-	DROP するまでのマッチ回数。
-
-	------------------------------
-	COUNT_MAX = 3
-	------------------------------
-
-* INTERVAL
-
-	マッチしたパターン (パターンと IP アドレスの組) についてカウン
-	トをとり続ける時間。秒で指定する。
-	マッチするたびに 0 に戻る。
-
-	------------------------------
-	INTERVAL = 10
-	------------------------------
-
-* IPTABLES_PROGRAM
-
-	用いる iptables を指定する。
-
-	------------------------------
-	IPTABLES_PROGRAM = '/bin/iptables'
-	------------------------------
-
-* PIDFILE
-
-	pid ファイルのパス。
-
-	------------------------------
-	PIDFILE = '/var/run/autodrop.pid'
-	------------------------------
-
-* WATCH_FIFO
-
-	監視する名前つきパイプのパス。
-
-	------------------------------
-	WATCH_FIFO = '/var/log/authfifo'
-	------------------------------
-
-
-= 参考: syslogd の設定例
-
-パイプを作って、
-	------------------------------
-	sudo mkfifo /var/log/authfifo
-	------------------------------
-syslog.conf に登録する。
-	------------------------------
-	authpriv.*		|/var/log/authfifo
-	------------------------------
-
-「|」で名前つきパイプへの出力になる。詳しくは syslog.conf(5) で。
-
-#eof