Looking for an existing entry - hosts.deny #1099

Merged
ddpbsd merged 3 commits into ossec:master from ncaio:master
Sep 6, 2017

Conversation

@ncaio (Contributor) commented Mar 29, 2017

One more simple condition/test before submitting an IP/hostname to hosts.deny.

~~~~
bash -x host-deny.sh add ncaio 190.80.12.180
+ ACTION=add
+ USER=ncaio
+ IP=190.80.12.180
++ dirname host-deny.sh
+ LOCAL=.
+ cd .
+ cd ../
++ pwd
+ PWD=/var/ossec/active-response
+ LOCK=/var/ossec/active-response/host-deny-lock
+ LOCK_PID=/var/ossec/active-response/host-deny-lock/pid
++ uname
+ UNAME=Linux
+ MAX_ITERATION=50
++ date
+ echo 'Wed Mar 29 09:54:51 BRT 2017 host-deny.sh add ncaio 190.80.12.180  '
+ '[' x190.80.12.180 = x ']'
+ echo 190.80.12.180
+ grep '\.'
+ '[' '!' 0 = 0 ']'
++ grep -w 190.80.12.180 /etc/hosts.deny
+ IPKEY='ALL: 190.80.12.180'
+ '[' '!' -z 'ALL: 190.80.12.180' ']'
++ date
+ echo 'Wed Mar 29 09:54:51 BRT 2017 Duplicate ip/hostname entry: 190.80.12.180'
+ exit 1
~~~~


ncaio added 2 commits March 29, 2017 10:03
One more simple condition/test before submitting an IP/hostname to hosts.deny.

~~~~
bash -x host-deny.sh add ncaio 190.80.12.180
+ ACTION=add
+ USER=ncaio
+ IP=190.80.12.180
++ dirname host-deny.sh
+ LOCAL=.
+ cd .
+ cd ../
++ pwd
+ PWD=/var/ossec/active-response
+ LOCK=/var/ossec/active-response/host-deny-lock
+ LOCK_PID=/var/ossec/active-response/host-deny-lock/pid
++ uname
+ UNAME=Linux
+ MAX_ITERATION=50
++ date
+ echo 'Wed Mar 29 09:54:51 BRT 2017 host-deny.sh add ncaio 190.80.12.180  '
+ '[' x190.80.12.180 = x ']'
+ echo 190.80.12.180
+ grep '\.'
+ '[' '!' 0 = 0 ']'
++ grep -w 190.80.12.180 /etc/hosts.deny
+ IPKEY='ALL: 190.80.12.180'
+ '[' '!' -z 'ALL: 190.80.12.180' ']'
++ date
+ echo 'Wed Mar 29 09:54:51 BRT 2017 Duplicate ip/hostname entry: 190.80.12.180'
+ exit 1
~~~~
I guess we don't need to apply iptables rules to the FORWARD chain on a box without IPv4 or IPv6 "IP FORWARD".

~~~~
++ uname
+ UNAME=Linux
+ ECHO=/bin/echo
+ GREP=/bin/grep
+ IPTABLES=
+ IP4TABLES=/sbin/iptables
+ IP6TABLES=/sbin/ip6tables
+ IPFILTER=/sbin/ipf
+ '[' XLinux = XSunOS ']'
+ GENFILT=/usr/sbin/genfilt
+ LSFILT=/usr/sbin/lsfilt
+ MKFILT=/usr/sbin/mkfilt
+ RMFILT=/usr/sbin/rmfilt
+ ARG1=
+ ARG2=
+ RULEID=
+ ACTION=add
+ USER=ncaio
+ IP=123.123.0.15
++ pwd
+ PWD=/var/ossec/active-response/bin
+ LOCK=/var/ossec/active-response/bin/fw-drop
+ LOCK_PID=/var/ossec/active-response/bin/fw-drop/pid
++ cat /proc/sys/net/ipv4/ip_forward
+ IPV4F=0
++ cat /proc/sys/net/ipv6/conf/all/forwarding
+ IPV6F=0
++ dirname firewall-drop.sh
+ LOCAL=.
+ cd .
+ cd ../
++ basename firewall-drop.sh
+ filename=firewall-drop.sh
+ LOG_FILE=/var/ossec/active-response/../logs/active-responses.log
++ date
+ echo 'Wed Mar 29 10:58:48 BRT 2017 firewall-drop.sh add ncaio 123.123.0.15  '
+ '[' x123.123.0.15 = x ']'
+ case "${IP}" in
+ IPTABLES=/sbin/iptables
+ MAX_ITERATION=50
+ '[' xadd '!=' xadd -a xadd '!=' xdelete ']'
+ '[' XLinux = XLinux ']'
+ '[' xadd = xadd ']'
+ ARG1='-I INPUT -s 123.123.0.15 -j DROP'
+ ARG2='-I FORWARD -s 123.123.0.15 -j DROP'
+ '[' '!' -x /sbin/iptables ']'
+ COUNT=0
+ lock
+ i=0
+ '[' 1 ']'
+ mkdir /var/ossec/active-response/bin/fw-drop
+ MSL=0
+ '[' 0 = 0 ']'
+ echo 107768
+ return
+ '[' 1 ']'
+ /sbin/iptables -I INPUT -s 123.123.0.15 -j DROP
+ RES=0
+ '[' 0 = 0 ']'
+ break
+ COUNT=0
+ '[' 1 ']'
+ '[' 0 == 0 ']' <---- here
+ '[' 0 == 0 ']' <---- and here
+ break
+ unlock
+ rm -rf /var/ossec/active-response/bin/fw-drop
+ exit 0
~~~~
LOCK="${PWD}/fw-drop"
LOCK_PID="${PWD}/fw-drop/pid"

IPV4F="$(cat /proc/sys/net/ipv4/ip_forward)"
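Review bot: `IPV4F="$(cat /proc/sys/net/ipv4/ip_forward)"` assumes that path exists; when /proc is not mounted, or on a non-Linux host, cat writes an error and IPV4F is left empty, so the later comparison against 0 runs on an empty string. Guard the read with `[ -r /proc/sys/net/ipv4/ip_forward ]` and assign an explicit default (for a drop action, keeping the FORWARD rule when the forwarding state is unknown is the conservative choice); the same applies to the /proc/sys/net/ipv6/conf/all/forwarding read shown in the trace.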
Member

These lines would cause issues on systems without /proc

Contributor Author

Hello @ddpbsd, thanks for your attention.
Indeed! Let me know whether this functionality is interesting to ossec or not. If yes, I'll spend more time, or more 'ifs', coding a solution.

Member

It's not interesting to me, I don't use it. But other people might like it. I have no objections to it. :-)

+ To remove possible issues with systems without /proc.
+ This condition prevents rules in the FORWARD chain where there is no IP forwarding.
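The two checks this PR adds, the hosts.deny duplicate test from the description and the /proc-safe forwarding test from the later commits, written as an added POSIX sh example that is not the PR's own host-deny.sh or firewall-drop.sh. The function names, the parameterised file paths and the choice to keep the FORWARD rule when the flag is unreadable are my assumptions.

```shell
#!/bin/sh
# Added example, not the PR's scripts. Function names are assumed; paths are
# arguments so the checks run against a constructed file, not /etc/hosts.deny or /proc.

# Exit 0 when FILE already lists IP, 1 otherwise.
# -F makes the dots literal (an unescaped "grep 10.0.0.1" also matches "10x0y0z1");
# -w stops 10.0.0.1 from matching the longer 10.0.0.10.
hosts_deny_has_entry() {
    ip=$1; file=$2
    [ -r "$file" ] || return 1
    grep -Fwq -- "$ip" "$file"
}

# Append "ALL: IP" once; on a duplicate, log the same message the script does and fail.
hosts_deny_add() {
    ip=$1; file=$2
    if hosts_deny_has_entry "$ip" "$file"; then
        echo "$(date) Duplicate ip/hostname entry: $ip" >&2
        return 1
    fi
    echo "ALL: $ip" >> "$file"
}

# Read a forwarding flag without assuming /proc is mounted: the file's value when
# readable, otherwise DEFAULT (the caller decides what "unknown" should mean).
read_forward_flag() {
    path=$1; default=$2
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo "$default"
    fi
}

# True when a FORWARD-chain DROP rule is still needed. Assumption: when the flag
# cannot be read, keep the rule (default 1); blocking more is the safe side for a drop.
needs_forward_rule() {
    [ "$(read_forward_flag "$1" 1)" = "1" ]
}

# Stand-alone run on a constructed sample file (not a real hosts.deny).
SAMPLE=$(mktemp)
printf 'ALL: 190.80.12.180\n' > "$SAMPLE"
hosts_deny_add 190.80.12.180 "$SAMPLE" || echo "skipped duplicate entry"
hosts_deny_add 10.0.0.1 "$SAMPLE" && echo "added 10.0.0.1"
needs_forward_rule /nonexistent/ip_forward && echo "FORWARD rule kept (flag unreadable)"
rm -f "$SAMPLE"
```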