Rename some functions, list prerequisites.

2020-08-03 13:19:18 +02:00 · 2020-08-03 13:19:18 +02:00 · c5dc76f8eb
parent ea0fae026a
commit c5dc76f8eb
1 changed files with 40 additions and 8 deletions
--- a/ddos-mitigator.sh
+++ b/ddos-mitigator.sh
@ -1,11 +1,17 @@
 #!/bin/sh
+################################################################################
+################################################################################
+########### FIXME: This text is outdated and needs to be rewritten.  ###########
+################################################################################
+################################################################################
+
 ################################################################################
 #                                                                              #
 # Try and prevent apache overloads by banning IP addresses that have (too)     #
 # many open connections.                                                       #
 # This script uses netstat to determine the connections to the HTTPS port of   #
 # the host machine and provides automated whois information retrieval based on #
-# the address or the /24- /16- or /8-subnet thereof. Addresses (or subnets)    #
+# the address or the /24-, /16- or /8-subnet thereof. Addresses (or subnets)   #
 # are presented to the user in order of descending connection count. For each  #
 # address (or subnet), the user can choose to ban or ignore it. Addresses (or  #
 # subnets) chosen to be banned will be blocked by the apache-badbots jail of   #
@ -16,6 +22,20 @@
 #                                                                              #
 ################################################################################

+################################################################################
+#                                                                              #
+# Prerequisites:                                                               #
+#   - app-admin/sudo (`sudo`)                                                  #
+#   - net-analyzer/fail2ban (`fail2ban-client`)                                #
+#   - net-misc/whois (`whois`)                                                 #
+#   - sys-apps/coreutils (`cut`, `id`, `sort`, `touch`, `tr`, `uniq`)          #
+#   - sys-apps/grep (`grep`)                                                   #
+#   - sys-apps/moreutils (`sponge`)                                            #
+#   - sys-apps/net_tools (`netstat`)                                           #
+#   - sys-apps/util-linux (`getopt`)                                           #
+#                                                                              #
+################################################################################
+
 # Set the host's own IP address. So far, only an IPv4 address is supported.
 MY_IP="94.199.214.20"
 # Set the desired port to monitor.
@ -51,6 +71,18 @@ reset="\033[0m"
 # Clean up when the script exits.
 trap 'sudo -k; popd >/dev/null; rm -r ${tmpdir}' EXIT

+function check_installed() {
+       local command="$1"
+       local package="$2"
+       which "${command}" 2>/dev/null >&2
+       local result=$?
+
+       if [[ "${result}" -ne 0 ]] ; then
+               echo -e "${red}Command ${bold}${command}${reset}${red} not found.${reset} Please install package ${blue}${package}${reset}."
+               exit 1
+       fi
+}
+
 # Create a temp directory, chdir into it and create the (initially empty)
 # banlist file.
 tmpdir=$(mktemp -d)
@ -58,7 +90,7 @@ tmpdir=$(mktemp -d)
 pushd "${tmpdir}" > /dev/null
 touch "${banlist}"

-function printHelp() {
+function print_help() {
 	cat <<ENDOFHELP
 Usage: $(basename $0) [OPTION...]

@ -89,7 +121,7 @@ inquired interactively.
 ENDOFHELP
 }

-function execAsRoot() {
+function exec_as_root() {
 	if [[ $(id -un) == "root" ]] ; then
 		"$@"
 	else
@ -97,7 +129,7 @@ function execAsRoot() {
 	fi
 }

-function parseCommandline() {
+function parse_command_line_args() {
 	TEMP=$(getopt -o 'a::,j:,n:,h' -l 'auto::,jail:,netmask:,help' -- "$@")

 	if [ $? -ne 0 ] ; then
@ -151,7 +183,7 @@ function parseCommandline() {
 				shift
 			;;
 			'-h'|'--help')
-				printHelp
+				print_help
 				exit
 			;;
 			'--')
@ -172,10 +204,10 @@ autopilot=0
 netmask=0
 jail="apache-auth"

-parseCommandline "$@"
+parse_command_line_args "$@"

 # List already banned addresses in the chosen jail
-banned="$(execAsRoot fail2ban-client get "${jail}" banip)"
+banned="$(exec_as_root fail2ban-client get "${jail}" banip)"

 # Determine the current connections to the desired port; store the raw data in
 # $fileraw.
@ -422,7 +454,7 @@ sudo -k
 # one of them.
 while read -r addr ; do
 	echo "Banning ${addr} ..."
-	execAsRoot fail2ban-client set "${jail}" banip "${addr}"
+	exec_as_root fail2ban-client set "${jail}" banip "${addr}"
 done < "${banlist}"

 echo -e "${green}All done!${reset}"