Rename some functions, list prerequisites.

This commit is contained in:
Manuel Friedli 2020-08-03 13:19:18 +02:00
parent ea0fae026a
commit c5dc76f8eb


@ -1,11 +1,17 @@
#!/bin/sh
################################################################################
################################################################################
########### FIXME: This text is outdated and needs to be rewritten. ###########
################################################################################
################################################################################
################################################################################
# #
# Try and prevent apache overloads by banning IP addresses that have (too) #
# many open connections. #
# This script uses netstat to determine the connections to the HTTPS port of #
# the host machine and provides automated whois information retrieval based on #
# the address or the /24- /16- or /8-subnet thereof. Addresses (or subnets) #
# the address or the /24-, /16- or /8-subnet thereof. Addresses (or subnets) #
# are presented to the user in order of descending connection count. For each #
# address (or subnet), the user can choose to ban or ignore it. Addresses (or #
# subnets) chosen to be banned will be blocked by the apache-badbots jail of #
@ -16,6 +22,20 @@
# #
################################################################################
################################################################################
# #
# Prerequisites: #
# - app-admin/sudo (`sudo`) #
# - net-analyzer/fail2ban (`fail2ban-client`) #
# - net-misc/whois (`whois`) #
# - sys-apps/coreutils (`cut`, `id`, `sort`, `touch`, `tr`, `uniq`) #
# - sys-apps/grep (`grep`) #
# - sys-apps/moreutils (`sponge`) #
# - sys-apps/net_tools (`netstat`) #
# - sys-apps/util-linux (`getopt`) #
# #
################################################################################
# Set the host's own IP address. So far, only an IPv4 address is supported.
MY_IP="94.199.214.20"
# Set the desired port to monitor.
@ -51,6 +71,18 @@ reset="\033[0m"
# Clean up when the script exits.
trap 'sudo -k; popd >/dev/null; rm -r ${tmpdir}' EXIT
function check_installed() {
local command="$1"
local package="$2"
which "${command}" 2>/dev/null >&2
local result=$?
if [[ "${result}" -ne 0 ]] ; then
echo -e "${red}Command ${bold}${command}${reset}${red} not found.${reset} Please install package ${blue}${package}${reset}."
exit 1
fi
}
# Create a temp directory, chdir into it and create the (initially empty)
# banlist file.
tmpdir=$(mktemp -d)
@ -58,7 +90,7 @@ tmpdir=$(mktemp -d)
pushd "${tmpdir}" > /dev/null
touch "${banlist}"
function printHelp() {
function print_help() {
cat <<ENDOFHELP
Usage: $(basename $0) [OPTION...]
@ -89,7 +121,7 @@ inquired interactively.
ENDOFHELP
}
function execAsRoot() {
function exec_as_root() {
if [[ $(id -un) == "root" ]] ; then
"$@"
else
@ -97,7 +129,7 @@ function execAsRoot() {
fi
}
function parseCommandline() {
function parse_command_line_args() {
TEMP=$(getopt -o 'a::,j:,n:,h' -l 'auto::,jail:,netmask:,help' -- "$@")
if [ $? -ne 0 ] ; then
@ -151,7 +183,7 @@ function parseCommandline() {
shift
;;
'-h'|'--help')
printHelp
print_help
exit
;;
'--')
@ -172,10 +204,10 @@ autopilot=0
netmask=0
jail="apache-auth"
parseCommandline "$@"
parse_command_line_args "$@"
# List already banned addresses in the chosen jail
banned="$(execAsRoot fail2ban-client get "${jail}" banip)"
banned="$(exec_as_root fail2ban-client get "${jail}" banip)"
# Determine the current connections to the desired port; store the raw data in
# $fileraw.
@ -422,7 +454,7 @@ sudo -k
# one of them.
while read -r addr ; do
echo "Banning ${addr} ..."
execAsRoot fail2ban-client set "${jail}" banip "${addr}"
exec_as_root fail2ban-client set "${jail}" banip "${addr}"
done < "${banlist}"
echo -e "${green}All done!${reset}"
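Review bot: The new `check_installed` in the third hunk probes with `which`, which is not a POSIX utility and is itself an external binary that can be absent on a minimal host, while the file's shebang is `#!/bin/sh`; the portable built-in is `command -v "${command}" >/dev/null 2>&1`, and the `[[ "${result}" -ne 0 ]]` test should likewise be `[ "${result}" -ne 0 ]` if sh is meant (the script already uses `function` and `pushd`, so either the shebang is effectively bash or these are latent breakages — worth settling explicitly). The `exit 1` on the failure path fires the EXIT trap on the preceding line, which runs `popd` and `rm -r ${tmpdir}`; the call sites of `check_installed` are not in this diff, but if it runs before `tmpdir` is assigned the cleanup operates on an empty, unquoted name, so either invoke the checks only after `tmpdir` and `pushd` are set up or guard the trap with `[ -n "${tmpdir}" ] && rm -r -- "${tmpdir}"`. The function also has no header comment; suggest `# Exit with a hint naming package $2 when command $1 is not on PATH.`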