How to: writing a Watch Failed Logins script



linnou
11-02-2013, 01:49 AM GMT
Peace be upon you, and the mercy and blessings of God.

We are going to write a script that watches for failed logins to the server.

The failed-login watcher works by monitoring the log file of the ProFTPD FTP server.


Create a script file named proftpd_block.sh

and put the following in it:

Code:

<code>#!/bin/sh
# script name: proftpd_block.sh
# location: /share/custom/scripts
# purpose: watch the proftpd logfile and detect failed login attempts
# designed for Qnap TS-201
#
# this script assumes the following log config (in proftpd.conf):
# LogFormat userlog "%u %P %a %h %t \"%r\" %s"
# ExtendedLog /share/MD0_DATA/data/website/ftplogs/proftpd.log AUTH,READ,WRITE userlog

datim=$(date +%F-%H%M)
# customize paths of files:
log2file=/share/.../ftplogs/block.log
# proftpd logfile:
logfile=/share/.../ftplogs/proftpd.log
# file that stores the ips that failed to login (layout: ip count since_epoch datim):
watchfile=/share/custom/scripts/proftpd_watch.ip
# tmp watch file (used when editing the file)
tmpfile=/share/custom/scripts/proftpd_watch.ip.new

# path to your standard/customized proftpd.conf file
# the file must be manually edited to end with the following lines:
# <Limit LOGIN>
# #manually entered blocked ips:
# #1.2.3.4
# #######################################
# ## IPs below are automatically added ##
# #######################################
# </Limit>
cfgfile=/share/custom/customized/proftpd.conf
# intermediate configfile (used when editing config)
tmpcfgfile=/share/custom/customized/proftpd.conf.new
# max number of failed logins per ip:
maxfailedlogin=3

# rotate the logfiles, keeping 9 generations (customize location of logfiles!);
# errors for generations that do not exist yet are silenced
i=8
while [ $i -ge 1 ]; do
  /bin/mv /share/.../ftplogs/block.log.$i /share/.../ftplogs/block.log.$((i+1)) 2>/dev/null
  i=$((i-1))
done
/bin/mv /share/.../ftplogs/block.log /share/.../ftplogs/block.log.1 2>/dev/null
echo $(date +%F-%H%M) "BCK: Starting Proftpd blocking..." $datim > $log2file

# ensure the logfile and the watchfile exist, so tail/grep will not fail & exit the script:
touch $logfile $watchfile
# tail the logfile:
tail -n 0 -f $logfile | while read logline
do
  ip=''
  result=''
  ncount=0
  # field 3 of the log line is the client ip (%a), the last field is the status code (%s)
  for e in $logline
  do
    ncount=$((ncount+1))
    if [ "x${ncount}" = "x3" ]; then
      ip=$e
    fi
    result=$e
  done
  # a line without an ip would make the greps below match everything; skip it
  if [ "x$ip" = "x" ]; then
    continue
  fi
  if [ "x$result" = "x530" ]; then
    # failed login
    echo $(date +%F-%H%M) 'BCK: FAILED login from' $ip >> $log2file

    # read attempts from watchfile
    # (-F -w: exact match, so 1.2.3.4 does not also match 1.2.3.45 or 11.2.3.4)
    block=$(grep -F -w -- "$ip" $watchfile)

    count=0
    if [ "x${block}" = "x" ]; then
      # new ip:
      echo $(date +%F-%H%M) 'BCK: new ip:' $ip >> $log2file
      count=1
    else
      # existing ip
      echo $(date +%F-%H%M) 'BCK: existing ip' $ip >> $log2file
      # read nr attempts (field 2 of the watchfile line):
      ncount=0
      for t in $block
      do
        ncount=$((ncount+1))
        if [ "x${ncount}" = "x2" ]; then
          # nr of login attempts
          count=$t
        fi
      done
      count=$((count+1))
    fi
    # remove ip from watchlist
    grep -v -F -w -- "$ip" $watchfile > $tmpfile
    mv $tmpfile $watchfile

    if [ "$count" -gt "$maxfailedlogin" ]; then
      echo $(date +%F-%H%M) 'BCK: Denying' $ip >> $log2file
      echo $ip 0 $(date +%s) $(date +%F-%H%M) >> $watchfile
      # must modify proftpd.conf: drop the closing </Limit>, append the Deny
      # line inside <Limit LOGIN>, then close the block again
      grep -v -F -w -- "$ip" $cfgfile | grep -vi /LIMIT > $tmpcfgfile
      echo " Deny" $ip >> $tmpcfgfile
      echo "</LIMIT>" >> $tmpcfgfile

      mv $tmpcfgfile $cfgfile

      # and reread config:
      /etc/init.d/ftp.sh reconfig >> $log2file
    else
      # add to watchfile:
      echo $(date +%F-%H%M) 'BCK: Inc Attempts to' $count 'for' $ip >> $log2file
      echo $ip $count $(date +%s) $(date +%F-%H%M) >> $watchfile
    fi
  elif [ "x$result" = "x230" ]; then
    # login OK!
    echo $(date +%F-%H%M) 'BCK: login OK from' $ip >> $log2file

    blocked=$(grep -F -w -- "$ip" $cfgfile)
    if [ "x$blocked" = "x" ]; then
      echo $(date +%F-%H%M) 'BCK:' $ip 'not blocked in proftpd.conf' >> $log2file
    else
      # remove from config
      echo $(date +%F-%H%M) 'BCK: removing' $ip 'from proftpd.conf' >> $log2file
      grep -v -F -w -- "$ip" $cfgfile > $tmpcfgfile

      mv $tmpcfgfile $cfgfile

      # and reread config:
      /etc/init.d/ftp.sh reconfig >> $log2file
    fi

    # remove ip from watch list
    blocked=$(grep -F -w -- "$ip" $watchfile)
    if [ "x$blocked" = "x" ]; then
      echo $(date +%F-%H%M) 'BCK:' $ip 'nothing to do' >> $log2file
    else
      echo $(date +%F-%H%M) 'BCK: removing' $ip 'from watchlist' >> $log2file
      grep -v -F -w -- "$ip" $watchfile > $tmpfile
      mv $tmpfile $watchfile
    fi
  fi
done
</code>


To add a cron job for the script to the crontab:

Code:

<code>37 4 * * * /share/custom/scripts/proftpd_block.sh &
</code>


This cron job does the automatic unblocking; the default block time is 60 minutes.

Code:

<code>00 * * * * /share/custom/scripts/proftpd_block_check.sh
</code>


For the check, create a file named proftpd_block_check.sh

and add the following to it:

Code:

<code>#!/bin/sh
# script name: proftpd_block_check.sh
# location: /share/custom/scripts
# purpose: unblock blocked ip addresses from proftpd.conf
# designed for Qnap TS-201

datim=$(date +%F-%H%M)
# customize file locations!
log2file=/share/.../ftplogs/block.log
watchfile=/share/custom/scripts/proftpd_watch.ip
tmpfile=/share/custom/scripts/proftpd_watch.ip.new
# standard or your customized proftpd.conf:
cfgfile=/share/custom/customized/proftpd.conf
# tmp file, used when editing:
tmpcfgfile=/share/custom/customized/proftpd.conf.new
# block duration (in sec):
blocktime=3600

echo $(date +%F-%H%M) 'CHK: checking expired records...' >> $log2file

# ensure tmpfile is empty & exists, and that the watchfile exists:
rm -f $tmpfile >/dev/null 2>&1
touch $tmpfile $watchfile

# init global vars:
found=0
# anything blocked before this moment has expired:
dt2=$(( $(date +%s) - blocktime ))

# read through watchfile (layout: ip count since_epoch datim):
while read watchline
do
  echo $(date +%F-%H%M) 'CHK:' $watchline >> $log2file
  # init loop vars:
  ncount=0
  ip=''
  dt=''
  # find blocked time & ip in line:
  for w in $watchline
  do
    ncount=$((ncount+1))
    if [ "x$ncount" = "x1" ]; then
      ip=$w
    elif [ "x$ncount" = "x3" ]; then
      # datetime: blocked since (in secs)
      dt=$w
    fi
  done
  echo $(date +%F-%H%M) 'CHK: check if' $dt '<' $dt2 'for ip' $ip >> $log2file
  if [ -n "$ip" ] && [ -n "$dt" ] && [ "$dt" -lt "$dt2" ]; then
    # expired: drop it from the watch list and, if present, from proftpd.conf
    blocked=$(grep -F -w -- "$ip" $cfgfile)
    if [ "x${blocked}" = "x" ]; then
      echo $(date +%F-%H%M) 'CHK: removed:' $watchline >> $log2file
    else
      echo $(date +%F-%H%M) 'CHK: removed: also remove' $ip 'from proftpd.conf' >> $log2file
      found=1
      grep -v -F -w -- "$ip" $cfgfile > $tmpcfgfile
      mv $tmpcfgfile $cfgfile
      # restore the owner of the config file (customize!)
      chown michiel.everyone $cfgfile
    fi
  else
    # not expired yet (or a malformed line): keep it
    echo $watchline >> $tmpfile
  fi
done < $watchfile
mv $tmpfile $watchfile

echo $(date +%F-%H%M) 'CHK: found: ' $found >> $log2file
if [ "$found" -eq 1 ]; then
  # removed ips from watch list & config file; reread config file:
  echo $(date +%F-%H%M) 'CHK: Removed expired records' >> $log2file
  /etc/init.d/ftp.sh reconfig >> $log2file
fi

echo $(date +%F-%H%M) 'CHK: checking expired records: done' >> $log2file
</code>
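The detection rule of proftpd_block.sh (field 3 of a userlog line is the client address, the last field is the status code, more than maxfailedlogin 530 replies means deny, a 230 clears the counter) and the expiry rule of proftpd_block_check.sh, as an added example that is not part of the original post. It runs over a constructed sample log and watch file instead of a live tail; the addresses, user names and timestamps are made up.

```shell
#!/bin/sh
# Added example, not the post's own code: the detection and expiry logic of
# proftpd_block.sh / proftpd_block_check.sh as testable shell functions.
# Assumed log format (as in the post):  %u %P %a %h %t "%r" %s

MAXFAILEDLOGIN=3   # same threshold as maxfailedlogin in the post
BLOCKTIME=3600     # same block duration (seconds) as in the check script

# Constructed sample log (documentation addresses, placeholder names).
SAMPLE_LOG='alice 1201 192.0.2.10 h10.example [11/Feb/2013:01:49:00 +0000] "USER alice" 331
alice 1201 192.0.2.10 h10.example [11/Feb/2013:01:49:01 +0000] "PASS (hidden)" 530
alice 1202 192.0.2.10 h10.example [11/Feb/2013:01:49:05 +0000] "PASS (hidden)" 530
alice 1203 192.0.2.10 h10.example [11/Feb/2013:01:49:09 +0000] "PASS (hidden)" 530
alice 1204 192.0.2.10 h10.example [11/Feb/2013:01:49:13 +0000] "PASS (hidden)" 530
bob 1205 198.51.100.7 h7.example [11/Feb/2013:01:50:00 +0000] "PASS (hidden)" 530
bob 1206 198.51.100.7 h7.example [11/Feb/2013:01:50:09 +0000] "PASS (hidden)" 230'

# Constructed watch file in the post's layout: "ip count since_epoch datim".
SAMPLE_WATCH='192.0.2.10 0 1360547000 2013-02-11-0143
192.0.2.105 2 1360550900 2013-02-11-0248'

# "ip status" for one line: the address is field 3 and the status code is
# the last field, so the space inside %t and spaces in "%r" do not matter.
parse_line() {
    printf '%s\n' "$1" | awk '{ print $3, $NF }'
}

# Log lines on stdin -> addresses whose 530 count exceeds MAXFAILEDLOGIN.
# A 230 (login OK) clears that address, like the post's "login OK" branch.
addresses_to_deny() {
    awk -v max="$MAXFAILEDLOGIN" '
        $NF == "530" { fail[$3]++ }
        $NF == "230" { delete fail[$3] }
        END { for (ip in fail) if (fail[ip] > max + 0) print ip }'
}

# Watch-file lines on stdin -> addresses blocked earlier than $1 - BLOCKTIME
# ($1 is the current epoch time, passed in so the result is reproducible).
expired_addresses() {
    awk -v limit="$(($1 - BLOCKTIME))" '$3 + 0 < limit { print $1 }'
}

# Exact-match address lookup in a watch or config file: -F -w avoids the
# substring and regex-dot pitfalls of a bare "grep 1.2.3.4".
ip_listed() {
    grep -F -w -q -- "$1" "$2"
}
printf '%s\n' "$SAMPLE_LOG" | addresses_to_deny              # prints 192.0.2.10
printf '%s\n' "$SAMPLE_WATCH" | expired_addresses 1360551000 # prints 192.0.2.10
```

The pair 192.0.2.10 / 192.0.2.105 in the sample watch file is there to show why the exact match matters: a plain grep for the first address would also remove the second address's line.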


To stop the script, create a file named proftpd_block_stop.sh

and add the following to it:

Code:

<code>#!/bin/sh
# script name: proftpd_block_stop.sh
# location: /share/custom/scripts
# purpose: stop monitoring the proftpd log file and locking out ips
# designed for Qnap TS-201

# stop the watcher script and its tail ("grep -v grep" keeps the grep
# process itself out of the list of pids to kill):
kill -9 $(ps -ef | grep proftpd_block.sh | grep -v grep | cut -c 1-5)
kill -9 $(ps -ef | grep /proftpd.log | grep -v grep | cut -c 1-5)
</code>


Cron job to stop the script:

Code:

<code>34 4 * * * /share/custom/scripts/proftpd_block_stop.sh
</code>


Stay safe, God willing.
