Added logtail.

fecba9a5 · Steve Kemp · 64227c51 · fecba9a5 · fecba9a5 · fecba9a5
Commit fecba9a5 authored Jul 31, 2009 by Steve Kemp
--- a/firewall/bin/firewall-blacklist
+++ b/firewall/bin/firewall-blacklist
@@ -98,8 +98,8 @@ $CONFIG{ 'input' }     = "/etc/firewall/patterns.d/";
 $CONFIG{ 'blacklist' } = "/etc/firewall/blacklist.d/";
 $CONFIG{ 'whitelist' } = "/etc/firewall/whitelist.d/";
 $CONFIG{ 'verbose' }   = 0;
-$CONFIG{ 'attempts' } = 5;    # count of attacks before blacklisting
-$CONFIG{ 'expire' }   = 2;    # number of days to keep records
+$CONFIG{ 'attempts' }  = 5;    # count of attacks before blacklisting
+$CONFIG{ 'expire' }    = 2;    # number of days to keep records



@@ -393,7 +393,7 @@ sub processRules
    return 0 if ( !-e $file );


-    open( FILE, "<", $file )
+    open( FILE, "/usr/bin/firewall-logtail $file|" )
      or die "failed to read logfile: $file - $!";

    foreach my $line (<FILE>)

--- a/firewall/bin/firewall-logtail
+++ b/firewall/bin/firewall-logtail
+#!/usr/bin/perl
+
+# Copyright (C) 2003 Jonathan Middleton <jjm@ixtab.org.uk>
+# Copyright (C) 2001 Paul Slootman <paul@debian.org>
+
+# This file is part of Logcheck.
+
+# Logcheck is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# Logcheck is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with Logcheck; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+use strict;
+use warnings;
+my ($size, $logfile, $offsetfile);
+use Getopt::Std;
+my %opts = ();
+
+# process args and switches
+my ($TEST_MODE) = 0;
+getopts("f:o:t", \%opts);
+
+# try to detect plain logtail invocation without switches
+if (!$opts{f} && $#ARGV != 0 && $#ARGV != 1) {
+   print STDERR "No logfile to read. Use -f [LOGFILE].\n";
+   exit 66;
+} elsif ($#ARGV == 0) {
+   $logfile = $ARGV[0];
+} elsif ($#ARGV == 1) {
+   ($logfile, $offsetfile) = ($ARGV[0], $ARGV[1]);
+} else {
+   ($logfile, $offsetfile) = ($opts{f}, $opts{o});
+}
+
+if ($opts{t}) {
+    $TEST_MODE = 1;
+}
+
+
+if (! -f $logfile) {
+    print STDERR "File $logfile cannot be read.\n";
+    exit 66;
+}
+unless ($offsetfile) {
+    # offsetfile not given, use .offset/$logfile in the same directory
+    $offsetfile = $logfile . '.offset';
+}
+
+unless (open(LOGFILE, $logfile)) {
+    print STDERR "File $logfile cannot be read.\n";
+    exit 66;
+}
+
+my ($inode, $ino, $offset) = (0, 0, 0);
+
+unless (not $offsetfile) {
+    if (open(OFFSET, $offsetfile)) {
+        $_ = <OFFSET>;
+        unless (! defined $_) {
+       	    chomp $_;
+	    $inode = $_;
+	    $_ = <OFFSET>;
+	    unless (! defined $_) {
+	        chomp $_;
+	        $offset = $_;
+	    }
+        }
+    }
+
+    unless ((undef,$ino,undef,undef,undef,undef,undef,$size) = stat $logfile) {
+        print STDERR "Cannot get $logfile file size.\n", $logfile;
+        exit 65;
+    }
+
+    if ($inode == $ino) {
+        exit 0 if $offset == $size; # short cut
+        if ($offset > $size) {
+            $offset = 0;
+        }
+    }
+    if ($inode != $ino || $offset > $size) {
+        $offset = 0;
+    }
+    seek(LOGFILE, $offset, 0);
+}
+
+while (<LOGFILE>) {
+    print $_;
+}
+
+$size = tell LOGFILE;
+close LOGFILE;
+
+# update offset, unless test mode
+unless ($TEST_MODE) {
+    unless (open(OFFSET, ">$offsetfile")) {
+        print STDERR "File $offsetfile cannot be created. Check your permissions.\n";
+        exit 73;
+    }
+    print OFFSET "$ino\n$size\n";
+    close OFFSET;
+}
+exit 0;
--- a/firewall/cron.d/firewall-blocker
+++ b/firewall/cron.d/firewall-blocker
 # Crontab snippet which will invoke our firewall-based blocker to firewall
 # away people who conduct dictionary attacks.
+#
+# We run every fifteen minutes deliberately so that we get a fair chance of
+# catching a remote IP which makes multiple rejections in between our testing
+# attempts.
+#
+# (Since we only process *new* logfile entries each time we start.)
+#

-*/5 * * * * root [ -x /usr/bin/firewall-blacklist ] && /usr/bin/firewall-blacklist
+*/15 * * * * root [ -x /usr/bin/firewall-blacklist ] && /usr/bin/firewall-blacklist

--- a/firewall/debian/bytemark-vhost-firewall.install
+++ b/firewall/debian/bytemark-vhost-firewall.install
 rule.d/*               usr/share/firewall
 bin/firewall           usr/bin
 bin/firewall-blacklist usr/bin
+bin/firewall-logtail   usr/bin
 bin/firewall-test      etc/cron.hourly
 patterns.d/            etc/firewall
 cron.d/*               etc/cron.d/
\ No newline at end of file
--- a/firewall/debian/changelog
+++ b/firewall/debian/changelog
@@ -2,6 +2,9 @@ bytemark-vhost-firewall (20090731104804) stable; urgency=low

  * If the firewall-blacklist program is disabled then reload the
    firewall prior to exiting - to flush out bogus entries.
+  * Added the "logtail" script from the Debian logcheck package so
+    that we only process new entries.
+  * Changed our cronjob so that we run every 15 minutes not every 5.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 31 Jul 2009 10:48:04 +0000