Looping Through a List of Signatures in a Bash Script

When you write scripts for administrative purposes, you often need to evaluate a list and then take action based on what it contains.
This script is an example of that process. It is designed to be run by a Nagios server to monitor and respond to web site attacks.
The heart of the script is the loop below, which compares each signature in a list against the log file, looking for a match.

# Loop body reconstructed: the page lost the text between '<' and '>'.
# One match count per signature is appended to /tmp/attack.
for i in $(awk '{print}' $attacksig)
do
grep -c "$i" $logfile >> /tmp/attack
done

This script is a simple example of monitoring a number of attack signatures focused on a web site.
Once an attack has been recognized, the script responds by blocking the attacker's IP address, notifying administrators and then resetting the check ready for the next attack, thus MRNR (Monitor, Respond, Notify, Reset).

cfg="/usr/local/nagios/etc/send_nsca.cfg"
logfile="/var/log/httpd/access_log"
attacksig=attacksig.txt
badip="/etc/banned"
rm -f /tmp/attack
# Loop body reconstructed: the page lost the text between '<' and '>'.
# One match count per signature is appended to /tmp/attack.
for i in $(awk '{print}' $attacksig)
do
grep -c "$i" $logfile >> /tmp/attack
done
# a count containing the digit 1 or 2 for any signature flags an attack
x=$(egrep "1|2" /tmp/attack | wc -l)
if [ $x -eq 0 ]
then
# NSCA passive check result (host;service;state;output) to be sent with send_nsca and $cfg
cmd="bash;Pass-WebMultAttack;0;All Systems Look OK"
stateid=0
else
cmd="bash;Pass-WebMultAttack;2;ATTACK UNDER WAY: DEFENSIVE ACTIONS BEING TAKEN"
stateid=2
fi
# -f reads the patterns from the signature file; without it grep searched the log for the file name itself
grep -f $attacksig $logfile | awk '{ print $1 }' >> /etc/banned
# THIS SECTION COMMENTED TO STOP BLOCKING IN DEMO
banned=$( grep -v -E "^#" $badip )
for ip in $banned
do
iptables -I INPUT -p tcp -s $ip -j DROP
done
exit $stateid
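The scan and detection steps of the script above, reworked as an added example that is not the post's own code. It runs against a constructed signature list and access_log sample in a temporary directory, counts matches per signature as the post's loop does, derives the Nagios state from the total count instead of the egrep "1|2" test, and lists the offending source IPs ready for a ban list.

```shell
#!/usr/bin/env bash
# Added example, not the post's script. Same inputs as the post: one
# signature per line, Apache access_log with the client IP in field 1.
set -u
workdir=$(mktemp -d)

# Constructed sample data (not from a real server).
cat > "$workdir/attacksig.txt" <<'EOF'
/etc/passwd
../..
union select
EOF
cat > "$workdir/access_log" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /?id=1 union select 1,2 HTTP/1.1" 200 330
192.0.2.9 - - [10/Oct/2023:13:55:45 +0000] "GET /about.html HTTP/1.1" 200 780
EOF

# One match count per signature, as the post's loop writes to /tmp/attack.
# -F treats each signature as a literal string, so "../.." is not a regex.
count_hits() {            # $1 = signature file, $2 = log file
    local sig
    while IFS= read -r sig; do
        [ -n "$sig" ] || continue
        grep -c -F -- "$sig" "$2" || true   # grep exits 1 on zero matches
    done < "$1"
}

# Nagios state: 2 (CRITICAL) if any signature matched, else 0 (OK). Summing
# the counts avoids the post's egrep "1|2" test, which misses a count of 3
# and fires on a count of 10.
attack_state() {          # $1 = signature file, $2 = log file
    local total=0 n
    for n in $(count_hits "$1" "$2"); do total=$((total + n)); done
    [ "$total" -gt 0 ] && echo 2 || echo 0
}

# Source IPs behind the matching requests, de-duplicated, ready for a ban list.
attacker_ips() {          # $1 = signature file, $2 = log file
    grep -F -f "$1" "$2" | awk '{ print $1 }' | sort -u
}

echo "state=$(attack_state "$workdir/attacksig.txt" "$workdir/access_log")"
attacker_ips "$workdir/attacksig.txt" "$workdir/access_log"
```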

Understanding the Script
cfg="/usr/local/nagios/etc/send_nsca.cfg"

This line points to the configuration file that contains the password and encryption method used to connect to the Nagios server.
