Swatch: Unterschied zwischen den Versionen

(swatch)
 
(typo)
Zeile 1: Zeile 1:
the active log file monitoring tool. Swatch started out as the "simple watchdog" for activly monitoring log files produced by UNIX's syslog facility. It has since been evolving into a utility that can monitor just about any type of log.  
the active log file monitoring tool. Swatch started out as the "simple watchdog" for activly monitoring log files produced by UNIX's syslog facility. It has since been evolving into a utility that can monitor just about any type of log.


http://swatch.sourceforge.net/
http://swatch.sourceforge.net/
Zeile 14: Zeile 14:


=/etc/init.d/swatch=
=/etc/init.d/swatch=
<source lang=sh>
<source lang="bash">
#! /bin/sh
#! /bin/sh
### BEGIN INIT INFO
### BEGIN INIT INFO
Zeile 62: Zeile 62:
do_start()
do_start()
{
{
        # Return
# Return
        #  0 if daemon has been started
#  0 if daemon has been started
        #  1 if daemon was already running
#  1 if daemon was already running
        #  2 if daemon could not be started
#  2 if daemon could not be started
        #start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
#start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        #      || return 1
#      || return 1
        #start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
#start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        #      $DAEMON_ARGS \
#      $DAEMON_ARGS \
        #      || return 2
#      || return 2
        # Add code here, if necessary, that waits for the process to be ready
# Add code here, if necessary, that waits for the process to be ready
        # to handle requests from services started subsequently which depend
# to handle requests from services started subsequently which depend
        # on this one.  As a last resort, sleep for some time.
# on this one.  As a last resort, sleep for some time.
        if [ ! -d ${SWATCH_SCRIPTDIR} ]; then
if [ ! -d ${SWATCH_SCRIPTDIR} ]; then
                mkdir ${SWATCH_SCRIPTDIR}
mkdir ${SWATCH_SCRIPTDIR}
        fi
fi


        swatch --script-dir=${SWATCH_SCRIPTDIR} \
swatch --script-dir=${SWATCH_SCRIPTDIR} \
                --tail-file=${SWATCH_TAILFILE} \
--tail-file=${SWATCH_TAILFILE} \
                --config-file=/etc/swatch/swatch.conf \
--config-file=/etc/swatch/swatch.conf \
                --pid-file=/var/run/swatch.pid \
--pid-file=/var/run/swatch.pid \
                --tail-args='--follow=name --lines=1' \
--tail-args='--follow=name --lines=1' \
                --daemon \
--daemon \
                >> /var/log/swatch.log \
>> /var/log/swatch.log \
                2>> /var/log/swatch-err.log
2>> /var/log/swatch-err.log
        #      --tail-args='--follow=name --lines=1'
#      --tail-args='--follow=name --lines=1'
                #--tail-args="${SWATCH_TAILARGS}" \
#--tail-args="${SWATCH_TAILARGS}" \


}
}
Zeile 96: Zeile 96:
do_stop()
do_stop()
{
{
        # Return
# Return
        #  0 if daemon has been stopped
#  0 if daemon has been stopped
        #  1 if daemon was already stopped
#  1 if daemon was already stopped
        #  2 if daemon could not be stopped
#  2 if daemon could not be stopped
        #  other if a failure occurred
#  other if a failure occurred
        #start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
#start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
        kill -9 `cat /var/run/swatch.pid`
kill -9 `cat /var/run/swatch.pid`
        RETVAL="$?"
RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
[ "$RETVAL" = 2 ] && return 2
        # Wait for children to finish too if this is a daemon that forks
# Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
# and if the daemon is only ever run from this initscript.
        # If the above conditions are not satisfied then add some other code
# If the above conditions are not satisfied then add some other code
        # that waits for the process to drop all resources that could be
# that waits for the process to drop all resources that could be
        # needed by services started subsequently.  A last resort is to
# needed by services started subsequently.  A last resort is to
        # sleep for some time.
# sleep for some time.
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2
[ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
# Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE
rm -f $PIDFILE
        return "$RETVAL"
return "$RETVAL"
}
}


Zeile 122: Zeile 122:
#
#
do_reload() {
do_reload() {
        #
#
        # If the daemon can reload its configuration without
# If the daemon can reload its configuration without
        # restarting (for example, when it is sent a SIGHUP),
# restarting (for example, when it is sent a SIGHUP),
        # then implement that here.
# then implement that here.
        #
#
        start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
        return 0
return 0
}
}


case "$1" in
case "$1" in
  start)
start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
do_start
        case "$?" in
case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
esac
        ;;
;;
  stop)
stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
do_stop
        case "$?" in
case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
esac
        ;;
;;
  #reload|force-reload)
#reload|force-reload)
        #
#
        # If do_reload() is not implemented then leave this commented out
# If do_reload() is not implemented then leave this commented out
        # and leave 'force-reload' as an alias for 'restart'.
# and leave 'force-reload' as an alias for 'restart'.
        #
#
        #log_daemon_msg "Reloading $DESC" "$NAME"
#log_daemon_msg "Reloading $DESC" "$NAME"
        #do_reload
#do_reload
        #log_end_msg $?
#log_end_msg $?
        #;;
#;;
  restart|force-reload)
restart|force-reload)
        #
#
        # If the "reload" option is implemented then remove the
# If the "reload" option is implemented then remove the
        # 'force-reload' alias
# 'force-reload' alias
        #
#
        log_daemon_msg "Restarting $DESC" "$NAME"
log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
do_stop
        case "$?" in
case "$?" in
          0|1)
0|1)
                do_start
do_start
                case "$?" in
case "$?" in
                        0) log_end_msg 0 ;;
0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
*) log_end_msg 1 ;; # Failed to start
                esac
esac
                ;;
;;
          *)
*)
                # Failed to stop
# Failed to stop
                log_end_msg 1
log_end_msg 1
                ;;
;;
        esac
esac
        ;;
;;
  *)
*)
        #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 3
exit 3
        ;;
;;
esac
esac


Zeile 190: Zeile 190:


=/etc/swatch/swatch.conf=
=/etc/swatch/swatch.conf=
<source lang=sh>
<source lang="bash">
# Global swatch filter file
# Global swatch filter file


Zeile 199: Zeile 199:
#Apr  5 01:12:58 mygretchen pure-ftpd: (?@217.229.137.69) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
#Apr  5 01:12:58 mygretchen pure-ftpd: (?@217.229.137.69) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
watchfor /(.*)pure-ftpd: (.*)\@(.*)\)( \[WARNING\] Sorry, cleartext sessions are not accepted)(.*)/
watchfor /(.*)pure-ftpd: (.*)\@(.*)\)( \[WARNING\] Sorry, cleartext sessions are not accepted)(.*)/
        throttle threshold=20,delay=0:1:0,key=PUREFTP
throttle threshold=20,delay=0:1:0,key=PUREFTP
        echo bold
echo bold
        mail addresses=sadmin\@mygretchen.de,subject="FTP:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
mail addresses=sadmin\@mygretchen.de,subject="FTP:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
        exec "/etc/swatch/scripts/shorewall.sh $3"
exec "/etc/swatch/scripts/shorewall.sh $3"
        #exec echo $3 >> /var/log/swatch_ftp.log
#exec echo $3 >> /var/log/swatch_ftp.log


</source>
</source>
=/etc/swatch/scripts/shorewall.sh=
=/etc/swatch/scripts/shorewall.sh=
<source lang=sh>
<source lang="bash">
#!/bin/sh
#!/bin/sh
IP=`host $1|awk {'print $3'}`
IP=`host $1|awk {'print $3'}`
Zeile 213: Zeile 213:


if [ "x$IP" != "x" ]; then
if [ "x$IP" != "x" ]; then
        /sbin/shorewall drop $IP
/sbin/shorewall drop $IP
        mail sadmin -s shorewall<<END
mail sadmin -s shorewall<<END
$IP was dropped
$IP was dropped
END
END
else
else
        IP=`host $1|grep Address|awk {'print $2'}`
IP=`host $1|grep Address|awk {'print $2'}`
        if [ "x$IP" != "x" ]; then
if [ "x$IP" != "x" ]; then
                /sbin/shorewall drop $IP
/sbin/shorewall drop $IP
                mail sadmin -s shorewall<<END
mail sadmin -s shorewall<<END
$IP was dropped
$IP was dropped
END
END
        else
else
        mail sadmin -s shorewall<<END
mail sadmin -s shorewall<<END
Problem to drop $1: $IP
Problem to drop $1: $IP
END
END
        fi
fi
fi
fi
</source>
</source>
[[Kategorie:Debian]]

Version vom 13. April 2008, 19:07 Uhr

the active log file monitoring tool. Swatch started out as the "simple watchdog" for actively monitoring log files produced by UNIX's syslog facility. It has since been evolving into a utility that can monitor just about any type of log.

http://swatch.sourceforge.net/

Problem: Scan-Attacken auf den FTP-Server

Apr 13 05:25:00 mygretchen pure-ftpd: (?@88.198.15.174) [INFO] New connection from 88.198.15.174
Apr 13 05:25:00 mygretchen pure-ftpd: (?@88.198.15.174) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.

Solution: Monitor syslog and drop the offending IP address via Shorewall (iptables)

/etc/init.d/swatch

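#! /bin/sh
### BEGIN INIT INFO
# Provides:          swatch
# Required-Start:    $local_fs $remote_fs $syslog
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Swatch log file monitor
# Description:       Starts the swatch daemon, which tails the log file named
#                    in /etc/default/swatch and runs the actions configured
#                    in /etc/swatch/swatch.conf on matching lines.
### END INIT INFO

# Author: Jonathan Tietz
#
# Derived from the Debian initscript skeleton; the "Provides: skeleton" /
# "Example initscript" header of the template has been replaced above so
# insserv sees this script as providing "swatch".

# Do NOT "set -e": the return codes of do_start/do_stop are examined by the
# case dispatcher below, so a failing command must not abort the script.

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Swatch LogFile-Monitor"
NAME=swatch
DAEMON=/usr/bin/$NAME
# Kept for reference; do_start builds its own swatch command line.
DAEMON_ARGS="--daemon --awk-field-syntax --config-file=/etc/swatch/swatch.conf"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present.
# It is expected to set SWATCH_SCRIPTDIR and SWATCH_TAILFILE for do_start.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions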

#
# Function that starts the daemon/service
#
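do_start()
{
        # Start the swatch daemon.
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started
        #
        # SWATCH_SCRIPTDIR and SWATCH_TAILFILE come from /etc/default/swatch.
        # With either of them empty the swatch command line below would carry
        # an empty --script-dir= / --tail-file=, so refuse to start instead of
        # launching a misconfigured daemon.
        if [ -z "$SWATCH_SCRIPTDIR" ] || [ -z "$SWATCH_TAILFILE" ]; then
                echo "$NAME: SWATCH_SCRIPTDIR and SWATCH_TAILFILE must be set in /etc/default/$NAME" >&2
                return 2
        fi

        # --test only reports whether a start would happen; it exits non-zero
        # when the pidfile already points at a live process, which is the
        # "already running" case and keeps a second instance from starting.
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
                || return 1

        # swatch is handed this directory via --script-dir, so make sure it exists.
        if [ ! -d "$SWATCH_SCRIPTDIR" ]; then
                mkdir -p "$SWATCH_SCRIPTDIR" || return 2
        fi

        # The daemon's own output is appended to the swatch log files; the pid
        # file is the same one do_stop and the --test check above look at.
        "$DAEMON" --script-dir="$SWATCH_SCRIPTDIR" \
                --tail-file="$SWATCH_TAILFILE" \
                --config-file=/etc/swatch/swatch.conf \
                --pid-file="$PIDFILE" \
                --tail-args='--follow=name --lines=1' \
                --daemon \
                >> /var/log/swatch.log \
                2>> /var/log/swatch-err.log \
                || return 2
        return 0
}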

#
# Function that stops the daemon/service
#
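do_stop()
{
        # Stop the swatch daemon.
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        #
        # The pid recorded at start is used through start-stop-daemon instead of
        # kill -9 `cat pidfile`: a missing or empty pidfile is then reported as
        # "already stopped" (1) rather than kill erroring out or a stale pid
        # being signalled, and the daemon first receives TERM with 30 seconds
        # to exit before KILL is used.
        # The template's additional --name $NAME match is not applied, because
        # it only works if the daemon's process name really is "swatch"
        # (not verified here); the pidfile alone identifies the process.
        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE"
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        # Second pass by executable, kept from the template: catches a swatch
        # process the pidfile did not point at.  --oknodo makes "nothing to do"
        # a success here.
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON"
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        rm -f "$PIDFILE"
        return "$RETVAL"
}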

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
        #
        # Ask the daemon identified by the pidfile to re-read its
        # configuration by sending it signal 1 (SIGHUP).  The outcome of the
        # signal delivery is deliberately not propagated: this always returns 0.
        #
        start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --name "$NAME" --signal 1
        return 0
}

case "$1" in
  start)
        if [ "$VERBOSE" != no ]; then
                log_daemon_msg "Starting $DESC" "$NAME"
        fi
        do_start
        rc=$?
        if [ "$VERBOSE" != no ]; then
                # 0 = started, 1 = already running: both count as success.
                case "$rc" in
                        0|1) log_end_msg 0 ;;
                        2) log_end_msg 1 ;;
                esac
        fi
        ;;
  stop)
        if [ "$VERBOSE" != no ]; then
                log_daemon_msg "Stopping $DESC" "$NAME"
        fi
        do_stop
        rc=$?
        if [ "$VERBOSE" != no ]; then
                # 0 = stopped, 1 = was not running: both count as success.
                case "$rc" in
                        0|1) log_end_msg 0 ;;
                        2) log_end_msg 1 ;;
                esac
        fi
        ;;
  restart|force-reload)
        # No separate "reload" action is offered; force-reload is a full restart.
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        rc=$?
        if [ "$rc" -le 1 ]; then
                do_start
                if [ "$?" -eq 0 ]; then
                        log_end_msg 0
                else
                        # 1: old process still running; anything else: failed to start
                        log_end_msg 1
                fi
        else
                # Failed to stop
                log_end_msg 1
        fi
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

# Leave the script with exit status 0 regardless of the last test above.
:

/etc/swatch/swatch.conf

# Global swatch filter file
# Each watchfor block lists the actions swatch runs, top to bottom, for a
# line matching the pattern; the exec action below hands the matched address
# to /etc/swatch/scripts/shorewall.sh.

# To ignore an IP range
#ignore /216\.239\.37\./

# Invalid FTP Login Attempts
# Sample line this pattern is written for (pure-ftpd refusing a cleartext session):
#Apr  5 01:12:58 mygretchen pure-ftpd: (?@217.229.137.69) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
# Capture groups: 1 = everything before "pure-ftpd:", 2 = text up to "@",
# 3 = text between "@" and ")" (the client address in the sample line),
# 4/5 = the warning text and the rest of the line.
watchfor /(.*)pure-ftpd: (.*)\@(.*)\)( \[WARNING\] Sorry, cleartext sessions are not accepted)(.*)/
# Rate-limits repeated matches sharing the key PUREFTP; see swatch(1) for the
# exact threshold/delay semantics.
throttle threshold=20,delay=0:1:0,key=PUREFTP
# Echo the matched line on swatch's stdout (bold).
echo bold
mail addresses=sadmin\@mygretchen.de,subject="FTP:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
# NOTE(review): $3 is meant as capture group 3 above (the text after "@");
# whether swatch expands $N as a regex backreference or as an awk-style
# field depends on its field-syntax option -- confirm against the options the
# daemon is started with.  The value is lifted from a log line produced in
# response to a remote client, so shorewall.sh must treat it as untrusted and
# validate it before passing it on.
exec "/etc/swatch/scripts/shorewall.sh $3"
#exec echo $3 >> /var/log/swatch_ftp.log

/etc/swatch/scripts/shorewall.sh

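#!/bin/sh
# Block the address swatch hands over as $1 (see the exec action in
# /etc/swatch/swatch.conf) with shorewall, and mail sadmin the outcome.
#
# $1 is text taken from a pure-ftpd log line, i.e. from data a remote client
# influenced.  Nothing derived from it reaches shorewall until it has been
# checked to be a plain IPv4 address; a hostname is first resolved with
# host(1), as the original script did.

target=$1

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with each octet 0..255.
# Anything else -- an empty answer, several words from a multi-line host(1)
# reply, a hostname, or stray punctuation carried over from the log line --
# fails.  Uses the globals old_ifs and octet (no "local" in POSIX sh).
is_ipv4() {
        case "$1" in
                ''|*[!0-9.]*) return 1 ;;
        esac
        old_ifs=$IFS
        IFS=.
        # Splitting on "." is the point here; only digits and dots survived the
        # pattern check above, so no globbing can happen.
        set -- $1
        IFS=$old_ifs
        [ "$#" -eq 4 ] || return 1
        for octet in "$@"; do
                [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
        done
        return 0
}

# Send the mail body on stdin to sadmin with the fixed subject.
notify() {
        mail sadmin -s shorewall
}

if is_ipv4 "$target"; then
        # The log already gave us an address; no lookup needed.
        ip=$target
else
        # Try the third column of host(1)'s answer first, then the "Address:"
        # line of the older output format, as the original script did.
        ip=$(host "$target" | awk '{print $3}')
        if ! is_ipv4 "$ip"; then
                ip=$(host "$target" | grep Address | awk '{print $2}')
        fi
fi

if is_ipv4 "$ip"; then
        if /sbin/shorewall drop "$ip"; then
                notify <<END
$ip was dropped
END
        else
                notify <<END
Problem to drop $target: shorewall drop $ip failed
END
        fi
else
        notify <<END
Problem to drop $target: no valid IPv4 address found (got: $ip)
END
fi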