diff -urN smeserver-xt_geoip-1.0.1.old/createlinks smeserver-xt_geoip-1.0.1/createlinks
--- smeserver-xt_geoip-1.0.1.old/createlinks 2017-09-22 09:50:47.000000000 +0400
+++ smeserver-xt_geoip-1.0.1/createlinks 2019-03-14 20:58:14.000000000 +0400
@@ -15,6 +15,7 @@
 for my $event (qw(xt_geoip-modify xt_geoip-update bootstrap-console-save console-save)) {
 templates2events("/etc/rc.d/init.d/masq", $event);
+ templates2events("/etc/crontab", $event);
 templates2events("/usr/share/xt_geoip/update_base", $event);
 if ($event ne 'xt_geoip-modify') {
 event_link("smeserver-xt_geoip-download-action", $event, "10");
diff -urN smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/crontab/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/crontab/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/crontab/xt_geoip 2019-02-28 11:38:16.000000000 +0400
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/crontab/xt_geoip 2019-03-19 21:50:21.000000000 +0400
@@ -1,2 +1,6 @@
 # saturday at 06:00 update xtables geoip base
 00 06 * * 6 root /usr/share/xt_geoip/update_base
+50 1 * * * root /usr/share/xt_geoip/geoip_stats ssh
+55 1 * * * root /usr/share/xt_geoip/geoip_stats ipt
+05 2 * * * root /usr/share/xt_geoip/geoip_listat
+# \ Pas de fin de ligne à la fin du fichier.
diff -urN smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_exstat smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_exstat
--- smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_exstat 1970-01-01 04:00:00.000000000 +0400
+++ smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_exstat 2019-03-19 22:33:38.000000000 +0400
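Review bot: The three new entries chain `geoip_stats ssh` at 01:50, `geoip_stats ipt` at 01:55 and `geoip_listat` at 02:05 purely by clock offset, so a geoip_stats run that takes longer than the five-minute gap (large log files, one geoiplookup process per IP) leaves geoip_listat summarising a `Base_*_country.lst` that is still being appended to; a single entry running the three steps in sequence, or invoking geoip_listat from the end of geoip_stats, removes that race. The fragment also appears to end in a bare `#` line flagged as having no trailing newline (`Pas de fin de ligne à la fin du fichier`), and in a concatenated e-smith template that would glue the first line of any fragment sorting after `xt_geoip` onto that comment and disable it — end the fragment with a newline. A comment above the new entries, such as `# daily stats for the previous day: geoip_stats must finish before geoip_listat runs`, would document the ordering dependency.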
@@ -0,0 +1,100 @@
+#!/bin/sh
+# Read one of the files updated by geoip_stats depending on $1 (PREF)
+# Read all of the daily scores by country on a period of D(ay) -default-, W(eek) or M(onth)
+# depending on $2
+
+EXECDIR="/usr/share/xt_geoip"
+STATDIR="/var/lib/xt_geoip"
+
+case $1 in
+ "ssh")
+ PREF="ssh"
+ TITLE=" Numbers of SSH bad attempts by country"
+ ;;
+ "ipt")
+ PREF="ipt"
+ TITLE=" Numbers of IPs banned (xt_geoip) by country"
+ ;;
+ *)
+ echo "usage : $0 'ssh|ipt' [D|W|M]"
+ exit 1
+ ;;
+esac
+
+# permanent files
+BASE2FILE="$STATDIR/Base_${PREF}_country.lst"
+# results files
+RESFILE="$STATDIR/ext${2}_${PREF}_country.lst"
+# tempo
+TMPFILE=$(mktemp $STATDIR/xt_${PREF}.XXXXXXX)
+
+# Day -1 -7 -31
+DATE1=$(date --date '1 day ago' '+%Y-%m-%d')
+
+DATE2=$DATE1
+PRD="DAY"
+if [ "X$2" == "XW" ]
+then
+ DATE2=$(date --date '8 day ago' '+%Y-%m-%d')
+ PRD="WEEK"
+
+else
+ if [ "X$2" == "XM" ]
+ then
+ DATE2=$(date --date '31 day ago' '+%Y-%m-%d')
+ PRD="MONTH"
+ fi
+fi
+
+#echo "d1: $DATE1 d2: $DATE2"
+Date1=$(date -d $DATE1 +%s)
+Date2=$(date -d $DATE2 +%s)
+#echo "d1: $Date1 d2: $Date2"
+
+cd $EXECDIR
+
+# yesterday already in base ?
+if [ ! -f $BASE2FILE ]
+then
+ echo "$0 : File $BASE2FILE does not exist."
+ exit 1
+fi
+
+TOT=0
+while read -r line
+do
+ DATELIG=$(date -d $(echo "$line" | cut -s -d';' -f1) +%s)
+ if [ $DATELIG -le $Date1 -a $DATELIG -ge $Date2 ]
+ then
+ echo "$line" >> $TMPFILE
+ TOT=$(expr $TOT + $(echo "$line" | cut -s -d';' -f3))
+ fi
+done < $BASE2FILE
+
+#echo "tot: $TOT"
+
+# number of incidents by country code, sorted reverse by number
+awk -F ";" -v v1=$TOT -v OFS=";" \
+ '{t[$2]=$2; t1[$2]+=$3} END {for(n in t) printf("%s | %d | %0.1f%\n", t[n], t1[n], (t1[n]*100)/v1)}' $TMPFILE | sort -t "|" -k 3 -r -n > $RESFILE
+
+rm -f $TMPFILE
+
+# for mail
+if [ -s $RESFILE ]
+then
+ echo ""
+ echo " Smeserver daily statistics for Xtables - GEOIP"
+ echo " from $(hostname) - $DATE1"
+ echo ""
+ echo " $TITLE during LAST $PRD"
+ echo " ( XX means 'country not found' )"
+ echo ""
+ echo "--------------------"
+ cat $RESFILE
+ echo "--------------------"
+ echo " | $TOT | 100%"
+ echo "--------------------"
+ echo ""
+
+fi
+
diff -urN smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_listat smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_listat
--- smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_listat 1970-01-01 04:00:00.000000000 +0400
+++ smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_listat 2019-03-16 18:34:46.000000000 +0400
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+EXECDIR="/usr/share/xt_geoip"
+STATDIR="/var/lib/xt_geoip"
+
+for pref in $(echo 'ipt ssh')
+do
+ echo "" > ${STATDIR}/extA_${pref}_country.lst
+ for period in $(echo 'D W M')
+ do
+ ${EXECDIR}/geoip_exstat $pref $period >> $STATDIR/extA_${pref}_country.lst
+ done
+ cat $STATDIR/extA_${pref}_country.lst
+done
diff -urN smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_look smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_look
--- smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_look 1970-01-01 04:00:00.000000000 +0400
+++ smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_look 2019-03-19 22:36:34.000000000 +0400
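Review bot: `$2` is interpolated unvalidated into `RESFILE="$STATDIR/ext${2}_${PREF}_country.lst"` while only `W` and `M` are actually interpreted, so any other value (a slash, spaces, an empty string) yields a stray or failing output path and then silently falls through to the DAY period; the only caller in this change, geoip_listat, passes D, W or M, so rejecting everything else up front costs nothing. `TMPFILE=$(mktemp …)` is also created before the `[ ! -f $BASE2FILE ]` test, so that `exit 1` leaves a temp file in `$STATDIR` on every run until the base exists — move the mktemp below the check or add `trap 'rm -f "$TMPFILE"' EXIT`; geoip_stats has the same ordering around its "already run" `exit 1`. In the while loop, `cut -s` prints nothing for a line without `;`, leaving `DATELIG` empty and making the `[ … -le … ]` test fail with an error, and the awk format `%0.1f%\n` should spell the literal percent as `%%`. The script is `#!/bin/sh` but uses `==` inside `[ ]`, which only works where sh is bash.
```sh
# … unchanged: case on $1 selecting PREF and TITLE …
# Only D, W, M (or nothing, meaning D) are valid periods; $2 is also used
# verbatim in the RESFILE name, so refuse anything else before touching files.
case "$2" in
  ""|D|W|M) ;;
  *)
    echo "usage : $0 'ssh|ipt' [D|W|M]" >&2
    exit 1
    ;;
esac
# … unchanged: file names, mktemp, date arithmetic, aggregation, mail output …
```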
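Review bot: `for pref in $(echo 'ipt ssh')` and `for period in $(echo 'D W M')` spawn a subshell just to word-split a literal list; `for pref in ipt ssh; do` and `for period in D W M; do` are the direct form. The aggregate path `$STATDIR/extA_${pref}_country.lst` is spelled three times with two different brace styles — assign it once per iteration, `out="$STATDIR/extA_${pref}_country.lst"`, and quote it in the redirections and the `cat`. A header comment stating the script's job would help the next reader, e.g. `# Build and print the D/W/M country summaries for ipt and ssh (cron runs this after geoip_stats)`.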
@@ -0,0 +1,14 @@
+#! /bin/bash
+
+if [ "X$1" == "X" ]; then exit 1; fi
+if [ ! $(which geoiplookup 2>/dev/null) ]; then echo "??"; exit 9; fi
+
+CN=$(geoiplookup $1 2>/dev/null | grep 'GeoIP Country' | sed -e 's/^.*: //' -e 's/,.*$//')
+if [ "$CN" = "IP Address not found" ]
+then
+ echo "XX"
+else
+ echo $CN
+fi
+
+
diff -urN smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_stats smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_stats
--- smeserver-xt_geoip-1.0.1.old/root/usr/share/xt_geoip/geoip_stats 1970-01-01 04:00:00.000000000 +0400
+++ smeserver-xt_geoip-1.0.1/root/usr/share/xt_geoip/geoip_stats 2019-03-06 13:50:37.000000000 +0400
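Review bot: `geoiplookup $1` passes its argument unquoted and unchecked, and the only caller in this change is awk's `system("./geoip_look " $1)` in geoip_stats, where the value is a field cut out of log lines by sed — a string that originated in network traffic reaches a shell command line through `system()` and is then word-split and glob-expanded again here. A guard at the top, `case "$1" in ""|*[!0-9.]*) echo "XX"; exit 1 ;; esac`, accepts only a dotted IPv4 literal and keeps the `XX` convention the caller already treats as "country not found"; if IPv6 sources can appear in these logs the check needs widening. `[ ! $(which geoiplookup …) ]` relies on an unquoted empty expansion to test presence — `command -v geoiplookup >/dev/null || { echo "??"; exit 9; }` says the same thing portably — and the final `echo $CN` should be quoted.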
@@ -0,0 +1,88 @@
+#!/bin/sh
+# Read the log files depending on $1 (PREF)
+# Read all of the IPs concerned, search countries and count them.
+# exec crontab 2h AM for previous day
+
+EXECDIR="/usr/share/xt_geoip"
+STATDIR="/var/lib/xt_geoip"
+
+case $1 in
+ "ssh")
+ PREF="ssh"
+ LOGDIR="/var/log/sshd"
+ CMD1='cat'
+ CMD2=' | /usr/local/bin/tai64nlocal | grep'
+ CMD3=' | grep "Failed password" | sed -e "s/^.*from //" -e "s/ port.*$//" >> $RESFILE'
+ ;;
+ "ipt")
+ PREF="ipt"
+ LOGDIR="/var/log/iptables"
+ CMD1='cat'
+ CMD2=' | /usr/local/bin/tai64nlocal | grep '
+ CMD3=' | grep "GeoIP BAN" | sed -e "s/^.*SRC=//" -e "s/ DST=.*$//" >> $RESFILE'
+ ;;
+ *)
+ echo "usage : $0 [ssh|ipt|....]"
+ exit 1
+ ;;
+esac
+# files of the day
+RESFILE="$STATDIR/${PREF}_ip.lst"
+RES2FILE="$STATDIR/${PREF}_country.lst"
+# permanent files
+BASEFILE="$STATDIR/Base_${PREF}_ip.lst"
+BASE2FILE="$STATDIR/Base_${PREF}_country.lst"
+# tempo
+TMPFILE=$(mktemp $STATDIR/xt_${PREF}.XXXXXXX)
+# Day - 1
+DATE=$(date --date '1 day ago' '+%Y-%m-%d')
+
+cd $EXECDIR
+
+# yesterday already in base ?
+if [ -f $BASEFILE ]
+then
+ if (fgrep $DATE $BASEFILE > /dev/null 2>&1)
+ then
+ echo "$0 : $PREF already run for that date. Please verify this !"
+ exit 1
+ fi
+fi
+
+cp /dev/null $RESFILE
+
+# All logfiles update for 2 days, not empty
+for file in $(find $LOGDIR/* -type f -mtime -2 -size +50c)
+do
+ #echo $(echo $CMD1 $file $CMD2 "$DATE" $CMD3)
+ eval $(echo $CMD1 $file $CMD2 "$DATE" $CMD3)
+done
+
+# number of incidents by IP, sorted by IP
+awk -F ";" -v OFS=";" \
+ '{t[$1]=$1; t1[$1]+=1} END {for(n in t) print t[n], t1[n]}' $RESFILE | sort -t ";" -n -k 1 > $TMPFILE
+
+# +date, +country code
+awk -F ";" -v v1=$DATE -v OFS=";" \
+'{ printf "%s",v1 ";" $0 ";"; system("./geoip_look " $1) }' $TMPFILE > $RESFILE
+
+# number of incidents by country code, sorted reverse by number
+awk -F ";" -v v1=$DATE -v OFS=";" \
+ '{t[$4]=$4; t1[$4]+=$3} END {for(n in t) print v1, t[n], t1[n]}' $RESFILE | sort -t ";" -k 3 -r -n > $RES2FILE
+
+rm -f $TMPFILE
+
+# concatenate into bases
+cat $RESFILE >> $BASEFILE
+cat $RES2FILE >> $BASE2FILE
+
+# delete files of today
+#rm -f $RESFILE $RES2FILE
+
+# for mail
+if [ -s $RES2FILE ]
+then
+ echo "parse $LOGDIR for $PREF events"
+ cat $RES2FILE
+fi
+
diff -urN smeserver-xt_geoip-1.0.1.old/root/var/lib/xt_geoip/README.txt smeserver-xt_geoip-1.0.1/root/var/lib/xt_geoip/README.txt
--- smeserver-xt_geoip-1.0.1.old/root/var/lib/xt_geoip/README.txt 1970-01-01 04:00:00.000000000 +0400
+++ smeserver-xt_geoip-1.0.1/root/var/lib/xt_geoip/README.txt 2019-03-06 23:59:04.000000000 +0400
@@ -0,0 +1,6 @@
+Directory for storing results and stats
+
+ for different periods
+
+- IPs banned per countries
+- SSH attacks not blocked
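Review bot: `eval $(echo $CMD1 $file $CMD2 "$DATE" $CMD3)` rebuilds a pipeline as a string and re-parses it through the shell for every file, which is what exposes `$file` (from an unquoted `$(find $LOGDIR/* …)`) and the `$RESFILE` embedded in `CMD3` to word-splitting and a second round of expansion; the same filtering can be one direct pipeline fed by `find -exec cat -- {} +`, with the two per-source differences (the grep fixed string and the two sed expressions) kept in plain variables, so no eval is needed. `cd $EXECDIR` is unchecked, yet the later awk depends on the working directory through `system("./geoip_look " $1)`; `cd "$EXECDIR" || exit 1` keeps a failed cd from recording every IP with an empty country. The pipeline below replaces `cp /dev/null $RESFILE` plus the per-file `>>` with a single `>`; line order in `$RESFILE` does not matter because the next awk aggregates and sorts it. `find "$LOGDIR"` and `find $LOGDIR/*` differ only for dot-files at the top level of the log directory, so keep the glob form if those are expected.
```sh
  "ssh")
    PREF="ssh"
    LOGDIR="/var/log/sshd"
    MATCH="Failed password"
    SED_FROM="s/^.*from //"
    SED_TO="s/ port.*$//"
    ;;
  "ipt")
    PREF="ipt"
    LOGDIR="/var/log/iptables"
    MATCH="GeoIP BAN"
    SED_FROM="s/^.*SRC=//"
    SED_TO="s/ DST=.*$//"
    ;;
# … unchanged: usage arm, esac, file names, mktemp, DATE, already-run check …
cd "$EXECDIR" || exit 1

# All logfiles updated in the last 2 days and not empty: one pipeline, no eval.
find "$LOGDIR" -type f -mtime -2 -size +50c -exec cat -- {} + \
  | /usr/local/bin/tai64nlocal \
  | grep -F -- "$DATE" \
  | grep -F -- "$MATCH" \
  | sed -e "$SED_FROM" -e "$SED_TO" > "$RESFILE"
# … unchanged: awk aggregation, geoip_look lookup, base concatenation, mail output …
```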