Merge branch 'master' of dev.lugh.ch:/var/www/git/scripts

cave_washmachine.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+#
+# Streams microphone in to rtsp://10.7.1.12:8085/stream.sdp
+cvlc -vvv alsa://hw:0,0 --sout '#transcode{acodec=mp3,ab=128}:rtp{dst=10.7.1.12,port=1234,sdp=rtsp://10.7.1.12:8085/stream.sdp}'

mysqlstats.sh

@@ -0,0 +1,2 @@
+#/usr/bin/env bash
+mysql -e 'SELECT table_schema AS "database", ROUND(SUM(data_length + index_length) / 1024 / 1024,2) AS "size MB" FROM information_schema.TABLES GROUP BY table_schema ORDER BY `size MB` DESC;'

netstat.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# ugliest netstat pwnage.
+
+MY_UID=$(id -g)
+
+if [ $MY_UID -gt 0 ]; then
+        echo "You must be root, running limited version without -p"
+        netstat -tlen | grep LISTEN | awk '{print $4}' | sed 's/:::/:/g' | cut -d ":" -f2
+else
+        netstat -tlpen | grep LISTEN | awk '{print $4 ":" $9}' | sed 's/:::/:/g' | cut -d ":" -f2-3 | sed 's/\//:/g' | cut -d ":" -f1,3
+fi

rbl_expire.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+#
+# Expire old RBL records
+
+listtype=$1
+if ! [[ "$listtype" =~ ^[4,6]+$ ]]; then
+        echo "first parameter is mandatory and must be either 4 or 6."
+        exit 1
+fi
+rblfile="/var/lib/rbldns/listv$listtype"
+maxage=96 # in hours
+
+if [ $listtype -eq 4 ]; then
+	egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' $rblfile | while read -r ip delimiter timestamp foo; do
+		if [ "$timestamp" -gt "0" ]; then
+	        	expiration=$(echo "$(date +%s)-$timestamp" | bc)
+	
+	        	if [ "$expiration" -gt "$(($maxage * 3600))" ]; then
+	        	        #echo "DEBUG: entry $ip older than $maxage hours (expired $(($expiration / 3600)) hours ago)"
+	        	        sed -i "/^$ip.*# $timestamp.*$/d" $rblfile || echo "Error while deleting $ip: $?"
+	        	fi
+		fi
+	done
+fi
+
+# FIXME: ipv6 regex needed
+if [ $listtype -eq 6 ]; then
+	:
+fi

rbl_generate.sh

@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+#
+# Add new IPs to the RBL based on these detection methods:
+# - undetected spam
+# - fail2ban banned IPs
+#
+# $1 parameter tells if it goes to an IPv4 or IPv6 list
+
+listtype=$1
+if ! [[ "$listtype" =~ ^[4,6]+$ ]]; then
+	echo "first parameter is mandatory and must be either 4 or 6."
+	exit 1
+fi
+rblfile="/var/lib/rbldns/listv$listtype"
+
+function dnsq {
+	if [ $listtype == "4" ]; then
+		echo "$(dig +short $1)"
+	elif [ $listtype == "6" ]; then
+		echo "$(dig +short AAAA $1)"
+	else
+		echo "unknown, fix it"
+	fi	
+}
+
+static_white=(
+$(dnsq lugh.ch)
+$(dnsq ipv6.lugh.ch)
+$(dnsq oxi.ch)
+$(dnsq mail.zephry.ch)
+$(dnsq moni-und-oli.ch)
+)
+static_black=(
+$(dnsq www.uceprotect.net)
+$(dnsq rsync-mirrors.uceprotect.net)
+$(dnsq www.backscatterer.org)
+$(dnsq unimatrix.admins.ws)
+)
+fail2ban_chains=(
+fail2ban-dovecot
+fail2ban-sasl
+fail2ban-ssh
+fail2ban-ssh-ddos
+fail2ban-tumgreyspf
+fail2ban-apache-digest
+)
+ban_ip=()
+
+# Get currently banned IPs from fail2ban chains
+iptables_banned=(
+$(for chain in ${fail2ban_chains[@]}; do
+	/sbin/iptables -nL $chain | grep '^DROP' | awk {'print $4'} | grep -v '0.0.0.0/0'
+done | sort | uniq)
+)
+
+# Get SPAM mails sent to specific address
+spamtrap=(
+$(grep ' -> <hans.muster@lugh.ch>' /var/log/mail.log | awk -F'[][]' '{print $6}')
+)
+
+if [ $listtype -eq 4 ]; then
+	testentry="127.0.0.2 RFC 5782 test entry # 0 # Test entry RFC 5782"
+elif [ $listtype -eq 6 ]; then
+	testentry="::ffff:7f00:2 RFC 5782 test entry # 0 # Test entry RFC 5782"
+fi
+
+if [ ! -s $rblfile ]; then
+cat << HEREDOC > $rblfile
+# Automatically generated at $(date) by $0 $1
+
+# Test entry http://www.ietf.org/rfc/rfc5782.txt
+$testentry
+
+:127.0.0.2:$ is listed because of misbehaviour. See http://lugh.ch/dnsbl.html for details
+# Whitelist
+$(printf "!%s # 0\n" "${static_white[@]}")
+
+# Blacklist
+$(printf "%s # 0 # Infinite listing (UCEPROTECT)\n" "${static_black[@]}")
+
+# Recent temporary listings
+HEREDOC
+fi
+
+# fail2ban (IPv4 only)
+if [ $listtype -eq 4 ]; then
+	for ip in ${iptables_banned[@]}; do
+		if [[ $(grep -c "$ip" $rblfile) -lt 1 ]]; then
+			# Add IP
+			geoip=$(geoiplookup $ip | sed 's/GeoIP Country Edition: //' | awk {' if($1=="IP") print $0; else print $2,$3,$4,$5,$6,$7,$8'})
+			printf "%s # $(date +%s) # Service login attempts/misconfiguration # %s\n" "$ip" "$geoip" >> $rblfile
+		fi
+	done
+fi
+
+# SPAM
+for ip in ${spamtrap[@]}; do
+	if [[ $(grep -c "$ip" $rblfile) -lt 1 ]]; then
+		# Add IP
+		# IPv4 or IPv6 switch
+		if [ $(echo "$ip" | grep -c ':') -gt 0 ]; then
+			if [ $listtype -eq 6 ]; then
+				geoip=$(geoiplookup6 $ip | sed 's/GeoIP Country V6 Edition: //' | awk {' if($1=="IP") print $0; else print $2,$3,$4,$5,$6,$7,$8'})
+				printf "%s # $(date +%s) # SPAM mail to trap address #         %s\n" "$ip" "$geoip" >> $rblfile
+			fi
+		else
+			if [ $listtype -eq 4 ]; then
+				geoip=$(geoiplookup $ip | sed 's/GeoIP Country Edition: //' | awk {' if($1=="IP") print $0; else print $2,$3,$4,$5,$6,$7,$8'})
+				printf "%s # $(date +%s) # SPAM mail to trap address #         %s\n" "$ip" "$geoip" >> $rblfile
+			fi
+		fi
+	fi
+done
+
+# Generate user friendly web-viewable list
+echo -e "IP\t\tDate listed\t\t\tCause\t\t\t\t\tCountry" > /var/www/virtsrv/lugh.ch/listv$listtype.txt
+echo -e "--\t\t-----------\t\t\t-----\t\t\t\t\t-------" >> /var/www/virtsrv/lugh.ch/listv$listtype.txt
+cat $rblfile | grep -v -i uceprotect | grep '^[1-9]' | grep -v '^127.0.0.2' | sed 's/ # /\t/g' >> /var/www/virtsrv/lugh.ch/listv$listtype.txt
+
+for timestamp in $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv$listtype.txt | awk {'print $2'}); do
+	newtime=$(date -d @$(echo $timestamp))
+	sed -i "s/$timestamp/$newtime/" /var/www/virtsrv/lugh.ch/listv$listtype.txt
+
+done
+
+# Concatenate IPv4 and IPv6 lists together
+cat /var/www/virtsrv/lugh.ch/listv4.txt $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv6.txt) > /var/www/virtsrv/lugh.ch/list.txt

varnish_ban.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Ban (purge) all on localhost
+varnishadm -T localhost:6082 "ban req.url ~ ." -S /etc/varnish/secret