Merge branch 'master' of https://dev.lugh.ch/git/oli/scripts

README

@@ -1,18 +0,0 @@
-What's that all about?
-----------------------
-This is a part of my scripts which might be useful to others. Scripts marked with "FIXME" need cleanup to get useful.
-License: LGPL
-
-cleanup-chaos-files.sh		Deletes unneeded files like .DS_Store (for example on a NAS)
-delicious_backup.sh		Use delicious API to backup your bookmarks to an XML file
-find_big_files.sh		(FIXME) Just finds files bigger than n MB and displays them
-helmet.sh			(FIXME) Future Debian system security analyzer	
-iptables.sh			Basic iptables script
-libssl-restart-daemons.sh	Shows daemons affected by an OpenSSL upgrade needing a restart
-lighttpd_restart_oom.sh		A temporary workaround for lighttpd OOM events
-openssl-chk-crt.sh		Recursively searches for OpenSSL certificates and shows validity
-policyd-550.sh			Grep the mail.log for e-mails rejected by policyd-weight and score
-rblcheck.sh			Check if your server is listed on an DNSBL
-tls_stats.sh			If you own a mailserver sending e-mails via TLS, show stats of peers
-www-perms.sh			Analyze your $documentroot for files writable by www user/group
-getiface.sh			Shows which interface would be used to connect to a specific host/IP

README.md

@@ -0,0 +1,16 @@
+What's that all about?
+----------------------
+This is a part of my scripts which might be useful to others. Scripts marked with "FIXME" need cleanup to get useful.
+License: LGPL
+
+* `cleanup-chaos-files.sh`: Deletes unneeded files like .DS_Store (for example on a NAS)
+* `delicious_backup.sh`: Use delicious API to backup your bookmarks to an XML file
+* `find_big_files.sh`: (FIXME) Just finds files bigger than n MB and displays them
+* `iptables.sh`: Basic iptables boilerplate
+* `libssl-restart-daemons.sh`: Shows daemons affected by an OpenSSL upgrade needing a restart
+* `openssl-chk-crt.sh`: Recursively searches for OpenSSL certificates and shows validity
+* `policyd-550.sh`: Grep the mail.log for e-mails rejected by policyd-weight and score
+* `rblcheck.sh`: Check if your server is listed on an DNSBL
+* `tls_stats.sh`: If you own a mailserver sending e-mails via TLS, show stats of peers
+* `www-perms.sh`: Analyze your $documentroot for files writable by www user/group
+* `getiface.sh`: Shows which interface would be used to connect to a specific host/IP

backupmx_getusers.sh

@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-#
-# Fetches all users and aliases from MySQL
-# For import in other backup MX config.
-#
-# Requires a .my.cnf with this content:
-# [client]
-# password=foo
-
-BACKUPMX_USER=/home/backupmx
-MAIL_ADDR=$(mysql -sN -u root mailserver -e "SELECT email
-					     FROM virtual_users
-					     UNION
-					     SELECT source
-					     FROM virtual_aliases;" | sort | uniq)
-FILE_SUFFIX=$(cat /etc/mailname)
-
-# Makes a list of all mail addresses (be it real or aliases)
-for i in $MAIL_ADDR; do
-	echo -e "$i\tOK"
-done > $BACKUPMX_USER/relay_recipients_$FILE_SUFFIX
-
-# Generates list of all domains
-for i in $MAIL_ADDR; do
-	echo $i | cut -d'@' -f2
-done | sort | uniq > $BACKUPMX_USER/domains_$FILE_SUFFIX
-
-scp -i /root/.ssh/linode $BACKUPMX_USER/*_$FILE_SUFFIX backupmx@mx.lugh.ch:

git-repostate.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+import os
+
+curr_pwd = os.getcwd()
+cont_dir = os.scandir(curr_pwd)
+
+with os.scandir(curr_pwd) as it:
+    for entry in it:
+        if not entry.name.startswith('.') and entry.is_dir():
+            # check if directory contains a .git subdirectory
+            with os.scandir(entry.name) as folder:
+                #print(folder)
+                for foobar in folder:
+                    print("debug: " + foobar.name)
+
+            #print(entry.name)
+
+# chdir(path)

helmet.sh

@@ -1,121 +0,0 @@
-#!/usr/bin/env bash
-# Author:  Oliver Ladner <oli@lugh.ch>
-# License: LGPL
-#
-# This tool scans a Debian-based system for threats in programs,
-# configurations, permissions etc. and calculates a score to
-# compare different systems.
-#
-# This script runs noninteractive, so you can rely on these return
-# codes:
-# 0	script run ok, nothing serious found
-# 1	OS detection failed/wrong distribution
-# 2	script run ok, critical stuff found
-#
-# Requirements:
-# -
-
-H_VERSION="0.0.1"
-
-showhelp() {
-cat << EOF
-Usage: $(basename $0) [OPTION]...
-
- -h|--help		This information
- -m|--no-md5		Don't check MD5 sums of packages
- -s|--no-ssh		No SSH-related checks
- -v|--verbose		Be verbose
- -V|--version		Show version
- --force-debian		If OS detection fails, assume Debian
- --force-ubuntu		If OS detection fails, assume Ubuntu
-EOF
-}
-
-# Argument handling
-while [ $# -gt 0 ]; do
-	case $1 in
-		-h|--help) showhelp; exit; shift 1 ;;
-		-V|--version) echo $(basename $0) $H_VERSION; exit; shift 1 ;;
-		-v|--verbose) verb=true; shift 1 ;;
-		-m|--no-md5) md5=false; shift 1 ;;
-		-s|--no-ssh) ssh=false; shift 1 ;;
-		*) showhelp; exit ;;
-	esac
-done
-
-DEBIANCODES=([3]=woody/sarge [4]=etch [5]=lenny [6]=squeeze [7]=wheezy)
-
-# Debian is missing lsb_release command
-if [[ $(which lsb_release) ]]; then
-	H_DISTRO=$(lsb_release -s -i)
-	H_RELEASE=$(lsb_release -s -r)
-	H_CODE=$(lsb_release -s -c)
-# FIXME probably a strange check for Debian
-elif [[ $(grep -c '^[[:digit:]]' /etc/debian_version) > 0 ]]; then
-	H_DISTRO=$(awk -F': ' '/Vendor:/ {print $2}' /etc/dpkg/origins/debian)
-	H_RELEASE=$(cat /etc/debian_version)
-	H_CODE=${DEBIANCODES[$(echo $H_RELEASE | cut -b1)]}
-else
-	echo "Not a Debian-based distribution, please install the package lsb-release and send" .
-		  " the output of 'lsb_release -a' to info@lugh.ch."
-	exit 1
-fi
-
-H_KERNEL=$(uname -r)
-H_ARCH=$(uname -m)
-
-msg() {
-if [[ "$verb" ]]; then
-	echo $1
-fi	
-}
-
-check_md5() {
-	# http://kemovitra.blogspot.com/2010/07/checking-integrity-of-debianubuntu.html
-		if [ $md5 ]; then
-			echo "not run"
-		else
-				msg "Copying /var/lib/dpkg/info/*.md5sums to temporary file..."
-				TEMPMD5=$(mktemp -t)
-				cat /var/lib/dpkg/info/*.md5sums | sort > $TEMPMD5 && cd /
-				msg "Running md5sum, searching for 'FAILED' files..."
-				md5sum -c $TEMPMD5 2>&1 | grep ': FAILED' | awk -F':' {'print "/"$1'} && rm $TEMPMD5
-			fi
-}
-
-check_ssh() {
-	ssh_config_regex="/etc/ssh/ssh*conf*"
-		if [ $ssh ]; then
-			SSHD="not run"
-		else
-			msg "Searching files $ssh_config_regex for PermitRootLogin yes..."
-			if [[ $(grep -i -c 'PermitRootLogin.*yes' $ssh_config_regex) > 0 ]]; then
-				echo "Root login enabled!"
-			else
-				echo "root login disabled"
-			fi
-		fi
-}
-
-#check_dummy() {
-#	echo "this is a dummy check"
-#	msg "debug text of dummy_check..."
-#}
-
-
-#column -t -s':' -c 80 << EOF
-echo "Distribution: $H_DISTRO"
-echo "Release/Codename: $H_RELEASE ($H_CODE)"
-echo "Kernel/Architecture: $H_KERNEL ($H_ARCH)"
- 
-echo -n "md5 check: "
-check_md5
-echo -n "SSH check: "
-check_ssh
-
-# /usr/bin/printf "\u00A9 2010 Oliver Ladner\n" #unicode ausgabe
-
-# Define default return code
-exit 0
-
-# vim: ts=3:sw=3

lighttpd_restart_oom.sh

@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-# Author:  Oliver Ladner <oli@lugh.ch>
-# License: LGPL
-#
-# Monitors if lighttpd uses too much mem, and if so, restarts it
-
-# 100MB
-MAXRAM=200000
-
-while true; do
-CHECK=$(ps auxww | grep 'lighttpd -f' | grep -v grep | awk '{print $6}')
-sleep 5
-
-	if [ $CHECK -gt $MAXRAM ]; then
-		logger "lighttpd OOM ($CHECK KB used)"
-		/etc/init.d/lighttpd stop
-		sleep 15
-		/etc/init.d/lighttpd start
-		sleep 5
-	elif [ -z $CHECK ]; then
-		logger "lighttpd not running, starting"
-		/etc/init.d/lighttpd start
-		sleep 15
-	else
-		logger "lighttpd normal ($CHECK KB used)"
-	fi
-done

rbl_expire.sh

@@ -4,21 +4,20 @@
 
 listtype=$1
 if ! [[ "$listtype" =~ ^[4,6]+$ ]]; then
-        echo "first parameter is mandatory and must be either 4 or 6."
-        exit 1
+    echo "first parameter is mandatory and must be either 4 or 6."
+    exit 1
 fi
 rblfile="/var/lib/rbldns/listv$listtype"
-maxage=96 # in hours
+maxage=168 # in hours
 
 if [ $listtype -eq 4 ]; then
 	egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' $rblfile | while read -r ip delimiter timestamp foo; do
-		if [ "$timestamp" -gt "0" ]; then
-	        	expiration=$(echo "$(date +%s)-$timestamp" | bc)
-	
-	        	if [ "$expiration" -gt "$(($maxage * 3600))" ]; then
-	        	        #echo "DEBUG: entry $ip older than $maxage hours (expired $(($expiration / 3600)) hours ago)"
-	        	        sed -i "/^$ip.*# $timestamp.*$/d" $rblfile || echo "Error while deleting $ip: $?"
-	        	fi
+        if [ "$timestamp" -gt "0" ]; then
+            expiration=$(echo "$(date +%s)-$timestamp" | bc)
+            if [ "$expiration" -gt "$(($maxage * 3600))" ]; then
+                #echo "DEBUG: entry $ip older than $maxage hours (expired $(($expiration / 3600)) hours ago)"
+                sed -i "/^$ip.*# $timestamp.*$/d" $rblfile || echo "Error while deleting $ip: $?"
+            fi
 		fi
 	done
 fi
@@ -27,3 +26,5 @@ fi
 if [ $listtype -eq 6 ]; then
 	:
 fi
+
+# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4

rbl_generate.sh

@@ -14,12 +14,9 @@ fi
 rblfile="/var/lib/rbldns/listv$listtype"
 
 function dnsq {
-	if [ $listtype == "4" ]; then
-		echo "$(dig +short $1)"
-	elif [ $listtype == "6" ]; then
-		echo "$(dig +short AAAA $1)"
-	else
-		echo "unknown, fix it"
+	if [ $listtype == "4" ]; then echo "$(dig +short $1)"
+	elif [ $listtype == "6" ]; then echo "$(dig +short AAAA $1)"
+	else echo "unknown, fix it"
 	fi	
 }
 
@@ -28,7 +25,6 @@ $(dnsq lugh.ch)
 $(dnsq ipv6.lugh.ch)
 $(dnsq oxi.ch)
 $(dnsq mail.zephry.ch)
-$(dnsq moni-und-oli.ch)
 )
 static_black=(
 $(dnsq www.uceprotect.net)
@@ -36,20 +32,13 @@ $(dnsq rsync-mirrors.uceprotect.net)
 $(dnsq www.backscatterer.org)
 $(dnsq unimatrix.admins.ws)
 )
-fail2ban_chains=(
-fail2ban-dovecot
-fail2ban-sasl
-fail2ban-ssh
-fail2ban-ssh-ddos
-fail2ban-tumgreyspf
-fail2ban-apache-digest
-)
+fail2ban_chains=$(/sbin/iptables -nL | grep ^f2b | awk {'print $1'})
 ban_ip=()
 
 # Get currently banned IPs from fail2ban chains
 iptables_banned=(
-$(for chain in ${fail2ban_chains[@]}; do
-	/sbin/iptables -nL $chain | grep '^DROP' | awk {'print $4'} | grep -v '0.0.0.0/0'
+$(for chain in $fail2ban_chains; do
+	/sbin/iptables -w 1 -nL "$chain" | grep '^REJECT' | awk {'print $4'} | grep -v '0.0.0.0/0'
 done | sort | uniq)
 )
 
@@ -71,7 +60,7 @@ cat << HEREDOC > $rblfile
 # Test entry http://www.ietf.org/rfc/rfc5782.txt
 $testentry
 
-:127.0.0.2:$ is listed because of misbehaviour. See http://lugh.ch/dnsbl.html for details
+:127.0.0.2:$ is listed because of misbehaviour. See https://lugh.ch/dnsbl.html for details
 # Whitelist
 $(printf "!%s # 0\n" "${static_white[@]}")
 
@@ -124,4 +113,9 @@ for timestamp in $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv$listtype.txt
 done
 
 # Concatenate IPv4 and IPv6 lists together
-cat /var/www/virtsrv/lugh.ch/listv4.txt $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv6.txt) > /var/www/virtsrv/lugh.ch/list.txt
+echo -e "IP\t\tDate listed\t\t\tCause\t\t\t\t\tCountry" > /var/www/virtsrv/lugh.ch/list.txt
+echo -e "--\t\t-----------\t\t\t-----\t\t\t\t\t-------" >> /var/www/virtsrv/lugh.ch/list.txt
+tail -n+3 /var/www/virtsrv/lugh.ch/listv4.txt >> /var/www/virtsrv/lugh.ch/list.txt
+tail -n+3 /var/www/virtsrv/lugh.ch/listv6.txt >> /var/www/virtsrv/lugh.ch/list.txt
+
+# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4

varnish_ban.sh

@@ -1,3 +1,8 @@
 #!/usr/bin/env bash
 # Ban (purge) all on localhost
+
+# Varnish 4
 varnishadm -T localhost:6082 -S /etc/varnish/secret "ban req.http.host ~ $1"
+
+# Varnish 5
+varnishadm -T localhost:6082 -S /etc/varnish/secret ban req.http.host == $1