diff --git a/README b/README
deleted file mode 100644
index e74e8a7..0000000
--- a/README
+++ /dev/null
@@ -1,18 +0,0 @@
-What's that all about?
-----------------------
-This is a part of my scripts which might be useful to others. Scripts marked with "FIXME" need cleanup to get useful.
-License: LGPL
-
-cleanup-chaos-files.sh Deletes unneeded files like .DS_Store (for example on a NAS)
-delicious_backup.sh Use delicious API to backup your bookmarks to an XML file
-find_big_files.sh (FIXME) Just finds files bigger than n MB and displays them
-helmet.sh (FIXME) Future Debian system security analyzer
-iptables.sh Basic iptables script
-libssl-restart-daemons.sh Shows daemons affected by an OpenSSL upgrade needing a restart
-lighttpd_restart_oom.sh A temporary workaround for lighttpd OOM events
-openssl-chk-crt.sh Recursively searches for OpenSSL certificates and shows validity
-policyd-550.sh Grep the mail.log for e-mails rejected by policyd-weight and score
-rblcheck.sh Check if your server is listed on an DNSBL
-tls_stats.sh If you own a mailserver sending e-mails via TLS, show stats of peers
-www-perms.sh Analyze your $documentroot for files writable by www user/group
-getiface.sh Shows which interface would be used to connect to a specific host/IP
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..28a4623
--- /dev/null
+++ b/README.md
@@ -0,0 +1,16 @@
+What's that all about?
+----------------------
+This is a part of my scripts which might be useful to others. Scripts marked with "FIXME" need cleanup to get useful.
+License: LGPL
+
+* `cleanup-chaos-files.sh`: Deletes unneeded files like .DS_Store (for example on a NAS)
+* `delicious_backup.sh`: Use delicious API to backup your bookmarks to an XML file
+* `find_big_files.sh`: (FIXME) Just finds files bigger than n MB and displays them
+* `iptables.sh`: Basic iptables boilerplate
+* `libssl-restart-daemons.sh`: Shows daemons affected by an OpenSSL upgrade needing a restart
+* `openssl-chk-crt.sh`: Recursively searches for OpenSSL certificates and shows validity
+* `policyd-550.sh`: Grep the mail.log for e-mails rejected by policyd-weight and score
+* `rblcheck.sh`: Check if your server is listed on an DNSBL
+* `tls_stats.sh`: If you own a mailserver sending e-mails via TLS, show stats of peers
+* `www-perms.sh`: Analyze your $documentroot for files writable by www user/group
+* `getiface.sh`: Shows which interface would be used to connect to a specific host/IP
diff --git a/backupmx_getusers.sh b/backupmx_getusers.sh
deleted file mode 100755
index 4295bba..0000000
--- a/backupmx_getusers.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-#
-# Fetches all users and aliases from MySQL
-# For import in other backup MX config.
-#
-# Requires a .my.cnf with this content:
-# [client]
-# password=foo
-
-BACKUPMX_USER=/home/backupmx
-MAIL_ADDR=$(mysql -sN -u root mailserver -e "SELECT email
- FROM virtual_users
- UNION
- SELECT source
- FROM virtual_aliases;" | sort | uniq)
-FILE_SUFFIX=$(cat /etc/mailname)
-
-# Makes a list of all mail addresses (be it real or aliases)
-for i in $MAIL_ADDR; do
- echo -e "$i\tOK"
-done > $BACKUPMX_USER/relay_recipients_$FILE_SUFFIX
-
-# Generates list of all domains
-for i in $MAIL_ADDR; do
- echo $i | cut -d'@' -f2
-done | sort | uniq > $BACKUPMX_USER/domains_$FILE_SUFFIX
-
-scp -i /root/.ssh/linode $BACKUPMX_USER/*_$FILE_SUFFIX backupmx@mx.lugh.ch:
diff --git a/foo b/foo
deleted file mode 100644
index e69de29..0000000
diff --git a/git-repostate.py b/git-repostate.py
new file mode 100644
index 0000000..245c5d1
--- /dev/null
+++ b/git-repostate.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+import os
+
+curr_pwd = os.getcwd()
+cont_dir = os.scandir(curr_pwd)
+
+with os.scandir(curr_pwd) as it:
+ for entry in it:
+ if not entry.name.startswith('.') and entry.is_dir():
+ # check if directory contains a .git subdirectory
+ with os.scandir(entry.name) as folder:
+ #print(folder)
+ for foobar in folder:
+ print("debug: " + foobar.name)
+
+ #print(entry.name)
+
+# chdir(path)
diff --git a/helmet.sh b/helmet.sh
deleted file mode 100755
index efa5512..0000000
--- a/helmet.sh
+++ /dev/null
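Review bot: In git-repostate.py, `cont_dir = os.scandir(curr_pwd)` opens a directory iterator that is never used or closed; the line can go, since `with os.scandir(curr_pwd) as it:` right below already does the listing. The inner `os.scandir(entry.name)` only resolves because the name happens to be relative to the current directory; `entry.path` is sturdier, and `entry.is_dir(follow_symlinks=False)` keeps the walk from descending through symlinks that point outside the tree. The loop also still prints every child as "debug: …" instead of doing what its comment says; `os.path.isdir(os.path.join(entry.path, '.git'))` would be the actual check.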
@@ -1,121 +0,0 @@ -#!/usr/bin/env bash -# Author: Oliver Ladner -# License: LGPL -# -# This tool scans a Debian-based system for threats in programs, -# configurations, permissions etc. and calculates a score to -# compare different systems. -# -# This script runs noninteractive, so you can rely on these return -# codes: -# 0 script run ok, nothing serious found -# 1 OS detection failed/wrong distribution -# 2 script run ok, critical stuff found -# -# Requirements: -# - - -H_VERSION="0.0.1" - -showhelp() { -cat << EOF -Usage: $(basename $0) [OPTION]... - - -h|--help This information - -m|--no-md5 Don't check MD5 sums of packages - -s|--no-ssh No SSH-related checks - -v|--verbose Be verbose - -V|--version Show version - --force-debian If OS detection fails, assume Debian - --force-ubuntu If OS detection fails, assume Ubuntu -EOF -} - -# Argument handling -while [ $# -gt 0 ]; do - case $1 in - -h|--help) showhelp; exit; shift 1 ;; - -V|--version) echo $(basename $0) $H_VERSION; exit; shift 1 ;; - -v|--verbose) verb=true; shift 1 ;; - -m|--no-md5) md5=false; shift 1 ;; - -s|--no-ssh) ssh=false; shift 1 ;; - *) showhelp; exit ;; - esac -done - -DEBIANCODES=([3]=woody/sarge [4]=etch [5]=lenny [6]=squeeze [7]=wheezy) - -# Debian is missing lsb_release command -if [[ $(which lsb_release) ]]; then - H_DISTRO=$(lsb_release -s -i) - H_RELEASE=$(lsb_release -s -r) - H_CODE=$(lsb_release -s -c) -# FIXME probably a strange check for Debian -elif [[ $(grep -c '^[[:digit:]]' /etc/debian_version) > 0 ]]; then - H_DISTRO=$(awk -F': ' '/Vendor:/ {print $2}' /etc/dpkg/origins/debian) - H_RELEASE=$(cat /etc/debian_version) - H_CODE=${DEBIANCODES[$(echo $H_RELEASE | cut -b1)]} -else - echo "Not a Debian-based distribution, please install the package lsb-release and send" . - " the output of 'lsb_release -a' to info@lugh.ch." 
- exit 1 -fi - -H_KERNEL=$(uname -r) -H_ARCH=$(uname -m) - -msg() { -if [[ "$verb" ]]; then - echo $1 -fi -} - -check_md5() { - # http://kemovitra.blogspot.com/2010/07/checking-integrity-of-debianubuntu.html - if [ $md5 ]; then - echo "not run" - else - msg "Copying /var/lib/dpkg/info/*.md5sums to temporary file..." - TEMPMD5=$(mktemp -t) - cat /var/lib/dpkg/info/*.md5sums | sort > $TEMPMD5 && cd / - msg "Running md5sum, searching for 'FAILED' files..." - md5sum -c $TEMPMD5 2>&1 | grep ': FAILED' | awk -F':' {'print "/"$1'} && rm $TEMPMD5 - fi -} - -check_ssh() { - ssh_config_regex="/etc/ssh/ssh*conf*" - if [ $ssh ]; then - SSHD="not run" - else - msg "Searching files $ssh_config_regex for PermitRootLogin yes..." - if [[ $(grep -i -c 'PermitRootLogin.*yes' $ssh_config_regex) > 0 ]]; then - echo "Root login enabled!" - else - echo "root login disabled" - fi - fi -} - -#check_dummy() { -# echo "this is a dummy check" -# msg "debug text of dummy_check..." -#} - - -#column -t -s':' -c 80 << EOF -echo "Distribution: $H_DISTRO" -echo "Release/Codename: $H_RELEASE ($H_CODE)" -echo "Kernel/Architecture: $H_KERNEL ($H_ARCH)" - -echo -n "md5 check: " -check_md5 -echo -n "SSH check: " -check_ssh - -# /usr/bin/printf "\u00A9 2010 Oliver Ladner\n" #unicode ausgabe - -# Define default return code -exit 0 - -# vim: ts=3:sw=3 diff --git a/lighttpd_restart_oom.sh b/lighttpd_restart_oom.sh deleted file mode 100755 index e4f09ef..0000000 --- a/lighttpd_restart_oom.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bash -# Author: Oliver Ladner -# License: LGPL -# -# Monitors if lighttpd uses too much mem, and if so, restarts it - -# 100MB -MAXRAM=200000 - -while true; do -CHECK=$(ps auxww | grep 'lighttpd -f' | grep -v grep | awk '{print $6}') -sleep 5 - - if [ $CHECK -gt $MAXRAM ]; then - logger "lighttpd OOM ($CHECK KB used)" - /etc/init.d/lighttpd stop - sleep 15 - /etc/init.d/lighttpd start - sleep 5 - elif [ -z $CHECK ]; then - logger "lighttpd not running, starting" - /etc/init.d/lighttpd start - sleep 15 - else - logger "lighttpd normal ($CHECK KB used)" - fi -done diff --git a/rbl_expire.sh b/rbl_expire.sh index d3f784b..6f99b1f 100755 --- a/rbl_expire.sh +++ b/rbl_expire.sh @@ -4,21 +4,20 @@ listtype=$1 if ! [[ "$listtype" =~ ^[4,6]+$ ]]; then - echo "first parameter is mandatory and must be either 4 or 6." - exit 1 + echo "first parameter is mandatory and must be either 4 or 6." + exit 1 fi rblfile="/var/lib/rbldns/listv$listtype" -maxage=96 # in hours +maxage=168 # in hours if [ $listtype -eq 4 ]; then egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' $rblfile | while read -r ip delimiter timestamp foo; do - if [ "$timestamp" -gt "0" ]; then - expiration=$(echo "$(date +%s)-$timestamp" | bc) - - if [ "$expiration" -gt "$(($maxage * 3600))" ]; then - #echo "DEBUG: entry $ip older than $maxage hours (expired $(($expiration / 3600)) hours ago)" - sed -i "/^$ip.*# $timestamp.*$/d" $rblfile || echo "Error while deleting $ip: $?" - fi + if [ "$timestamp" -gt "0" ]; then + expiration=$(echo "$(date +%s)-$timestamp" | bc) + if [ "$expiration" -gt "$(($maxage * 3600))" ]; then + #echo "DEBUG: entry $ip older than $maxage hours (expired $(($expiration / 3600)) hours ago)" + sed -i "/^$ip.*# $timestamp.*$/d" $rblfile || echo "Error while deleting $ip: $?" + fi fi done fi @@ -27,3 +26,5 @@ fi if [ $listtype -eq 6 ]; then : fi + +# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4 
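Review bot: In rbl_expire.sh, the re-indented `sed -i "/^$ip.*# $timestamp.*$/d" $rblfile` still puts `$ip` into the pattern unescaped and with no boundary after it, so expiring `10.0.0.1` (constructed example) also deletes the entry for `10.0.0.12` if it carries the same timestamp, and each dot matches any character. Escape the dots and require the separator after the address, e.g. `esc=${ip//./\\.}` and then `sed -i "/^$esc[[:space:]].*# $timestamp.*$/d" "$rblfile"`; this assumes the address is followed by whitespace, which the `read -r ip delimiter timestamp foo` split suggests. Since this file decides which addresses stay on the blocklist, an over-broad delete silently unlists hosts that have not expired.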
diff --git a/rbl_generate.sh b/rbl_generate.sh index 5bab221..c9a0808 100755 --- a/rbl_generate.sh +++ b/rbl_generate.sh @@ -14,12 +14,9 @@ fi rblfile="/var/lib/rbldns/listv$listtype" function dnsq { - if [ $listtype == "4" ]; then - echo "$(dig +short $1)" - elif [ $listtype == "6" ]; then - echo "$(dig +short AAAA $1)" - else - echo "unknown, fix it" + if [ $listtype == "4" ]; then echo "$(dig +short $1)" + elif [ $listtype == "6" ]; then echo "$(dig +short AAAA $1)" + else echo "unknown, fix it" fi } @@ -28,7 +25,6 @@ $(dnsq lugh.ch) $(dnsq ipv6.lugh.ch) $(dnsq oxi.ch) $(dnsq mail.zephry.ch) -$(dnsq moni-und-oli.ch) ) static_black=( $(dnsq www.uceprotect.net) @@ -36,20 +32,13 @@ $(dnsq rsync-mirrors.uceprotect.net) $(dnsq www.backscatterer.org) $(dnsq unimatrix.admins.ws) ) -fail2ban_chains=( -fail2ban-dovecot -fail2ban-sasl -fail2ban-ssh -fail2ban-ssh-ddos -fail2ban-tumgreyspf -fail2ban-apache-digest -) +fail2ban_chains=$(/sbin/iptables -nL | grep ^f2b | awk {'print $1'}) ban_ip=() # Get currently banned IPs from fail2ban chains iptables_banned=( -$(for chain in ${fail2ban_chains[@]}; do - /sbin/iptables -nL $chain | grep '^DROP' | awk {'print $4'} | grep -v '0.0.0.0/0' +$(for chain in $fail2ban_chains; do + /sbin/iptables -w 1 -nL "$chain" | grep '^REJECT' | awk {'print $4'} | grep -v '0.0.0.0/0' done | sort | uniq) ) @@ -71,7 +60,7 @@ cat << HEREDOC > $rblfile # Test entry http://www.ietf.org/rfc/rfc5782.txt $testentry -:127.0.0.2:$ is listed because of misbehaviour. See http://lugh.ch/dnsbl.html for details +:127.0.0.2:$ is listed because of misbehaviour. See https://lugh.ch/dnsbl.html for details # Whitelist $(printf "!%s # 0\n" "${static_white[@]}") 
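Review bot: In rbl_generate.sh, the new chain discovery `fail2ban_chains=$(/sbin/iptables -nL | grep ^f2b | awk {'print $1'})` omits the `-w 1` that the per-chain call a few lines below now uses, so if the xtables lock is held at that moment the listing can fail and the loop iterates over nothing; the script would then presumably write a list without any fail2ban entries and report no error. Use `/sbin/iptables -w 1 -nL` there as well and stop when `$fail2ban_chains` comes back empty. The per-chain filter also changed from `^DROP` to `^REJECT` only, so a jail configured to drop rather than reject would be skipped; `grep -E '^(DROP|REJECT)'` covers both.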
@@ -124,4 +113,9 @@ for timestamp in $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv$listtype.txt done # Concatenate IPv4 and IPv6 lists together -cat /var/www/virtsrv/lugh.ch/listv4.txt $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv6.txt) > /var/www/virtsrv/lugh.ch/list.txt +echo -e "IP\t\tDate listed\t\t\tCause\t\t\t\t\tCountry" > /var/www/virtsrv/lugh.ch/list.txt +echo -e "--\t\t-----------\t\t\t-----\t\t\t\t\t-------" >> /var/www/virtsrv/lugh.ch/list.txt +tail -n+3 /var/www/virtsrv/lugh.ch/listv4.txt >> /var/www/virtsrv/lugh.ch/list.txt +tail -n+3 /var/www/virtsrv/lugh.ch/listv6.txt >> /var/www/virtsrv/lugh.ch/list.txt + +# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4 diff --git a/varnish_ban.sh b/varnish_ban.sh index 544b0ee..f92b2e2 100755 --- a/varnish_ban.sh +++ b/varnish_ban.sh @@ -1,3 +1,8 @@ #!/usr/bin/env bash # Ban (purge) all on localhost + +# Varnish 4 varnishadm -T localhost:6082 -S /etc/varnish/secret "ban req.http.host ~ $1" + +# Varnish 5 +varnishadm -T localhost:6082 -S /etc/varnish/secret ban req.http.host == $1
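Review bot: In rbl_generate.sh, `list.txt` is truncated by the first `echo -e … >` and then filled by three separate appends, so a client fetching it from the web root during a run can receive a header-only or IPv4-only list. Build the file next to its destination and rename it into place, e.g. `tmp=/var/www/virtsrv/lugh.ch/list.txt.$$` for all four writes and a final `mv "$tmp" /var/www/virtsrv/lugh.ch/list.txt`. The path is now spelled out four times in this hunk; a variable would keep the writes in sync.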
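Review bot: In varnish_ban.sh, the "Varnish 4" and "Varnish 5" commands now both run on every invocation, so each call issues two bans with different semantics (regex `~` and exact `==`), and a failure of either goes unnoticed; presumably only one is meant for a given install. The added line passes `$1` unquoted, so it is subject to word splitting and globbing, and a missing argument produces a malformed ban expression. Guard and quote it: `[ -n "$1" ] || { echo "usage: $0 <host>" >&2; exit 1; }` and `ban req.http.host == "$1"`. Because the value becomes part of a ban expression, restricting it to hostname characters before use would keep a stray space or operator from widening the ban.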