weeheavy/scripts
1
0
Fork 0
Code Pull requests Activity

Merge branch 'master' of https://dev.lugh.ch/git/oli/scripts

Browse source
This commit is contained in:
Oliver Ladner 2018-12-12 22:16:37 +01:00
commit cc8122b00e
10 changed files with 64 additions and 223 deletions
Download patch file Download diff file Expand all files Collapse all files

18
README
View file

@ -1,18 +0,0 @@
What's that all about?
----------------------
This is a part of my scripts which might be useful to others. Scripts marked with "FIXME" need cleanup to get useful.
License: LGPL
cleanup-chaos-files.sh Deletes unneeded files like .DS_Store (for example on a NAS)
delicious_backup.sh Use delicious API to backup your bookmarks to an XML file
find_big_files.sh (FIXME) Just finds files bigger than n MB and displays them
helmet.sh (FIXME) Future Debian system security analyzer
iptables.sh Basic iptables script
libssl-restart-daemons.sh Shows daemons affected by an OpenSSL upgrade needing a restart
lighttpd_restart_oom.sh A temporary workaround for lighttpd OOM events
openssl-chk-crt.sh Recursively searches for OpenSSL certificates and shows validity
policyd-550.sh Grep the mail.log for e-mails rejected by policyd-weight and score
rblcheck.sh Check if your server is listed on an DNSBL
tls_stats.sh If you own a mailserver sending e-mails via TLS, show stats of peers
www-perms.sh Analyze your $documentroot for files writable by www user/group
getiface.sh Shows which interface would be used to connect to a specific host/IP

16
README.md Normal file
View file

@ -0,0 +1,16 @@
What's that all about?
----------------------
This is a part of my scripts which might be useful to others. Scripts marked with "FIXME" need cleanup to get useful.
License: LGPL
* `cleanup-chaos-files.sh`: Deletes unneeded files like .DS_Store (for example on a NAS)
* `delicious_backup.sh`: Use delicious API to backup your bookmarks to an XML file
* `find_big_files.sh`: (FIXME) Just finds files bigger than n MB and displays them
* `iptables.sh`: Basic iptables boilerplate
* `libssl-restart-daemons.sh`: Shows daemons affected by an OpenSSL upgrade needing a restart
* `openssl-chk-crt.sh`: Recursively searches for OpenSSL certificates and shows validity
* `policyd-550.sh`: Grep the mail.log for e-mails rejected by policyd-weight and score
* `rblcheck.sh`: Check if your server is listed on an DNSBL
* `tls_stats.sh`: If you own a mailserver sending e-mails via TLS, show stats of peers
* `www-perms.sh`: Analyze your $documentroot for files writable by www user/group
* `getiface.sh`: Shows which interface would be used to connect to a specific host/IP

28
backupmx_getusers.sh
View file

@ -1,28 +0,0 @@
#!/usr/bin/env bash
#
# Fetches all users and aliases from MySQL
# For import in other backup MX config.
#
# Requires a .my.cnf with this content:
# [client]
# password=foo
BACKUPMX_USER=/home/backupmx
MAIL_ADDR=$(mysql -sN -u root mailserver -e "SELECT email
FROM virtual_users
UNION
SELECT source
FROM virtual_aliases;" | sort | uniq)
FILE_SUFFIX=$(cat /etc/mailname)
# Makes a list of all mail addresses (be it real or aliases)
for i in $MAIL_ADDR; do
echo -e "$i\tOK"
done > $BACKUPMX_USER/relay_recipients_$FILE_SUFFIX
# Generates list of all domains
for i in $MAIL_ADDR; do
echo $i | cut -d'@' -f2
done | sort | uniq > $BACKUPMX_USER/domains_$FILE_SUFFIX
scp -i /root/.ssh/linode $BACKUPMX_USER/*_$FILE_SUFFIX backupmx@mx.lugh.ch:

0
foo
View file

19
git-repostate.py Normal file
View file

@ -0,0 +1,19 @@
#!/usr/bin/env python3
import os
curr_pwd = os.getcwd()
cont_dir = os.scandir(curr_pwd)
with os.scandir(curr_pwd) as it:
for entry in it:
if not entry.name.startswith('.') and entry.is_dir():
# check if directory contains a .git subdirectory
with os.scandir(entry.name) as folder:
#print(folder)
for foobar in folder:
print("debug: " + foobar.name)
#print(entry.name)
# chdir(path)

121
helmet.sh
View file

@ -1,121 +0,0 @@
#!/usr/bin/env bash
# Author: Oliver Ladner <oli@lugh.ch>
# License: LGPL
#
# This tool scans a Debian-based system for threats in programs,
# configurations, permissions etc. and calculates a score to
# compare different systems.
#
# This script runs noninteractive, so you can rely on these return
# codes:
# 0 script run ok, nothing serious found
# 1 OS detection failed/wrong distribution
# 2 script run ok, critical stuff found
#
# Requirements:
# -
H_VERSION="0.0.1"
showhelp() {
cat << EOF
Usage: $(basename $0) [OPTION]...
-h|--help This information
-m|--no-md5 Don't check MD5 sums of packages
-s|--no-ssh No SSH-related checks
-v|--verbose Be verbose
-V|--version Show version
--force-debian If OS detection fails, assume Debian
--force-ubuntu If OS detection fails, assume Ubuntu
EOF
}
# Argument handling
while [ $# -gt 0 ]; do
case $1 in
-h|--help) showhelp; exit; shift 1 ;;
-V|--version) echo $(basename $0) $H_VERSION; exit; shift 1 ;;
-v|--verbose) verb=true; shift 1 ;;
-m|--no-md5) md5=false; shift 1 ;;
-s|--no-ssh) ssh=false; shift 1 ;;
*) showhelp; exit ;;
esac
done
DEBIANCODES=([3]=woody/sarge [4]=etch [5]=lenny [6]=squeeze [7]=wheezy)
# Debian is missing lsb_release command
if [[ $(which lsb_release) ]]; then
H_DISTRO=$(lsb_release -s -i)
H_RELEASE=$(lsb_release -s -r)
H_CODE=$(lsb_release -s -c)
# FIXME probably a strange check for Debian
elif [[ $(grep -c '^[[:digit:]]' /etc/debian_version) > 0 ]]; then
H_DISTRO=$(awk -F': ' '/Vendor:/ {print $2}' /etc/dpkg/origins/debian)
H_RELEASE=$(cat /etc/debian_version)
H_CODE=${DEBIANCODES[$(echo $H_RELEASE | cut -b1)]}
else
echo "Not a Debian-based distribution, please install the package lsb-release and send" .
" the output of 'lsb_release -a' to info@lugh.ch."
exit 1
fi
H_KERNEL=$(uname -r)
H_ARCH=$(uname -m)
msg() {
if [[ "$verb" ]]; then
echo $1
fi
}
check_md5() {
# http://kemovitra.blogspot.com/2010/07/checking-integrity-of-debianubuntu.html
if [ $md5 ]; then
echo "not run"
else
msg "Copying /var/lib/dpkg/info/*.md5sums to temporary file..."
TEMPMD5=$(mktemp -t)
cat /var/lib/dpkg/info/*.md5sums | sort > $TEMPMD5 && cd /
msg "Running md5sum, searching for 'FAILED' files..."
md5sum -c $TEMPMD5 2>&1 | grep ': FAILED' | awk -F':' {'print "/"$1'} && rm $TEMPMD5
fi
}
check_ssh() {
ssh_config_regex="/etc/ssh/ssh*conf*"
if [ $ssh ]; then
SSHD="not run"
else
msg "Searching files $ssh_config_regex for PermitRootLogin yes..."
if [[ $(grep -i -c 'PermitRootLogin.*yes' $ssh_config_regex) > 0 ]]; then
echo "Root login enabled!"
else
echo "root login disabled"
fi
fi
}
#check_dummy() {
# echo "this is a dummy check"
# msg "debug text of dummy_check..."
#}
#column -t -s':' -c 80 << EOF
echo "Distribution: $H_DISTRO"
echo "Release/Codename: $H_RELEASE ($H_CODE)"
echo "Kernel/Architecture: $H_KERNEL ($H_ARCH)"
echo -n "md5 check: "
check_md5
echo -n "SSH check: "
check_ssh
# /usr/bin/printf "\u00A9 2010 Oliver Ladner\n" #unicode ausgabe
# Define default return code
exit 0
# vim: ts=3:sw=3

27
lighttpd_restart_oom.sh
View file

@ -1,27 +0,0 @@
#!/usr/bin/env bash
# Author: Oliver Ladner <oli@lugh.ch>
# License: LGPL
#
# Monitors if lighttpd uses too much mem, and if so, restarts it
# 100MB
MAXRAM=200000
while true; do
CHECK=$(ps auxww | grep 'lighttpd -f' | grep -v grep | awk '{print $6}')
sleep 5
if [ $CHECK -gt $MAXRAM ]; then
logger "lighttpd OOM ($CHECK KB used)"
/etc/init.d/lighttpd stop
sleep 15
/etc/init.d/lighttpd start
sleep 5
elif [ -z $CHECK ]; then
logger "lighttpd not running, starting"
/etc/init.d/lighttpd start
sleep 15
else
logger "lighttpd normal ($CHECK KB used)"
fi
done

21
rbl_expire.sh
View file

@ -4,21 +4,20 @@
listtype=$1 listtype=$1
if ! [[ "$listtype" =~ ^[4,6]+$ ]]; then if ! [[ "$listtype" =~ ^[4,6]+$ ]]; then
echo "first parameter is mandatory and must be either 4 or 6." echo "first parameter is mandatory and must be either 4 or 6."
exit 1 exit 1
fi fi
rblfile="/var/lib/rbldns/listv$listtype" rblfile="/var/lib/rbldns/listv$listtype"
maxage=96 # in hours maxage=168 # in hours
if [ $listtype -eq 4 ]; then if [ $listtype -eq 4 ]; then
egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' $rblfile | while read -r ip delimiter timestamp foo; do egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' $rblfile | while read -r ip delimiter timestamp foo; do
if [ "$timestamp" -gt "0" ]; then if [ "$timestamp" -gt "0" ]; then
expiration=$(echo "$(date +%s)-$timestamp" | bc) expiration=$(echo "$(date +%s)-$timestamp" | bc)
if [ "$expiration" -gt "$(($maxage * 3600))" ]; then
if [ "$expiration" -gt "$(($maxage * 3600))" ]; then #echo "DEBUG: entry $ip older than $maxage hours (expired $(($expiration / 3600)) hours ago)"
#echo "DEBUG: entry $ip older than $maxage hours (expired $(($expiration / 3600)) hours ago)" sed -i "/^$ip.*# $timestamp.*$/d" $rblfile || echo "Error while deleting $ip: $?"
sed -i "/^$ip.*# $timestamp.*$/d" $rblfile || echo "Error while deleting $ip: $?" fi
fi
fi fi
done done
fi fi
@ -27,3 +26,5 @@ fi
if [ $listtype -eq 6 ]; then if [ $listtype -eq 6 ]; then
: :
fi fi
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4

32
rbl_generate.sh
View file

@ -14,12 +14,9 @@ fi
rblfile="/var/lib/rbldns/listv$listtype" rblfile="/var/lib/rbldns/listv$listtype"
function dnsq { function dnsq {
if [ $listtype == "4" ]; then if [ $listtype == "4" ]; then echo "$(dig +short $1)"
echo "$(dig +short $1)" elif [ $listtype == "6" ]; then echo "$(dig +short AAAA $1)"
elif [ $listtype == "6" ]; then else echo "unknown, fix it"
echo "$(dig +short AAAA $1)"
else
echo "unknown, fix it"
fi fi
} }
@ -28,7 +25,6 @@ $(dnsq lugh.ch)
$(dnsq ipv6.lugh.ch) $(dnsq ipv6.lugh.ch)
$(dnsq oxi.ch) $(dnsq oxi.ch)
$(dnsq mail.zephry.ch) $(dnsq mail.zephry.ch)
$(dnsq moni-und-oli.ch)
) )
static_black=( static_black=(
$(dnsq www.uceprotect.net) $(dnsq www.uceprotect.net)
@ -36,20 +32,13 @@ $(dnsq rsync-mirrors.uceprotect.net)
$(dnsq www.backscatterer.org) $(dnsq www.backscatterer.org)
$(dnsq unimatrix.admins.ws) $(dnsq unimatrix.admins.ws)
) )
fail2ban_chains=( fail2ban_chains=$(/sbin/iptables -nL | grep ^f2b | awk {'print $1'})
fail2ban-dovecot
fail2ban-sasl
fail2ban-ssh
fail2ban-ssh-ddos
fail2ban-tumgreyspf
fail2ban-apache-digest
)
ban_ip=() ban_ip=()
# Get currently banned IPs from fail2ban chains # Get currently banned IPs from fail2ban chains
iptables_banned=( iptables_banned=(
$(for chain in ${fail2ban_chains[@]}; do $(for chain in $fail2ban_chains; do
/sbin/iptables -nL $chain | grep '^DROP' | awk {'print $4'} | grep -v '0.0.0.0/0' /sbin/iptables -w 1 -nL "$chain" | grep '^REJECT' | awk {'print $4'} | grep -v '0.0.0.0/0'
done | sort | uniq) done | sort | uniq)
) )
@ -71,7 +60,7 @@ cat << HEREDOC > $rblfile
# Test entry http://www.ietf.org/rfc/rfc5782.txt # Test entry http://www.ietf.org/rfc/rfc5782.txt
$testentry $testentry
:127.0.0.2:$ is listed because of misbehaviour. See http://lugh.ch/dnsbl.html for details :127.0.0.2:$ is listed because of misbehaviour. See https://lugh.ch/dnsbl.html for details
# Whitelist # Whitelist
$(printf "!%s # 0\n" "${static_white[@]}") $(printf "!%s # 0\n" "${static_white[@]}")
@ -124,4 +113,9 @@ for timestamp in $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv$listtype.txt
done done
# Concatenate IPv4 and IPv6 lists together # Concatenate IPv4 and IPv6 lists together
cat /var/www/virtsrv/lugh.ch/listv4.txt $(grep -e '^[0-9]' /var/www/virtsrv/lugh.ch/listv6.txt) > /var/www/virtsrv/lugh.ch/list.txt echo -e "IP\t\tDate listed\t\t\tCause\t\t\t\t\tCountry" > /var/www/virtsrv/lugh.ch/list.txt
echo -e "--\t\t-----------\t\t\t-----\t\t\t\t\t-------" >> /var/www/virtsrv/lugh.ch/list.txt
tail -n+3 /var/www/virtsrv/lugh.ch/listv4.txt >> /var/www/virtsrv/lugh.ch/list.txt
tail -n+3 /var/www/virtsrv/lugh.ch/listv6.txt >> /var/www/virtsrv/lugh.ch/list.txt
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4

5
varnish_ban.sh
View file

@ -1,3 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Ban (purge) all on localhost # Ban (purge) all on localhost
# Varnish 4
varnishadm -T localhost:6082 -S /etc/varnish/secret "ban req.http.host ~ $1" varnishadm -T localhost:6082 -S /etc/varnish/secret "ban req.http.host ~ $1"
# Varnish 5
varnishadm -T localhost:6082 -S /etc/varnish/secret ban req.http.host == $1