Old 02-08-2006, 01:46 PM   #1
spiffytech
Member
 
Registered: Dec 2005
Location: NC, USA
Distribution: (K)ubuntu
Posts: 139

Rep: Reputation: 15
How to remove permitted IPs from logwatch


In my webhosting company, we had users supply invalid passwords (accidentally), and they consequently showed up in our daily logwatch. To prevent them from being seen, and consequently blocked by mistake, we made a script in /opt/scripts that went like this:

Quote:
#!/bin/bash

# This script will check your logwatch file to
# see if any IPs that tried to do anonymous FTP are allowed to,
# and make sure that they are not mistakenly blocked by removing
# them from the logwatch file.

# Make a tmp folder for ipblock (mktemp gives a private,
# unpredictable path instead of a fixed one under /tmp)
TMP=$(mktemp -d /tmp/ipblock.XXXXXX) || exit 1
OPT=/opt/scripts

cd "$OPT" || exit 1

# Take the permitted users out of the logwatch file.
# -F treats each list entry as a literal string (so the dots in an IP
# do not match any character) and -w requires a whole-word match, so
# 10.0.0.1 does not also hide 10.0.0.10 and "bob" does not hide "bobby".
grep -vwFf "$OPT/ipblock_permusers.txt" /tmp/logwatch > "$TMP/step1"

# Take the permitted IP addresses out of the file
grep -vwFf "$OPT/ipblock_donotblock.txt" "$TMP/step1" > "$TMP/step2"

# Mail it out to the sysadmins
mail -s "Logwatch Server 4" my_email_address < "$TMP/step2"

# Cleanup the mess
rm -rf "$TMP"

That will just strip out the IPs. However, if you want to add a little logic (and not have a permitted user list), you can use this:

Quote:
#!/bin/bash

# This script will check your logwatch file to
# see if any IPs that tried to do anonymous FTP are allowed to,
# and make sure that they are not mistakenly blocked by removing
# them from the logwatch file.

# Make a tmp folder for ipblock (mktemp gives a private,
# unpredictable path instead of a fixed one under /tmp)
TMP=$(mktemp -d /tmp/ipblock.XXXXXX) || exit 1
OPT=/opt/scripts

cd "$OPT" || exit 1

# Take the permitted users out of the logwatch file.
# -F: literal strings (a dot is a dot); -w: whole-word match, so
# 10.0.0.1 does not also hide 10.0.0.10.
grep -vwFf "$OPT/ipblock_permusers.txt" /tmp/logwatch > "$TMP/step1"

# Take the permitted IP addresses out of the file
grep -vwFf "$OPT/ipblock_donotblock.txt" "$TMP/step1" > "$TMP/step2"

# Mail it out to the sysadmins
mail -s "Logwatch Server 6" my_email_address < "$TMP/step2"

# Cleanup the mess
rm -rf "$TMP"
exit

#Ignore everything after this. It no longer
#functions properly, and is here
#merely for reference purposes.
#I reconstructed it above once I realized
#I didn't need any logic to do this.


# Use a regular expression to find the violating IPs in the logwatch using rhost= as a unique identifier
# grep -Eo '(rhost=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} : [0-9]{1,4} Time\(s\)|rhost=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=ftp: [0-9]{1,4} Time\(s\))' /tmp/logwatch > $TMP/output

grep -Eo 'rhost=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /tmp/logwatch > $TMP/output

# Use a regex to get just the IPs from that
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' $TMP/output > $TMP/output2

# Compare the no-blocking list with the could-be FTP violators
# grep -f /opt/scripts/ipblock_donotblock.txt $TMP/output2 > $TMP/permitted

# Take out permitted usernames ({1,22} is the interval syntax; {1-22} is not valid)
grep -Eo 'user=[a-z]{1,22}:' $TMP/output > $TMP/output3
PERM=`cat /opt/scripts/ipblock_permusers.txt`
grep -vE "$PERM" /tmp/logwatch > $TMP/nopermip

#Take out the permitted IPs
PERMIP=`cat $TMP/output2`
grep -vE "$PERMIP" $TMP/nopermip > $TMP/final

grep -f $TMP/output3 /opt/scripts/ipblock_permusers.txt > $TMP/usernames
# Must land in $TMP/permitted, which the test below checks
cat $TMP/usernames >> $TMP/permitted


# The report is the input of mail (<), not its output (>)
mail -s "Logwatch Server 4" my_email_address < $TMP/final

# See if there were permitted users, and act accordingly.
if [ -s $TMP/permitted ]; then

# Put the permitted addresses file into a variable for grepping
PERM=`cat $TMP/permitted`

# Take the permitted ip addresses out of the logwatch file
grep -vE "$PERM" /tmp/logwatch > $TMP/nopermip


# Take out permitted usernames
PERMUSRS=`cat /opt/scripts/ipblock_permusers.txt`
# PERMUSRS=`more /opt/scripts/ipblock_permusers.txt`

grep -Ev "$PERMUSRS" $TMP/nopermip > $TMP/final

# Send 'er out!
mail -s "Logwatch Server 4" my_email_address < $TMP/final;
else

echo -e "nowhere"

# No permitted ips, just send out logwatch as is
mail -s "Logwatch Server4" my_email_address < /tmp/logwatch;
fi

# Cleanup the mess
rm -r -f $TMP
I hope this helps somebody!