Looping Through a List

by mike on December 22, 2011

When you write scripts for administrative purposes, you often need to evaluate a list and then take action based on each item in it. This script is an example of that process; it is designed to be run by a Nagios server to monitor and respond to web site attacks.

The heart of the script is this loop, which compares each signature in a list against the log file looking for a match.

# One line per signature: how many of the last five log lines contain it.
# -F matches the signature literally; signatures contain regex characters such as | and .
while IFS= read -r sig
do
    [ -z "$sig" ] && continue
    tail -n5 "$logfile" | grep -F -- "$sig" | uniq | wc -l >> /tmp/attack
done < "$attacksig"

This script is a simple example of monitoring a number of attack signatures aimed at a web site. Once an attack has been recognized, the script responds by blocking the attacker's IP address, notifying administrators and then resetting the check ready for the next attack: Monitor, Respond, Notify, Reset (MRNR).

#!/bin/bash
# Monitor, Respond, Notify, Reset: check the tail of the web log for attack
# signatures, ban the source addresses, and report the result to Nagios.
cfg="/usr/local/nagios/etc/send_nsca.cfg"
logfile="/var/log/httpd/access_log"
attacksig=attacksig.txt
badip="/etc/banned"
# Reset: drop the results of the previous check.
rm -f /tmp/attack
# Monitor: one line per signature, holding how many of the last five log lines contain it.
# -F matches the signature literally; signatures contain regex characters such as | and .
while IFS= read -r sig
do
    [ -z "$sig" ] && continue
    tail -n5 "$logfile" | grep -F -- "$sig" | uniq | wc -l >> /tmp/attack
done < "$attacksig"
# Count the signatures that matched at least once in the window.
x=$(awk '$1 != 0' /tmp/attack | wc -l)
if [ "$x" -eq 0 ]
then
    stateid=0
    cmd="bash;Pass-WebMultAttack;0;All Systems Look OK"
else
    stateid=2
    cmd="bash;Pass-WebMultAttack;2;ATTACK UNDER WAY: DEFENSIVE ACTIONS BEING TAKEN"
fi
# Respond: record the client address (first field) of every log line that contains a signature.
grep -F -f "$attacksig" "$logfile" | awk '{ print $1 }' | sort -u >> "$badip"
# THIS SECTION COMMENTED TO STOP BLOCKING IN DEMO
banned=$( grep -v -E "^#" "$badip" )
for ip in $banned
do
    iptables -I INPUT -p tcp -s "$ip" -j DROP
done
# Notify: send the passive check result to the Nagios server.
/bin/echo "$cmd" | /usr/local/nagios/bin/send_nsca -H 192.168.5.163 -d ';' -c "$cfg"
exit $stateid

Understanding the Script
cfg="/usr/local/nagios/etc/send_nsca.cfg"
This line points to the configuration file that contains the password and encryption method for the connection to the Nagios server.

logfile="/var/log/httpd/access_log"
The variable "logfile" is set here so that it can be used later in the script. Note: in order for Nagios to read this log you must change the group ownership of the log (note the nagios group in the listing below).
ls -la /var/log/httpd/access_log
-rw-r--r-- 1 root nagios 98760 Dec  9 17:08 /var/log/httpd/access_log

attacksig=attacksig.txt
The variable "attacksig" points to a text file containing the attack signatures you want to focus on, one signature per line. See the information below on how to set this file up.

badip="/etc/banned"
The "badip" variable names the file that collects attacker IP addresses; the addresses listed in it will in turn be blocked from accessing the site as a defensive response.

rm -f /tmp/attack
To make sure the script is not pulling information from a previous check, the first thing it does is remove the previous results.

# One line per signature: how many of the last five log lines contain it.
# -F matches the signature literally; signatures contain regex characters such as | and .
while IFS= read -r sig
do
    [ -z "$sig" ] && continue
    tail -n5 "$logfile" | grep -F -- "$sig" | uniq | wc -l >> /tmp/attack
done < "$attacksig"

This section of the script works through each line of attacksig.txt, compares it with the last five lines of the log file to see whether there is a match, and appends the match count to a temporary file. Note that the number of log lines you check should be related to how often the check is performed.

# Client addresses (first field) of the recent log lines that contain any signature.
attacker=$(tail -n5 "$logfile" | grep -F -f "$attacksig" | awk '{ print $1 }')
This variable is created from a command substitution. The goal is to look at the last five lines of the access_log to find recent attacks; the IP addresses of the matching requests are captured in the variable.

# Count the signatures that matched at least once in the window.
x=$(awk '$1 != 0' /tmp/attack | wc -l)
if [ "$x" -eq 0 ]
then
    stateid=0
    cmd="bash;Pass-WebMultAttack;0;All Systems Look OK"
else
    stateid=2
    cmd="bash;Pass-WebMultAttack;2;ATTACK UNDER WAY: DEFENSIVE ACTIONS BEING TAKEN"
fi

If attacks are under way, a CRITICAL state is sent to the Nagios server based on the last five lines of access_log, along with a message for the administrator. The filter on /tmp/attack keeps the lines whose count is not zero, that is, the signatures that matched at least once, and "wc -l" turns that into an integer that can be used in the test. The test "$x -eq 0" determines whether any attacks are under way. If there are none, the response to Nagios is an OK state, "stateid=0"; if there is an attack, a CRITICAL state, "stateid=2", is sent instead.

# Record the client address (first field) of every log line that contains a signature.
grep -F -f "$attacksig" "$logfile" | awk '{ print $1 }' | sort -u >> "$badip"

This line finds every log line that contains one of the signatures, takes the client IP address (the first field) and appends it to the banned file so that the address can be blocked.

# Every non-comment line of the banned file is an address to drop.
banned=$( grep -v -E "^#" "$badip" )
for ip in $banned
do
    iptables -I INPUT -p tcp -s "$ip" -j DROP
done

This section of the script should be tested completely before you use it on a production machine. It reads the banned file, skipping comment lines, and inserts an iptables rule that drops TCP traffic from each listed IP address.

exit $stateid

The exit status is what is reflected in the colour of the state in Nagios.
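The Monitor, Respond and Notify steps explained above, as an added example rather than the post's own script: it runs against constructed Apache-style log lines and a constructed signature file (addresses taken from documentation ranges), keeps every step in a function so the logic can be exercised without touching /var/log, and prints the iptables rules it would add instead of running them. The function names, the window size, the sample data and the banned-file layout (modelled on the post's /etc/banned) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's script): the Monitor/Respond/Notify logic
# as shell functions that can be run against constructed data.

# Constructed sample log (Apache-style, addresses from documentation ranges).
SAMPLE_LOG='192.0.2.10 - - [22/Dec/2011:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
192.0.2.10 - - [22/Dec/2011:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 301
198.51.100.7 - - [22/Dec/2011:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd%00html HTTP/1.1" 404 201
198.51.100.7 - - [22/Dec/2011:10:00:04 +0000] "GET /index.php?page=ls%20-al| HTTP/1.1" 404 198
203.0.113.5 - - [22/Dec/2011:10:00:05 +0000] "GET /docs/my%20file.pdf HTTP/1.1" 200 8820'

# Constructed signature file: one literal string per line.
SAMPLE_SIGS='page=ls%20-al|
%00
environ%00'

# Constructed ban list in the post's /etc/banned layout (comment lines start with #).
SAMPLE_BANNED='# addresses added by the web attack check
198.51.100.7
203.0.113.99'

# make_demo_files: write the samples to a temporary directory and print its path.
make_demo_files() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$dir/access_log"
    printf '%s\n' "$SAMPLE_SIGS" > "$dir/attacksig.txt"
    printf '%s\n' "$SAMPLE_BANNED" > "$dir/banned"
    echo "$dir"
}

# count_hits WINDOW SIGFILE LOGFILE
# For each signature print "<hits> <signature>", counting only the last WINDOW
# log lines; the window is what ties the check to how often Nagios runs it.
count_hits() {
    local window="$1" sigfile="$2" logfile="$3" sig hits
    while IFS= read -r sig || [ -n "$sig" ]; do
        [ -z "$sig" ] && continue                 # skip blank lines
        # -F: literal match, since signatures contain | . and ?
        # grep -c exits 1 when the count is 0, so keep the "0" and ignore the status
        hits=$(tail -n "$window" "$logfile" | grep -F -c -- "$sig" || true)
        printf '%s %s\n' "$hits" "$sig"
    done < "$sigfile"
}

# attacking_ips WINDOW SIGFILE LOGFILE: client address of every matching line, deduplicated.
attacking_ips() {
    tail -n "$1" "$3" | grep -F -f "$2" | awk '{ print $1 }' | sort -u
}

# nagios_state WINDOW SIGFILE LOGFILE: 0 (OK) when no signature hit, 2 (CRITICAL) otherwise.
nagios_state() {
    if count_hits "$@" | awk '$1 != 0' | grep -q .; then
        echo 2
    else
        echo 0
    fi
}

# nsca_line STATE: the "host;service;state;text" record the post pipes into send_nsca -d ';'.
nsca_line() {
    if [ "$1" -eq 0 ]; then
        echo "bash;Pass-WebMultAttack;0;All Systems Look OK"
    else
        echo "bash;Pass-WebMultAttack;2;ATTACK UNDER WAY: DEFENSIVE ACTIONS BEING TAKEN"
    fi
}

# ban_rules BANFILE: print (do not run) one iptables command per listed address, skipping comments.
ban_rules() {
    grep -v -E '^#' "$1" | while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        echo "iptables -I INPUT -p tcp -s $ip -j DROP"
    done
}

# Demo run over the constructed data.
demo=$(make_demo_files)
count_hits 5 "$demo/attacksig.txt" "$demo/access_log"
state=$(nagios_state 5 "$demo/attacksig.txt" "$demo/access_log")
nsca_line "$state"
attacking_ips 5 "$demo/attacksig.txt" "$demo/access_log"
ban_rules "$demo/banned"
rm -rf "$demo"
```

Shrinking the window to a single line shows why the window size matters: with only the last sample request in view none of the signatures match and the state drops back to OK even though the attack traffic is still in the log.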

Creating the Signature File
The signature file can list attack signatures that you gather from your own logs, or signatures that you collect from research into common problems. The signatures need to be listed one per line. Here is some basic information about the signatures included as an example.

Path Traversal
This is the technique where a parent-directory reference (../) is used in a web server path to gain access to a file located in a parent folder.

Attempt to gain access to the /etc/passwd file.

http://example.com/index.php?filename=../../etc/passwd

Attempt to list the contents of the /etc directory.

http://example.com/index.php?page=../../../../bin/ls%20-al%20/etc|

The use of "%00", which is the hex value of a null byte, tries to fool the web server into treating the request as one for a legitimate file with a legitimate extension.

http://example.com/index.php?page=../../../../etc/passwd%00html

The hex value of a blank space, "%20", is used to attempt to execute commands.

http://example.com/index.php?page=ls%20-al|

attacksig.txt
page=ls%20-al|
%20
%00
environ%00
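A check worth running before a signature file goes into service, added here as an example and not part of the post: match each signature against a sample of traffic that is known to be legitimate and flag any that hit, because a bare "%20" (an encoded space, common in ordinary file names and search terms) will raise the alarm on normal requests and get legitimate clients banned. The sample log lines, the temporary file names and the function names are constructed for this example; the signature file under review is the post's own attacksig.txt.

```shell
#!/bin/sh
# Added example (not from the post): flag signatures that match known-good traffic.

# Constructed sample of legitimate requests (addresses from documentation ranges).
GOOD_TRAFFIC='192.0.2.10 - - [22/Dec/2011:11:00:01 +0000] "GET /docs/annual%20report.pdf HTTP/1.1" 200 90112
192.0.2.11 - - [22/Dec/2011:11:00:02 +0000] "GET /index.php?page=contact HTTP/1.1" 200 612
192.0.2.12 - - [22/Dec/2011:11:00:03 +0000] "GET /search?q=bob%20smith HTTP/1.1" 200 2048'

# The post's attacksig.txt, reproduced as the file under review.
POST_SIGS='page=ls%20-al|
%20
%00
environ%00'

# make_vet_files: write the samples to a temporary directory and print its path.
make_vet_files() {
    dir=$(mktemp -d)
    printf '%s\n' "$GOOD_TRAFFIC" > "$dir/good_log"
    printf '%s\n' "$POST_SIGS" > "$dir/attacksig.txt"
    echo "$dir"
}

# vet_signatures SIGFILE GOODLOG
# Print "WIDE <n> <signature>" for a signature that hits n > 0 lines of legitimate
# traffic and "ok 0 <signature>" otherwise. Matching is literal (grep -F), as in the monitor.
vet_signatures() {
    local sig n
    while IFS= read -r sig || [ -n "$sig" ]; do
        [ -z "$sig" ] && continue
        n=$(grep -F -c -- "$sig" "$2" || true)   # grep -c exits 1 on a count of 0
        if [ "$n" -gt 0 ]; then
            printf 'WIDE %s %s\n' "$n" "$sig"
        else
            printf 'ok %s %s\n' "$n" "$sig"
        fi
    done < "$1"
}

# wide_count SIGFILE GOODLOG: number of flagged signatures; 0 means the file is safe to deploy.
wide_count() {
    vet_signatures "$1" "$2" | grep -c '^WIDE' || true
}

# Demo run over the constructed data.
vet=$(make_vet_files)
vet_signatures "$vet/attacksig.txt" "$vet/good_log"
echo "flagged: $(wide_count "$vet/attacksig.txt" "$vet/good_log")"
rm -rf "$vet"
```

In this sample only "%20" is flagged; the longer signatures carry enough context ("page=ls%20-al|", "environ%00") to stay quiet on normal traffic, which is the property to aim for when choosing what goes into the file.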
