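### ### Additional, useful bash functions, Pizon style ### ###
#
# This file is meant to be sourced into an interactive shell (lsfunc looks for
# it at $HOME/bin/pfunctions.sh by default), so it deliberately does NOT set
# `set -e`/`set -u`: those options would leak into the caller's session.
#
# Every "### desc:<name>: <description>" line below is parsed by lsfunc, so
# keep that format when adding a function.
#
# Helpers prefixed with "_" are internal and are not listed by lsfunc.

#######################################
# Print a diagnostic on stderr.
# Arguments: the message words
#######################################
_err() {
  printf '%s\n' "$*" >&2
}

#######################################
# Succeed only when the effective uid is root.
# Arguments: $1 - name of the calling function, used in the message
# Returns:   0 when root, 1 otherwise
#######################################
_require_root() {
  if (( EUID != 0 )); then
    _err "$1 must be run as root."
    return 1
  fi
  return 0
}

#######################################
# Succeed only when the argument is a non-negative decimal integer.
# Used before a value is handed to awk/tail/dd so that nothing but
# digits is ever interpolated into a program or option.
# Arguments: $1 - value to check
#######################################
_is_uint() {
  [[ $1 =~ ^[0-9]+$ ]]
}

#######################################
# Escape a literal string for use inside a basic regular expression,
# so that a value such as a domain name cannot widen or break the pattern.
# Arguments: $1 - literal text
# Outputs:   escaped text on stdout
#######################################
_bre_escape() {
  printf '%s\n' "$1" | sed 's/[][\.*^$]/\\&/g'
}

###
### desc:lsfunc: List functions
###
function lsfunc {
  # PFUNC may be pre-set in the environment to list another function file.
  local pfunc=${PFUNC:-$HOME/bin/pfunctions.sh}
  if [[ ! -r $pfunc ]]; then
    _err "lsfunc: cannot read $pfunc"
    return 1
  fi
  printf "%-16s %s\n" "Function" "Description"
  printf "%-16s %s\n" "--------" "-----------"
  # Only comment lines of the form "### desc:name: text" are description
  # lines; anchoring on the leading hashes keeps code lines out of the list.
  grep -E '^#+ *desc:' -- "$pfunc" \
    | awk -F ':' '{ printf "%-15s %s\n", $2, $3 }' \
    | sort -n
}

###
### desc:chkdos: Check for possible DDoS attacks
###
function chkdos {
  local port=$1
  if [[ -z $port ]]; then
    _err "Usage: chkdos <port>"
    return 2
  fi
  if ! _is_uint "$port"; then
    _err "chkdos: port must be a number"
    return 2
  fi
  if ! command -v netstat >/dev/null 2>&1; then
    _err "chkdos: netstat not found"
    return 1
  fi
  # Count established/pending connections per remote address on the given
  # local port. The port is passed with -v rather than spliced into the awk
  # program; the remote port is stripped after the last ':' so IPv6 peers
  # are counted too.
  netstat -ant \
    | awk -v port="$port" '$4 ~ (":" port "$") { sub(/:[^:]*$/, "", $5); print $5 }' \
    | sort | uniq -c | sort -n
}

###
### desc:qbak: Make a quick backup of a file with a timestamp
###
function qbak {
  local file=$1 stamp
  if [[ -z $file ]]; then
    _err "Usage: qbak <file>"
    return 2
  fi
  if [[ ! -e $file ]]; then
    _err "qbak: $file: no such file"
    return 1
  fi
  stamp=$(date +%Y-%m-%d-%H-%M-%S)
  # -p keeps the original mode/owner/timestamps, so a backup of a 0600 file
  # does not end up world-readable through the umask.
  cp -p -- "$file" "$file.$stamp"
}

###
### desc:uconfdrv: Run urchin's uconf-driver to fix Urchin reporting
###
function uconfdrv {
  local uctl=/usr/local/urchin/bin/urchinctl
  local uconf=/usr/local/urchin/util/uconf-driver
  local profile=$1 field
  _require_root uconfdrv || return 1
  if [[ -z $profile ]]; then
    _err "Usage: uconfdrv example.com"
    return 2
  fi
  if [[ ! -x $uctl || ! -x $uconf ]]; then
    _err "uconfdrv: urchin tools not found under /usr/local/urchin"
    return 1
  fi
  "$uctl" -s stop
  # Reset the task's scheduler/status fields in the order the original used.
  for field in cr_runnow=0 ct_runstatus=2 ct_completed=0 ct_status=1 cd_lockid=0; do
    "$uconf" action=set_parameter table=task name="$profile" "$field"
  done
  "$uctl" -s start
}

#######################################
# Succeed only when getenforce reports "Enforcing".
# Returns: 0 when enforcing, 1 (with a message) otherwise
#######################################
_selinux_enforcing() {
  local mode
  if ! command -v getenforce >/dev/null 2>&1; then
    _err "getenforce not found; SELinux tools are not installed"
    return 1
  fi
  mode=$(getenforce)
  if [[ $mode != "Enforcing" ]]; then
    _err "SELinux is not enforcing (current mode: $mode)"
    return 1
  fi
  return 0
}

#######################################
# Print the path of the SELinux audit log.
# The auditd default location is preferred; `locate` is only a fallback
# because its database can be stale and may list several matches.
# Outputs:   one path on stdout
# Returns:   1 when no log could be found
#######################################
_audit_log_path() {
  local path
  if [[ -f /var/log/audit/audit.log ]]; then
    path=/var/log/audit/audit.log
  else
    path=$(locate audit.log 2>/dev/null | grep '/audit.log$' | head -n 1)
  fi
  if [[ -z $path ]]; then
    _err "audit.log not found"
    return 1
  fi
  printf '%s\n' "$path"
}

###
### desc:chkaudit: Check selinux audit.log for violations
###
function chkaudit {
  local audit
  _require_root chkaudit || return 1
  _selinux_enforcing || return 1
  audit=$(_audit_log_path) || return 1
  if ! command -v audit2allow >/dev/null 2>&1; then
    _err "chkaudit: audit2allow not found"
    return 1
  fi
  printf 'Checking %s for violations...\n' "$audit"
  audit2allow < "$audit"
}

###
### desc:mkpolicy: Create selinux policy from selinux audit.log
###
function mkpolicy {
  local audit
  _require_root mkpolicy || return 1
  _selinux_enforcing || return 1
  audit=$(_audit_log_path) || return 1
  if ! command -v audit2allow >/dev/null 2>&1; then
    _err "mkpolicy: audit2allow not found"
    return 1
  fi
  printf 'Updating SELinux policy...\n'
  # -M local writes local.te/local.pp into the current directory. The module
  # is NOT loaded here; audit2allow allows whatever was denied, so the
  # generated rules should be reviewed before being installed.
  audit2allow -M local < "$audit"
}

###
### desc:mkjunk: Make junk files for testing file transfers
###
function mkjunk {
  local number=$1 size=$2 bytes i
  if [[ -z $number || -z $size ]]; then
    _err "Usage: mkjunk <count> <size-in-KiB>"
    return 2
  fi
  if ! _is_uint "$number" || ! _is_uint "$size" || (( size < 1 )); then
    _err "mkjunk: <count> must be an integer and <size-in-KiB> a positive integer"
    return 2
  fi
  bytes=$((size * 1024))
  printf 'Creating %s files %s bytes in size:\n' "$number" "$bytes"
  # bs=<size> bytes * count=1024 blocks = <size> KiB per file.
  for ((i = 1; i <= number; i++)); do
    if ! dd if=/dev/urandom bs="$size" count=1024 of="junkfile.$i" >/dev/null 2>&1; then
      _err "mkjunk: failed to write junkfile.$i"
      return 1
    fi
  done
  ls -lh junkfile.*
}

###
### desc:lsusers: List users from /etc/passwd greater than a given user id
###
function lsusers {
  # Optional second argument selects another passwd-format file.
  local min_uid=$1 passwd=${2:-/etc/passwd}
  if [[ -z $min_uid ]]; then
    _err "Usage: lsusers <min-uid> [passwd-file]"
    return 2
  fi
  if ! _is_uint "$min_uid"; then
    _err "lsusers: <min-uid> must be a number"
    return 2
  fi
  if [[ ! -r $passwd ]]; then
    _err "lsusers: cannot read $passwd"
    return 1
  fi
  # The threshold is passed with -v, never spliced into the awk program.
  awk -F ':' -v min="$min_uid" '$3 >= min { print $1 }' "$passwd"
}

###
### desc:elslar: Enhanced ls -lAR formatted report
###
function elslar {
  printf "%-12s %-25s %-5s %s\n" "Type" "Name" "Size" "Number"
  printf "%-12s %-25s %-5s %s\n" "----" "----" "----" "------"
  # The loop runs in a subshell so the shopt changes do not leak into the
  # caller's shell; globbing (with dotfiles) replaces parsing `ls` output,
  # which broke on names containing whitespace.
  (
    shopt -s nullglob dotglob
    local entry size count
    for entry in *; do
      size=$(du -sh -- "$entry" | awk 'END { print $1 }')
      if [[ -d $entry ]]; then
        count=$(ls -lAR --color=no -- "$entry" | wc -l | awk '{ print $1 }')
        printf "%-12s %-25s %-5s %s\n" "Directory:" "$entry" "$size" "$count"
      elif [[ -f $entry ]]; then
        printf "%-12s %-25s %s\n" "File:" "$entry" "$size"
      fi
    done
  ) | sort
}

###
### These next few functions are Plesk/qmail specific
###

#######################################
# Print the path of the Plesk/qmail maillog, preferring the Plesk location.
# Outputs:   one path on stdout
# Returns:   1 (with a message) when neither candidate exists
#######################################
_plesk_maillog() {
  local candidate
  for candidate in /usr/local/psa/var/log/maillog /var/log/maillog; do
    if [[ -f $candidate ]]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  _err "no Plesk/qmail maillog found"
  return 1
}

###
### desc:plskchkpop: List of e-mail users and how many times they checked their mail
###
function plskchkpop {
  local maillog
  _require_root plskchkpop || return 1
  maillog=$(_plesk_maillog) || return 1
  grep "pop3d.*user=" "$maillog" \
    | sed -e "s/^.*user=//g" -e "s/,.*$//g" \
    | sort | uniq -c | sort -nr
}

###
### desc:plskmspd: List the number of mails sent from a domain
###
function plskmspd {
  local maillog maildir=/var/qmail/mailnames dir domain
  _require_root plskmspd || return 1
  maillog=$(_plesk_maillog) || return 1
  for dir in "$maildir"/*/; do
    [[ -d $dir ]] || continue
    domain=${dir%/}
    domain=${domain##*/}
    printf '%s: ' "$domain"
    # The domain is escaped so its dots (or a stray metacharacter in a
    # directory name) cannot alter the pattern.
    grep -c "qmail: .* info msg .* from .*$(_bre_escape "$domain")" -- "$maillog"
  done
}

###
### desc:plskmdpd: List the number of mails sent to a domain
###
function plskmdpd {
  local maillog
  _require_root plskmdpd || return 1
  maillog=$(_plesk_maillog) || return 1
  grep "qmail: .* starting delivery .* to local" "$maillog" \
    | awk '{print $14}' \
    | sed -e "s/^[0-9]*-.*@//g" \
    | sort | uniq -c | sort -nr
}

###
### desc:plskmailpass: Plesk e-mail password retriever
###
function plskmailpass {
  local psa_user=admin psa_db=psa psa_pass
  if [[ ! -r /etc/psa/.psa.shadow ]]; then
    _err "plskmailpass: cannot read /etc/psa/.psa.shadow"
    return 1
  fi
  psa_pass=$(</etc/psa/.psa.shadow) || return 1
  # The DB password goes in via MYSQL_PWD instead of -p<pass> on argv, so it
  # is not visible to every user through `ps`. The output itself contains
  # plaintext mailbox credentials; handle it accordingly.
  MYSQL_PWD="$psa_pass" mysql -u"$psa_user" "$psa_db" -e 'SELECT CONCAT(mail_name,"@",domains.name) AS "e-mail", password FROM domains LEFT JOIN mail ON domains.id=mail.dom_id LEFT JOIN accounts ON mail.account_id = accounts.id WHERE postbox="true";'
}

###
### End of Plesk-related functions
###

###
### desc:safne: List of IPs that failed SMTP auth due to non-existent user
###
function safne {
  local faillog=/var/log/messages
  _require_root safne || return 1
  grep "smtp_auth: smtp_auth: FAILED: .* no such user" "$faillog" \
    | awk '{print $15}' \
    | sed -e "s/\[//g" -e "s/\]//g" \
    | sort -n | uniq -c | sort -nr
}

###
### desc:safp: List of IPs that failed SMTP auth due to bad passwords
###
function safp {
  local faillog=/var/log/messages
  _require_root safp || return 1
  grep "smtp_auth: smtp_auth: FAILED: .* password incorrect" "$faillog" \
    | awk '{print $8"\t"$14}' \
    | sed -e "s/\[//g" -e "s/\]//g" \
    | sort -n | uniq -c | sort -nr
}

###
### desc:safs: List of successful smtp auth logins
###
function safs {
  local authlog=/var/log/messages
  _require_root safs || return 1
  grep "smtp_auth: smtp_auth: SMTP user " "$authlog" \
    | grep "logged in from " \
    | awk '{print $9"\t"$16}' \
    | sed -e "s/\[//g" -e "s/\]//g" \
    | sort -n | uniq -c | sort -nr
}

###
### desc:safip: List of successful smtp auth logins, ip address only
###
function safip {
  local authlog=/var/log/messages
  _require_root safip || return 1
  grep "smtp_auth: smtp_auth: SMTP user " "$authlog" \
    | grep "logged in from " \
    | awk '{print $16}' \
    | sed -e "s/\[//g" -e "s/\]//g" \
    | sort -n | uniq -c | sort -nr
}

###
### desc:safipt: IPs and users with both success and more than one failure
###
function safipt {
  local authlog=/var/log/messages fipn fip
  _require_root safipt || return 1
  # `uniq -c` emits "<count> <ip>" per line; reading both fields with one
  # `read` keeps them paired (a word-splitting for-loop separates them).
  # The failure count reaches awk via -v, and the IP is matched as a whole
  # field rather than as a substring of a longer address.
  while read -r fipn fip; do
    [[ -n $fip ]] || continue
    grep "smtp_auth: smtp_auth: SMTP user " "$authlog" \
      | grep "logged in from " \
      | awk -v n="$fipn" '{print $16" with "n" failures successfully logged in as: "$9}' \
      | sed -e "s/\[//g" -e "s/\]//g" \
      | awk -v ip="$fip" '$1 == ip' \
      | sort -n | uniq
  done < <(grep "smtp_auth: smtp_auth: FAILED: .* password incorrect" "$authlog" \
      | awk '{print $14}' \
      | sed -e "s/\[//g" -e "s/\]//g" \
      | sort -n | uniq -c | sort -nr \
      | grep -v "^ *1 ")
}

###
### desc:adoschk: Check for apache DoS
###
function adoschk {
  local alog=$1 lines=$2
  _require_root adoschk || return 1
  if [[ -z $alog || -z $lines ]]; then
    _err "Usage: adoschk <access-log> <lines>"
    return 2
  fi
  if ! _is_uint "$lines"; then
    _err "adoschk: <lines> must be a number"
    return 2
  fi
  if [[ ! -r $alog ]]; then
    _err "adoschk: cannot read $alog"
    return 1
  fi
  # Requests per client address over the last <lines> log lines.
  tail -n "$lines" -- "$alog" | awk '{ print $1 }' | sort | uniq -c | sort -n
}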