


27 changed files with 1568 additions and 75 deletions


@ -1,17 +1,17 @@
CROSS_COMPILE ?=
CC := $(CROSS_COMPILE)gcc
CFLAGS += -Os -g -Wall
LIB += -lcurl -lip4tc ./clamscan/clamscan.o ./clamscan/manager.o -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -lclamav ./clamscan/shared/libshared.a -lssl -lcrypto -lz -lpthread
LIB += -lcurl -lip4tc clamscan/clamscan.o clamscan/manager.o -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -lclamav ./clamscan/shared/libshared.a -lssl -lcrypto -lz -lpthread
IPTC_CFLAGS += -DHAVE_CONFIG_H -I./libiptc -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -D_REENTRANT
OBG = rhost
CL_CFLAGS += -Wall -Os -DHAVE_CONFIG_H -I./clamscan -I./clamscan/shared -I./clamscan/libclamav -I./clamscan/libclamunrar_iface -I/usr/include/json-c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CLAMSCAN_CFLAGS += -Wall -Os -DHAVE_CONFIG_H -I./clamscan -I./clamscan/shared -I./clamscan/libclamav -I./clamscan/libclamunrar_iface -I/usr/include/json-c -Wdate-time -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
SHARED_CFLAGS += -Wall -Os -DHAVE_CONFIG_H -I./clamscan -I./clamscan/shared -I./clamscan/libclamav -I./clamscan/libclamunrar_iface -I/usr/include/json-c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CFLAGS += -Os -g -Wall -DCRON_USE_LOCAL_TIME -DCRON_TEST_MALLOC
all: conf.o rhost.o libiptc.o
all: conf.o rhost.o libiptc.o ccronexpr.o
$(CC) $(SHARED_CFLAGS) -c ./clamscan/shared/actions.c -fPIC -DPIC -o ./clamscan/shared/actions.o
$(CC) $(SHARED_CFLAGS) -c ./clamscan/shared/cdiff.c -fPIC -DPIC -o ./clamscan/shared/cdiff.o
@ -26,8 +26,8 @@ all: conf.o rhost.o libiptc.o
$(CC) $(SHARED_CFLAGS) -c ./clamscan/shared/tar.c -fPIC -DPIC -o ./clamscan/shared/tar.o
$(CC) $(SHARED_CFLAGS) -c ./clamscan/shared/linux/cert_util_linux.c -fPIC -DPIC -o ./clamscan/shared/linux/cert_util_linux.o
ar cr ./clamscan/shared/libshared.a ./clamscan/shared/actions.o ./clamscan/shared/cdiff.o ./clamscan/shared/cert_util.o ./clamscan/shared/clamdcom.o ./clamscan/shared/getopt.o ./clamscan/shared/hostid.o ./clamscan/shared/idmef_logging.o ./clamscan/shared/misc.o ./clamscan/shared/optparser.o ./clamscan/shared/output.o ./clamscan/shared/tar.o ./clamscan/shared/linux/cert_util_linux.o
$(CC) $(CL_CFLAGS) -c clamscan/clamscan.c -o clamscan/clamscan.o
$(CC) $(CL_CFLAGS) -c clamscan/manager.c -o clamscan/manager.o
$(CC) $(CLAMSCAN_CFLAGS) -c clamscan/clamscan.c -o clamscan/clamscan.o
$(CC) $(CLAMSCAN_CFLAGS) -c clamscan/manager.c -o clamscan/manager.o
$(CC) $(CFLAGS) $^ -o $(OBG) $(LIB)
chmod +x $(OBG)
@ -40,6 +40,6 @@ static: conf.o rhost.o libiptc.o
clean:
rm -rf *.o
rm libiptc/*.o libiptc/*.a
rm clamscan/shared/*.o clamscan/shared/libshared.a clamscan/*.o
rm $(OBG)
rm -rf libiptc/*.o libiptc/*.a
rm -rf clamscan/shared/*.o clamscan/shared/libshared.a clamscan/*.o
rm -rf $(OBG)
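Review bot: The new `CFLAGS += -Os -g -Wall -DCRON_USE_LOCAL_TIME -DCRON_TEST_MALLOC` line bakes a test-only switch into the production build: rhost.h in this same change defines `cron_malloc`/`cron_free` with external linkage inside an `#ifdef CRON_TEST_MALLOC` block in a header, so every translation unit that includes rhost.h gets its own definition and the link fails with duplicate symbols as soon as a second one does (and if ccronexpr.c, whose diff is suppressed here, defines the same functions under that macro, the conflict is certain). Keep only the flag the cron header documents, `CFLAGS += -Os -g -Wall -DCRON_USE_LOCAL_TIME`, and leave the allocation counters to a test build. If the earlier `CFLAGS += -Os -g -Wall` line survived this commit (the rendering does not make that certain), the `-Os -g -Wall` triple is now passed twice. The file also still has no `.PHONY: all clean` declaration, so a file named `clean` in the tree would silence the clean target.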


@ -1,5 +1,5 @@
# denyhosts
ssh防止暴力破解,适用Debian 8、9、11 Centos 7
拒绝主机&杀毒,适用Debian 8、9、11 Centos 7
支持钉钉告警和邮件告警
支持第三方QQ邮箱告警
支持一次运行检测、后台运行检测
@ -19,6 +19,7 @@ Centos 7系统请安装libcurl、iptables-devel、libclamav-devel
```
用法
cd /root
git clone https://git.aixiao.me/aixiao/denyhosts
cd denyhosts
@ -30,10 +31,11 @@ crontab 定时任务,像这样.
示列:
./rhost -d -r / --exclude-dir="^/sys|^/dev|^/proc|^/opt/infected|^/root|^/home" --move=/opt/infected --max-filesize 1024M -l #后台运行并扫描病毒
./rhost -d -r / --exclude-dir="^/sys|^/dev|^/proc|^/opt/infected|^/root|^/home" --move=/opt/infected --max-filesize 1024M -l clamscan.log #后台运行并扫描病毒
./rhost # 只处理非法攻击
```
@ -51,37 +53,38 @@ update-alternatives --set ebtables /usr/sbin/ebtables-legacy
```
配置文件
global {
DAEMON = "off"; // on开启后台运行off不开启
TIME = "10"; // 睡眠时间
CLAMAV = 1; // clamav 是否扫描病毒
CLAMAV_TIME = "1726"; // clamav 扫描时间(小时分钟,默认每天运行)
DAEMON = "off"; // on开启后台运行,off不开启
TIME = "10"; // 睡眠时间(大于等于1,单位秒)
PUBLIC_IP = "http://inet-ip.info"; // 获取公网IP
IPV4_RESTRICTION = 1; // 是否启用IP白名单
IPV4_WHITE_LIST = "1.1.1.1 "; // IP白名单
REGION = 1; // 是否启用地域白名单
REGION_LIST = "河南 郑州"; // 地域列表
IS_BLOCKED = 1; // 是否封禁攻击IP
IS_BLOCKED = 1; // 是否封禁攻击IP(1开启,非1关闭)
REFUSE_NUMBER = 3; // 拒绝攻击次数
IS_MAIL = 0; // 开启邮件告警
CLAMAV = 1; // clamav 是否扫描病毒(测试阶段)(1开启,非1关闭)
CLAMAV_TIME = "* 22 21 * * *"; // clamav 扫描时间(Cron格式, 秒 分 时 天 月 周)
IS_DING_WEBHOOK = 0; // 开启叮叮告警
IPV4_RESTRICTION = 1; // 是否启用IP白名单(1开启,非1关闭)
IPV4_WHITE_LIST = "1.1.1.1 "; // IP白名单(空格隔开)
REGION = 1; // 是否启用地域白名单(1开启,非1关闭)
REGION_URL = "http://opendata.baidu.com/api.php?query=%s&co=&resource_id=6006&oe=utf8"; // 获取IP地域
REGION_LIST = "河南 郑州"; // 地域列表(空格隔开)
IS_MAIL = 0; // 开启邮件告警(1开启,非1关闭)
IS_DING_WEBHOOK = 0; // 开启叮叮告警(1开启,非1关闭)
PHONE = "15565979082"; // @的人手机号
DING_WEBHOOK = "https://oapi.dingtalk.com/robot/send?access_token=7f069c672cb878987aa6772cca336740eece4ce36bde12b51b45e9f440e0565a"; // 钉钉WEBHOOK
IS_QQMAIL = 0; // 开启QQ邮箱告警(默认使用gomailhttps://git.aixiao.me/aixiao/gomail.git)
IS_QQMAIL = 1; // 开启QQ邮箱告警(默认使用gomailhttps://git.aixiao.me/aixiao/gomail.git)(1开启,非1关闭)
RECV_MAIL = "1605227279@qq.com"; // 接收者QQ
}

1272
ccronexpr.c Normal file


95
ccronexpr.h Normal file

@ -0,0 +1,95 @@
/*
* Copyright 2015, alex at staticlibs.net
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* File: ccronexpr.h
* Author: alex
*
* Created on February 24, 2015, 9:35 AM
*/
#ifndef CCRONEXPR_H
#define CCRONEXPR_H
#if defined(__cplusplus) && !defined(CRON_COMPILE_AS_CXX)
extern "C" {
#endif
#ifndef ANDROID
#include <time.h>
#else /* ANDROID */
#include <time64.h>
#endif /* ANDROID */
#include <stdint.h> /*added for use if uint*_t data types*/
/**
* Parsed cron expression
*/
typedef struct {
uint8_t seconds[8];
uint8_t minutes[8];
uint8_t hours[3];
uint8_t days_of_week[1];
uint8_t days_of_month[4];
uint8_t months[2];
} cron_expr;
/**
* Parses specified cron expression.
*
* @param expression cron expression as nul-terminated string,
* should be no longer that 256 bytes
* @param pointer to cron expression structure, it's client code responsibility
* to free/destroy it afterwards
* @param error output error message, will be set to string literal
* error message in case of error. Will be set to NULL on success.
* The error message should NOT be freed by client.
*/
void cron_parse_expr(const char* expression, cron_expr* target, const char** error);
/**
* Uses the specified expression to calculate the next 'fire' date after
* the specified date. All dates are processed as UTC (GMT) dates
* without timezones information. To use local dates (current system timezone)
* instead of GMT compile with '-DCRON_USE_LOCAL_TIME'
*
* @param expr parsed cron expression to use in next date calculation
* @param date start date to start calculation from
* @return next 'fire' date in case of success, '((time_t) -1)' in case of error.
*/
time_t cron_next(cron_expr* expr, time_t date);
/**
* Uses the specified expression to calculate the previous 'fire' date after
* the specified date. All dates are processed as UTC (GMT) dates
* without timezones information. To use local dates (current system timezone)
* instead of GMT compile with '-DCRON_USE_LOCAL_TIME'
*
* @param expr parsed cron expression to use in previous date calculation
* @param date start date to start calculation from
* @return previous 'fire' date in case of success, '((time_t) -1)' in case of error.
*/
time_t cron_prev(cron_expr* expr, time_t date);
#if defined(__cplusplus) && !defined(CRON_COMPILE_AS_CXX)
} /* extern "C"*/
#endif
#endif /* CCRONEXPR_H */

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

17
conf.c

@ -157,23 +157,27 @@ static void parse_global_module(char *content, conf * conf)
return;
}
// IP白名单
if (strcasecmp(var, "IPV4_RESTRICTION") == 0) {
val_begin_len = val_end - val_begin;
conf->IPV4_RESTRICTION = atoi(val_begin);
}
if (strcasecmp(var, "IPV4_WHITE_LIST") == 0) {
val_begin_len = val_end - val_begin;
if (copy_new_mem(val_begin, val_begin_len, &conf->IPV4_WHITE_LIST) != 0)
return;
}
// 地域白名单
if (strcasecmp(var, "REGION") == 0) {
val_begin_len = val_end - val_begin;
conf->REGION = atoi(val_begin);
}
if (strcasecmp(var, "REGION_URL") == 0) {
val_begin_len = val_end - val_begin;
if (copy_new_mem(val_begin, val_begin_len, &conf->REGION_URL) != 0)
return;
}
if (strcasecmp(var, "REGION_LIST") == 0) {
val_begin_len = val_end - val_begin;
if (copy_new_mem(val_begin, val_begin_len, &conf->REGION_LIST) != 0)
@ -184,7 +188,6 @@ static void parse_global_module(char *content, conf * conf)
val_begin_len = val_end - val_begin;
conf->CLAMAV = atoi(val_begin);
}
if (strcasecmp(var, "CLAMAV_TIME") == 0) {
val_begin_len = val_end - val_begin;
conf->CLAMAV_TIME_LEN = val_begin_len;
@ -272,6 +275,12 @@ void free_conf(conf * conf)
if (conf->REGION_LIST)
free(conf->REGION_LIST);
if (conf->REGION_URL)
free(conf->REGION_URL);
if (conf->CLAMAV_TIME)
free(conf->CLAMAV_TIME);
return;
}
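Review bot: The new `REGION_URL` branch in parse_global_module only assigns `conf->REGION_URL` when the key is present in the file; nothing in this hunk supplies a default, so a configuration written for the previous release (where the key did not exist) leaves the pointer NULL unless some code outside this view fills it in, and rhost.c in this same change passes that pointer straight to sprintf. Since the old hard-coded URL is the obvious fallback, either assign it when the key is absent or fail fast at the end of parsing, e.g. `if (!conf->REGION_URL) { fprintf(stderr, "REGION_URL missing in config\n"); return; }` placed wherever read_conf validates the other mandatory keys (that code is outside the hunk). It would also help the next reader to note at the copy_new_mem call that this value is later used as a printf template, since that is not a property one expects of a URL setting.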

1
conf.h

@ -26,6 +26,7 @@ typedef struct CONF {
// 地域白名单
int REGION;
char *REGION_URL;
char *REGION_LIST;
// IPV4 白名单

BIN
conf.o

Binary file not shown.

BIN
libiptc.o

Binary file not shown.

BIN
rhost

Binary file not shown.

88
rhost.c

@ -4,6 +4,8 @@
#include "libclamav.h"
#include "clamscan.h"
#include "ccronexpr.h"
// 存储公网IP
char *public_ip;
@ -373,7 +375,9 @@ int rule(conf * conf)
char URL[BUFFER + 70];
memset(URL, 0, BUFFER + 70);
sprintf(URL, "http://opendata.baidu.com/api.php?query=%s&co=&resource_id=6006&oe=utf8", buffer);
//sprintf(URL, "http://opendata.baidu.com/api.php?query=%s&co=&resource_id=6006&oe=utf8", buffer);
sprintf(URL, conf->REGION_URL, buffer);
printf("%s\n", URL);
location_json = GET_PUBLIC_IP(URL);
if (NULL == location_json) {
@ -490,6 +494,25 @@ int process_argv(int argc, char *argv[], char **argvs)
return 0;
}
int _crontab(struct tm **calnext, char *string)
{
const char *err = NULL;
time_t cur;
time_t datenext;
time(&cur);
cron_expr parsed;
cron_parse_expr(string, &parsed, &err);
datenext = cron_next(&parsed, cur);
*calnext = localtime(&datenext);
assert(*calnext);
return 0;
}
int main(int argc, char *argv[], char **env)
{
signal(SIGCHLD, sig_child); // 创建捕捉子进程退出信号
@ -500,10 +523,6 @@ int main(int argc, char *argv[], char **env)
head_argvs = &(argvs[0]); // head_argvs指向argvs[0]
int head_argc = argc - 1; // 改变argc数
time_t time_ptr;
struct tm *tm_ptr;
char tm_cache[BUFFER];
char path[BUFFER] = { 0 };
char executable_filename[BUFFER] = { 0 };
(void)get_executable_path(path, executable_filename, sizeof(path));
@ -514,11 +533,13 @@ int main(int argc, char *argv[], char **env)
read_conf(path, conf);
//ptintf_conf(conf);
now_next_time *t = (now_next_time *)malloc(sizeof(struct now_next_time));
memset(t, 0, sizeof(struct now_next_time));
// 获取公网IP
public_ip = GET_PUBLIC_IP(conf->PUBLIC_IP);
//printf("%s", public_ip);
time(&time_ptr);
if (0 == strcmp(conf->DAEMON, "on")) {
goto goto_daemon;
@ -534,52 +555,77 @@ goto_daemon:
}
while (1) {
// 获取当前时间
time(&time_ptr);
tm_ptr = localtime(&time_ptr);
memset(tm_cache, 0, BUFFER);
sprintf(tm_cache, "%d%d", tm_ptr->tm_hour, tm_ptr->tm_min);
// Cron
struct tm *calnext; //取得Cron规则时间
calnext = (struct tm *)malloc(sizeof(struct tm));
memset(calnext, 0, sizeof(struct tm));
_crontab(&calnext, conf->CLAMAV_TIME);
t->next_year = 1900 + calnext->tm_year;
t->next_mon = 1 + calnext->tm_mon;
t->next_day = calnext->tm_mday;
t->next_hour = calnext->tm_hour;
t->next_min = calnext->tm_min;
t->next_sec = calnext->tm_sec;
// 取得现在时间
time_t timep;
struct tm *p;
time(&timep);
p = localtime(&timep);
t->now_year = 1900 + p->tm_year;
t->now_mon = 1 + p->tm_mon;
t->now_day = p->tm_mday;
t->now_hour = p->tm_hour;
t->now_min = p->tm_min;
t->now_sec = p->tm_sec;
if (conf->CLAMAV_TIME_LEN >= 4)
{
;
}
// Clamav call
if (conf->CLAMAV == 1)
if (1 == conf->CLAMAV)
{
if (0 == strcmp(tm_cache, conf->CLAMAV_TIME)) {
if ( t->now_year == t->next_year && t->now_mon == t->next_mon && t->now_day == t->next_day && t->now_hour == t->next_hour && t->now_min == t->next_min )
{
//printf("%d%d%d %d:%d:%d\n", t->now_year, t->now_mon, t->now_day, t->now_hour, t->now_min, t->now_sec);
//printf("%d%d%d %d:%d:%d\n", t->next_year, t->next_mon, t->next_day, t->next_hour, t->next_min, t->next_sec);
pid_t pid;
pid = fork();
if (pid < 0) {
printf("fork error.\n");
return -1;
} else if (pid == 0) {
} else if (pid == 0) { // child process
int r = 0;
r = _clamscan(head_argc, head_argvs);
/*
if(t != NULL)
free(t);
*/
_exit(r);
} else {
int status = 0;
wait(&status); //wait the end of child process
if (WIFEXITED(status)) {
;
//printf("子进程返回 %d\n", WEXITSTATUS(status));
//printf("child process return %d\n", WEXITSTATUS(status));
}
//printf("这是父进程.\n");
sleep(60); // 跳过这一分钟
}
}
}
rule(conf);
sleep(conf->TIME);
}
} else {
rule(conf);
//_clamscan(argc, argv);
}
free(t);
free_conf(conf);
free(conf);
free(public_ip);
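Review bot: `sprintf(URL, conf->REGION_URL, buffer);` in the rule() hunk hands a string read from the configuration file to sprintf as its format, writing into the fixed `char URL[BUFFER + 70]` on the stack; any `%` conversion in REGION_URL other than the single `%s` the code expects, or simply a template longer than the buffer leaves room for, is undefined behavior (the previous literal format could be checked by the compiler, this one cannot, and the CFLAGS used for rhost.c lack `-Werror=format-security`). Validate the template once and format with a bounded call as below; rule() starts and ends outside the hunk, so the error return should mirror whatever the existing `NULL == location_json` path does — confirm. Separately, in the main-loop hunk `calnext = (struct tm *)malloc(sizeof(struct tm))` followed by `_crontab(&calnext, conf->CLAMAV_TIME)` replaces the pointer with localtime()'s static buffer, so that block leaks on every iteration of the daemon loop, and `_crontab` never inspects `err` from cron_parse_expr, leaving `assert(*calnext)` as the only guard against an invalid CLAMAV_TIME (and none at all under NDEBUG).
```c
/* REGION_URL comes from the config file; accept it as a template only if its
 * sole conversion is one "%s", so it can never drive other printf directives. */
static int region_url_template_ok(const char *tpl)
{
    const char *p = tpl ? strchr(tpl, '%') : NULL;
    if (!p || p[1] != 's')
        return 0;
    return strchr(p + 2, '%') == NULL;
}

/* … unchanged: rule() up to the URL buffer declaration … */
    char URL[BUFFER + 70];
    memset(URL, 0, sizeof URL);
    if (!region_url_template_ok(conf->REGION_URL)
        || snprintf(URL, sizeof URL, conf->REGION_URL, buffer) >= (int)sizeof URL) {
        fprintf(stderr, "REGION_URL rejected or too long\n");
        return -1; /* TODO confirm against rule()'s other error returns */
    }
/* … unchanged: GET_PUBLIC_IP(URL) and the rest of rule() … */
```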


@ -1,34 +1,35 @@
global {
DAEMON = "off"; // on开启后台运行off不开启
TIME = "10"; // 睡眠时间
CLAMAV = 1; // clamav 是否扫描病毒
CLAMAV_TIME = "1726"; // clamav 扫描时间(小时分钟,默认每天运行)
DAEMON = "off"; // on开启后台运行,off不开启
TIME = "10"; // 睡眠时间(大于等于1,单位秒)
PUBLIC_IP = "http://inet-ip.info"; // 获取公网IP
IPV4_RESTRICTION = 1; // 是否启用IP白名单
IPV4_WHITE_LIST = "1.1.1.1 "; // IP白名单
REGION = 1; // 是否启用地域白名单
REGION_LIST = "河南 郑州"; // 地域列表
IS_BLOCKED = 1; // 是否封禁攻击IP
IS_BLOCKED = 1; // 是否封禁攻击IP(1开启,非1关闭)
REFUSE_NUMBER = 3; // 拒绝攻击次数
IS_MAIL = 0; // 开启邮件告警
CLAMAV = 1; // clamav 是否扫描病毒(测试阶段)(1开启,非1关闭)
CLAMAV_TIME = "* 22 21 * * *"; // clamav 扫描时间(Cron格式, 秒 分 时 天 月 周)
IS_DING_WEBHOOK = 0; // 开启叮叮告警
IPV4_RESTRICTION = 1; // 是否启用IP白名单(1开启,非1关闭)
IPV4_WHITE_LIST = "1.1.1.1 "; // IP白名单(空格隔开)
REGION = 1; // 是否启用地域白名单(1开启,非1关闭)
REGION_URL = "http://opendata.baidu.com/api.php?query=%s&co=&resource_id=6006&oe=utf8"; // 获取IP地域
REGION_LIST = "河南 郑州"; // 地域列表(空格隔开)
IS_MAIL = 0; // 开启邮件告警(1开启,非1关闭)
IS_DING_WEBHOOK = 0; // 开启叮叮告警(1开启,非1关闭)
PHONE = "15565979082"; // @的人手机号
DING_WEBHOOK = "https://oapi.dingtalk.com/robot/send?access_token=7f069c672cb878987aa6772cca336740eece4ce36bde12b51b45e9f440e0565a"; // 钉钉WEBHOOK
IS_QQMAIL = 0; // 开启QQ邮箱告警(默认使用gomailhttps://git.aixiao.me/aixiao/gomail.git)
IS_QQMAIL = 1; // 开启QQ邮箱告警(默认使用gomailhttps://git.aixiao.me/aixiao/gomail.git)(1开启,非1关闭)
RECV_MAIL = "1605227279@qq.com"; // 接收者QQ
}
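Review bot: The shipped configuration still carries what look like live credentials and personal data — a DingTalk robot `access_token` in `DING_WEBHOOK`, a phone number in `PHONE` and a personal mailbox in `RECV_MAIL` — and this commit additionally flips `IS_QQMAIL` from 0 to 1, so a fresh install would start sending alerts to that address by default. Anything committed to a public repository has to be treated as exposed: rotate the token on the DingTalk side and replace the values with obvious placeholders, e.g. `DING_WEBHOOK = "https://oapi.dingtalk.com/robot/send?access_token=<YOUR_TOKEN>";` and `RECV_MAIL = "<your-mailbox>";`, with `IS_QQMAIL = 0` as the shipped default. The same values are repeated in the README section of this change. The comment on the new `REGION_URL` line should also state that the value is used as a format template and must contain exactly one `%s`, since rhost.c now passes it to sprintf.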

66
rhost.h

@ -15,6 +15,72 @@
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <assert.h>
typedef struct now_next_time {
int now_year;
int now_mon;
int now_day;
int now_hour;
int now_min;
int now_sec;
int now_week;
int next_year;
int next_mon;
int next_day;
int next_hour;
int next_min;
int next_sec;
int next_week;
} now_next_time;
#include <assert.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include "ccronexpr.h"
#define MAX_SECONDS 60
#define CRON_MAX_MINUTES 60
#define CRON_MAX_HOURS 24
#define CRON_MAX_DAYS_OF_WEEK 8
#define CRON_MAX_DAYS_OF_MONTH 32
#define CRON_MAX_MONTHS 12
#define INVALID_INSTANT ((time_t) -1)
#define DATE_FORMAT "%Y-%m-%d_%H:%M:%S"
#ifndef ARRAY_LEN
#define ARRAY_LEN(x) sizeof(x)/sizeof(x[0])
#endif
#ifdef CRON_TEST_MALLOC
static int cronAllocations = 0;
static int cronTotalAllocations = 0;
static int maxAlloc = 0;
void* cron_malloc(size_t n) {
cronAllocations++;
cronTotalAllocations++;
if (cronAllocations > maxAlloc) {
maxAlloc = cronAllocations;
}
return malloc(n);
}
void cron_free(void* p) {
cronAllocations--;
free(p);
}
#endif
#define CENTOS_SYSTEM 1
#define DEBISN_SYSTEM 2
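Review bot: The `#ifdef CRON_TEST_MALLOC` block defines `cron_malloc` and `cron_free` as ordinary (non-static) functions inside a header, and the Makefile in this same change enables that macro for every compile; each translation unit that includes rhost.h then emits its own copy of both symbols, which fails to link as soon as two do (and collides outright if ccronexpr.c defines them too, which this view cannot confirm since its diff is suppressed). These definitions, together with the `cronAllocations` counters, belong in a single .c file, or the block should be dropped from the header. The hunk also includes `<assert.h>` twice (once before the struct, once after) and copies cron-internal constants such as `MAX_SECONDS` and `INVALID_INSTANT` into a project-wide header, which invites redefinition warnings if ccronexpr.c declares the same names. `ARRAY_LEN` should be fully parenthesised, `#define ARRAY_LEN(x) (sizeof(x) / sizeof((x)[0]))`, so it survives use inside a larger expression.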

BIN
rhost.o

Binary file not shown.