Date: Fri, 20 Apr 2001 17:10:11 +0200
From: Dirk Froemberg <dirk@freebsd.org>
To: cvs-committers@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/etc security
Message-ID: <20010420171010.A39220@physik.TU-Berlin.DE>
In-Reply-To: <20010416145433.A22338@physik.TU-Berlin.DE>; from dirk@freebsd.org on Mon, Apr 16, 2001 at 02:54:33PM +0200
References: <200104141345.f3EDj8007137@freefall.freebsd.org> <20010414175237.B18559@sunbay.com> <20010416145433.A22338@physik.TU-Berlin.DE>
Hi!

On Mon, Apr 16, 2001 at 02:54:33PM +0200, Dirk Froemberg wrote:
> On Sat, Apr 14, 2001 at 05:52:37PM +0300, Ruslan Ermilov wrote:
> > On Sat, Apr 14, 2001 at 06:45:08AM -0700, Dirk Froemberg wrote:
> > > dirk        2001/04/14 06:45:08 PDT
> > >
> > >   Modified files:        (Branch: RELENG_4)
> > >     etc                  security
> > >   Log:
> > >   MFC: Log denied IXFR.
> > >
> > >   Approved by:  jkh
> > >
> > >   Revision   Changes    Path
> > >   1.36.2.13  +2 -2      src/etc/security
> > >
> > Could we please calm down these to the named_enable="YES" case?
> > This would require sourcing rc.conf's by /etc/security.
>
> I'd rather add an extra daily periodic file (e. g. 470.status-named)
> and do some aggregation (i. e. list attempts from hosts for zones
> only once) instead of listing every line from /var/log/messages.
> I'm not quite sure if it belongs to security, anyway.
>
> This extra file could be disabled via /etc/periodic.conf.

The attached script generates something like:

[...]
Checking for denied zone transfers (AXFR and IXFR):
   478 0.168.192.in-addr.arpa from 192.168.0.55
     3 gibtesnicht.de from 23.35.234.2 (hupsala.dumdidum.de)
[...]

The lines

daily_status_named_enable="YES"
daily_status_named_logs=3

have to be added to /etc/defaults/periodic.conf.

Any objections to committing this?

Regards
Dirk

--
Dirk Froemberg                          FreeBSD: The Power to Serve!
                                        http://www.FreeBSD.org/

[attachment: 470.status-named]

#!/bin/sh
#
# $FreeBSD$
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

case "$daily_status_named_enable" in
    [Yy][Ee][Ss])
        if [ "$daily_status_named_logs" -le 0 ]
        then
            echo '$daily_status_named_enable is set but ' \
                '$daily_status_named_logs is not greater than zero'
            rc=2
        else
            echo
            echo 'Checking for denied zone transfers (AXFR and IXFR):'

            # Yesterday's syslog date prefix; syslog pads single-digit days
            # with a space ("Apr  9"), hence the sed.
            start=`date -v-1d '+%b %d' | sed 's/0\(.\)$/ \1/'`

            # Read the $daily_status_named_logs most recent logs, oldest
            # first, rotated (and possibly gzipped) ones before the current
            # /var/log/messages.
            n=$(($daily_status_named_logs - 2))
            rc=$({
                while [ $n -ge 0 ]
                do
                    if [ -f /var/log/messages.$n ]
                    then
                        cat /var/log/messages.$n
                    elif [ -f /var/log/messages.$n.gz ]
                    then
                        zcat -fc /var/log/messages.$n.gz
                    fi
                    n=$(($n - 1))
                done
                cat /var/log/messages
            } |
            # Extract "zone from address" for every denied AXFR/IXFR logged
            # by named on $start. $start has to be spliced in by the shell:
            # inside the single-quoted perl program it would be an undefined
            # (empty) perl variable and the date filter would be lost.
            perl -ne 'print "$2 from $1\n" if (/'"$start"'.*named\[\d+\]: denied [AI]XFR from \[(.*)\]\.\d+ for "(.*)"/);' |
            # Aggregate identical zone/address pairs into a count, then try
            # to resolve each address to a host name for the report.
            sort -f | uniq -ic | perl -e '
                use Socket;

                while (<>) {
                    if (/^.*from (.*)$/) {
                        chomp;
                        ($host) = gethostbyaddr(inet_aton($1), AF_INET);
                        if ($host) {
                            print "$_ ($host)\n";
                        } else {
                            print "$_\n";
                        }
                    }
                }
            ' | tee /dev/stderr | wc -l)
            # Exit status 1 if anything was reported, 0 otherwise.
            [ $rc -gt 0 ] && rc=1
        fi;;

    *)  rc=0;;
esac

exit $rc
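The aggregation step the script performs, as an added example that is not Dirk's attachment: the same "one line per zone and requesting address, with a count" summary of denied AXFR/IXFR log lines, written in POSIX sh and awk over a handful of constructed syslog lines so it runs offline without /var/log/messages, perl or a reverse DNS lookup. The sample lines, the host name ns1, the addresses and the function names denied_transfers and report_count are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the 470.status-named attachment: count denied zone
# transfers per (zone, address) pair from syslog lines, offline.

# Constructed sample lines in the BIND "denied AXFR/IXFR" syslog format that
# the periodic script's regular expression matches. The host name ns1 and
# every address below are made up. Line 2 differs only in zone case, line 4
# is an approved transfer, line 5 was not logged by named, line 6 is another
# day: the first is merged, the other three are left out of an "Apr 19" run.
SAMPLE_LOG='Apr 19 02:11:03 ns1 named[211]: denied AXFR from [192.168.0.55].2034 for "0.168.192.in-addr.arpa"
Apr 19 02:11:04 ns1 named[211]: denied IXFR from [192.168.0.55].2035 for "0.168.192.IN-ADDR.ARPA"
Apr 19 09:40:12 ns1 named[211]: denied AXFR from [23.35.234.2].4410 for "gibtesnicht.de"
Apr 19 09:41:00 ns1 named[211]: approved AXFR from [10.0.0.8].5000 for "example.net"
Apr 19 12:00:00 ns1 sshd[999]: denied AXFR from [10.0.0.9].1 for "not-named"
Apr 18 23:59:59 ns1 named[211]: denied AXFR from [192.168.0.55].2001 for "0.168.192.in-addr.arpa"'

# denied_transfers DAY   (log lines on stdin)
# Prints one "COUNT ZONE from ADDRESS" line per zone/address pair that named
# logged as a denied transfer on DAY. DAY is the syslog date prefix, e.g.
# "Apr 19" (syslog pads single-digit days with a space: "Apr  9", which is
# what the sed in the periodic script produces from date(1)).
denied_transfers() {
    awk -v day="$1" '
        index($0, day) == 1 && index($0, " named[") > 0 && /: denied [AI]XFR from / {
            # text after "XFR from [" is: ADDRESS].PORT for "ZONE"
            rest = substr($0, index($0, "XFR from [") + 10)
            addr = substr(rest, 1, index(rest, "].") - 1)
            zone = substr(rest, index(rest, "for \"") + 5)
            sub("\".*", "", zone)
            # case-insensitive merge, like sort -f | uniq -ic in the script
            pairs[tolower(zone) " from " addr]++
        }
        END { for (k in pairs) print pairs[k], k }' | sort
}

# report_count DAY
# Number of distinct zone/address pairs reported for DAY over the sample log:
# what the periodic script captures with wc -l before collapsing it to a 0/1
# exit status.
report_count() {
    printf '%s\n' "$SAMPLE_LOG" | denied_transfers "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | denied_transfers "Apr 19"
```

Run as is it prints the two pairs seen on Apr 19; feeding it the output of the same cat/zcat loop as the periodic script instead of SAMPLE_LOG gives the report without the host name annotation.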