#!/usr/bin/perl
# $Date: 2000/07/16 12:00:00 $
# $Id: deny_cmds,v 1.1.5.1 2000/07/16 12:00:00 root Exp root $
#
# File: etc/deny_cmds
# Desc: extract IP-traffic into two files
#
# Author : Jens Friedrich
# 
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2, or (at your option)
#   any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
# (c) Copyright 1998 Jens Friedrich
#
# $Log: deny_cmds,v $
# Revision 1.1.5.1  2000/07/16 12:00:00  root
# FCT
#
# Revision 1.1.4.2  2000/07/15 19:01:23  jens
# Rev.
#
# Revision 1.1.4.1  1999/08/01 21:44:53  jens
# .
#
# Revision 1.1  1999/08/01 21:44:53  jens
# Initial revision
#
# Revision 1.1.0.1  1998/11/02 09:36:28  jens
# .
#
# Revision 1.1  1998/11/02 09:35:47  jens
# Initial revision
#
# Revision 1.1  1998/11/02 09:33:26  jens
# Initial revision
#
# Revision 1.0.9.1  1998/06/01 19:35:04  jens
# initial ci -r 1.0.9
#
# Revision 1.0  1998/06/01 19:32:43  jens
# initial ci -r 1.0
#
#

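# Patterns tried in order against every denied-packet log line
# (fits ipchains syntax); the first one that matches selects the
# @cmds entry of the same index.  They are plain strings that the main
# loop interpolates into a regex, so backslashes stay single.  The port
# is followed by (?!\d) so that ":23" matches only port 23 and not,
# for example, ":2345".
@find = ( 'TCP.*(\d+\.){3}\d+:\d+\s(\d+\.){3}\d+:23(?!\d)'    # telnet      tcp/23
         ,'TCP.*(\d+\.){3}\d+:\d+\s(\d+\.){3}\d+:79(?!\d)'    # finger      tcp/79
         ,'TCP.*(\d+\.){3}\d+:\d+\s(\d+\.){3}\d+:113(?!\d)'   # ident       tcp/113
         ,'.*(\d+\.){3}\d+:\d+\s(\d+\.){3}\d+:\d+'            # all others
        );

# Action run through cmd_wrap for the @find entry of the same index;
# keep the two arrays parallel.  "fct_mail ..." mails a one-line summary
# of the packet, "fct_spy ..." mails the finger output of the destination
# host, anything else is handed to the shell as a command line.
@cmds = ( "fct_mail -s 'DENY: telnet' root"                      # telnet
         ,"fct_mail -s 'DENY: finger' root"                      # finger
         ,"logger -t FCT DENIED: ident "                         # ident
         ,"fct_spy mailx root"                                   # all others
        );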

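# cmd_wrap SOURCE, DEST, CMD
#
# Run one @cmds action for a denied packet.  SOURCE and DEST are
# "host:port" strings as extracted from the log line; CMD is the
# matching @cmds entry, interpreted as follows:
#
#   fct_mail ARGS...        pipe a one-line "shost dhost sport -> dport"
#                           summary into "mailx ARGS..."
#   fct_spy MAILER RECIP    pipe the output of "finger @DHOST" into
#                           "MAILER -s 'FCT: spy' RECIP"
#   anything else           handed to system() as a shell command line
#
# ARGS are split the way a shell would (quotes honoured), and mailx and
# finger are started in list form without a shell, so the host taken
# from the log line is never interpreted by one.  Failures are reported
# on STDERR and otherwise ignored; nothing is returned.
sub cmd_wrap
{
	my ($source, $dest, $cmd) = @_;
	require Text::ParseWords;

	# A child that exits before reading its input must not kill this
	# process with SIGPIPE; the failed close() reports it instead.
	local $SIG{PIPE} = 'IGNORE';

	# "host:port" is split at its last colon (greedy .*); both halves
	# are undef when there is no colon at all.
	my ($shost, $sport) = $source =~ /(.*):(.*)/;
	my ($dhost, $dport) = $dest   =~ /(.*):(.*)/;

	if ($cmd =~ /^fct_mail\s*(.*)/s) {
		my @mail_args = Text::ParseWords::shellwords($1);
		return unless @mail_args;    # no recipient given: nothing to do
		my $what = "mailx @mail_args";
		my $mail;
		unless (open($mail, '|-', 'mailx', @mail_args)) {
			_warn_failure($what, $!);
			return;
		}
		printf {$mail} "%-15s %-15s %5s -> %s", $shost, $dhost, $sport, $dport;
		close($mail) or _warn_failure($what, _exit_reason());
		return;
	}

	if ($cmd =~ /^fct_spy\s*(.*)/s) {
		my ($mailer, $recip) = Text::ParseWords::shellwords($1);
		return unless defined $recip;    # needs both a mailer and a recipient
		unless (defined $dhost) {
			_warn_failure($cmd, "no destination host in '$dest'");
			return;
		}
		my @finger_cmd = ('finger', "\@$dhost");
		my @mail_cmd   = ($mailer, '-s', 'FCT: spy', $recip);
		my ($finger, $mail);
		unless (open($finger, '-|', @finger_cmd)) {
			_warn_failure("@finger_cmd", $!);
			return;
		}
		unless (open($mail, '|-', @mail_cmd)) {
			_warn_failure("@mail_cmd", $!);
			close($finger);
			return;
		}
		while (my $line = <$finger>) {
			print {$mail} $line;
		}
		close($finger) or _warn_failure("@finger_cmd", _exit_reason());
		close($mail)   or _warn_failure("@mail_cmd",   _exit_reason());
		return;
	}

	# Any other entry is an operator-supplied shell command line from
	# @cmds, run verbatim; the log-derived fields are not substituted
	# into it.
	system($cmd) == 0 or _warn_failure($cmd, _exit_reason());
	return;
}

# _warn_failure WHAT, WHY
# Report a failed child command on STDERR as "'WHAT': WHY".
sub _warn_failure
{
	my ($what, $why) = @_;
	print STDERR "'$what': $why\n";
	return;
}

# _exit_reason
# Describe the last child's fate from $?: the errno text when it could
# not be started at all, otherwise its exit status.
sub _exit_reason
{
	return $? == -1 ? "$!" : "exit status " . ($? >> 8);
}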

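# unbuffered output
$|=1;

# Find the iplog pipe: the first absolute path ending in "iplog.pipe"
# mentioned in /etc/syslog.conf.
open(my $conf, '<', '/etc/syslog.conf')
	or die "Error: Cant open /etc/syslog.conf: $!";
my $PIPE;
while (my $line = <$conf>) {
	if ($line =~ m{(/\S*iplog\.pipe)}) {
		$PIPE = $1;
		last;
	}
}
close($conf);
defined $PIPE or die "Error: Cant get 'iplog.pipe' from /etc/syslog.conf";

# The denied-packet pipe is "denylog.pipe" in the same directory as the
# iplog pipe.  (Re)create it as a FIFO when it is missing or is not a
# FIFO; whatever else sits at that path is removed first.
my $DENY = $PIPE;
$DENY =~ s{iplog\.pipe\z}{denylog.pipe};
unless (-p $DENY) {
	require POSIX;
	unlink $DENY;
	# 0666 is cut down by the umask, as "mknod ... p" would do.
	POSIX::mkfifo($DENY, 0666) or die "cant mkfifo $DENY: $!";
}

# Opening a FIFO for reading blocks until the writer opens its end.
open(my $deny, '<', $DENY) or die "can't read $DENY: $!";

# Compile the patterns once rather than on every line, and never index
# past the shorter of the two parallel arrays (an undef pattern would
# otherwise silently reuse the last successful regex).
my @find_re = map { qr/$_/ } @find;
my $max_idx = $#cmds < $#find ? $#cmds : $#find;

# One line per denied packet: pull out "source:port" and "dest:port",
# then run the action of the first pattern that matches.  A line without
# the address pair cannot match any of the patterns in @find and is
# skipped rather than reusing stale captures from an earlier line.
DENY: while (my $line = <$deny>) {
	my ($source, $dest) =
		$line =~ /(\d+\.\d+\.\d+\.\d+:\d+)\s(\d+\.\d+\.\d+\.\d+:\d+)/;
	next DENY unless defined $dest;
	for my $i (0 .. $max_idx) {
		if ($line =~ $find_re[$i]) {
			cmd_wrap($source, $dest, $cmds[$i]);
			next DENY;
		}
	}
}
close($deny);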
