Re: [exim] Auth command used when not advertised

Author: Dennis Davis
Date:  
To: exim-users
Subject: Re: [exim] Auth command used when not advertised
On Mon, 3 Dec 2018, Jan Ingvoldstad via Exim-users wrote:

> From: Jan Ingvoldstad via Exim-users <exim-users@???>
> To: exim-users@???
> Date: Mon, 3 Dec 2018 19:08:53
> Subject: Re: [exim] Auth command used when not advertised
> Reply-To: Jan Ingvoldstad <frettled@???>


...

> > The download link in the above messages no longer works. I'm
> > fairly sure I still have copies squirrelled away somewhere.
>
> The wayback machine has a copy :)
>
> http://web.archive.org/web/20080108232538/http://duncanthrax.net/timeban/timeban


But not, as far as I can tell, an archived copy of the "logexec"
perl script that Tom used for scanning logs. So, for completeness,
I've attached a copy.

...just goes to show that being an inveterate hoarder will
occasionally pay dividends :-)
--
Dennis Davis <dennisdavis@???>

#!/usr/bin/perl -w

# logexec - Surfs logs and fires commands when regexes match.
# (c) Tom Kistner <tom@???>

use warnings;
use strict;
use Fcntl qw(SEEK_SET SEEK_END);
use POSIX qw(setsid);

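# Rules per log file: each entry is [ pattern => action ].  The action gets
# the pattern's first capture and returns, as an arrayref, the argv to run.
# Actions are code rather than strings, so editing this table can no longer
# turn a rule into arbitrary Perl (the original string-eval'd each entry).
my $logs =
{
  '/var/log/auth.log' => [
    [ qr/Failed password for illegal user .+ from (.+) port/ => \&ban_source ],
    [ qr/Failed password for [^ ]+ from (.+) port/           => \&ban_source ],
  ],
#  '/var/log/messages' => [
#    [ qr/pure\-ftpd\: \(.+\@(.+)\) \[WARNING\] Authentication failed for user/ => \&ban_source ],
#  ],
};

# Argv that bans $source via timeban, with the same trailing arguments the
# table carried before ("30", "3", "5"; their meaning is timeban's own).
sub ban_source {
  my ($source) = @_;
  return [ '/usr/local/bin/timeban', 'add', $source, '30', '3', '5' ];
}

# Detach from the terminal: fork, let the parent exit, start a new session
# and point the standard handles at /dev/null.  Exits the process on failure.
sub daemonize {
  my $pid = fork();
  if (!defined $pid) {
    print "Can't fork!\n";
    exit(255);
  }
  exit(0) if $pid;    # the parent returns to the shell

  setsid() or die "logexec: setsid failed: $!\n";

  # The original dup'ed STDOUT/STDERR onto a LOG handle that was never opened,
  # which simply closed them; /dev/null makes the daemon's silence explicit.
  # Point these at a log file if diagnostics are wanted.
  open(STDIN,  '<',  '/dev/null') or die "logexec: reopen STDIN: $!\n";
  open(STDOUT, '>',  '/dev/null') or die "logexec: reopen STDOUT: $!\n";
  open(STDERR, '>&', \*STDOUT)    or die "logexec: reopen STDERR: $!\n";
  return;
}

# Run the action of every rule in $rules whose pattern matches $line.
# Failures of the spawned command are reported on STDERR, not fatal.
sub apply_rules {
  my ($line, $rules) = @_;
  foreach my $rule (@{ $rules }) {
    my ($pattern, $action) = @{ $rule };
    next unless $line =~ $pattern;
    my $source = $1;
    # The capture comes from an attacker-influenced log line (the username
    # field is free text and the patterns capture a greedy ".+"), so only pass
    # on something address- or host-shaped: no whitespace, no punctuation
    # beyond . : _ -.  system() below uses the list form, so no shell is
    # involved either way; this protects the command's own argument handling.
    next unless defined $source && $source =~ /\A[0-9A-Za-z.:_-]+\z/;
    my $argv = $action->($source);
    if (system(@{ $argv }) != 0) {
      warn "logexec: '@{ $argv }' failed: $?\n";
    }
  }
  return;
}

# Follow $file like "tail -f", handing each complete new line to apply_rules.
# Never returns normally; runs in the per-file child.  Dies if the file
# cannot be (re)opened.
sub watch_file {
  my ($file, $rules) = @_;

  open(my $fh, '<', $file) or die "logexec: open $file: $!\n";
  seek($fh, 0, SEEK_END);                # only lines written from now on matter
  my ($inode, $fsize) = (stat $fh)[1, 7];

  for (;;) {
    my $pos = tell($fh);
    while (defined(my $line = <$fh>)) {
      # A line without its newline is still being written: leave $pos in
      # front of it so the whole line is read next round, not a fragment.
      last if $line !~ /\n\z/;
      apply_rules($line, $rules);
      $pos = tell($fh);
    }
    seek($fh, $pos, SEEK_SET);           # clears EOF and rewinds over a fragment

    # Rotation: a new inode, or the file shrinking since the last round, means
    # a fresh file.  Read it from the start so nothing written before the
    # reopen is missed.
    my @st = stat($file);
    if (@st) {
      if ($st[1] != $inode || $st[7] < $fsize) {
        close($fh);
        open($fh, '<', $file) or die "logexec: reopen $file: $!\n";
        $inode = $st[1];
      }
      $fsize = $st[7];
    }

    sleep(1);                            # be nice to the CPU
  }
}

daemonize();

# One child per existing log file; the parent just spawns them and exits.
foreach my $file (sort keys %{ $logs }) {
  if (!-e $file) {
    print "No such file: $file\n";
    next;
  }

  my $pid = fork();
  if (!defined $pid) {
    print "Can't fork!\n";
    exit(255);
  }
  if ($pid) {
    print "Spawned handler for: $file\n";
    next;
  }

  $0 = "logexec ($file)";
  watch_file($file, $logs->{$file});     # never returns
  exit(0);                               # never reached; keeps a child from looping on
}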