[Ossec-list] Active response: Hosts left in hosts.deny?
- Subject: [Ossec-list] Active response: Hosts left in hosts.deny?
- From: kayvan at sylvan.com (Kayvan A. Sylvan)
- Date: Mon, 10 Apr 2006 13:52:18 -0700
Hi Daniel,
Thanks for the quick response.
On Mon, Apr 10, 2006 at 05:10:41PM -0300, Daniel Cid wrote:
>
> Regarding the host-deny, you are right. We may have some race
> conditions in there. I will add some file locks in there to make sure
> we don't have this problem anymore.
>
Great. Meanwhile, this rudimentary patch seems to have fixed my issue:
--- host-deny.sh 2006-04-10 16:29:31.000000000 -0400
+++ host-deny.sh.new 2006-04-10 16:44:20.000000000 -0400
@@ -17,17 +17,43 @@
exit 1;
fi
+# Rudimentary locking
+lock()
+{
+ DIR=/var/ossec/active-response/locks
+ FILE=$DIR/hosts-deny
+ TIMEOUT=30
+ TIMES=10
+
+ if [ ! -d $DIR ]; then rm -f $DIR; mkdir -p $DIR; fi
+ ntime=0
+ while [ $ntime -lt $TIMES -a -r $FILE ]; do
+ sleep $TIMEOUT
+ ntime=`expr $ntime + 1`
+ done
+ touch $FILE
+}
+unlock()
+{
+ DIR=/var/ossec/active-response/locks
+ FILE=$DIR/hosts-deny
+ rm -f $FILE
+}
# Adding the ip to hosts.deny
if [ "x${ACTION}" = "xadd" ]; then
+ lock
echo "ALL:${IP}" >> /etc/hosts.deny
+ unlock
exit 0;
# Deleting from hosts.deny
elif [ "x${ACTION}" = "xdelete" ]; then
+ lock
cat /etc/hosts.deny | grep -v "ALL:${IP}"> /tmp/hosts.deny.$$
mv /tmp/hosts.deny.$$ /etc/hosts.deny
+ unlock
exit 0;
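Review bot: In lock(), the test and the acquire are separate steps (`while [ $ntime -lt $TIMES -a -r $FILE ]` followed by `touch $FILE`), so two host-deny.sh instances started together can both find no lock file and both enter the critical section; the race window is narrowed, not closed. Use an operation that tests and creates in one step, for example `mkdir $DIR/hosts-deny.lock` as the loop condition (it fails if the directory already exists) with `rmdir` in unlock(). Once the loop has waited TIMES times TIMEOUT (10 x 30 seconds) it falls through and touches the file regardless, so a lock held longer than that is silently taken over, and a run that dies between lock and unlock makes every later run wait the full period; if the fall-through is meant as stale-lock recovery, a comment saying so would help. In the delete branch the temporary copy still goes to the predictable path `/tmp/hosts.deny.$$`, and `grep -v "ALL:${IP}"` is unanchored, so an entry whose address merely begins with ${IP} is dropped as well; a temp file created beside /etc/hosts.deny and a whole-line match (`grep -v -x`) would tighten both.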
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.