[Ossec-list] Active response: Hosts left in hosts.deny?



Hi Kayvan,

Thanks for the patch. I used it as a base for fixing the host-deny response.
However (just for the record), you should never use a file as a lock
between two processes. The process of checking for the file and
creating it is not atomic, and if you have the bad luck of two
processes being executed too fast, you may get some errors.

The best way is using directories. If "mkdir lock" succeeds, then
the lock is created atomically. If it fails, the lock is not created
(mkdir returns 0 when it was able to create the dir).

Simple example:

while [ 1 ] ; do
 mkdir "$LOCK";
 if [ $? = 0 ]; then
   # lock ok
   break;
 fi
 # lock not ok
 sleep 1;
done

I have attached here a new hosts-deny.sh. If you (or anyone) are
interested in using it, it would be great. Let me know of any problems.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
http://www.ossec.net


On 4/10/06, Kayvan A. Sylvan <kayvan at sylvan.com> wrote:
> Hi Daniel,
>
> Thanks for the quick response.
>
> On Mon, Apr 10, 2006 at 05:10:41PM -0300, Daniel Cid wrote:
> >
> > Regarding the host-deny, you are right. We may have some race
> > conditions in there. I will add some file locks in there to make sure
> > we don't have this problem anymore.
> >
>
> Great. Meanwhile, this rudimentary patch seems to have fixed my issue:
>
> --- host-deny.sh        2006-04-10 16:29:31.000000000 -0400
> +++ host-deny.sh.new    2006-04-10 16:44:20.000000000 -0400
> @@ -17,17 +17,43 @@
>     exit 1;
>  fi
>
> +# Rudimentary locking
> +lock()
> +{
> +    DIR=/var/ossec/active-response/locks
> +    FILE=$DIR/hosts-deny
> +    TIMEOUT=30
> +    TIMES=10
> +
> +    if [ ! -d $DIR ]; then rm -f $DIR; mkdir -p $DIR; fi
> +    ntime=0
> +    while [ $ntime -lt $TIMES -a -r $FILE ]; do
> +        sleep $TIMEOUT
> +        ntime=`expr $ntime + 1`
> +    done
> +    touch $FILE
> +}
> +unlock()
> +{
> +    DIR=/var/ossec/active-response/locks
> +    FILE=$DIR/hosts-deny
> +    rm -f $FILE
> +}
>
>  # Adding the ip to hosts.deny
>  if [ "x${ACTION}" = "xadd" ]; then
> +   lock
>     echo "ALL:${IP}" >> /etc/hosts.deny
> +   unlock
>     exit 0;
>
>
>  # Deleting from hosts.deny
>  elif [ "x${ACTION}" = "xdelete" ]; then
> +   lock
>     cat /etc/hosts.deny | grep -v "ALL:${IP}"> /tmp/hosts.deny.$$
>     mv /tmp/hosts.deny.$$ /etc/hosts.deny
> +   unlock
>     exit 0;
>
>
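Review bot: in lock(), the `while [ $ntime -lt $TIMES -a -r $FILE ]` test and the later `touch $FILE` are two separate steps, so two host-deny.sh instances that start together can both find no lock file and both go on to edit /etc/hosts.deny. The loop also falls through to `touch $FILE` once $TIMES waits have passed even if the file is still there, so a held or stale lock is taken over silently rather than reported. Suggest acquiring the lock with `mkdir` on a lock directory (success means the lock is held) and exiting non-zero on timeout instead of continuing. While the delete branch is being touched, note that it still writes to the predictable name `/tmp/hosts.deny.$$` before the `mv`; a temporary file created beside the target would be safer.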
> --
> Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
> Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: host-deny.sh
Type: application/x-sh
Size: 1928 bytes
Desc: not available
Url : http://mailman.underlinux.com.br/pipermail/ossec-list/attachments/20060417/2a20d4e5/attachment.sh 
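
The directory lock described in the message above, wrapped around the add and delete steps from the quoted patch, as an added example that is not the attached host-deny.sh or OSSEC's own code. LOCK_DIR, DENY_FILE, MAX_TRIES and the function names are assumptions, and it works on scratch paths rather than /etc/hosts.deny.

```shell
#!/bin/sh
# Added example. LOCK_DIR, DENY_FILE and MAX_TRIES are assumed names and
# scratch paths, not taken from the OSSEC host-deny.sh script.
LOCK_DIR="${LOCK_DIR:-/tmp/host-deny-example.lock}"
DENY_FILE="${DENY_FILE:-/tmp/host-deny-example.hosts.deny}"
MAX_TRIES="${MAX_TRIES:-10}"

# Returns 0 once the lock is held, 1 if it was not obtained in MAX_TRIES attempts.
acquire_lock() {
    tries=0
    # mkdir creates the directory or fails in one step, so there is no gap
    # between "is it locked?" and "take the lock".
    until mkdir "$LOCK_DIR" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt "$MAX_TRIES" ] || return 1
        sleep 1
    done
    # Record the owner so a stale lock can be traced to a process.
    echo "$$" > "$LOCK_DIR/pid"
}

release_lock() {
    rm -f "$LOCK_DIR/pid"
    rmdir "$LOCK_DIR"
}

# deny_update add|delete IP
# Returns 0 on success, 1 on a bad action, 2 if the lock was not obtained
# (the file is left untouched in that case).
deny_update() {
    action="$1"; ip="$2"; rc=0
    acquire_lock || return 2
    touch "$DENY_FILE"
    case "$action" in
        add)
            # Append only if the exact line is not already present.
            grep -qxF "ALL:${ip}" "$DENY_FILE" || echo "ALL:${ip}" >> "$DENY_FILE"
            ;;
        delete)
            # -x -F: match the whole line literally, so removing 192.0.2.1
            # does not also remove 192.0.2.10. The temp file sits beside the
            # target so mv is a rename within one filesystem.
            tmp="${DENY_FILE}.tmp.$$"
            { grep -vxF "ALL:${ip}" "$DENY_FILE" || true; } > "$tmp"
            mv "$tmp" "$DENY_FILE"
            ;;
        *) rc=1 ;;
    esac
    release_lock
    return "$rc"
}
```

A caller that gets return code 2 should log the failure and leave the file alone; the pid file inside the lock directory shows which process to look for when a lock turns out to be stale.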



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.