asterisk_scripts/fail2ban_rule.c

#include<stdio.h>
#include<stdlib.h>
#include<strings.h>
#include<string.h>
#include<mysql/mysql.h>
#include<mysql/mysqld_error.h>
#include<stdarg.h>
#include<ctype.h>
#include<sys/types.h>  
#include<ifaddrs.h>  
#include<netinet/in.h>   
#include<arpa/inet.h>  
#include<net/if.h> 
#include <sys/ioctl.h> 
#include <sys/socket.h>
#include <fcntl.h>
#include <unistd.h>

#define CONFIG_FILE "/etc/fail2ban/jail.conf"
#define DBCONFIG "/etc/asterisk/exten_gen.ini"
#define NETCONFIG "/etc/rc.conf"
#define WEBCONFIG "/usr/local/rest-server/config/application.properties"
#define SIZE 256
#define SIZE_K 1024
/*该程序的功能是从数据库中读取fail2ban的配置信息然后写到fail2ban的配置文件中然后重启fail2ban服务使配置生效，界面配置fail2ban的时候调用，需要编译*/

int connect_mysql(MYSQL *conn)
{
	char dbserver[64];
	char dbuser[64];
	char dbpasswd[64];
	char dbname[64];
	unsigned int dbport = 3306;

	strcpy(dbserver,getenv("MYSQL"));
	strcpy(dbuser,getenv("MYSQL_USER"));
	strcpy(dbpasswd,getenv("MYSQL_PASSWORD"));
	strcpy(dbname,getenv("MYSQL_DATABASE"));

	conn = mysql_init(NULL);
	if(!mysql_real_connect(conn, dbserver, dbuser, dbpasswd, dbname,dbport,NULL,0)){
		printf("error:%s\n",mysql_error(conn));	
		return -1;
	}
	// 是否连接已经可用
	if (mysql_query(conn,"set names utf8")) // 如果失败
		return -1;
	return 0;
}

int netmask_str2len(char* mask)
{
    int netmask = 0;
    unsigned int mask_tmp;

    mask_tmp = ntohl((int)inet_addr(mask));
    while (mask_tmp & 0x80000000)
    {
        netmask++;
        mask_tmp = (mask_tmp << 1);
    }

    return netmask;    
}

char * get_addr(char *addr, int flag, char *dev)
{
    int sockfd = 0;  
    struct sockaddr_in *sin;
    struct ifreq ifr;

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        perror("socket error!\n");
        return NULL;
    }

    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, (sizeof(ifr.ifr_name) - 1), "%s", dev);

    if(ioctl(sockfd, flag, &ifr) < 0 )
    {
        perror("ioctl error!\n");
        close(sockfd);
        return NULL;
    }
    close(sockfd);

    sin = (struct sockaddr_in *)&ifr.ifr_addr;
    snprintf((char *)addr, 32, "%s", inet_ntoa(sin->sin_addr));        

    return addr;
}

char *get_fb_config(char *buf)
{
	MYSQL *conn;
	MYSQL_RES *res;
	MYSQL_ROW row;
	MYSQL_RES *res1;
	MYSQL_ROW row1;
	char sql[SIZE] = {0};
	char tmp[SIZE_K*3] = {0};
	char ignored[SIZE_K*2] = {0};
	int len1 = 16, len2 = 16, len3 = 16,len4 = 16;
/*
	char wanip[32] = {0};
	char lanip[32] = {0};
	char virip[32] = {0};
	char virip_lan[32] = {0};
	char netmask_wan[32] = {0};
	char netmask_lan[32] = {0};
	char netmask_vir[32] = {0};
	char netmask_vir_lan[32] = {0};
	
	get_addr(wanip, SIOCGIFADDR,"eth0");
	get_addr(lanip, SIOCGIFADDR,"eth1");
	get_addr(virip, SIOCGIFADDR,"eth0:0");
	get_addr(virip_lan, SIOCGIFADDR,"eth1:0");
	get_addr(netmask_wan, SIOCGIFNETMASK,"eth0");
	get_addr(netmask_lan, SIOCGIFNETMASK,"eth1");
	get_addr(netmask_vir, SIOCGIFNETMASK,"eth0:0");
	get_addr(netmask_vir_lan, SIOCGIFNETMASK,"eth1:0");
	
	if(strlen(netmask_wan))
		len1 = netmask_str2len(netmask_wan);
	
	if(strlen(netmask_lan))
		len2 = netmask_str2len(netmask_lan);
	
	if(strlen(netmask_vir))
		len3 = netmask_str2len(netmask_vir);
	if(strlen(netmask_vir_lan))
		len4 = netmask_str2len(netmask_vir_lan);
*/
	/*set default rules
	strcat(buf,"[DEFAULT]\n");
	strcat(buf,"ignoreip = 127.0.0.1/32\n");
	strcat(buf,"bantime  = 3600\n");
	strcat(buf,"maxretry = 3\n");
	strcat(buf,"backend = auto\n");
	strcat(buf,"banaction = iptables-multiport\n");
	strcat(buf,"mta = mail\n");
	strcat(buf,"protocol = tcp\n");
	strcat(buf,"chain = INPUT\n");
	strcat(buf,"action_ = \%(banaction)s[name=\%(__name__)s, port=\"\%(port)s\", protocol=\"\%(protocol)s\", chain=\"\%(chain)s\"]\n");
	strcat(buf,"action_mw = \%(banaction)s[name=\%(__name__)s, port=\"\%(port)s\", protocol=\"\%(protocol)s\", chain=\"\%(chain)s\"]\n");
	strcat(buf,"action_mwl = \%(banaction)s[name=\%(__name__)s, port=\"\%(port)s\", protocol=\"\%(protocol)s\", chain=\"\%(chain)s\"]\n");
	strcat(buf,"action = \%(action_)s\n\n");
*/
	printf("connect mysql!\n");
	if(connect_mysql(conn))
		return 0;

	sprintf(sql, "select name,enable,max_retry,find_time,ban_time from t_pbx_fail2ban_basic");
	if(mysql_real_query(conn, sql, strlen(sql))){
		printf("select  data from table t_pbx_fail2ban_basic faild !\n");
		return 0;
	}
	printf("sql result for '%s'!\n", sql);
	res = mysql_store_result(conn);

	char in[10] = {0};

	while(row = mysql_fetch_row(res))
	{
		printf("datainfo %s,%s,%s,%s,%s !\n", row[0], row[1], row[2], row[3], row[4]);
		bzero(in, 10);
		bzero(tmp,strlen(tmp));
		bzero(ignored,strlen(ignored));
		if(!strcmp((const char *)row[1], "1"))
			strcpy(in, "true");
		else
			strcpy(in, "false");
		
		/*
		if(strlen(virip) && strlen(virip_lan))
			sprintf(ignored,"%s/%d %s/%d %s/%d %s/%d ",wanip,len1, lanip,len2,virip,len3,virip_lan,len4);
		else if(strlen(virip))
			sprintf(ignored,"%s/%d %s/%d %s/%d ",wanip,len1, lanip,len2,virip,len3);
		else if(strlen(virip_lan))
			sprintf(ignored,"%s/%d %s/%d %s/%d ",wanip,len1, lanip,len2,virip_lan,len4);
		else
			sprintf(ignored,"%s/%d %s/%d ",wanip,len1, lanip,len2);
		*/
		if(!strcmp((const char*)row[0], "sip")){
			bzero(sql,strlen(sql));
			sprintf(sql, "select ip,netmask_length from t_pbx_fail2ban_ignored where protocol_sip='1' and enable='1'");
			if(mysql_real_query(conn, sql, strlen(sql))){
				printf("select  data from table t_pbx_fail2ban_ignored faild !\n");
				return 0;
			}
			printf("sql result for '%s'!\n", sql);
			res1 = mysql_store_result(conn);
			while(row1 = mysql_fetch_row(res1))
			{
				strcat(ignored,(char *)row1[0]);
				strcat(ignored,"/");
				strcat(ignored,(char *)row1[1]);
				strcat(ignored," ");
			}
			
			sprintf(tmp,"[sip-iptables]\nenabled = %s\nignoreip = 127.0.0.1/32 %s \nfilter = sip\naction = iptables-allports[name=VOIP, protocol=all]\nlogpath = /var/log/asterisk/messages\nmaxretry = %s\nfindtime = %s\nbantime = %s\n\n", in, ignored, row[2], row[3], row[4]);
			mysql_free_result(res1);
		}
		else if(!strcmp((const char*)row[0], "ssh")){
			bzero(sql,strlen(sql));
			sprintf(sql, "select ip,netmask_length from t_fail2ban_ignored where protocol_ssh='1' and enable='1'");
			if(mysql_real_query(conn, sql, strlen(sql))){
				printf("select  data from table t_fail2ban_ignored faild !\n");
				return 0;
			}
			res1 = mysql_store_result(conn);
			while(row1 = mysql_fetch_row(res1))
			{
				strcat(ignored,(char *)row1[0]);
				strcat(ignored,"/");
				strcat(ignored,(char *)row1[1]);
				strcat(ignored," ");
			}
			sprintf(tmp,"[SSH]\nenabled = %s\nignoreip = 127.0.0.1/32 %s \nport = 22\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = %s\nfindtime = %s\nbantime = %s\n\n",in, ignored, row[2], row[3], row[4]);
			//sprintf(tmp,"[SSH]\nenabled = %s\nignoreip = 127.0.0.1/32 %s \nport = %s\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = %s\nfindtime = %s\nbantime = %s\n\n",in, ignored, sshport, row[2], row[3], row[4]);
			//free(sshport);
			mysql_free_result(res1);
		}
		strcat(buf,tmp);
	}
	
	mysql_free_result(res);
	mysql_close(conn);

	return buf;
}


int main(int argc, char *argv[])
{
	char buf[SIZE_K*8]={0};
	char cmd[SIZE] = {0};
	FILE *fp = NULL;

#if 1	
	get_fb_config(buf);
	printf("%s",buf);
	fp = fopen(CONFIG_FILE, "w");
	if(strlen(buf))
		fputs(buf, fp);
	fclose(fp);
	
	sprintf(cmd,"echo \"\" > /var/log/auth.log;echo \"\" > /var/log/fail2ban.log ;echo \"\" >/var/log/invalid_web_visit.log;echo \"\" > /var/log/asterisk/messages;asterisk -rx \"logger reload\";service fail2ban restart");

	system(cmd);
#endif
	return 0;
}