File sshguard.init of Package sshguard
#!/bin/sh
#
### BEGIN INIT INFO
# Provides: sshguard
# Required-Start: $syslog $remote_fs
# Should-Start:
# Required-Stop: $syslog $remote_fs
# Should-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: SSHGUARD provides automatic attack blocking
# Description: Start SSHGUARD to protect certain services
# from brute force attacks noticed in system logging
### END INIT INFO
# Absolute path of the daemon supervised by this script.
SSHGUARD_BIN=/usr/sbin/sshguard

# Missing daemon: "stop" still reports success (exit 0), every other
# action exits 5.
if ! test -x "$SSHGUARD_BIN"; then
  echo "$SSHGUARD_BIN not installed"
  case "$1" in
    stop) exit 0 ;;
    *) exit 5 ;;
  esac
fi

# Same policy for the packet filter front end.
# NOTE(review): only iptables is probed here, although iptables_start and
# iptables_stop also invoke /usr/sbin/ip6tables.
if ! test -x /usr/sbin/iptables; then
  echo "iptables not installed"
  case "$1" in
    stop) exit 0 ;;
    *) exit 5 ;;
  esac
fi

# The sysconfig file must be readable; otherwise exit 6 (0 for "stop").
SSHGUARD_CONFIG=/etc/sysconfig/sshguard
if ! test -r "$SSHGUARD_CONFIG"; then
  echo "$SSHGUARD_CONFIG not existing"
  case "$1" in
    stop) exit 0 ;;
    *) exit 6 ;;
  esac
fi

# The configuration is sourced, i.e. executed as shell code with the
# privileges of this script (normally root for an init script). Only
# readability is checked above, so the file's ownership and mode must be
# kept such that nobody but root can write to it.
. "$SSHGUARD_CONFIG"
# setup commandline as required
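#######################################
# Build the sshguard option string from the sysconfig settings.
# Globals:
#   MONITORED_LOGS (read)  whitespace-separated list, one -l per entry
#   ATTACK_ATTEMPTS, RELEASE_TIMEOUT, FORGET_TIMEOUT, WHITELIST, BLACKLIST
#                  (read)  appended as -a, -p, -s, -w, -b when non-empty
#   PORTS          (written) defaults to 22 when empty or unset
#   cmdline        (written) resulting option string, with leading space
# Arguments:
#   $1 - when it is "stop", the MONITORED_LOGS check is skipped
# Exits:
#   6 when no log file is configured (and $1 is not "stop")
#######################################
setup_cmdline() {
  cmdline=""

  # Deliberately unquoted: MONITORED_LOGS is a whitespace-separated list.
  for _logs in $MONITORED_LOGS; do
    cmdline="$cmdline -l $_logs"
  done

  # Checked on the split result so that an empty, unset or whitespace-only
  # list is rejected and a list with several entries is accepted. The
  # former unquoted "test -n $MONITORED_LOGS" did the opposite: it passed
  # on an empty value and failed on more than one entry.
  if [ "$1" != "stop" ] && [ -z "$cmdline" ]; then
    echo "At least one logfile must be defined in MONITORED_LOGS"
    exit 6
  fi

  # set defaults
  if [ -z "$PORTS" ]; then
    PORTS=22
  fi

  # Every value is quoted inside the test, so an unset setting no longer
  # appends a bare option without argument. A dangling option would shift
  # the following arguments and could keep the daemon from starting with
  # the intended thresholds, leaving the host without blocking.
  if [ -n "$ATTACK_ATTEMPTS" ]; then
    cmdline="$cmdline -a $ATTACK_ATTEMPTS"
  fi
  if [ -n "$RELEASE_TIMEOUT" ]; then
    cmdline="$cmdline -p $RELEASE_TIMEOUT"
  fi
  if [ -n "$FORGET_TIMEOUT" ]; then
    cmdline="$cmdline -s $FORGET_TIMEOUT"
  fi
  if [ -n "$WHITELIST" ]; then
    cmdline="$cmdline -w $WHITELIST"
  fi
  if [ -n "$BLACKLIST" ]; then
    cmdline="$cmdline -b $BLACKLIST"
  fi
}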
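#######################################
# Create the "sshguard" chain for IPv4 and IPv6 and insert a jump to it
# at the top of INPUT for TCP traffic to the protected port.
# Globals:
#   PORTS (read) - destination port handed to --dport; 22 when empty/unset
# Returns:
#   status of the last ip6tables call
#######################################
iptables_start() {
  # Do not depend on setup_cmdline having applied the PORTS default: fall
  # back to the same value (22) here so that --dport never receives an
  # empty argument. A failed insert would leave the sshguard chain
  # unreferenced, and blocks added to it would have no effect.
  # Note that --dport accepts a single port or a first:last range.
  _sshguard_port=${PORTS:-22}

  /usr/sbin/iptables -N sshguard
  /usr/sbin/ip6tables -N sshguard
  /usr/sbin/iptables -I INPUT 1 -p tcp --dport "$_sshguard_port" -j sshguard
  /usr/sbin/ip6tables -I INPUT 1 -p tcp --dport "$_sshguard_port" -j sshguard
}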
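#######################################
# Undo iptables_start for IPv4 and IPv6: flush the "sshguard" chain,
# remove the jump from INPUT, then delete the chain.
# Globals:
#   PORTS (read) - destination port of the jump rule; 22 when empty/unset
# Returns:
#   status of the last ip6tables call
#######################################
iptables_stop() {
  # The "stop" action never calls setup_cmdline, so the PORTS default is
  # applied here as well. With an empty port the -D calls would fail, the
  # jump rule would stay in INPUT and -X could not delete the chain it
  # still references.
  _sshguard_port=${PORTS:-22}

  /usr/sbin/iptables -F sshguard
  /usr/sbin/ip6tables -F sshguard
  /usr/sbin/iptables -D INPUT -p tcp --dport "$_sshguard_port" -j sshguard
  /usr/sbin/ip6tables -D INPUT -p tcp --dport "$_sshguard_port" -j sshguard
  /usr/sbin/iptables -X sshguard
  /usr/sbin/ip6tables -X sshguard
}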
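# Status helpers (rc_reset, rc_status, rc_failed, rc_exit) and the
# ${attn}/${done}/${warn}/${norm} strings used below come from this file.
. /etc/rc.status

# Reset status of this service
rc_reset

# Dispatch on the requested action.
case "$1" in
  start)
    echo -n "Starting SSHGUARD "
    # Validate the configuration before touching the firewall:
    # setup_cmdline exits 6 when no log file is configured, and it applies
    # the PORTS default that iptables_start reads. Running it first avoids
    # leaving a chain and jump rule behind when the daemon is never started.
    setup_cmdline
    iptables_start
    # $cmdline stays unquoted on purpose: it is a space-separated option
    # string that must be split into separate arguments.
    /sbin/startproc -q "$SSHGUARD_BIN" $cmdline
    rc_status -v
    ;;
  stop)
    echo -n "Shutting down SSHGUARD "
    /sbin/killproc -q -TERM "$SSHGUARD_BIN"
    iptables_stop
    # NOTE(review): rc_status presumably evaluates the exit status of the
    # preceding command, which here is iptables_stop rather than killproc;
    # confirm this is the status that should be reported.
    rc_status -v
    ;;
  try-restart|condrestart)
    if test "$1" = "condrestart"; then
      echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
    fi
    # Restart only when the service is currently running.
    if "$0" status; then
      "$0" restart
    else
      rc_reset # Not running is not a failure.
    fi
    rc_status
    ;;
  restart)
    "$0" stop
    "$0" start
    rc_status
    ;;
  force-reload)
    echo -n "Reload service SSHGUARD "
    "$0" try-restart
    rc_status
    ;;
  reload)
    # No reload is performed; the action is marked as failed with code 3.
    echo -n "Reload service SSHGUARD "
    rc_failed 3
    rc_status -v
    ;;
  status)
    echo -n "Checking for service SSHGUARD "
    /sbin/checkproc "$SSHGUARD_BIN"
    rc_status -v
    ;;
  probe)
    # Print "reload" when the configuration is newer than the pid file.
    test "$SSHGUARD_CONFIG" -nt /var/run/sshguard.pid && echo reload
    ;;
  *)
    echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
    exit 1
    ;;
esac
rc_exit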