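#!/usr/local/bin/bash
#
# process-check script
#
# checks for a multitude of lame activity and will kill processes based on these rules:
# -------------------------------------------------------------------------------------
# 1) process isn't allowed
# 2) process is using excessive IRC connections
# 3) process is bound to all IP addresses as if it owned them all
# 4) process is bound to a private IP address
# 5) process is bound to main IP address and isn't owned by one of the specified users (this is disabled by default, read notes)
#
# Only rules 1) and 2) are active.  Rules 3), 4) and 5) are kept at the bottom
# of this file as commented-out pipelines; the changelog explains why.
#
# crontab entry needed:
# ---------------------
# */5 * * * * /usr/local/sbin/process-check >/dev/null 2>&1
#
# Environment knobs (all optional):
#   IRC_MAX_CONNS  connections a matched process may hold before it is killed (default 2)
#   DRY_RUN        set to 1 to log what would be killed without sending any signal
#
#
# Zoidial Incorporated
# Eric Thern eric@zoidial.com
#
#
# v0.1 11/03/2001 - initial release
# v0.2 11/04/2001 - added egrep, multiple entries
# v0.3 11/07/2001 - fixed second egrep checking connections - no more false positives
# v0.4 04/11/2002 - added logging to standard error syslog
# --- completely redid awks and egreps to rule out killing the wrong processes due to username matches
# v0.5 04/16/2002 - added illegal process section
# v0.6 06/18/2002 - added a whole different section that protects the main IP address from 'other' processes
# --- basically it only accepts daemons running as users: root, nobody, bind, www, sshd, and "youruser"
# v0.7 06/25/2002 - COMMENTED OUT PROTECTION OF MAIN IP SECTION --
# --- this section doesn't work really well for a number of reasons - mainly because lots of user programs
# --- (mainly ircd's) have to use the main IP for weird purposes for proxy checks and such, so they bind
# --- it temporarily, and end up DEAD. This is no good. So I don't use this anymore.
# v0.8 07/23/2003 - added binding statements to check for IP addresses that bind to all IP addresses on TCP ports.
# --- this will alleviate problems with IRCd's that bind ports on all addresses and make it impossible for
# --- other customers to bind to that same port. I have it looking for other processes as well.
# --- also added a protection area for certain IP addresses that are NOT main IP's, but stuff like:
# --- webserver, nameservers, etc. where you don't want programs running on them.
# --- I personally also use ipfw rules in order to fix this situation.
# v0.9 07/25/2003 - added a comment and bit of code to the binding of all IP addresses statement in order to allow for
# --- a given UID to be exempt from this.
# v1.0 07/29/2003 - added more logging - it now logs 'ps' output for the specified processes (so you see what was actually
# --- killed) I mean, this was needed since day one, but I suppose I never thought about it.
# --- Version 1.0 - even if it has false positives, it has enough logging for an admin to figure things out.
#
#
# BEFORE YOU USE THIS:
# IT IS IMPORTANT THAT YOU LOOK THROUGH THESE THINGS AND EDIT APPROPRIATELY!
#
# if you don't know what this does, you better not run it! It works great for me, but may not for you!
#
# 1) edit the *_RE patterns below to suit your needs (they are the old egrep statements)
# 2) edit out IP addresses I use in here and add your own IP's (why would you use mine!?)
# 3) make sure the script works right by running it once with DRY_RUN=1 and reading
#    the syslog / stderr output, just to make sure things function the way you think they are.
# 4) be mega-careful.
#
# How the matching works, and why it is a heuristic rather than a security control:
#   - the COMMAND column of sockstat is compared with an unanchored extended regex,
#     so a pattern such as 'ez' also matches any command name containing those
#     letters.  Expect false positives (and misses); the 'ps' line logged before
#     every kill exists so an admin can work out what actually happened.
#   - a PID can be reused between the sockstat snapshot and the kill.  The window
#     is small but not zero.
#   - the command name is chosen by whoever runs the process, so this is nuisance
#     control, not isolation.  Use ipfw / resource limits for the real enforcement.
#
# ###
#
# checks for excessive IRC connections
#
# In this particular case, we are checking for anything using more than 2 connections. One connection is fine,
# two is ok, but three and above? death.  Set IRC_MAX_CONNS in the environment (or change the default below)
# to allow more; IRC_MAX_CONNS=3 allows three connections. it's that easy.

set -euo pipefail

readonly LOG_TAG='process-check'

# The three patterns below are the original egrep rules, unchanged.  They are
# extended regular expressions applied to the COMMAND column of sockstat
# (or, for IRC_PORT_RE, to the FOREIGN ADDRESS column).
#
# processes that count against the IRC connection limit
readonly IRC_CLIENT_RE='(bnc|psybnc|ezbnc|muh|ez|mech|emech|[Mm]irkforce|iroffer|xdcc|sc_serv)'
# foreign ports that count as IRC connections (":666" also covers 6660-6669)
readonly IRC_PORT_RE='(:666|:7000|:7777|:8000|:8080)'
# processes that are never allowed, whatever they are connected to
readonly ILLEGAL_PROCESS_RE='(ventrilo|icecast|mirkforce|Mirkforce|iroffer|xdcc|sc_serv)'

# a matched process holding MORE than this many IRC connections is killed
readonly IRC_MAX_CONNS=${IRC_MAX_CONNS:-2}
# DRY_RUN=1 logs what would be killed and sends no signal
readonly DRY_RUN=${DRY_RUN:-0}

#######################################
# Write one message to syslog and to stderr (cron discards stderr; a manual run sees it).
# Globals:   LOG_TAG (read)
# Arguments: $* - message text
#######################################
log() {
  printf '%s\n' "$*" >&2
  # a missing/broken logger must not stop enforcement, hence the || true
  printf '%s\n' "$*" | logger -t "$LOG_TAG" || true
}

#######################################
# Log a fatal message and exit 1.
# Arguments: $* - message text
#######################################
die() {
  log "fatal: $*"
  exit 1
}

#######################################
# Rule 2: PIDs of IRC-ish processes holding more than $1 connections to IRC ports.
# sockstat columns (FreeBSD): USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS;
# rows whose PID column is not numeric (the header, malformed lines) are ignored.
# Globals:   IRC_CLIENT_RE, IRC_PORT_RE, IRC_MAX_CONNS (read)
# Arguments: $1 - connection limit (default IRC_MAX_CONNS)
# Input:     sockstat output on stdin
# Outputs:   one PID per line, ascending
# Returns:   0 (no matches is not an error)
#######################################
find_excessive_irc_pids() {
  local max_conns=${1:-$IRC_MAX_CONNS}
  # Count rows per PID rather than per "COMMAND PID" pair as the original
  # uniq -c did; a PID identifies its command, so the count is the same, but
  # this no longer depends on sockstat listing a process's sockets contiguously.
  awk -v cmd_re="$IRC_CLIENT_RE" -v port_re="$IRC_PORT_RE" -v max="$max_conns" '
    $3 ~ /^[0-9]+$/ && $2 ~ cmd_re && $7 ~ port_re { conns[$3]++ }
    END { for (pid in conns) if (conns[pid] > max) print pid }
  ' | sort -n
}

#######################################
# Rule 1: PIDs of processes whose command name matches ILLEGAL_PROCESS_RE.
# Globals: ILLEGAL_PROCESS_RE (read)
# Input:   sockstat output on stdin
# Outputs: one PID per line, ascending, each PID once
# Returns: 0
#######################################
find_illegal_pids() {
  awk -v cmd_re="$ILLEGAL_PROCESS_RE" '
    $3 ~ /^[0-9]+$/ && $2 ~ cmd_re && !seen[$3]++ { print $3 }
  ' | sort -n
}

#######################################
# Log the process, kill it with SIGKILL (the author's chosen sanction), log the outcome.
# Globals:   DRY_RUN, LOG_TAG (read)
# Arguments: $1 - PID; $2 - reason, completes "killed process N for <reason>"
# Returns:   0 if killed (or DRY_RUN); 1 if the PID was rejected or the kill failed
#######################################
kill_and_log() {
  local pid=$1 reason=$2
  # Only a plain positive integer may reach kill(1): as root, "-1" would
  # signal every process on the box and "0" our own process group.
  if [[ ! "$pid" =~ ^[1-9][0-9]*$ ]]; then
    log "refusing to kill bad pid '${pid}' (${reason})"
    return 1
  fi
  # snapshot first so the log shows what was actually killed; if ps fails
  # (process already gone) we still go on and let kill report it
  ps -uwwx -p "$pid" 2>&1 | logger -t "$LOG_TAG" || true
  if [[ "$DRY_RUN" == 1 ]]; then
    log "DRY_RUN: would kill process ${pid} for ${reason}"
    return 0
  fi
  if kill -9 "$pid"; then
    log "killed process ${pid} for ${reason}"
  else
    log "failed to kill process ${pid} for ${reason}"
    return 1
  fi
}

# --- DISABLED RULES ------------------------------------------------------------
# Kept (one pipeline per line) for anyone who wants to re-enable them.  Before
# doing so, read the changelog, replace the IP addresses with your own, and route
# the PIDs through kill_and_log instead of a bare "kill -9 $i".
#
# 3) checks for certain processes that bind to all IP addresses on TCP ports, and promptly kills them.
#    the area of code "if ($1 != "20009")" is for User ID '20009'. This allows for this user to be exempt from this check.
#
#for i in `sockstat | grep tcp \
#  | awk '{if ($1 != "20009") print $1 "\t" $2 "\t" $3 "\t" $5 "\t" $6 }' \
#  | grep tcp | grep "\*:" \
#  | egrep '(egg|[Ii][Rr][Cc]|bnc|psybnc|ezbnc|muh|ez|mech|emech|[Mm]irkforce|iroffer|xdcc|sc_serv|ventrilo)' \
#  | awk '{print $3}' | sort | uniq`; do
#  echo "`ps -uwwx -p $i | logger`" && kill -9 $i && echo "killed process $i for binding to all IP addresses improperly" | logger
#done
#
# 4) checks for processes bound to certain IP addresses we won't allow and kills them.
#    (the original line had a stray backtick after "$6}"; fixed here so it can be copied out as-is.
#    note the unescaped dots in the address pattern, and that "64.71.191" matches any address that
#    contains it, not only 64.71.191.0/24.)
#
#for i in `sockstat | grep tcp | awk '{print $2 "\t" $3 "\t" $6}' \
#  | egrep '(216.218.235.64:|216.218.235.67:|64.71.191)' \
#  | egrep '(egg|[Ii][Rr][Cc]|bnc|psybnc|ezbnc|muh|ez|mech|emech|[Mm]irkforce|iroffer|xdcc|sc_serv)' \
#  | awk '{print $2}' | sort | uniq`; do
#  echo "`ps -uwwx -p $i | logger`" && kill -9 $i && echo "killed process $i for binding to a banned IP address" | logger
#done
#
# 5) protects the main IP from rogue user daemons
#    !!! BE CAREFUL DOES NOT REALLY WORK PROPERLY !!! (check notes in changelog above)
#
#for i in `sockstat | awk '{print $1 "\t" $3 "\t" $6}' | grep YOUR_MAIN_IP_HERE \
#  | awk '{if ($1 != "root") print $1 "\t" $2}' \
#  | awk '{if ($1 != "nobody") print $1 "\t" $2}' \
#  | awk '{if ($1 != "bind") print $1 "\t" $2}' \
#  | awk '{if ($1 != "sshd") print $1 "\t" $2}' \
#  | awk '{if ($1 != "www") print $1 "\t" $2}' \
#  | awk '{if ($1 != "youruser") print $2}' | uniq`; do
#  echo "`ps -uwwx -p $i | logger`" && kill -9 $i && echo "killed process $i -- user daemon running on IP YOUR_MAIN_IP_HERE" | logger
#done

#######################################
# Take one sockstat snapshot and apply the active rules (2 then 1, as the original did).
# Globals: IRC_MAX_CONNS, DRY_RUN (read)
# Returns: 0.  A missing sockstat is logged and treated as "nothing to do" — the
#          original pipelines silently did the same, this version at least says so.
#######################################
main() {
  local snapshot pid

  [[ "$IRC_MAX_CONNS" =~ ^[0-9]+$ ]] \
    || die "IRC_MAX_CONNS must be a non-negative integer, got '${IRC_MAX_CONNS}'"

  if ! command -v sockstat >/dev/null 2>&1; then
    log "sockstat not found; no checks performed"
    return 0
  fi
  # one snapshot for both rules so they agree on which PIDs existed
  snapshot=$(sockstat) || die "sockstat failed"

  while IFS= read -r pid; do
    # one failed kill must not stop the remaining ones
    kill_and_log "$pid" 'using excessive IRC connections' || true
  done < <(find_excessive_irc_pids "$IRC_MAX_CONNS" <<<"$snapshot")

  while IFS= read -r pid; do
    kill_and_log "$pid" 'being an illegal process' || true
  done < <(find_illegal_pids <<<"$snapshot")
}

main "$@"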