Diffstat (limited to 'utils')
| -rwxr-xr-x | utils/filtron.sh | 283 | ||||
| -rwxr-xr-x | utils/lib.sh | 354 | ||||
| -rw-r--r-- | utils/templates/etc/filtron/rules.json | 119 | ||||
| -rw-r--r-- | utils/templates/lib/systemd/system/filtron.service | 29 |
4 files changed, 785 insertions, 0 deletions
diff --git a/utils/filtron.sh b/utils/filtron.sh
new file mode 100755
index 000000000..5c8a738b0
--- /dev/null
+++ b/utils/filtron.sh
@@ -0,0 +1,283 @@
+#!/usr/bin/env bash
+# -*- coding: utf-8; mode: sh -*-
+# shellcheck disable=SC2119
+
+# shellcheck source=utils/lib.sh
+source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
+
+# ----------------------------------------------------------------------------
+# config
+# ----------------------------------------------------------------------------
+
+FILTRON_ETC="/etc/filtron"
+
+FILTRON_RULES="$FILTRON_ETC/rules.json"
+
+# shellcheck disable=SC2034
+FILTRON_API="127.0.0.1:4005"
+# shellcheck disable=SC2034
+FILTRON_LISTEN="127.0.0.1:4004"
+# shellcheck disable=SC2034
+FILTRON_TARGET="127.0.0.1:8888"
+
+SERVICE_NAME="filtron"
+SERVICE_USER="${SERVICE_NAME}"
+SERVICE_HOME="/home/${SERVICE_USER}"
+SERVICE_SYSTEMD_UNIT="${SYSTEMD_UNITS}/${SERVICE_NAME}.service"
+
+# shellcheck disable=SC2034
+SERVICE_GROUP="${SERVICE_USER}"
+
+GO_ENV="${SERVICE_HOME}/.go_env"
+GO_PKG_URL="https://dl.google.com/go/go1.13.5.linux-amd64.tar.gz"
+GO_TAR=$(basename "$GO_PKG_URL")
+
+# shellcheck disable=SC2034
+CONFIG_FILES=(
+ "${FILTRON_RULES}"
+ "${SERVICE_SYSTEMD_UNIT}"
+)
+
+# ----------------------------------------------------------------------------
+usage(){
+# ----------------------------------------------------------------------------
+
+ # shellcheck disable=SC1117
+ cat <<EOF
+
+usage:
+
+ $(basename "$0") shell
+ $(basename "$0") install [all|user]
+ $(basename "$0") update [filtron]
+ $(basename "$0") remove [all]
+ $(basename "$0") activate [service]
+ $(basename "$0") deactivate [service]
+ $(basename "$0") show [service]
+
+shell
+ start interactive shell from user ${SERVICE_USER}
+install / remove all
+ complete setup of filtron service
+update filtron
+ Update filtron installation of user ${SERVICE_USER}
+activate
+ activate and start service daemon (systemd unit)
+deactivate service
+ stop and deactivate service daemon (systemd unit)
+install user
+ add service user '$SERVICE_USER' at $SERVICE_HOME
+show service
+ show service status and log
+EOF
+ [ ! 
-z ${1+x} ] && echo -e "$1"
+}
+
+main(){
+ rst_title "$SERVICE_NAME" part
+
+ local _usage="ERROR: unknown or missing $1 command $2"
+
+ case $1 in
+ --source-only) ;;
+ -h|--help) usage; exit 0;;
+
+ shell)
+ sudo_or_exit
+ interactive_shell
+ ;;
+ show)
+ case $2 in
+ service)
+ sudo_or_exit
+ show_service
+ ;;
+ *) usage "$_usage"; exit 42;;
+ esac ;;
+ install)
+ sudo_or_exit
+ case $2 in
+ all) install_all ;;
+ user) assert_user ;;
+ *) usage "$_usage"; exit 42;;
+ esac ;;
+ update)
+ sudo_or_exit
+ case $2 in
+ filtron) update_filtron ;;
+ *) usage "$_usage"; exit 42;;
+ esac ;;
+ remove)
+ sudo_or_exit
+ case $2 in
+ all) remove_all;;
+ user) remove_user ;;
+ *) usage "$_usage"; exit 42;;
+ esac ;;
+ activate)
+ sudo_or_exit
+ case $2 in
+ service) activate_service ;;
+ *) usage "$_usage"; exit 42;;
+ esac ;;
+ deactivate)
+ sudo_or_exit
+ case $2 in
+ service) deactivate_service ;;
+ *) usage "$_usage"; exit 42;;
+ esac ;;
+ *) usage "ERROR: unknown or missing command $1"; exit 42;;
+ esac
+}
+
+install_all() {
+ rst_title "Install $SERVICE_NAME (service)"
+ assert_user
+ wait_key
+ install_go
+ wait_key
+ install_filtron
+ wait_key
+ install_service
+ wait_key
+}
+
+remove_all() {
+ rst_title "De-Install $SERVICE_NAME (service)"
+ remove_service
+ wait_key
+ remove_user
+ rm -r "$FILTRON_ETC" 2>&1 | prefix_stdout
+ wait_key
+}
+
+install_service() {
+ rst_title "Install System-D Unit ${SERVICE_NAME}.service" section
+ echo
+ install_template ${SERVICE_SYSTEMD_UNIT} root root 644
+ wait_key
+ activate_service
+}
+
+remove_service() {
+ if ! 
ask_yn "Do you really want to deinstall $SERVICE_NAME?"; then
+ return
+ fi
+ deactivate_service
+ rm "${SERVICE_SYSTEMD_UNIT}" 2>&1 | prefix_stdout
+}
+
+activate_service () {
+ rst_title "Activate $SERVICE_NAME (service)" section
+ echo
+ tee_stderr <<EOF | bash 2>&1 | prefix_stdout
+systemctl enable $SERVICE_NAME.service
+systemctl restart $SERVICE_NAME.service
+EOF
+ tee_stderr <<EOF | bash 2>&1 | prefix_stdout
+systemctl status $SERVICE_NAME.service
+EOF
+}
+
+deactivate_service () {
+ rst_title "De-Activate $SERVICE_NAME (service)" section
+ echo
+ tee_stderr <<EOF | bash 2>&1 | prefix_stdout
+systemctl stop $SERVICE_NAME.service
+systemctl disable $SERVICE_NAME.service
+EOF
+}
+
+assert_user() {
+ rst_title "user $SERVICE_USER" section
+ echo
+ tee_stderr 1 <<EOF | bash | prefix_stdout
+sudo -H adduser --shell /bin/bash --system --home $SERVICE_HOME --group --gecos 'Filtron' $SERVICE_USER
+sudo -H usermod -a -G shadow $SERVICE_USER
+groups $SERVICE_USER
+EOF
+ SERVICE_HOME="$(sudo -i -u "$SERVICE_USER" echo \$HOME)"
+ export SERVICE_HOME
+ echo "export SERVICE_HOME=$SERVICE_HOME"
+
+ cat > "$GO_ENV" <<EOF
+export GOPATH=\$HOME/go-apps
+export PATH=\$PATH:\$HOME/local/go/bin:\$GOPATH/bin
+EOF
+ echo "Environment $GO_ENV has been setup."
+
+ tee_stderr <<EOF | sudo -i -u $SERVICE_USER
+grep -qFs -- 'source $GO_ENV' ~/.profile || echo 'source $GO_ENV' >> ~/.profile
+EOF
+}
+
+remove_user() {
+ rst_title "Drop $SERVICE_USER HOME" section
+ if ask_yn "Do you really want to drop $SERVICE_USER home folder?"; then
+ userdel -r -f "$SERVICE_USER" 2>&1 | prefix_stdout
+ else
+ rst_para "Leave HOME folder $(du -sh "$SERVICE_HOME") unchanged."
+ fi
+}
+
+interactive_shell(){
+ echo "// exit with CTRL-D"
+ sudo -H -u ${SERVICE_USER} -i
+}
+
+_service_prefix=" |$SERVICE_USER| "
+
+install_go(){
+ rst_title "Install Go in user's HOME" section
+
+ rst_para "download and install go binary .." 
+ cache_download "${GO_PKG_URL}" "${GO_TAR}"
+
+ tee_stderr 0.1 <<EOF | sudo -i -u "$SERVICE_USER" | prefix_stdout "$_service_prefix"
+echo \$PATH
+echo \$GOPATH
+mkdir -p \$HOME/local
+rm -rf \$HOME/local/go
+tar -C \$HOME/local -xzf ${CACHE}/${GO_TAR}
+EOF
+ echo
+ sudo -i -u "$SERVICE_USER" <<EOF | prefix_stdout
+! which go >/dev/null && echo "Go Installation not found in PATH!?!"
+which go >/dev/null && go version && echo "congratulations -- Go installation OK :)"
+EOF
+}
+
+install_filtron() {
+ rst_title "Install filtron in user's ~/go-apps" section
+ echo
+ tee_stderr <<EOF | sudo -i -u "$SERVICE_USER" 2>&1 | prefix_stdout "$_service_prefix"
+go get -v -u github.com/asciimoo/filtron
+EOF
+ install_template --no-eval "$FILTRON_RULES" root root 644
+}
+
+update_filtron() {
+ rst_title "Update filtron" section
+ echo
+ tee_stderr <<EOF | sudo -i -u "$SERVICE_USER" 2>&1 | prefix_stdout "$_service_prefix"
+go get -v -u github.com/asciimoo/filtron
+EOF
+}
+
+show_service () {
+ rst_title "service status & log"
+ echo
+ systemctl status filtron.service
+ echo
+ read -r -s -n1 -t 5 -p "// use CTRL-C to stop monitoring the log"
+ echo
+ while true; do
+ trap break 2
+ journalctl -f -u filtron
+ done
+ return 0
+}
+
+# ----------------------------------------------------------------------------
+main "$@"
+# ----------------------------------------------------------------------------
diff --git a/utils/lib.sh b/utils/lib.sh
new file mode 100755
index 000000000..fd6b92129
--- /dev/null
+++ b/utils/lib.sh
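Review bot: In assert_user the line `sudo -H usermod -a -G shadow $SERVICE_USER` adds the filtron service account to the shadow group, which on Debian-style systems (the hunk uses adduser) grants read access to /etc/shadow; a rate-limiting reverse proxy bound to 127.0.0.1:4004 has no need for local password hashes, and a compromise of the filtron process would expose all of them. Nothing else in this hunk depends on that membership, so the line can be dropped and the account left with its own primary group only. Separately, install_go fetches go1.13.5.linux-amd64.tar.gz via cache_download and unpacks it as the service user without comparing it to the SHA-256 Google publishes for that archive, and install_filtron/update_filtron run `go get -v -u github.com/asciimoo/filtron`, which builds whatever the branch head is at install time; a pinned digest and a pinned revision, or at least a comment such as `# NOTE: no checksum/version pinning — trust rests on TLS to dl.google.com and github.com`, would make the supply-chain assumption explicit.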
@@ -0,0 +1,354 @@
+#!/usr/bin/env bash
+# -*- coding: utf-8; mode: sh -*-
+# shellcheck disable=SC2059,SC1117,SC2162,SC2004
+
+if [[ -z "${REPO_ROOT}" ]]; then
+ REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")
+ while [ -h "${REPO_ROOT}" ] ; do
+ REPO_ROOT=$(readlink "${REPO_ROOT}")
+ done
+ REPO_ROOT=$(cd "${REPO_ROOT}/.." && pwd -P )
+fi
+
+if [[ -z ${TEMPLATES} ]]; then
+ TEMPLATES="${REPO_ROOT}/utils/templates"
+fi
+
+if [[ -z "$CACHE" ]]; then
+ CACHE="${REPO_ROOT}/cache"
+fi
+
+if [[ -z "$SYSTEMD_UNITS" ]]; then
+ SYSTEMD_UNITS="/lib/systemd/system"
+fi
+
+if [[ -z ${DIFF_CMD} ]]; then
+ DIFF_CMD="diff -u"
+ if command -v colordiff >/dev/null; then
+ DIFF_CMD="colordiff -u"
+ fi
+fi
+
+sudo_or_exit() {
+ # usage: sudo_or_exit
+
+ if [ ! "$(id -u)" -eq 0 ]; then
+ err_msg "this command requires root (sudo) privilege!" >&2
+ exit 42
+ fi
+}
+
+rst_title() {
+ # usage: rst_title <header-text> [part|chapter|section]
+
+ case ${2-chapter} in
+ part) printf "\n${1//?/=}\n$1\n${1//?/=}\n";;
+ chapter) printf "\n${1}\n${1//?/=}\n";;
+ section) printf "\n${1}\n${1//?/-}\n";;
+ *)
+ err_msg "invalid argument '${2}' in line $(caller)"
+ return 42
+ ;;
+ esac
+}
+
+if command -v fmt >/dev/null; then
+ export FMT="fmt -u"
+else
+ export FMT="cat"
+fi
+
+rst_para() {
+ # usage: RST_INDENT=1 rst_para "lorem ipsum ..."
+ local prefix=''
+ if ! [[ -z $RST_INDENT ]] && [[ $RST_INDENT -gt 0 ]]; then
+ prefix="$(for i in $(seq 1 "$RST_INDENT"); do printf " "; done)"
+ echo -en "\n$*\n" | $FMT | prefix_stdout "$prefix"
+ else
+ echo -en "\n$*\n" | $FMT
+ fi
+}
+
+err_msg() { echo -e "ERROR: $*" >&2; }
+warn_msg() { echo -e "WARN: $*" >&2; }
+info_msg() { echo -e "INFO: $*"; }
+
+clean_stdin() {
+ if [[ $(uname -s) != 'Darwin' ]]; then
+ while read -n1 -t 0.1; do : ; done
+ fi
+}
+
+wait_key(){
+ # usage: waitKEY [<timeout in sec>]
+
+ clean_stdin
+ local _t=$1
+ [[ ! -z $FORCE_TIMEOUT ]] && _t=$FORCE_TIMEOUT
+ [[ ! 
-z $_t ]] && _t="-t $_t"
+ # shellcheck disable=SC2086
+ read -s -n1 $_t -p "** press any [KEY] to continue **"
+ echo
+ clean_stdin
+}
+
+ask_yn() {
+ # usage: ask_yn <prompt-text> [Ny|Yn] [<timeout in sec>]
+
+ local EXIT_YES=0 # exit status 0 --> successful
+ local EXIT_NO=1 # exit status 1 --> error code
+
+ local _t=$3
+ [[ ! -z $FORCE_TIMEOUT ]] && _t=$FORCE_TIMEOUT
+ [[ ! -z $_t ]] && _t="-t $_t"
+ case "${2}" in
+ Yn)
+ local exit_val=${EXIT_YES}
+ local choice="[YES/no]"
+ local default="Yes"
+ ;;
+ *)
+ local exit_val=${EXIT_NO}
+ local choice="[NO/yes]"
+ local default="No"
+ ;;
+ esac
+ echo
+ while true; do
+ clean_stdin
+ printf "$1 ${choice} "
+ # shellcheck disable=SC2086
+ read -n1 $_t
+ if [[ -z $REPLY ]]; then
+ printf "$default\n"; break
+ elif [[ $REPLY =~ ^[Yy]$ ]]; then
+ exit_val=${EXIT_YES}
+ printf "\n"
+ break
+ elif [[ $REPLY =~ ^[Nn]$ ]]; then
+ exit_val=${EXIT_NO}
+ printf "\n"
+ break
+ fi
+ _t=""
+ err_msg "invalid choice"
+ done
+ clean_stdin
+ return $exit_val
+}
+
+tee_stderr () {
+
+ # usage::
+ # tee_stderr 1 <<EOF | python -i
+ # print("hello")
+ # EOF
+ # ...
+ # >>> print("hello")
+ # hello
+
+ local _t="0";
+ if [[ ! -z $1 ]] ; then _t="$1"; fi
+
+ (while read line; do
+ # shellcheck disable=SC2086
+ sleep $_t
+ echo -e "$line" >&2
+ echo "$line"
+ done)
+}
+
+prefix_stdout () {
+ # usage: <cmd> | prefix_stdout [prefix]
+
+ local prefix=" | "
+
+ if [[ ! -z $1 ]] ; then prefix="$1"; fi
+
+ (while IFS= read line; do
+ echo -e "${prefix}$line"
+ done)
+}
+
+append_line() {
+
+ # usage: append_line <line> <file>
+ #
+ # Append line if not exists, create file if not exists. E.g::
+ #
+ # append_line 'source ~/.foo' ~/bashrc
+
+ local LINE=$1
+ local FILE=$2
+ grep -qFs -- "$LINE" "$FILE" || echo "$LINE" >> "$FILE"
+}
+
+cache_download() {
+
+ # usage: cache_download <url> <local-filename>
+
+ local exit_value=0
+
+ if [[ ! 
-z ${SUDO_USER} ]]; then
+ sudo -u "${SUDO_USER}" mkdir -p "${CACHE}"
+ else
+ mkdir -p "${CACHE}"
+ fi
+
+ if [[ -f "${CACHE}/$2" ]] ; then
+ info_msg "already cached: $1"
+ info_msg " --> ${CACHE}/$2"
+ fi
+
+ if [[ ! -f "${CACHE}/$2" ]]; then
+ info_msg "caching: $1"
+ info_msg " --> ${CACHE}/$2"
+ if [[ ! -z ${SUDO_USER} ]]; then
+ sudo -u "${SUDO_USER}" wget --progress=bar -O "${CACHE}/$2" "$1" ; exit_value=$?
+ else
+ wget --progress=bar -O "${CACHE}/$2" "$1" ; exit_value=$?
+ fi
+ if $exit_value; then
+ err_msg "failed to download: $1"
+ fi
+ fi
+}
+
+choose_one() {
+
+ # usage:
+ #
+ # DEFAULT_SELECT= 2 \
+ # choose_one <name> "your selection?" "Coffee" "Coffee with milk"
+
+ local default=${DEFAULT_SELECT-1}
+ local REPLY
+ local env_name=$1 && shift
+ local choice=$1;
+ local max="${#@}"
+ local _t
+ [[ ! -z $FORCE_TIMEOUT ]] && _t=$FORCE_TIMEOUT
+ [[ ! -z $_t ]] && _t="-t $_t"
+
+ list=("$@")
+ echo -e "Menu::"
+ for ((i=1; i<= $(($max -1)); i++)); do
+ if [[ "$i" == "$default" ]]; then
+ echo -e " $i.) ${list[$i]} [default]"
+ else
+ echo -e " $i.) ${list[$i]}"
+ fi
+ done
+ while true; do
+ clean_stdin
+ printf "$1 [$default] "
+
+ if (( 10 > $max )); then
+ # shellcheck disable=SC2086
+ read -n1 $_t
+ else
+ # shellcheck disable=SC2086,SC2229
+ read $_t
+ fi
+ # selection fits
+ [[ $REPLY =~ ^-?[0-9]+$ ]] && (( $REPLY > 0 )) && (( $REPLY < $max )) && break
+
+ # take default
+ [[ -z $REPLY ]] && REPLY=$default && break
+
+ _t=""
+ err_msg "invalid choice"
+ done
+ echo
+ clean_stdin
+ eval "$env_name"='${list[${REPLY}]}'
+}
+
+install_template() {
+
+ # usage:
+ #
+ # install_template [--no-eval] {file} [{owner} [{group} [{chmod}]]]
+ #
+ # install_template --no-eval /etc/updatedb.conf root root 644
+
+ local do_eval=1
+ if [[ "$1" == "--no-eval" ]]; then
+ do_eval=0; shift
+ fi
+ local dst="${1}"
+ local owner=${2-$(id -un)}
+ local group=${3-$(id -gn)}
+ local chmod=${4-644}
+ local _reply=""
+
+ info_msg "install: ${dst}"
+
+ if [[ ! 
-f "${TEMPLATES}${dst}" ]] ; then
+ err_msg "${TEMPLATES}${dst} does not exists"
+ err_msg "... can't install $dst / exit installation with error 42"
+ wait_key 30
+ return 42
+ fi
+
+ local template_file="${TEMPLATES}${dst}"
+ if [[ "$do_eval" == "1" ]]; then
+ info_msg "BUILD template ${template_file}"
+ if [[ -f "${TEMPLATES}${dst}" ]] ; then
+ template_file="${CACHE}${dst}"
+ mkdir -p "$(dirname "${template_file}")"
+ # shellcheck disable=SC2086
+ eval "echo \"$(cat ${TEMPLATES}${dst})\"" > "${template_file}"
+ else
+ err_msg "failed ${template_file}"
+ return 42
+ fi
+ fi
+
+ mkdir -p "$(dirname "${dst}")"
+
+ if [[ ! -f "${dst}" ]]; then
+ info_msg "install: ${template_file}"
+ sudo -H install -v -o "${owner}" -g "${group}" -m "${chmod}" \
+ "${template_file}" "${dst}" | prefix_stdout
+ return $?
+ fi
+
+ if [[ -f "${dst}" ]] && cmp --silent "${template_file}" "${dst}" ; then
+ info_msg "file ${dst} allready installed"
+ return 0
+ fi
+
+ info_msg "file ${dst} allready exists on this host"
+
+ while true; do
+ choose_one _reply "choose next step with file $dst" \
+ "replace file" \
+ "leave file unchanged" \
+ "interactiv shell" \
+ "diff files"
+
+ case $_reply in
+ "replace file")
+ info_msg "install: ${template_file}"
+ sudo -H install -v -o "${owner}" -g "${group}" -m "${chmod}" \
+ "${template_file}" "${dst}" | prefix_stdout
+ break
+ ;;
+ "leave file unchanged")
+ break
+ ;;
+ "interactiv shell")
+ echo "// edit ${dst} to your needs"
+ echo "// exit with CTRL-D"
+ sudo -H -u "${owner}" -i
+ $DIFF_CMD "${dst}" "${template_file}"
+ if ask_yn "did you edit ${template_file} to your needs?"; then
+ break
+ fi
+ ;;
+ "diff files")
+ $DIFF_CMD "${dst}" "${template_file}" | prefix_stdout
+ esac
+ done
+}
diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json
new file mode 100644
index 000000000..634f5f2d6
--- /dev/null
+++ b/utils/templates/etc/filtron/rules.json
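Review bot: In cache_download the test `if $exit_value; then` executes the numeric wget status as a command instead of comparing it, so every run prints `0: command not found` (or `8: command not found` on a failed fetch) and the intended "failed to download" error is never reported; since `wget -O` creates the output file before the transfer, a failed download presumably leaves an empty or truncated file in ${CACHE} that the next run reports as "already cached" and install_go then untars as the service user. Replace the test with `if [[ "$exit_value" -ne 0 ]]; then err_msg "failed to download: $1"; rm -f -- "${CACHE}/$2"; fi` and finish the function with `return "$exit_value"` so callers can abort; given that this helper is what fetches the Go toolchain, accepting an optional expected SHA-256 and checking it with sha256sum would be the natural extension. One further note for install_template: `eval "echo \"$(cat ${TEMPLATES}${dst})\""` executes any `$(...)` inside a template with the caller's (root) privileges, which is fine for repository-owned templates but deserves a line in the usage comment, e.g. `# NOTE: templates are eval'd as root — TEMPLATES must never point at an untrusted directory`.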
@@ -0,0 +1,119 @@
+[{
+ "name":"suspiciously frequent queries",
+ "filters":[
+ "Param:q",
+ "Path=^(/|/search)$"
+ ],
+ "interval":120,
+ "limit":9,
+ "actions":[
+ {"name":"log"}
+ ]
+ },
+ {
+ "name":"search request",
+ "filters":[
+ "Param:q",
+ "Path=^(/|/search)$"
+ ],
+ "interval":120,
+ "limit":19,
+ "actions":[
+ {
+ "name":"block",
+ "params":{
+ "message":"common rate limit exceeded"
+ }
+ }
+ ],
+ "subrules":[
+ {
+ "name":"roboagent limit",
+ "interval":60,
+ "limit":3,
+ "filters":[
+ "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby)"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"botlimit",
+ "interval":60,
+ "limit":0,
+ "stop":true,
+ "filters":[
+ "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"IP limit",
+ "interval":60,
+ "limit":13,
+ "stop":true,
+ "aggregations":[
+ "Header:X-Forwarded-For"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"rss/json limit",
+ "interval":60,
+ "limit":13,
+ "stop":true,
+ "filters":[
+ "Param:format=(csv|json|rss)"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"useragent limit",
+ "interval":60,
+ "limit":13,
+ "aggregations":[
+ "Header:User-Agent"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ }
+ ]
+}]
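Review bot: The "IP limit" subrule aggregates on `Header:X-Forwarded-For`, a header any client can supply, so the per-address bucket only holds if the proxy in front of filtron (one is implied by the 127.0.0.1:4004 listen address in filtron.sh) overwrites the header with the real peer address rather than appending to it or passing it through; otherwise a client that rotates the value gets a fresh bucket on every request, and clients that omit it presumably all share one bucket and can block each other. The JSON cannot carry a comment, so the requirement belongs in the installer's usage text or a README beside the template, e.g. `rules.json assumes the front proxy sets X-Forwarded-For to the real client address; client-supplied values must not be trusted`. The duplicated `MJ12bot` alternative in the botlimit regex is harmless and can be dropped.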
diff --git a/utils/templates/lib/systemd/system/filtron.service b/utils/templates/lib/systemd/system/filtron.service
new file mode 100644
index 000000000..3b0c6edcc
--- /dev/null
+++ b/utils/templates/lib/systemd/system/filtron.service
@@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -api '${FILTRON_API}' -listen '${FILTRON_LISTEN}' -rules '${FILTRON_RULES}' -target '${FILTRON_TARGET}'
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME}
+
+# Some distributions may not support these hardening directives. If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target |
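Review bot: ExecStart runs `${SERVICE_HOME}/go-apps/bin/filtron`, a binary that `go get` installs into the service user's own home directory, and `ProtectSystem=full` does not cover /home; combined with `Restart=always`, a compromised filtron process can overwrite its own executable and have systemd relaunch the modified binary. If filtron does not need to write below its home at runtime (the rules file is read from /etc/filtron, which is what this template references), add `ProtectHome=read-only` next to the existing hardening lines, and consider `ProtectSystem=strict`, `ProtectKernelTunables=yes` and `ProtectControlGroups=yes` under the same comment about directives some systemd versions lack. `After=syslog.target` is obsolete on current systemd and can be dropped.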