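#!/bin/sh
#
# Script checking whether an FTP-proxy user already exchanged a lot of data
# during the current day.  Applied between 08:00 and 18:00 only.
#
# Interesting lines in the log:
#
#Sep 24 10:42:20 firewall netacl[8690]: permit host=internal/xxx service=in.ftpd execute=/usr/local/etc/ftp-gw.size
#Sep 24 10:42:20 firewall ftp-gw[8690]: permit host=internal/xxx use of gateway
#Sep 24 10:45:38 firewall ftp-gw[8690]: permit host=internal/xxx connect to wigner.physik.rwth-aachen.de
#$1  $2 $3       $4       $5            $6     $7                $8      $9 $10
#Sep 24 10:58:35 firewall ftp-gw[8690]: exit host=internal/xxx cmds=12 in=671 out=98566144 user=unauth duration=975
#$1  $2 $3       $4       $5            $6   $7                $8      $9     $10          $11         $12
#
# Interesting lines in netperm-table:
#
#ftp-gw: sizelimit 104857600
#ftp-gw: deny-hosts unknown
# CUT HERE -BEG- FOR AUTOMATICALLY ADDING DENY LINES
#ftp-gw: hosts 160.103.*.* -dest { !137.226.31.204 *.*.*.* }
# CUT HERE -END- FOR AUTOMATICALLY ADDING DENY LINES
#
# Exit status: 0 on success (netperm-table rewritten only when a new host
# exceeded the quota), 1 when the lock cannot be taken, no scratch
# directory can be created, or no numeric sizelimit is found.
#
# Plain /bin/sh: no bash-only constructs below.  "set -e" is deliberately
# not used because grep legitimately returns 1 when no log line matches.
#
set -u

NETPERM="/usr/local/etc/netperm-table"
STOPFTPLIST="/usr/local/etc/report/stopftp.hosts"
# Internal network prefix (two leading octets): selects the log lines to
# account and is the source part of the generated deny directive.
LOCALNET="160.103"
# Daily quota per destination is QUOTA_FACTOR x the per-transfer sizelimit.
QUOTA_FACTOR=4
# Give up after this many 10 s waits for the lock (10 minutes) instead of
# letting cron runs pile up forever behind a stale lock.
LOCK_RETRIES=60

# Print a diagnostic on stderr and exit with status 1.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#
# Private scratch directory instead of predictable /tmp/.ftp* names, so no
# other local user can pre-create or symlink the files we write to.
# The EXIT trap removes it on every exit path (including die).
#
TMP=$(mktemp -d "${TMPDIR:-/tmp}/ftpquota.XXXXXX") || die "cannot create scratch directory"
trap 'rm -rf -- "$TMP"' EXIT

#
# Get lock on netperm-table.  The lock stays a regular file (other tools
# may test for it), but it is now created atomically: under "set -C"
# (noclobber) the redirection fails if the file already exists, so two
# concurrent runs can no longer both pass a "test -f; touch" race.
#
LOCK="$NETPERM.lock"
tries=0
until ( set -C; : > "$LOCK" ) 2>/dev/null; do
  tries=$((tries + 1))
  [ "$tries" -lt "$LOCK_RETRIES" ] || die "giving up waiting for $LOCK"
  sleep 10
done
# From here on we own the lock: release it together with the scratch dir.
trap 'rm -rf -- "$TMP"; rm -f -- "$LOCK"' EXIT

#
# Get sizelimit value.  An empty or non-numeric value must abort: the
# original pipeline would silently compute a zero quota and deny every
# destination seen in the log.
#
SIZELIMIT=$(awk '$1 == "ftp-gw:" && $2 == "sizelimit" { print $3; exit }' "$NETPERM")
case "$SIZELIMIT" in
  '' | *[!0-9]*) die "no numeric 'ftp-gw: sizelimit' entry in $NETPERM" ;;
esac

#
# Check FTP logs: if more than QUOTA_FACTOR x sizelimit bytes were sent to a
# particular remote host, list that remote host in $TMP/denied.
# grep -F: the prefix is a literal string, the dots are not wildcards.
#
/usr/local/etc/gm "ftp-gw" | grep -F -- "$LOCALNET" > "$TMP/log"

awk -v sizelimit="$SIZELIMIT" -v factor="$QUOTA_FACTOR" '
  BEGIN { maxday = sizelimit * factor }
  # "... ftp-gw[<pid>]: permit host=... connect to <dest>":
  # remember the destination per proxy pid ("ftp-gw[8690]:" -> "8690").
  # A pid may be reused during the day; the latest connect wins.
  $8 == "connect" {
    pid = substr($5, 8, length($5) - 9)
    destpid[pid] = $10
  }
  # "... ftp-gw[<pid>]: exit host=... cmds=.. in=.. out=<bytes> ...":
  # credit the bytes to the remembered destination, working hours only
  # (the hour is taken from the exit line).  Exits with no matching
  # connect are skipped; the original credited them to an empty host
  # name, which ended up as a bogus "!" entry in the directive.
  $6 == "exit" {
    pid = substr($5, 8, length($5) - 9)
    hour = int(substr($3, 1, 2))
    if (hour >= 8 && hour < 18 && (pid in destpid)) {
      outoct = substr($10, 5, length($10) - 4)
      cumul[destpid[pid]] += outoct
    }
  }
  END {
    for (d in cumul)
      if (cumul[d] > maxday) print d
  }
' "$TMP/log" > "$TMP/denied"

#
# Nothing to do if no new host is to be denied (netperm-table unmodified).
#
if [ -s "$TMP/denied" ]; then
  #
  # Split the netperm-table file into 2 parts (netperm1, netperm2) around
  # the "CUT HERE -BEG-" marker, and forget the previously generated deny
  # directive if present so that repeated runs do not accumulate duplicates.
  # Both parts are pre-created so the cat below never sees a missing file.
  #
  : > "$TMP/netperm1"
  : > "$TMP/netperm2"
  awk -v part1="$TMP/netperm1" -v part2="$TMP/netperm2" -v net="$LOCALNET" '
    BEGIN { stop = 0 }
    $2 == "CUT" && $3 == "HERE" && $4 == "-BEG-" { print > part1; stop = 1; next }
    $2 == "CUT" && $3 == "HERE" && $4 == "-END-" { stop = 2 }
    # Inside the marked region drop a directive of the exact form this
    # script generates; anything else between the markers is kept.
    stop == 1 && $1 == "ftp-gw:" && $2 == "hosts" && $3 == net ".*.*" && $4 == "-dest" { next }
    { if (stop) print > part2; else print > part1 }
  ' "$NETPERM"

  #
  # List new hosts for the daily report and for directive construction.
  # Warning: set the same denied host only once (sort -u).
  #
  cat "$TMP/denied" >> "$STOPFTPLIST"
  sort -u "$STOPFTPLIST" > "$TMP/deniedu"
  cp "$TMP/deniedu" "$STOPFTPLIST"

  #
  # Build the deny directive.  A destination is whatever the client asked
  # the proxy to connect to, copied from the log; only plain host names /
  # addresses are accepted so that an odd string cannot break the rule
  # syntax of netperm-table.  Rejected entries are reported on stderr.
  #
  awk -v net="$LOCALNET" '
    BEGIN { printf("ftp-gw: hosts %s.*.* -dest { ", net) }
    $1 !~ /^[A-Za-z0-9._-]+$/ {
      printf("skipping unsafe stopftp entry: %s\n", $0) | "cat 1>&2"
      next
    }
    { printf("!%s ", $1) }
    END { printf(" *.*.*.* }\n") }
  ' "$STOPFTPLIST" > "$TMP/directive"

  #
  # Warning: keep a clean version in netperm-table.clean (see health.sh).
  # Writing with ">" keeps the inode, owner and mode of netperm-table.
  #
  cat "$TMP/netperm1" "$TMP/netperm2" > "$NETPERM.clean"
  cat "$TMP/netperm1" "$TMP/directive" "$TMP/netperm2" > "$NETPERM"
fi

# Scratch files and the lock are removed by the EXIT trap.
exit 0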