Gecko [ touzafair.com ]

Name	Size	Permission
authorized_users.list	143 B	-rw-r-----
check-autobackup.sh	6.68 KB	-rwxr-xr-x
check-cagefs-status.sh	2.04 KB	-rwxr-xr-x
check-cpanel-update.sh	1.85 KB	-rwxr-xr-x
check-litespeed-version.sh	2.87 KB	-rwxr-xr-x
check-lscache-version.sh	3.84 KB	-rwxr-xr-x
check-mail-filter-avlb.sh	2.18 KB	-rwxr-xr-x
check-outmailip-rbl.py	3.99 KB	-rwxr-xr-x
check-rpmdb-integrity.sh	1.63 KB	-rwxr-xr-x
check-unexpected-systemd-servi...	8.07 KB	-rwxr-xr-x
check_backup.sh	6.35 KB	-rwxr-xr-x
check_cl_license	950 B	-rwxr-xr-x
check_cplicense.sh	268 B	-rwxr-xr-x
check_cpshell	949 B	-rwxr-xr-x
check_csf	3.72 KB	-rwxr-xr-x
check_cwaf.sh	2.44 KB	-rwxr-xr-x
check_execve_filter.list	370 B	-rw-r-----
check_execve_privileges.sh	2.51 KB	-rwxr-x---
check_eximq.sh	3.16 KB	-rwxr-xr-x
check_extra_accts.py	4.18 KB	-rwxr-xr-x
check_http_full_stack.conf	144 B	-rw-r--r--
check_http_full_stack.py	4.3 KB	-rwxr-xr-x
check_if_ips.py	4.15 KB	-rwxr-xr-x
check_if_ips_tcp.py	4.71 KB	-rwxr-xr-x
check_ip_update_log.sh	540 B	-rwxr-xr-x
check_ip_usage.py	6.67 KB	-rwxr-xr-x
check_kernelcare.sh	2.13 KB	-rwxr-xr-x
check_lfd_logs.conf	471 B	-rw-r--r--
check_logfiles.conf	595 B	-rw-r--r--
check_logfiles.pl	206.82 KB	-rwxr-xr-x
check_logfiles_innodbcounter.c...	1002 B	-rw-r--r--
check_mailip.py	3.83 KB	-rwxr-xr-x
check_mem.pl	12.85 KB	-rwxr-xr-x
check_mysqld_msize.sh	666 B	-rwxr-xr-x
check_nc_cp_backup_process.sh	8.75 KB	-rwxr-xr-x
check_ncsslplugin.py	1.89 KB	-rwxr-xr-x
check_ntp_client	11.78 KB	-rwxr-xr-x
check_openport.sh	7.59 KB	-rwxr-xr-x
check_pem_worker.pl	929 B	-rwxr-xr-x
check_pgactivity	294.21 KB	-rwxr-xr-x
check_plans.py	7.59 KB	-rwxr-xr-x
check_puppet	16.14 KB	-rwxr-xr-x
check_quota_on.sh	902 B	-rwxr-xr-x
check_ro_fs.py	3.43 KB	-rwxr-xr-x
check_service.sh	9.34 KB	-rwxr-xr-x
check_software_updates	31.68 KB	-rwxr-xr-x
check_spamd	6.7 KB	-rwxr-xr-x
check_stalled_procs.py	4.42 KB	-rwxr-xr-x
check_suid_status.sh	295 B	-rwxr-xr-x
check_suspicious_files_status....	1.42 KB	-rwxr-xr-x
check_unauthorized_user.sh	17.16 KB	-rwxr-xr-x
replcheck_param.pl	5.48 KB	-rwxr-xr-x
systemd_scopes_whitelist	10 B	-rw-r--r--
systemd_services_folders	70 B	-rw-r--r--
systemd_services_whitelist	6.67 KB	-rw-r-----
systemd_targets_whitelist	12 B	-rw-r--r--
test.eml	3.26 KB	-rwxr-xr-x

Code Editor : check_openport.sh

#!/bin/bash
################################
# check iptables for open port #
#                              #
# Created by Bogdan Kukharskiy #
#          Namecheap           #
################################
# This script is for testing IPTABLES if the specified port is open (with the possibility to exclude users)
#
# Usage: "check_openport.sh [-x eXclude users(can be as a list separated by ',')] -p Port to check"
#
# Returns the Nagios native status codes:
# Nagios Status
#  0 = OK (Specified port is NOT open or opened only for users from excluded list)
#  1 = WARNING NO Warning states 
#  2 = CRITICAL (Specified port is OPENED, additionally shows users list OR specified port is not closed globally)
#  3 = UNKNOWN (Wrong usage)
#
# Speed optimized version

# Declaring arrays
DEFAULT_EXCLUDE_ARRAY=('root' 'cpanel' 'mailman' 'mailnull')
EXCLUDE_ARRAY=()
PORTS_ARRAY=()
OPEN_PORTS=()
UNPRIV_PORTS=()

## USAGE MESSAGE
usage() {
cat << EOF
usage: $0 options

This script is for testing IPTABLES if the specified port(s) is(are) open (with the possibility to exclude users).
Default excluded users:  ${DEFAULT_EXCLUDE_ARRAY[@]}
OPTIONS:
   -h Show this message
   -x eXclude users (optional, string (can be as a list separated by ',')
   -p Ports to check, integer number (can be as a list separated by ','), mandatory parameter

EOF
}

# Generate a mapping of UID to username
declare -A UID_TO_USERNAME
while IFS=: read -r uid username; do
    UID_TO_USERNAME["$uid"]="$username"
done < <(getent passwd)

if [[ ${IS_ACCEPT} -eq 1 ]]; then
        return 5
    fi

# let's check if the requested port is closed totally (in REJECTED dest)
    for REJECTSTR in "${REJECTSTR_ARRAY[@]}"; do
        #PORTSTR=$(echo "$REJECTSTR" | awk '{split($0,array,"--dports|--dport")} END{print array[2]}' | awk '{print$1}')
        IFS=' ' read -ra rarray <<< "${REJECTSTR}" unset IFS
        array_index=0
        PORTSTR=""
        for a in "${rarray[@]}"; do
            if [[ ${a} =~ "--dport" ]]; then
                PORTSTR=${rarray[array_index+1]}
                break
            else
                array_index=$((array_index+1))
            fi
        done
        if [[ ${PORTSTR} == *":"* ]]; then   #result contains ":" what means we have to check the range of ports
            RANGESTART=$(echo "${REJECTSTR}" | cut -d":" -f1)
            RANGEEND=$(echo "${REJECTSTR}" | cut -d":" -f2)
            if ((PORT >= RANGESTART && PORT <= RANGEEND)); then
                #OK, the port is blocked globally (at least in the REJECTed range ${REJECTSTR})
                return 0
            fi;
        elif [[ ${PORTSTR}  =~ ${RX} ]]; then
                #OK, the port is blocked globally (at least in the REJECTed array ${RESULTSTR})
            return 0
        fi
    done

return 1
}

## FETCH ARGUMENTS
while getopts ":hx:p:" OPTION; do
        case "${OPTION}" in
                h)
                        usage
                        exit 3
                        ;;
                x)
                        IFS=, read -r -a EXCLUDE_ARRAY <<< "$OPTARG" unset IFS
                        ;;
                p)
                        IFS=, read -r -a PORTS_ARRAY <<< "$OPTARG" unset IFS
                        ;;
                ?)
                        usage
                        exit 3
                        ;;
                *)      echo "No reasonable options found!"
                        exit 3
                        ;;
        esac
done

## CHECK ARGUMENTS
if ! [[ ${#PORTS_ARRAY[@]} -eq 0 ]]; then
    for PORT in "${PORTS_ARRAY[@]}"; do
        if [ -z "${PORT}" ] || ! [[ ${PORT} =~ ^[0-9]+$ ]] ; then
                usage
                exit 3
        fi
    done
else
    usage
    exit 3
fi

## MAIN ROUTINE

EXCLUDE_ARRAY=("${DEFAULT_EXCLUDE_ARRAY[@]}" "${EXCLUDE_ARRAY[@]}") #combine default exclude array with readed
IPTABLES_OUTPUT=$(iptables -S)

RESULTSTR=$(echo "${IPTABLES_OUTPUT}" |grep -i "\-j REJECT")
if [ -z "${RESULTSTR}" ]; then
        echo "No REJECTs were found in IPTABLES"
        exit 2
fi

RESULTSTR=$(echo "${IPTABLES_OUTPUT}" |grep -i "\-j ACCEPT")
if [ -z "${RESULTSTR}" ]; then
        echo "No ACCEPTs were found in IPTABLES"
        exit 2
fi

REJECTSTR_ARRAY=()
ACCSTR_ARRAY=()

# Loop through the iptables output and filter relevant rules
while read -r line; do
    if [[ $line == *"-j REJECT"* && $line == *"dport"* ]]; then
        REJECTSTR_ARRAY+=("$line")
    elif [[ $line == *"-j ACCEPT"* && $line == *"dport"* ]]; then
        ACCSTR_ARRAY+=("$line")
    fi
done <<< "${IPTABLES_OUTPUT}"

if [[ ${#REJECTSTR_ARRAY[@]} -eq 0 ]]; then
        echo "No destination ports in REJECTs were found in IPTABLES"
        exit 2
elif [[ ${#ACCSTR_ARRAY[@]} -eq 0 ]]; then
    echo "No destination ports in ACCEPTs were found in IPTABLES"
    exit 2
fi

UNPRIV_DATA="CRITICAL! Unprivileged users with opened: "
for PORT in "${PORTS_ARRAY[@]}"; do
    ALLOWED_ARRAY=()
    RX="^${PORT}$|^${PORT},|,${PORT}$|,${PORT},"
    check_open_ports "${PORT}"
    RESULT=$?
    if [[ "${RESULT}" -eq 1 ]]; then
        OPEN_PORTS+=("${PORT}")
    elif [[ "${RESULT}" -eq 5 ]]; then
        UNPRIV_PORTS+=("${PORT}")
        USERS=$(echo "${ALLOWED_ARRAY[@]}" | tr ' ' ,)
        UNPRIV_DATA+="port: ${PORT} - ${USERS}. "
        unset ALLOWED_ARRAY
    fi
done

if ! [[ "${#UNPRIV_PORTS[@]}" -eq 0 ]]; then
        echo "${UNPRIV_DATA}"
        exit 2
elif ! [[ ${#OPEN_PORTS[@]} -eq 0 ]]; then   #some ports are not blocked globally (not in any of REJECTs)
        echo "CRITICAL! Ports ${OPEN_PORTS[*]} are NOT blocked globally (not in any of REJECTs)"
        exit 2
else            #there are no common users who have specified port opened and port is blocked globally
        echo "OK! Ports ${PORTS_ARRAY[*]} are closed globally and opened only for privileged users:"
        echo "${EXCLUDE_ARRAY[@]}"
        exit 0
fi

${this.title}

Code Editor : check_openport.sh