Created
December 9, 2015 13:05
Gist Dih5/ed189c3d445d7d8b91cb
Script to whitelist hosts in hosts.allow using the feed of a gmail account
#!/bin/bash
# Script to whitelist hosts for remote access using gmail's https atom feed.
# Update the vars defined below, then `chown root:root` and `chmod 700` this file, since the password is stored in clear text.
# Use cron to run it periodically.
#
# To add a host to the whitelist send an email to the GMAILUSER account with a subject like: "allow 13.13.13.13" (without quotes) from any of the accounts in ALLOWED.
# To remove a host from the whitelist read or delete the corresponding email. Note the feed shows only unread mail in the inbox.
#
# The script works by updating hosts.allow. It checks the feed for mails like those described above.
# The whitelist is stored in hosts.allow between 2 markers (START FEEDSCRIPT, END FEEDSCRIPT), which should not be removed.
# Other entries in hosts.allow will not be affected.
#
# Caveats:
# - The sender is taken from the mail's From header, which anybody can forge; only the provider's spam/DMARC filtering stands
#   between a forged "allow" mail and a new hosts.allow entry. Keep ALLOWTOKEN as narrow as possible (e.g. sshd) and keep
#   "ALL: ALL" in hosts.deny, so that this whitelist is the only thing that opens the service.
# - The feed is fetched with HTTP basic auth; with a Google account an app password is normally needed instead of the account password.
# - If the feed cannot be fetched the script exits without touching hosts.allow: a network error must not empty the whitelist.
#
# Acknowledgement: This script is heavily based on the one posted by silvik in:
# https://bbs.archlinux.org/viewtopic.php?id=114828

#The account used to administrate the list
GMAILUSER=""
GMAILPASSWD=""
#Accounts that are allowed to change the file using this script, separated by "|".
ALLOWED="$GMAILUSER@gmail.com|anotherUser@gmail.com"
#Token of the daemon to be allowed (e.g., sshd or ALL)
ALLOWTOKEN="ALL"
#pattern matching valid IPs (only IPv4 here)
IPPATTERN="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
#path to the hosts.allow file
FILE="/etc/hosts.allow"

set -o pipefail

#escape the dots in ALLOWED so they match literally in the regex below
ALLOWED_RE=$(printf '%s' "$ALLOWED" | sed 's/\./\\./g')

#fetch the feed first and abort if that fails; the credentials go to curl through a config on stdin
#rather than on the command line, where every local user could read them from `ps`
FEED=$(curl --silent --show-error --fail --config - "https://mail.google.com/mail/feed/atom" \
       <<<"user = \"$GMAILUSER:$GMAILPASSWD\"") || { echo "$0: could not fetch the feed, hosts.allow left untouched" >&2; exit 1; }

#build the new file next to hosts.allow and swap it in with one rename, so a reader never sees a half-written file
TMP=$(mktemp "$FILE.XXXXXX") || exit 1
trap 'rm -f "$TMP"' EXIT

#copy everything except the old whitelist
perl -ne 'print unless(/START FEEDSCRIPT/../END FEEDSCRIPT/)' "$FILE" > "$TMP"
{
    echo "#START FEEDSCRIPT"
    echo "#IPs allowed by the gmail feed script"
    echo "#Do not remove these markers"
    #one line per entry, reduced to "sender - subject"; keep only subjects that are exactly "allow <IPv4>"
    #(lowercase "allow") from a sender in ALLOWED, and rewrite them as hosts.allow rules.
    #A single anchored sed replaces the old grep/cut/sed chain, which broke on senders containing "-"
    #and wrote the raw subject into hosts.allow when "allow" was not lowercase.
    printf '%s' "$FEED" | tr -d '\n' | \
    awk -F '<entry>' '{for (i=2; i<=NF; i++) {print $i}}' | \
    sed -n "s/<title>\(.*\)<\/title.*email>\(.*\)<\/email>.*/\2 - \1/p" | \
    sed -n -E "s/^($ALLOWED_RE) - allow ($IPPATTERN)$/$ALLOWTOKEN : \2/p"
    echo "#END FEEDSCRIPT"
} >> "$TMP"
chmod 644 "$TMP"
mv "$TMP" "$FILE"
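The two text-processing steps of the gist, the feed-entry filter and the replacement of the block between the markers, as an added example that is not part of the gist: it runs offline over a constructed atom feed and a constructed hosts.allow, so the accept and reject cases (unlisted sender, out-of-range octet, trailing text in the subject) can be seen. The senders, addresses and feed text are made up, and awk stands in for the gist's perl one-liner so the example does not need perl.

```shell
#!/bin/sh
# Added example, not part of the gist: the gist's two text-processing steps
# (feed entry -> hosts.allow rule, and replacing the block between the markers)
# run offline over constructed input. Senders, IPs and the feed text are made up;
# awk stands in for the gist's perl one-liner so this runs without perl.

ALLOWED='admin@gmail.com|bob@example.org'   # hypothetical senders
ALLOWTOKEN='sshd'
IPPATTERN='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'

# Constructed feed in the shape of Gmail's atom feed, one <entry> per unread mail:
#  1. listed sender, subject exactly "allow <ip>"                    -> becomes a rule
#  2. unlisted sender (e.g. a forged From the provider let through)  -> dropped
#  3. listed sender, octet 300 is out of range                       -> dropped
#  4. listed sender, extra text after the address                    -> dropped
FEED='<?xml version="1.0" encoding="UTF-8"?>
<feed version="0.3" xmlns="http://purl.org/atom/ns#">
<title>Gmail - Inbox for admin@gmail.com</title>
<entry><title>allow 203.0.113.7</title><summary>home</summary><author><name>Admin</name><email>admin@gmail.com</email></author></entry>
<entry><title>allow 198.51.100.9</title><summary></summary><author><name>Mallory</name><email>mallory@example.net</email></author></entry>
<entry><title>allow 10.0.0.300</title><summary></summary><author><name>Bob</name><email>bob@example.org</email></author></entry>
<entry><title>allow 192.0.2.1 and 192.0.2.2</title><summary></summary><author><name>Bob</name><email>bob@example.org</email></author></entry>
</feed>'

# Constructed hosts.allow holding a stale whitelist between the markers.
OLD_HOSTS_ALLOW='sshd : 192.0.2.50
#START FEEDSCRIPT
#IPs allowed by the gmail feed script
#Do not remove these markers
ALL : 198.51.100.1
#END FEEDSCRIPT
ALL : LOCAL'

# feed on stdin -> hosts.allow rules on stdout (the gist's pipeline, with the
# sender/subject check done by one anchored sed expression)
feed_to_rules() {
    allowed_re=$(printf '%s' "$ALLOWED" | sed 's/\./\\./g')   # match dots literally
    tr -d '\n' |
    awk -F '<entry>' '{for (i = 2; i <= NF; i++) print $i}' |
    sed -n 's/<title>\(.*\)<\/title.*email>\(.*\)<\/email>.*/\2 - \1/p' |
    sed -n -E "s/^($allowed_re) - allow ($IPPATTERN)$/$ALLOWTOKEN : \2/p"
}

# old hosts.allow on stdin, new rules in $1 -> new hosts.allow on stdout.
# Everything outside the markers is kept; the marked block is dropped and
# re-appended at the end with the fresh rules, as the gist does.
rebuild_hosts_allow() {
    awk '/START FEEDSCRIPT/ {skip = 1}; !skip {print}; /END FEEDSCRIPT/ {skip = 0}'
    printf '#START FEEDSCRIPT\n#IPs allowed by the gmail feed script\n#Do not remove these markers\n'
    if [ -n "$1" ]; then printf '%s\n' "$1"; fi
    printf '#END FEEDSCRIPT\n'
}

RULES=$(printf '%s' "$FEED" | feed_to_rules)
NEW_HOSTS_ALLOW=$(printf '%s\n' "$OLD_HOSTS_ALLOW" | rebuild_hosts_allow "$RULES")
printf '%s\n' "$NEW_HOSTS_ALLOW"
```

Of the four constructed mails only the first survives the filter, so the printed file ends with a block containing the single rule `sshd : 203.0.113.7`; the stale `ALL : 198.51.100.1` is gone and the two rules outside the markers are untouched. The second mail is the case to keep in mind: the filter only checks the address in the From header, so a forged mail that the provider does not reject looks exactly like a legitimate one.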