====== authfilter ======
===== installation =====
==== @ dns ====
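# Server side: generate a TSIG secret for one client, register it in the
# "update-ssh-rbl" ACL of named.conf and print the two commands the client
# must run to install its copy of the key.
# Requires dnssec-keygen, rndc, rcsdiff and the local 'vo' RCS check-out/in helper.
KEYUSER=wiki.fischglas.de
# Not called TMPDIR on purpose: that name is the environment variable mktemp
# and many other tools consult, and assigning it here could redirect them.
keydir=$( mktemp -d /tmp/dnssec-keygen-XXXXXXXXXX ) || exit 1
KEY=$(
  # Subshell: the cd stays confined here, the key files never leave $keydir.
  cd "$keydir" || exit 1
  KN=$( dnssec-keygen -a HMAC-SHA512 -b 512 -n USER "$KEYUSER-ddns" ) || exit 1
  # The .private file carries the shared secret on its "Key:" line.
  awk '/^Key: / { print $2}' "$KN.private"
  rm -f -- "$KN.private" "$KN.key"
)
rmdir "$keydir"
# An empty secret must never reach named.conf (mktemp/dnssec-keygen failed, or
# this BIND no longer generates HMAC keys with dnssec-keygen - newer releases
# moved that to tsig-keygen).
: "${KEY:?no key material generated}"
# NOTE(review): the key file is created with the current umask; named has to
# be able to read it, so set owner/mode to what this host's bind expects.
cat << EOF > "/etc/bind/k.ssh-rbl.$KEYUSER"
key "k.ssh-rbl.$KEYUSER" {
algorithm hmac-sha512;
secret "$KEY";
};
EOF
vo -o /etc/bind/named.conf
# Insert the key reference just before the closing brace of the update ACL.
sed -i '/^acl "update-ssh-rbl"/,/^};/{
/^}/i\\tkey k.ssh-rbl.'"$KEYUSER"';
}' /etc/bind/named.conf
rcsdiff -u /etc/bind/named.conf
vo -i /etc/bind/named.conf
# Follow the daemon log while named reconfigures so a rejected config is seen.
tail -n0 -f /var/log/daemon.log & TAILPID=$!
rndc reconfig
sleep 10
kill "$TAILPID"
# umask 077 closes the window in which the key file would exist with the
# default mode before the chmod runs.
cat << EOF
# on '$KEYUSER' run:
( umask 077; echo "k.ssh-rbl.$KEYUSER $KEY" > /etc/authfilter.key )
chmod 600 /etc/authfilter.key
EOF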
==== @ client ====
Copy the k.ssh-rbl.* key into /etc/authfilter.key with the commands
printed at the end of the DNS step above.
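# Client side: install authfilter, feed it the auth/authpriv syslog stream
# through a FIFO and keep it running from inittab.
# UNIX::Syslog.pm
apt-get install libunix-syslog-perl && apt-get clean
# NOTE(review): plain-HTTP download of a program that inittab runs as root.
# Check whether the site serves it over TLS and, if a checksum is published,
# compare it before installing. Stop here if the download fails so a broken
# or empty file is not made executable.
wget http://www.fischglas.de/software -O /usr/local/bin/authfilter || exit 1
chmod 755 /usr/local/bin/authfilter
# Named pipe rsyslog writes into; keep it if an earlier run created it.
[ -p /dev/authfilter ] || mkfifo -m 640 /dev/authfilter
if [ -d /etc/rsyslog.d ]; then
  touch /etc/rsyslog.d/authfilter.conf
  mkdir -p /etc/rsyslog.d/RCS
  vo -o /etc/rsyslog.d/authfilter.conf
  # printf instead of 'echo -e': the tab escape is portable this way, and the
  # grep guard keeps a re-run from appending the rule twice.
  grep -q '/dev/authfilter' /etc/rsyslog.d/authfilter.conf ||
    printf 'auth,authpriv.*\t|/dev/authfilter\n' >> /etc/rsyslog.d/authfilter.conf
  vo -i /etc/rsyslog.d/authfilter.conf
  /etc/init.d/rsyslog restart
fi
mkdir -p /etc/RCS
vo -o /etc/inittab
# Respawn authfilter on the FIFO; do not duplicate the entry on a re-run.
grep -q '^AF:' /etc/inittab ||
  echo "AF:23:respawn:/usr/local/bin/authfilter /dev/authfilter" >> /etc/inittab
vo -i /etc/inittab
#kill -1 1
telinit q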