check_smb_idle.sh integrated
parent
e5a36943ce
commit
4930d1d3fe
|
@ -0,0 +1 @@
|
||||||
|
* * * * * root /usr/lib/cryptobox/check_smb_idle.sh
|
|
@ -22,6 +22,7 @@ MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
|
||||||
LOG_FILE=/var/log/cryptobox.log
|
LOG_FILE=/var/log/cryptobox.log
|
||||||
CERT_FILE=/mnt/cb-etc/stunnel.pem
|
CERT_FILE=/mnt/cb-etc/stunnel.pem
|
||||||
OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
|
OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
|
||||||
|
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
|
||||||
|
|
||||||
# crypto settings
|
# crypto settings
|
||||||
HASH=sha512
|
HASH=sha512
|
||||||
|
|
|
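Review bot: `IDLE_COUNTER_FILE=/tmp/cbox-idle-counter` places a file that check_smb_idle.sh overwrites and reads back as root under a fixed name in a world-writable directory, so any local user can create it first, as a symlink that the script's `>"$IDLE_COUNTER_FILE"` redirections then truncate, or with chosen content that steers the idle counter (0 keeps the crypto partition mounted, a large value forces an unmount). A path only root can write, e.g. `IDLE_COUNTER_FILE=/var/run/cryptobox/idle-counter`, removes that exposure, provided the script or an init step creates the directory; whether /var/run is appropriate on this system cannot be told from the diff, but a location cleared at boot suits a counter that is meant to start from 0 anyway. Whatever the path, the script side should also refuse non-numeric content rather than evaluate it.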
@ -19,7 +19,7 @@ CERT_TEMP=/tmp/stunnel.pem
|
||||||
|
|
||||||
#####
|
#####
|
||||||
|
|
||||||
log_msg()
|
function log_msg()
|
||||||
{
|
{
|
||||||
# the log file is not writable during boot - try before writing ...
|
# the log file is not writable during boot - try before writing ...
|
||||||
[ -w "$LOG_FILE" ] || return 0
|
[ -w "$LOG_FILE" ] || return 0
|
||||||
|
|
|
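Review bot: `function log_msg()` replaces the portable definition form with a bash-only keyword; check_smb_idle.sh in this same commit runs under `#!/bin/sh`, and if this file does too (its shebang is outside the hunk), the definition fails on systems where /bin/sh is dash or another POSIX shell. The original `log_msg()` works everywhere, so I would keep it: `log_msg()`. The function body continues past the end of the hunk.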
@ -1,22 +1,21 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# a simple script to check, if there was smb traffic since the last test
|
# a simple script to check, if there was no smb traffic for the specified
|
||||||
|
# number of minutes - then it unmounts the crypto partition
|
||||||
#
|
#
|
||||||
# you may want to adjust the function "filter_ipt_rules" according to your setup
|
# you may want to adjust the function "filter_ipt_rules" according to
|
||||||
|
# your setup
|
||||||
#
|
#
|
||||||
# any Parameter are ignored
|
# any Parameter are ignored
|
||||||
#
|
#
|
||||||
# this script has to run as root - as it invokes iptables
|
# this script has to run as root - as it invokes iptables
|
||||||
#
|
#
|
||||||
# possible deployment in crontab:
|
# the iptables rules to detect smb traffic could look like the following:
|
||||||
# smb_timeout.sh && (/etc/init.d/samba stop; umount /mnt/crypto)
|
|
||||||
#
|
|
||||||
# the iptables rules you need to detect smb traffic could look like the following:
|
|
||||||
# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
|
# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
|
||||||
# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
|
# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
|
||||||
#
|
#
|
||||||
# called by:
|
# called by:
|
||||||
# - TODO: this script is not in use, yet
|
# - cron (/etc/cron.d/cryptobox
|
||||||
#
|
#
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
@ -25,6 +24,8 @@ set -eu
|
||||||
. /etc/cryptobox/cryptobox.conf
|
. /etc/cryptobox/cryptobox.conf
|
||||||
|
|
||||||
|
|
||||||
|
############# some functions ##################
|
||||||
|
|
||||||
filter_ipt_rules()
|
filter_ipt_rules()
|
||||||
# get the input rules for smb datagram traffic
|
# get the input rules for smb datagram traffic
|
||||||
{
|
{
|
||||||
|
@ -46,9 +47,28 @@ function count_traffic()
|
||||||
iptables -Z INPUT
|
iptables -Z INPUT
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
################### main ######################
|
||||||
|
|
||||||
|
# break, if crypto partition is not mounted
|
||||||
|
"$CB_SCRIPT" is_crypto_mounted || exit 0
|
||||||
|
|
||||||
|
# break, if idle timer is turned off
|
||||||
|
MAX_IDLE_COUNTER=$("$CB_SCRIPT" get_config timeout)
|
||||||
|
[ "$MAX_IDLE_COUNTER" -eq 0 ] && exit 0
|
||||||
|
|
||||||
# config test
|
# config test
|
||||||
[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >&2 && exit 1
|
[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >>"$LOG_FILE" && exit 1
|
||||||
|
|
||||||
|
# init idle_counter file, if it does not exist
|
||||||
|
[ ! -e "$IDLE_COUNTER_FILE" ] && echo "0" >"$IDLE_COUNTER_FILE"
|
||||||
|
|
||||||
# return true if it was idle
|
# return true if it was idle
|
||||||
test "`count_traffic`" -eq 0
|
if [ "$(count_traffic)" -eq 0 ]
|
||||||
exit $?
|
then echo "$(( $(<$IDLE_COUNTER_FILE) +1))"
|
||||||
|
else echo 0
|
||||||
|
fi >"$IDLE_COUNTER_FILE"
|
||||||
|
|
||||||
|
# unmount crypto partition, if the threshold was reached
|
||||||
|
[ "$(<$IDLE_COUNTER_FILE)" -ge "$MAX_IDLE_COUNTER" ] && \
|
||||||
|
"$CB_SCRIPT" crypto-umount >>"$LOG_FILE" 2>&1
|
||||||
|
|
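Review bot: `then echo "$(( $(<$IDLE_COUNTER_FILE) +1))"` feeds the raw content of the counter file into bash arithmetic evaluation with no validation, and since the conf hunk puts that file in /tmp, a local user who seeds it with something like `a[$(cmd)]` gets that command executed as root by the every-minute cron job; the same file is truncated through `>"$IDLE_COUNTER_FILE"` on the init and update lines, which follows symlinks. The script also keeps `#!/bin/sh` while depending on `$(<file)` and `function` (visible in the hunk header), which only work when /bin/sh is bash. A smaller logic problem in the same hunk is the config test, `[ -z ... ] && echo ... >>"$LOG_FILE" && exit 1`: if the log file is not writable the echo fails and the `exit 1` is skipped, so the script carries on without a usable rule. I would read the file with cat, accept only digits, keep the value in a variable for both the update and the threshold check, and turn the config test into an `if`; moving the file out of /tmp (a cryptobox.conf change) is still needed to stop the symlink truncation.
```sh
# … unchanged: mount check and timeout lookup …

if [ -z "$(filter_ipt_rules)" ]; then
  echo "[$(basename "$0")]: Could not find a matching iptables rule!" >>"$LOG_FILE"
  exit 1
fi

# read the counter back and accept only a plain non-negative integer;
# a missing or tampered file restarts the count instead of being evaluated
idle=$(cat -- "$IDLE_COUNTER_FILE" 2>/dev/null || echo 0)
case "$idle" in
  ''|*[!0-9]*) idle=0 ;;
esac

if [ "$(count_traffic)" -eq 0 ]; then
  idle=$((idle + 1))
else
  idle=0
fi
echo "$idle" >"$IDLE_COUNTER_FILE"

# unmount crypto partition, if the threshold was reached
if [ "$idle" -ge "$MAX_IDLE_COUNTER" ]; then
  "$CB_SCRIPT" crypto-umount >>"$LOG_FILE" 2>&1
fi
```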