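#!/bin/sh
# Name:          cleanup.sh
# Author:        Dominic J. Eidson
# Last modified: Mon Nov 1 16:10:32 CST 1999
# Description:   This script is to run from at(1) and/or manually from the
#                commandline. It takes care of cleaning up the various
#                files that get touched by attack.sh, such as
#                /etc/rc.d/rc.firewall, /etc/hosts and at(1) jobs in
#                (/var/spool/at).
# Arguments:     -a for running from at(1), -h for help, $1 contains the
#                attacker IP.
#
# Revision notes:
#   - The address is validated (digits and dots only) before it reaches
#     iptables and grep. An empty argument used to make `grep -v ""` strip
#     every line out of rc.firewall and hosts.deny.
#   - The address is matched as a fixed string (grep -F), so its dots no
#     longer act as regex wildcards.
#   - A file is only rewritten when it exists and grep did not fail; the old
#     code replaced a missing file with an empty one.
#   - The getopt(1) status check was dead (`set --` always returns 0); the
#     getopts builtin is used instead.

set -u

# Init time
FROM_AT="no"   # Are we running from at(1)?
HELP="no"      # Was -h given?
IP=""          # Attacker address, set in main()

# Various locations
PORTSENTRY_DIR="/usr/local/psionic/portsentry"  # Directory portsentry lives in
AT_DIR="/var/spool/atjobs"                      # at(1) spool directory.
FWALL_SCR="/etc/rc.d/rc.firewall"               # rc.firewall script to clean
HOSTS_DENY="/etc/hosts.deny"                    # tcp_wrappers deny list

# Program locations
IPCHAINS="/usr/sbin/ipchains"   # not used below; kept for ipchains sites
IPTABLES="/usr/sbin/iptables"

PROG=${0##*/}

#######################################
# Print the one-line usage banner to stderr and exit 1.
# Globals:   PROG (read)
#######################################
usage() {
  echo "USAGE: ${PROG} [-a] [-h] ipaddress" >&2
  exit 1
}

#######################################
# Print the full help screen to stdout and exit 1 (same exit as before).
# Globals:   PROG, AT_DIR (read)
#######################################
help_screen() {
  cat << EOF
USAGE: ${PROG} [-a] [-h] ipaddress

Options:
  -h  This screen.
  -a  To be used when ran from at(1) - does not remove the files in ${AT_DIR}.

Copyright 1999, Dominic J. Eidson
EOF
  exit 1
}

#######################################
# Remove every line containing the attacker address from a file, in place.
# The match is a fixed-string substring match, as it was before: 10.0.0.1
# also removes a line holding 10.0.0.12.
# Globals:   IP, PROG (read)
# Arguments: $1 - file to rewrite
#            $2 - octal mode to chmod afterwards (optional; when omitted the
#                 rewritten file keeps mktemp's 0600 mode)
# Returns:   0 on success or when the file does not exist, 1 on failure
#######################################
strip_ip_from_file() {
  sf_file=$1
  sf_mode=${2:-}
  # A missing file is nothing to clean; do not create an empty one.
  [ -f "$sf_file" ] || return 0
  # Temp file lives next to the target so mv stays on one filesystem.
  sf_tmp=$(mktemp "${sf_file}.XXXXXX") || {
    echo "${PROG}: cannot create temp file for ${sf_file}" >&2
    return 1
  }
  # grep -v exits 1 when every line was filtered out, which is a legitimate
  # result here; only status 2 means grep itself failed.
  grep -F -v -- "$IP" "$sf_file" > "$sf_tmp"
  sf_rc=$?
  if [ "$sf_rc" -eq 2 ]; then
    rm -f -- "$sf_tmp"
    echo "${PROG}: grep failed on ${sf_file}, left untouched" >&2
    return 1
  fi
  mv -f -- "$sf_tmp" "$sf_file" || return 1
  if [ -n "$sf_mode" ]; then
    chmod "$sf_mode" "$sf_file"
  fi
  return 0
}

#######################################
# Entry point: parse options, validate the address, then undo the block.
# Globals:   FROM_AT, HELP, IP (written); IPTABLES, FWALL_SCR, HOSTS_DENY,
#            AT_DIR, PORTSENTRY_DIR (read)
# Arguments: "$@" - script arguments
#######################################
main() {
  while getopts 'ah' opt; do
    case "$opt" in
      a) FROM_AT="yes" ;;
      h) HELP="yes" ;;
      *) usage ;;
    esac
  done
  shift $((OPTIND - 1))

  [ "$HELP" = "yes" ] && help_screen

  # Do we have enough arguments?
  [ $# -ge 1 ] || usage

  IP=$1
  # The address becomes a grep pattern and an iptables argument, so accept
  # only a dotted IPv4 quad. An empty string would strip every line from the
  # files rewritten below.
  case "$IP" in
    '' | *[!0-9.]*)
      echo "${PROG}: '${IP}' is not an IPv4 address" >&2
      exit 1
      ;;
  esac

  # Remove firewall block
  # This is tricky, since I have a new table, "DROPANDLOG", which consists of
  # one logging rule, and one dropping rule. packets are sent to this from
  # the INPUT chain if they are bad bad people.
  # -D deletes one matching rule per call, so repeat until none is left in
  # case the same rule was inserted more than once.
  while "$IPTABLES" -D INPUT -j DROPANDLOG -s "$IP" 2> /dev/null; do
    :
  done
  # Uncomment below for "normal" behaviour
  # while "$IPTABLES" -D INPUT -j DROP -s "$IP" 2> /dev/null; do :; done

  # Remove from /etc/rc.d/rc.firewall
  # /etc/rc.d/rc.firewall is automatically created by attack.sh and is run
  # from rc.local upon startup to re-instate the firewall rules.
  strip_ip_from_file "$FWALL_SCR" 755

  # Remove from /etc/hosts.deny
  strip_ip_from_file "$HOSTS_DENY" 644

  # Now clean up at jobs - this only works if you can remove files from
  # $AT_DIR w/o having to worry. It also assumes that there's nothing else
  # in that directory matching $IP.
  if [ "$FROM_AT" = "no" ]; then
    for job in "$AT_DIR"/*; do
      [ -f "$job" ] || continue   # also skips the literal pattern on an empty dir
      if grep -q -F -- "$IP" "$job"; then
        rm -f -- "$job"
      fi
    done
  fi

  # portsentry's own block lists (portsentry.blocked.*p)
  for blocked in "$PORTSENTRY_DIR"/portsentry.blocked.*p; do
    [ -f "$blocked" ] || continue
    strip_ip_from_file "$blocked"
  done
}

main "$@"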