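#!/bin/bash
#
###########################################################################
#                                                                         #
# hosts2ipset   v0.0.1   Script to convert hosts.deny to ipset blacklists #
#                                                                         #
# This file is part of the sshsentry software package.                    #
#                                                                         #
# Copyright (C) 2012 Andreas Stempfhuber <andi@afulinux.de>               #
#                                                                         #
# This program is free software: you can redistribute it and/or modify    #
# it under the terms of the GNU General Public License as published by    #
# the Free Software Foundation, either version 3 of the License, or       #
# (at your option) any later version.                                     #
#                                                                         #
# This program is distributed in the hope that it will be useful,         #
# but WITHOUT ANY WARRANTY; without even the implied warranty of          #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
# GNU General Public License for more details.                            #
#                                                                         #
# You should have received a copy of the GNU General Public License       #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.   #
#                                                                         #
###########################################################################

# The conversion loop below relies on `read -a` (bash arrays) and `[[ =~ ]]`,
# so this script requires bash rather than a POSIX /bin/sh.
set -u

hosts=/etc/hosts.deny                       # hosts.deny file
sentry="(SENTRY|sshsentry|loginsentry)"     # ERE matching every sshsentry line
temporary="SENTRY.*expires"                 # ERE matching only temporary lines
blacklist_temporary=blacklist_temporary     # name of temporary ipset blacklist
blacklist_permanent=blacklist_permanent     # name of permanent ipset blacklist

# Locate the ipset command; nothing below can work without it.
ipset=$(command -v ipset) || exit 1

echo
if [ -e "$hosts.bak" ]; then
	echo "The backup file $hosts.bak already exists."
	echo "Delete or rename it and try again."
	echo
	exit 1
fi

# Fail early instead of aborting in the middle of the conversion loop.
if [ ! -r "$hosts" ]; then
	echo "Unable to read $hosts."
	echo
	exit 1
fi

echo "Creating IP sets"
sshsentry -r

nr=0              # current line number in $hosts, for error messages
retval=0          # number of entries that could not be added to an ipset
now=$(date +%s)   # expiry timestamps are compared against the script start
echo
while read -r -a line; do
	nr=$((nr+1))
	# Blank lines hold no fields; skip them before touching the array.
	[ "${#line[@]}" -gt 0 ] || continue
	# Only lines written by sshsentry are converted; everything else is kept.
	[[ "${line[*]}" =~ $sentry ]] || continue
	# Field 2 is the blacklisted address (taken from the line as-is).
	ip=${line[2]:-}
	if [ -z "$ip" ]; then
		echo "* Error in $hosts line $nr: No address found"
		retval=$((retval+1))
		continue
	fi
	if [[ ! "${line[*]}" =~ $temporary ]]; then
		# permanent
		echo "Adding $ip to $blacklist_permanent"
		if ! "$ipset" -A "$blacklist_permanent" "$ip"; then
			echo "* Error in $hosts line $nr: Unable to add $ip"
			retval=$((retval+1))
		fi
	else
		# temporary: field 5 is the expiry time as a UNIX timestamp.
		# Validate it so a malformed entry is reported instead of silently
		# dropped (and later deleted from $hosts without being converted).
		expires=${line[5]:-}
		if [[ ! "$expires" =~ ^[0-9]+$ ]]; then
			echo "* Error in $hosts line $nr: Invalid expiry time '$expires'"
			retval=$((retval+1))
			continue
		fi
		duration=$((expires-now))
		# Entries expiring within a minute are not worth adding.
		if [ "$duration" -gt 60 ]; then
			echo "Adding $ip to $blacklist_temporary (expires in $((duration/60)) minutes)"
			if ! "$ipset" -A "$blacklist_temporary" "$ip,$duration"; then
				echo "* Error in $hosts line $nr: Unable to add $ip"
				retval=$((retval+1))
			fi
		fi
	fi
done < "$hosts"

echo
echo "Calling sshsentry to save updated ipset session"
killall -USR1 sshsentry

echo
if [ "$retval" -ne 0 ]; then
	echo "Unable to convert $retval IP addresses, see errors above."
	echo "Please fix the issues manually and remove all sshsentry related"
	echo "lines from the $hosts file."
	echo
	exit 2
fi

echo "Removing entries from $hosts (backup available at $hosts.bak)"
# Never rewrite $hosts unless the backup was actually written: the
# redirection below truncates $hosts before grep reads the backup, so a
# failed cp would otherwise wipe the file.
if ! cp -p "$hosts" "$hosts.bak"; then
	echo "* Error: Unable to create backup $hosts.bak, $hosts left unchanged."
	echo
	exit 2
fi
grep -E -v "$sentry" "$hosts.bak" | grep -E -v "$temporary" > "$hosts"

echo
echo "$hosts have been successfully converted to ipset blacklists"
echo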

# vim:ts=4:sw=4:
