#!/bin/sh
#
###########################################################################
#                                                                         #
# ipset2hosts   v0.0.1   Script to convert ipset blacklists to hosts.deny #
#                                                                         #
# This file is part of the sshsentry software package.                    #
#                                                                         #
# Copyright (C) 2012 Andreas Stempfhuber <andi@afulinux.de>               #
#                                                                         #
# This program is free software: you can redistribute it and/or modify    #
# it under the terms of the GNU General Public License as published by    #
# the Free Software Foundation, either version 3 of the License, or       #
# (at your option) any later version.                                     #
#                                                                         #
# This program is distributed in the hope that it will be useful,         #
# but WITHOUT ANY WARRANTY; without even the implied warranty of          #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
# GNU General Public License for more details.                            #
#                                                                         #
# You should have received a copy of the GNU General Public License       #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.   #
#                                                                         #
###########################################################################

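# --- configuration -------------------------------------------------------
hosts=/etc/hosts.deny					# hosts.deny file that receives the converted entries
sentry=SENTRY							# marker string written into every generated hosts.deny line
# POSIX 'command -v' instead of the non-standard 'which'; abort at once when
# ipset is missing, since every later step needs it.
ipset=$(command -v ipset) || exit 1		# ipset command
blacklist_temporary=blacklist_temporary	# name of the temporary (expiring) ipset blacklist
blacklist_permanent=blacklist_permanent	# name of the permanent ipset blacklist
sshsentry_libdir=/var/lib/sshsentry		# sshsentry library directory holding the ipset session files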

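# --- pre-flight: refuse to overwrite an earlier run's backups --------------
# All three checks run before aborting, so every conflicting file is shown
# at once.  'ex' is initialised explicitly: it is only ever tested for
# non-emptiness below, and a value inherited from the environment must not
# abort the run silently.
ex=
printf '\n'
if [ -e "$hosts.bak" ]; then
	printf '%s\n' "The hosts.deny backup file $hosts.bak already exists."
	printf '%s\n' "Delete or rename it and try again."
	printf '\n'
	ex=1
fi
session_temporary="$sshsentry_libdir/ipset-$blacklist_temporary.dat"	# saved session of the temporary set
if [ -e "$session_temporary.bak" ]; then
	printf '%s\n' "The ipset session backup file"
	printf '%s\n' "$session_temporary.bak already exists."
	printf '%s\n' "Delete or rename it and try again."
	printf '\n'
	ex=1
fi
session_permanent="$sshsentry_libdir/ipset-$blacklist_permanent.dat"	# saved session of the permanent set
if [ -e "$session_permanent.bak" ]; then
	printf '%s\n' "The ipset session backup file"
	printf '%s\n' "$session_permanent.bak already exists."
	printf '%s\n' "Delete or rename it and try again."
	printf '\n'
	ex=1
fi
[ -n "$ex" ] && exit 1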

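# --- backups -------------------------------------------------------------
# Copy $1 to $1.bak, preserving attributes.  A failed copy aborts the run:
# the appends to hosts.deny further down could otherwise not be undone, and
# the session files are the only record of the sets about to be flushed.
backup_file() {
	cp -p -- "$1" "$1.bak" || {
		printf '%s\n' "Failed to back up $1 to $1.bak; aborting." >&2
		exit 1
	}
}

printf '%s\n' "Creating backup files"
backup_file "$hosts"
# The session files are optional; back them up only when present.
if [ -e "$session_temporary" ]; then
	backup_file "$session_temporary"
fi
if [ -e "$session_permanent" ]; then
	backup_file "$session_permanent"
fi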

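# --- permanent blacklist --------------------------------------------------
# Every member becomes an "ALL : <ip>" hosts.deny line.  Entries are written
# to hosts.deny *before* the kernel set is flushed, so a blocked host is never
# unblocked in between.  The grep keeps only lines made solely of digits and
# dots, so nothing else from the ipset listing can reach hosts.deny.
# 'grep -E' and 'read -r' replace the non-POSIX egrep and backslash-mangling
# read; the date is taken once, so all entries of one run share it.
printf '\n'
today=$(date +%Y-%m-%d)
"$ipset" -L "$blacklist_permanent" | grep -E '^[0-9.]+$' | while read -r ip; do
	printf '%s\n' "Adding $ip from $blacklist_permanent"
	printf "ALL : %-16s # %s permanently blocked (%s %s)\n" \
			"$ip" "$sentry" "$today" "${0##*/}" >> "$hosts"
done
"$ipset" -F "$blacklist_permanent"	# first flush it in case destroying fails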

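# --- temporary blacklist --------------------------------------------------
# The listing is expected to yield "<ip>,<seconds>" lines; the second field
# is read as the remaining block time.  Each member becomes a hosts.deny
# line that records the absolute expiry both as Unix time and human-readable.
# As above, hosts.deny is written before the set is flushed.
printf '\n'
now=$(date +%s)							# one reference time for the whole run
"$ipset" -L "$blacklist_temporary" | grep -E '^[0-9.,]+$' | while read -r line; do
	# Field split with parameter expansion (same result as cut -d , -f 1/2,
	# including the whole-line fallback when there is no comma).
	ip=${line%%,*}
	rest=${line#*,}
	duration=${rest%%,*}
	# A non-integer second field would abort the loop's subshell on the
	# arithmetic below, and the flush after the loop would then discard
	# members that were never written to hosts.deny.  Skip such lines instead.
	case $duration in
		''|*[!0-9]*)
			printf '%s\n' "Skipping unparsable $blacklist_temporary member: $line" >&2
			continue ;;
	esac
	minutes=$((duration / 60))
	unix_expires=$((now + duration))	# absolute expiry as Unix time
	# GNU date extension, like the -d parsing this script already relies on:
	# "@N" denotes Unix time N, rendered here in local time.
	date_expires=$(date -d "@$unix_expires" +"%Y-%m-%d %H.%M.%S")
	printf '%s\n' "Adding $ip from $blacklist_temporary (expires in $minutes minutes)"
	printf "ALL : %-16s # %s %s (expires %s)\n" \
			"$ip" "$sentry" "$unix_expires" "$date_expires" >> "$hosts"
done
"$ipset" -F "$blacklist_temporary"	# first flush it in case destroying fails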

# --- hand-over and teardown -----------------------------------------------
printf '\n'
printf '%s\n' "Calling sshsentry to save updated ipset session"
# The message above documents the expectation: sshsentry saves its ipset
# session on SIGUSR1.  Its exit status is not checked.
killall -USR1 sshsentry

printf '\n'
printf '%s\n' "Destroy IP sets (may fail if still in use)"
for setname in "$blacklist_permanent" "$blacklist_temporary"; do
	"$ipset" -X "$setname"
done

printf '\n'
# NOTE: printed unconditionally; failures of the steps above are not reflected here.
printf '%s\n' "IP sets have been successfully converted to $hosts"
printf '\n'

# vim:ts=4:sw=4:
