
shell script

Protect Your Network from spamming, scanning, harvesting and DDoS attacks with DROP List

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.

The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network's or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and DDoS attacks originating on rogue netblocks.

Shell script to apply DROP

Here is a shell script that you need to run on a Linux-based firewall, router, or dedicated Linux web / mail server:

echo ""
echo -n "Applying DROP list to existing firewall..."
[ -f $FILE ] && /bin/rm -f $FILE || :
cd /tmp
wget $URL
blocks=$(cat $FILE  | egrep -v '^;' | awk '{ print $1}')
iptables -N droplist
for ipblock in $blocks
 iptables -A droplist -s $ipblock -j LOG --log-prefix "DROP List Block"
 iptables -A droplist -s $ipblock -j DROP
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f $FILE

Call the above script from your existing firewall script every 24 hours to update the block list. Every time cron runs it, it will download the list and reapply the rules. You may need to modify the above script to delete the droplist chain before applying the list. Please note that if you are using Cisco routers, use this script for the same purpose. You can also use the Cisco 'null route' command:

ip route <network> <mask> null0

If you don't want to play with iptables, null route all bad IPs using the following route commands (Linux syntax):
# route add <IP> gw lo
# route add -net <IP/mask> gw lo

Try this and you will be surprised to see how much spam and other bad stuff can be blocked.
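Before feeding a downloaded list into iptables or a null route, it is worth parsing it strictly and being able to ask "is this source address inside a DROP netblock?" for log enrichment. The following is an added example, not part of the page's script: it parses the DROP text layout (';' comment lines, then a CIDR in the first column), discards anything that is not a well-formed IPv4 prefix, and tests an address against the parsed netblocks. The sample list is constructed from documentation ranges and is not real DROP data; the function names are my own.

```bash
#!/bin/bash
# Added example: parse the Spamhaus DROP text format and test whether an IPv4
# address lies inside any listed netblock (e.g. to flag "DROP-listed source"
# on firewall or mail log lines before anything is blocked or reported).

# Constructed sample in the DROP file layout. The netblocks are documentation
# ranges, not real DROP entries; the last line is deliberately malformed.
SAMPLE_DROP='; Spamhaus DROP List (constructed sample)
; Last-Modified: placeholder
192.0.2.0/24 ; SBL-EXAMPLE-1
198.51.100.0/25 ; SBL-EXAMPLE-2
203.0.113.0/24 ; SBL-EXAMPLE-3
not-a-cidr ; malformed line that must be skipped'

# drop_blocks : read a DROP list on stdin, print one validated IPv4 CIDR per
# line; comments, blank lines, bad octets and prefix lengths > 32 are dropped
drop_blocks() {
    awk '
      /^;/ || NF == 0 { next }
      {
        n = split($1, p, "/")
        if (n != 2 || p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++)
          if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        print $1
      }'
}

# ip4_to_int A.B.C.D : dotted quad to a 32-bit integer
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_droplist IP LIST : exit 0 if IP lies inside any CIDR in LIST (one per line)
in_droplist() {
    local ip="$1" list="$2" block net bits ipn netn mask
    ipn=$(ip4_to_int "$ip")
    for block in $list; do
        net=${block%/*}
        bits=${block#*/}
        netn=$(ip4_to_int "$net")
        mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
        [ $(( ipn & mask )) -eq $(( netn & mask )) ] && return 0
    done
    return 1
}

# Usage: blocks=$(drop_blocks < drop.txt); in_droplist "$src" "$blocks" && echo "listed"
```

Only the lines that survive drop_blocks should ever be passed to iptables or route; a list that has been tampered with in transit, or a garbled download, then cannot inject anything other than a syntactically valid prefix.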

SSH: Rotate backup shell script to remove directories (old backup files)

Most of the time you have limited space on the remote SFTP / SSH backup server. Here is a script that periodically cleans up old backup files from the server, i.e. it removes old directories.


The script will automatically calculate dates from today's date. By default it keeps only the last 7 days of backups on the server. You can easily increase or decrease this limit. In order to run the script you must meet the following criteria:

  • Remote SSH server with permission to execute the rm command
  • SSH keys for password-less login (see how to set up RSA / DSA keys for password-less login)
  • Accurate date and time on the local system (see how to synchronize the clock using the ntpdate NTP client)
  • The remote backup directory must be in dd-mm-yyyy or mm-dd-yyyy format. For example, daily MySQL backups should be stored in /mysql/mm-dd-yyyy format.

Sample Script Usage

Run the script as follows:
./rot.backup.sh 7 /mysql "rm -rf"

  • 7 : Remove 7 days' worth of old directories
  • /mysql : Base directory to clean up. If today's date is 9/Oct/2007, it will remove the directories /mysql/02-10-2007, /mysql/01-10-2007, .... /mysql/26-09-2007, /mysql/25-09-2007. This means the script keeps only the last 7 days of backups on the remote SFTP / SSH server.
  • rm -rf : Command to run on the directory structure

Sample Shell Script

Install the following script:

if [ "$#" == "0" ];then
  echo "$0 upper-limit path {command}"
  exit 1
### SSH Server setup ###
DIR_FORMAT="%d-%m-%Y" # DD-MM-YYYY format
#DIR_FORMAT="%m-%d-%Y" #MM-DD-YYYY format
## do not edit below ##
LIMIT=$( expr $START + $1 )
## default CMD ##
[ "$3" != "" ] && CMD="$3" || :
[ "$2" != "" ] && SSH_PATH="$2" || :
DAYS=$(for d in $(seq $START $LIMIT);do date --date="$d days ago" +"${DIR_FORMAT}"; done)
for d in $DAYS
  ssh ${SSH_USER}@${SSH_SERVER} ${CMD} ${SSH_PATH}/$d

Run the above script via crontab (cron job):
@daily /path/to/rot.ssh.script 7 "/html" "rm -rf"
@daily /path/to/rot.ssh.script 7 "/mysql" "rm -rf"
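The dangerous part of a rotation script is the argument that ends up after "rm -rf" on the remote side: if the date list or the base path is empty or unexpected, the command can delete far more than one day's backup. The following is an added example, not the page's rot.backup.sh: it computes the directory names for the same window the page describes (9/Oct/2007, limit 7, gives 02-10-2007 down to 25-09-2007) from an explicit reference date, and it only builds the remote command after the base path and the directory name pass a strict check. It assumes GNU date, as the page's script does; the user and host in remote_rm are placeholders and it prints the command instead of running ssh.

```bash
#!/bin/bash
# Added example: compute the out-of-retention backup directory names from a
# fixed reference date, and guard the remote "rm -rf" behind a format check.
# Assumes GNU date (for --date="... days ago").

# old_backup_dirs REF_DATE START COUNT FORMAT
#   prints the directory names for START .. START+COUNT days before REF_DATE,
#   e.g. old_backup_dirs 2007-10-09 7 7 %d-%m-%Y  ->  02-10-2007 ... 25-09-2007
old_backup_dirs() {
    local ref="$1" start="$2" count="$3" fmt="$4" d
    for d in $(seq "$start" $(( start + count ))); do
        date --date="$ref $d days ago" +"$fmt"
    done
}

# is_dated_dir NAME : true only for dd-mm-yyyy / mm-dd-yyyy shaped names, so an
# empty value or a path component such as "../etc" never reaches the remote rm
is_dated_dir() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{2}-[0-9]{2}-[0-9]{4}$'
}

# remote_rm BASE NAME : print the ssh command that would be run (placeholder
# user/host). Returns 1 and prints nothing when BASE is empty or "/" or when
# NAME fails the format check.
remote_rm() {
    local base="$1" name="$2"
    case "$base" in ''|/) return 1 ;; esac
    is_dated_dir "$name" || return 1
    echo "ssh backup@backup.example.com rm -rf -- '$base/$name'"
}

# Usage: for d in $(old_backup_dirs "$(date +%F)" 7 7 %d-%m-%Y); do remote_rm /mysql "$d"; done
```

Replacing the echo in remote_rm with the real ssh call gives a drop-in body for the page's loop; the "--" keeps a name that starts with "-" from being read as an rm option, and the single quotes keep the remote shell from expanding anything in the path.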

Linux / UNIX: Find out if your configuration files / security settings changed or not

How do you find out that somebody has accessed your system and changed your configuration or security settings? How do you verify file content? There is no simple answer to these questions. Personally, I use specialized tools such as tripwire and a combination of perl / shell scripts and UNIX command line utilities.

Examining methods of storing and later checking the validity of your configuration files is one of the key tasks. This article provides some guidelines. You will develop a script that you can use to generate information that checks the validity of a file or a directory full of files. The recorded information includes the file path, a checksum of the file so that you can compare the file contents, and unique information about the file (inode, permissions, ownership information) so that you can identify differences should they occur:

The typical UNIX administrator has a key range of utilities, tricks, and systems he or she uses regularly to aid in the process of administration. There are key utilities, command-line chains, and scripts that are used to simplify different processes. Some of these tools come with the operating system, but a majority of the tricks come through years of experience and a desire to ease the system administrator's life. The focus of this series is on getting the most from the available tools across a range of different UNIX environments, including methods of simplifying administration in a heterogeneous environment.

=> Systems Administration Toolkit: Testing system validity
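The record described above (path, content checksum, inode, permissions, ownership) is easy to produce with standard tools. The following is an added example, not the page's or the linked article's code: snapshot writes one such record per regular file under a directory, and integrity_check compares a stored baseline against a fresh snapshot, reporting changed, removed and added paths. It assumes GNU coreutils (sha256sum and stat -c); a content change and a metadata-only change (permissions) both show up as CHANGED.

```bash
#!/bin/bash
# Added example: minimal file-integrity baseline and comparison.
# Record format: path|sha256|inode|mode|user|group (paths must not contain '|').
# Assumes GNU coreutils (sha256sum, stat -c).

# snapshot DIR : one record per regular file under DIR, sorted for stable diffs
snapshot() {
    local dir="$1" f sum meta
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        sum=$(sha256sum "$f" | awk '{ print $1 }')
        meta=$(stat -c '%i|%a|%U|%G' "$f")
        printf '%s|%s|%s\n' "$f" "$sum" "$meta"
    done
}

# integrity_check BASELINE_FILE CURRENT_FILE : print CHANGED/REMOVED/ADDED lines,
# exit 0 when the two snapshots agree and 1 otherwise
integrity_check() {
    local base="$1" cur="$2" rc=0 path rest
    # every baseline record must still appear verbatim in the current snapshot
    while IFS='|' read -r path rest; do
        if ! grep -qxF -- "$path|$rest" "$cur"; then
            rc=1
            if cut -d'|' -f1 "$cur" | grep -qxF -- "$path"; then
                echo "CHANGED $path"
            else
                echo "REMOVED $path"
            fi
        fi
    done < "$base"
    # anything in the current snapshot that the baseline never saw
    while IFS='|' read -r path rest; do
        cut -d'|' -f1 "$base" | grep -qxF -- "$path" || { echo "ADDED $path"; rc=1; }
    done < "$cur"
    return $rc
}

# Usage: snapshot /etc > /var/lib/integrity/etc.db    (baseline, taken on a known-good system)
#        snapshot /etc > /tmp/etc.now && integrity_check /var/lib/integrity/etc.db /tmp/etc.now
```

Keep the baseline somewhere the monitored host cannot silently rewrite it (read-only media, or copied off-host right after it is taken); a baseline that lives next to the files it describes can be regenerated by whoever changed them.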

Fedora Linux add MP3, Java, DVD Playback and multimedia support

Copyright / IP laws prevent shipping multimedia and MP3 software, technologies and plugins with Linux distributions. Fedora is no exception to this rule. All you have to do is add a few repos and you are ready to go.

Fellow Linux blogger James has published an excellent shell script hack (Fedora Feather) that adds MP3 and multimedia support to Fedora Linux:

Tired of manually adding support for mp3, dvd and Java to your fresh Fedora installs? This script will automatically do all of that.

=> Download Fedora Feather

Book Review Shell Script Pearls

Shell Script Pearls is designed to provide information about shell scripting. The book is a collection of all the tips and code samples you need to learn about shell scripting. The author has clearly demonstrated unique tools and script samples that go beyond the level of basic scripting. The book is useful for geeks, hackers, sysadmins and advanced users. The book doesn't explain basic programming structure and syntax. If you are a beginner, get a basic book or start with our own tutorial.

You will find a large collection of useful shell scripts and practical examples that can be used in day-to-day life.

Chapter 1: Shell script Debugging - You learn about manual and automated shell scripting debug techniques.


Chapter 2: Standard Functions Library - You will learn how to create a library for common tasks.

Chapter 3: Date and time Manipulation - Many administrative tasks such as backup depend heavily upon date and time. This chapter explains date and time calculations.

Chapter 4: Comparison and tests - Learn how to write and use comparisons and tests using conditional statements and loops.

Chapter 5: Accepting Command Line Options and Parameters - Learn how to pass optional parameters to your script to provide more customization.

Chapter 6: Testing Variables and Assigning Defaults - Learn about setting default variables or input parameters for a script. This will help you write customized and configurable shell scripts.

Chapter 7: Indirect Reference Variables - Learn how to create indirect variable names (the ability to generate variable names on the fly).

Chapter 8: Shell process tree - You will learn about creating a shell process tree script for the currently running process or for all processes.

Chapter 9: Data Redirection - If you get confused by output redirection or I/O redirection, this chapter provides a better understanding of redirection.

Chapter 10: Piping Input to read - Learn about pipes and the related gotchas that come up while writing a portable script.

Chapter 11: Math from the shell - Learn how to use expr, bc and other tools to perform mathematical calculations from a shell.

Chapter 12: Cron - Learn how to create complex cron jobs and schedule jobs.

Chapter 13: Self-Linked Scripts - This is one of my favorite techniques: for example, a shell script called backup can be called by several different names to make a backup to an FTP server, tape or another server.

Chapter 14: Throttling Parallel Processes - Learn how to run a shell script more efficiently in large multi-user environments.

Chapter 15: Command Line Editing and History - Learn how to set various command line editing modes to save time.

Chapter 16: Scripting from the command line - Learn how to write quick and dirty one-liners from a command prompt.

Chapter 17: Automating User Input with expect - Learn how to provide password / username and other parameters using the expect tool.

Chapter 18: User Input Timeout - Learn how to write more advanced scripts. If the user doesn’t provide input in a specified time the script should continue running with a default input.

Chapter 19: Instant keyboard Response - Learn how to write a key press detection shell script, for example to detect keys pressed by the end user and take an action.

Chapter 20: Directory Copying - Learn how to copy all sorts of files using various tools.

Chapter 21 and 22: A brief tour of the X Display environment - Learn basic usage of the X Window System.

Chapter 23: Command line email attachments - Learn how to send emails from the command line.

Chapter 24: Text processing one-liners - Learn basic usage of common tools such as awk, expr, sed and many others.

Chapter 25: Editing Files in Place - Learn how to use ed to edit text files and perform search and replace operations.

Chapters 26 to 42 provide advanced code examples and techniques such as:

  • Reading variables from a flat text file
  • Automating ftp task
  • Automating email with procmail
  • Automating RCS
  • Writing a process management
  • Running processes from the inittab file
  • Password aging notification
  • System snapshots
  • Rotating log files, etc.


You will find shell man pages difficult to use and without examples. Ron has done a good job explaining and providing valuable shell script code. You can use the samples in your own projects. I recommend this book for every Linux / UNIX geek and system administrator.

  • Book title: Shell Script Pearls (Paperback)
  • Author: Ron Peters
  • Publisher: 16 Ton Press
  • Pub Date: 11-May-2007
  • ISBN-10: 0615141056
  • Pages: 320
  • Level of experience needed: Intermediate Linux / UNIX sys admin
  • Who will find useful: Linux/UNIX sys admin / Geeks
  • Additional goodies included (such as CDROM) ...? : No
  • Ratings : 4/5
  • Purchase online @ Amazon

Domain Expiration Check Shell Script

I've already written about a shell script to check / monitor domain renewal / expiration dates here. Now I've modified matt's domain-check script to support additional ccTLDs / TLDs: .in, .biz, .org and .info domains. I've also added a 5 second delay to avoid the whois server rejecting queries. This script checks to see if a domain has expired. It can be run in interactive and batch mode, and provides facilities to alarm in advance if a domain is about to expire.

Sample usage

Display the expiration date and registrar for the theos.in domain:
domain-check-2 -d {domain-name}

$ domain-check-2 -d theos.in

Domain                              Registrar         Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
theos.in                            et4India (R7-AFIN Valid    28-Oct-2009   799  

You can also get an email if theos.in is going to expire within 30 days:
$ domain-check-2 -a -d theos.in -q -x 30 -e vivek@nixcraft.com

However, the killer feature is that you can read a list of domain names from a file such as mydomains.txt (list each domain on a new line):
$ domain-check-2 -a -f mydomains.txt -q -x 30 -e vivek@nixcraft.com
$ domain-check-2 -f mydomains.txt


Domain                              Registrar         Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
theos.in                            et4India (R7-AFIN Valid    28-Oct-2009   799
nixcraft.org                        oDaddy.com, Inc.  Valid    13-Aug-2009   723
vivekgite.com                       MONIKER ONLINE SE Valid    18-aug-2010   1093
cyberciti.biz                                         Valid    30-Jun-2009   679
nixcraft.info                       oDaddy.com Inc. ( Valid    26-Jun-2009   675
nixcraft.net                        GODADDY.COM, INC. Valid    11-dec-2009   843  


=> Download modified domain-check-2 script here.

Quick installation

Use the wget command to download and install the domain-check script:
$ wget http://www.cyberciti.biz/files/scripts/domain-check-2.txt
$ mv domain-check-2.txt domain-check
$ chmod +x domain-check
$ ./domain-check -d vivekgite.com

Make sure you run the domain-check script from a cron job.
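The core of a check like this is pulling the expiry date out of whois output, turning it into "days left", and comparing that against the -x threshold. The following is an added example, not the page's domain-check-2 script: it works on a constructed whois excerpt, so it runs offline, and the list of expiry labels it recognises is an assumption (registries spell the field differently). It assumes GNU date and does the arithmetic in UTC so daylight-saving shifts cannot knock a day off the count; with the page's theos.in example (expiry 28-Oct-2009, 799 days left) the reference date works out to 2007-08-21.

```bash
#!/bin/bash
# Added example: extract a domain's expiry date from whois text, compute the
# days remaining against a reference date, and apply an alarm threshold.
# Assumes GNU date. The whois text below is constructed, not a real record.

SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 28-Oct-2001
Expiration Date: 28-Oct-2009
Name Server: NS1.EXAMPLE.COM'

# whois_expiry WHOIS_TEXT : print the first expiry value found, or nothing.
# The label list is an assumption covering common registrar spellings.
whois_expiry() {
    printf '%s\n' "$1" \
    | grep -iE '^[[:space:]]*(Registry Expiry Date|Expiration Date|Expiry date|Expires on)[[:space:]]*:' \
    | head -n 1 \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# days_left REF_DATE EXPIRY : whole days from REF_DATE to EXPIRY (negative once
# past). Accepts ISO dates and the dd-Mon-yyyy form many registrars print.
days_left() {
    local ref exp when
    case "$2" in
        [0-9][0-9]-[A-Za-z][A-Za-z][A-Za-z]-[0-9][0-9][0-9][0-9])
            when=$(printf '%s' "$2" | tr '-' ' ') ;;
        *)  when="$2" ;;
    esac
    ref=$(TZ=UTC date --date="$1" +%s)
    exp=$(TZ=UTC date --date="$when" +%s)
    echo $(( (exp - ref) / 86400 ))
}

# domain_status WHOIS_TEXT REF_DATE THRESHOLD : "Valid N", "Expiring N",
# "Expired N", or "Unknown" (exit 2) when no expiry line was found
domain_status() {
    local expiry days
    expiry=$(whois_expiry "$1")
    [ -n "$expiry" ] || { echo "Unknown"; return 2; }
    days=$(days_left "$2" "$expiry")
    if [ "$days" -lt 0 ]; then
        echo "Expired $days"
    elif [ "$days" -le "$3" ]; then
        echo "Expiring $days"
    else
        echo "Valid $days"
    fi
}

# Usage: domain_status "$(whois example.com)" "$(date +%F)" 30
```

The "Unknown" branch matters in batch mode: a registry that rate-limits or returns an unexpected format should show up as a failed check, not as a silently "Valid" domain.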

Howto Use SSH To Run Command On A Remote Machine

This article examines a simple but powerful method to run commands on a remote machine using a combination of ssh and a shell script:

Use Secure Shell (SSH) to run commands on remote UNIX systems and, with some simple scripts, put together a system that enables you to manage many systems simultaneously from one machine without having to log in directly to the machines themselves. Also examine the basics of a distributed management system and some scripts and solutions using the technique.

I have already covered how to execute commands on multiple Linux or UNIX servers via a shell script. The disadvantage of the shell script approach is that commands do not run in parallel on all servers. However, several tools exist to automate this procedure in parallel. With the help of a tool called tentakel (highly recommended), you can run distributed command execution. You can also execute commands on multiple Linux or UNIX servers using special tools such as multixterm from the expect project.

=> Distributed administration using SSH