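#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - shrink_modsec_ip_database               Copyright 2016 cPanel, Inc.
#                                                           All rights Reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

package scripts::shrink_modsec_ip_database;

use strict;
use warnings;

use Fcntl qw(O_RDONLY O_NOFOLLOW);
use File::Copy ();

use Cpanel::Logger  ();
use Cpanel::PwCache ();

our $_MODSEC_SDBM_UTIL = q{/usr/sbin/modsec-sdbm-util};
our $_IP_PAG           = q{/var/cpanel/secdatadir/ip.pag};
our $_IP_DIR           = q{/var/cpanel/secdatadir/ip.dir};
our $_SECDATADIR       = q{/var/cpanel/secdatadir};

# Where modsec-sdbm-util -n leaves the rebuilt database (inside -D).
our $_NEW_IP_PAG = qq{$_SECDATADIR/new_db.pag};
our $_NEW_IP_DIR = qq{$_SECDATADIR/new_db.dir};

# Shared logger, created on first use by _logger().
our $logger;

# Return the shared Cpanel::Logger, creating it the first time it is needed.
sub _logger {
    $logger //= Cpanel::Logger->new();
    return $logger;
}

# Constructor; the object carries no state, it only gives the modulino a
# method-call interface.
sub new {
    my ($pkg) = @_;
    return bless {}, $pkg;
}

# Entry point when invoked as a script.  Requires the literal -x flag in
# @ARGV; without it the logger's die() is called and nothing is touched.
# Returns 1 after run() (run()'s own result is not propagated).
sub as_script {
    my ($self) = @_;

    if ( not defined $ARGV[0] or $ARGV[0] ne q{-x} ) {
        _logger()->die(q{To execute, use the -x flag.});
    }

    $self->run();
    return 1;
}

# Run the whole shrink: locate the tool and the database, rebuild the
# database, then swap it in.  Returns 1 on success, 0 as soon as a step fails.
sub run {
    my ($self) = @_;

    return 0 unless $self->_bin_check();
    return 0 unless $self->_file_check();
    return 0 unless $self->_call_modsec_sdbm_util();
    return 0 unless $self->purge_and_swap();

    return 1;
}

# Both halves of the SDBM database must exist.  Logs at info level and
# returns an empty value when either is missing; 1 otherwise.
sub _file_check {
    my ($self) = @_;

    if ( not -e $_IP_PAG or not -e $_IP_DIR ) {
        _logger()->info(qq{Can't locate $_IP_PAG or $_IP_DIR.});
        return;
    }
    return 1;
}

# Returns 1 when modsec-sdbm-util is installed, 0 otherwise.
sub _bin_check {
    my ($self) = @_;

    # be silent about not finding it as not to spam the error log
    return 0 if not -e $_MODSEC_SDBM_UTIL;
    return 1;
}

# Ask modsec-sdbm-util to write a new, expired-entry-free copy of the
# database (as $_NEW_IP_PAG / $_NEW_IP_DIR).  Returns 1 on success; on any
# failure it warns, removes whatever partial output exists and returns 0.
sub _call_modsec_sdbm_util {
    my ($self) = @_;
    my $log = _logger();

    # List-form pipe open: no shell is involved, so the paths are passed
    # verbatim instead of being re-parsed from an interpolated command line.
    my @cmd = ( $_MODSEC_SDBM_UTIL, '-D', $_SECDATADIR, '-v', '-n', $_IP_PAG );
    my $pid = open( my $fh, '-|', @cmd );
    if ( !$pid ) {
        $log->warn(qq{Could not execute $_MODSEC_SDBM_UTIL: $!});
        return 0;
    }

    # The tool's output is only drained so it does not leak to our stdout.
    my $output = do { local $/; <$fh> };
    close $fh;    # loads $? with the child's wait status

    # Inspect the full wait status: the old "$? >> 8" test read a child
    # killed by a signal (exit bits 0) as success.
    if ( $? != 0 ) {
        my $why =
            $? == -1     ? qq{could not be waited for ($!)}
          : ( $? & 127 ) ? qq{was killed by signal @{[ $? & 127 ]}}
          :                qq{exited with a non-zero status: @{[ $? >> 8 ]}};
        $log->warn(qq{$_MODSEC_SDBM_UTIL $why.});

        # clean up
        $self->_remove_new_db();
        return 0;
    }

    return 1;
}

# Best-effort removal of the replacement database files.
sub _remove_new_db {
    my ($self) = @_;
    unlink $_NEW_IP_PAG, $_NEW_IP_DIR;
    return;
}

# Open $path without following a symlink and change its owner through the
# handle (fchown), so the chown can only ever apply to the file that was
# opened.  Returns 1 on success, 0 on failure with $! set.
sub _chown_regular_file {
    my ( $self, $path, $uid, $gid ) = @_;

    sysopen( my $fh, $path, O_RDONLY | O_NOFOLLOW ) or return 0;
    my $changed = chown( $uid, $gid, $fh );
    close $fh;
    return $changed ? 1 : 0;
}

# Replace the live ip.pag/ip.dir with the freshly written pair.  Returns 1 on
# success.  When the new files are missing the logger's die() is called;
# when ownership cannot be fixed or a move fails it warns, discards the new
# files and returns 0, leaving the current database in place.
sub purge_and_swap {
    my ($self) = @_;
    my $log = _logger();

    if ( not -e $_NEW_IP_PAG or not -e $_NEW_IP_DIR ) {
        $log->die(qq{Could not find expected new database files, $_NEW_IP_PAG or $_NEW_IP_DIR});
        return 0;    # only reached if the logger's die() returns
    }

    # Files should be writable by nobody.  Ownership is fixed on the new
    # files *before* they become the live ones, so there is no window in
    # which ModSecurity finds a root-owned database.  The chown goes through
    # an O_NOFOLLOW handle: if the data directory is writable by the web
    # user (it must be, for ModSecurity to update the database), a symlink
    # planted there must not be able to redirect a root chown elsewhere.
    my ( $nobody_uid, $nobody_gid ) = ( Cpanel::PwCache::getpwnam('nobody') )[ 2, 3 ];
    if ( !defined $nobody_uid || !defined $nobody_gid ) {
        $log->warn(q{Could not look up the uid/gid of nobody; keeping the current database.});
        $self->_remove_new_db();
        return 0;
    }

    for my $path ( $_NEW_IP_PAG, $_NEW_IP_DIR ) {
        next if $self->_chown_regular_file( $path, $nobody_uid, $nobody_gid );
        $log->warn(qq{Could not chown $path to nobody: $!; keeping the current database.});
        $self->_remove_new_db();
        return 0;
    }

    # rename(2) replaces each target atomically, so the old unlink-then-move
    # sequence (which briefly left no database at all, and no database ever
    # if the move failed) is not needed.  The two halves still cannot be
    # swapped as one unit; a failure between them is logged rather than
    # silently returned as success.
    for my $pair ( [ $_NEW_IP_PAG, $_IP_PAG ], [ $_NEW_IP_DIR, $_IP_DIR ] ) {
        my ( $from, $to ) = @{$pair};
        next if File::Copy::move( $from, $to );
        $log->warn(qq{Could not move $from to $to: $!});
        $self->_remove_new_db();
        return 0;
    }

    return 1;
}

if ( not caller() ) {
    my $shrink = scripts::shrink_modsec_ip_database->new();
    $shrink->as_script();
    exit 0;
}

1;

__END__

=head1 NAME

/scripts/shrink_modsec_ip_database

=head1 USAGE

=head2 AS A SCRIPT

    /scripts/shrink_modsec_ip_database -x

=head2 AS A LIBRARY

This script is written as a modulino, which means it can be C<require>'d:

    use strict;
    require q{/scripts/shrink_modsec_ip_database};
    my $shrink = scripts::shrink_modsec_ip_database->new();
    $shrink->run();

=head1 REQUIRED ARGUMENTS

None

=head1 OPTIONS

=over 4

=item -x

Use this option to actually run the script; without it the script logs a
message through the logger's C<die> and does nothing.

=back

=head1 DESCRIPTION

This script is called by C<scripts/maintenance>, and its purpose is to shrink
the ModSecurity ip.[pag,dir] files by removing expired entries.  The rebuilt
database is written by C<modsec-sdbm-util>, chowned to C<nobody>, and then
renamed over the live files.

=head1 DIAGNOSTICS

Problems are reported through C<Cpanel::Logger>: a missing database is logged
at info level; a failing C<modsec-sdbm-util> run, an unresolvable C<nobody>
user, or a failed chown/move is logged as a warning and the current database
is kept.

=head1 EXIT STATUS

Exit status is 0 (success) unless an unexpected error occurs.

=head1 DEPENDENCIES

This script relies on C</usr/sbin/modsec-sdbm-util> to be installed, and in
order to be useful, C<ModSecurity> must be installed and be enabled.

=head1 INCOMPATIBILITIES

None

=head1 BUGS AND LIMITATIONS

The two halves of the SDBM database are replaced one after the other, not as
a single atomic step.

=head1 LICENSE AND COPYRIGHT

Copyright 2016 cPanel, Inc.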