Gentoo Forums
script which filters infected ip's and blocks them
dreamer
Apprentice
Joined: 16 Aug 2003
Posts: 236
PostPosted: Wed Mar 03, 2004 6:31 pm    Post subject: script which filters infected ip's and blocks them

Hi,

After running a small webserver for +/- 6 months, I became quite annoyed by all the infected ip's that showed up in my logs. So I decided to write a script which filters those ip's from the apache logfiles and adds them to an iptables rule. Whenever it finds a new infected address it'll send a mail to a specified user. This mail contains a timestamp, the infected ip-address and the "crime" it committed. This behaviour makes it perfect for cronjobs.
Some may find the filtering rules too aggressive, just comment out what you don't like.
I hope it's obvious the script won't do much without iptables installed :P

Hope you find it useful..
Code:

#!/bin/bash
#written by dreamer     02-03-2004
#quick'n dirty script to filter infected ip addresses from apache logs and
#block them with help of iptables.
#If manager is a valid email address ( or local user ) an email is sent to
#this user every time a new ip address is added to the firewall.
#This makes it ideal for a daily cronjob or so...
#enjoy! :-)
#

#global settings
#where email is sent.. ( leave empty if you don't want any mail )
manager=
#temp dir
temp_dir=/var/tmp
#persistent list of ip's that are already blocked
#(use an absolute path when running from cron, cron does not start in your home dir)
blocklist=./.blocklist
#iptables Chain to append the rule to
chain=INPUT
#action to take after a rule matches
action=DROP

#some pre-running stuff
if [ ! -f "$blocklist" ]
then
        touch "$blocklist"
fi

#compile a list of infected ip's
#this wil get most of the shit, i'm not sure if it wil catch ALL....
#error_log lines look like "[date] [error] [client 1.2.3.4] ...", so the ip is field 8
grep error /var/log/apache2/error_log | cut -d' ' -f8 | cut -d] -f1 >> $temp_dir/blocklist_chaos.tmp
#access_log lines start with the client ip
grep script /var/log/apache2/access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp
grep exe /var/log/apache2/access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp
grep dll /var/log/apache2/access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp
grep exe  /var/log/apache2/ssl_access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp

#sort these ip's and remove duplicates, afterwards remove blocklist_chaos.tmp
sort -u $temp_dir/blocklist_chaos.tmp >  $temp_dir/blocklist.tmp
rm  $temp_dir/blocklist_chaos.tmp

#see if there are any new ip's since last run (diff lines starting with '>' are only in the new file)
new_ip=( $(diff "$blocklist" $temp_dir/blocklist.tmp | grep '^>' | cut -d' ' -f2) )

#remove LAN ip's (192.168.0.0/24 ) from the blocklist.
#Comment if you don't trust your own LAN ;-)
#(matching entries are stripped to an empty string and so drop out of the array)
new_ip=( $(echo ${new_ip[@]##192.168.0.*}) )

#if there is at least one new infected ip....
if (( ${#new_ip[@]} > 0 ))
then
        #make tempfile the new permanent blocklist
        mv  $temp_dir/blocklist.tmp "$blocklist"

        # add new ip's with iptables
        for element in $(seq 0  $((${#new_ip[@]} - 1)))
        do
                /sbin/iptables -A $chain -s "${new_ip[$element]}" -j $action

                #for proper display in mail: the ip followed by the last request it made
                new_ip[$element]=$(echo ${new_ip[$element]}"\t\t(" $(grep -F "${new_ip[$element]}" /var/log/apache2/access_log |tail -1| cut -d] -f2)")\n")
        done

        #mail new ip's to manager
        if [[ $manager != "" ]]
        then
                echo -e "At" $(date +%A' '%d' '%b' '%T) "these infected ip's were added to the firewall:\n "${new_ip[@]} \
                | /usr/sbin/sendmail -F CHAIN_BLOK $manager
        fi
else
        rm  $temp_dir/blocklist.tmp
fi
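The same idea reworked in Python, added here as an example and not dreamer's code: it parses combined-format access_log lines with a regex instead of cut, matches the narrower cmd.exe / winnt / %255c probe patterns suggested later in the thread, validates that the client field really is an IP, skips the trusted LAN as a proper CIDR network, and returns the iptables commands for addresses not yet in the persistent blocklist (the log lines, pattern list and helper names are constructed for the example).

```python
import ipaddress
import re

# Constructed sample access_log (combined log format), not taken from the thread.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2004:18:31:02 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.168.0.12 - - [03/Mar/2004:18:32:10 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
198.51.100.4 - - [03/Mar/2004:18:33:44 +0100] "GET /downloads/putty.exe HTTP/1.1" 200 412000
203.0.113.9 - - [03/Mar/2004:18:35:01 +0100] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [03/Mar/2004:18:36:19 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
"""

# Request patterns typical of the worm probes the thread talks about; narrower than the
# original script's bare grep for "exe", so a legitimate putty.exe download is not blocked.
PROBE_PATTERNS = re.compile(r"cmd\.exe|root\.exe|/winnt/|%255c", re.IGNORECASE)

# Networks that are never blocked (the original script skipped 192.168.0.*).
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]

# client ip, ident, user, [timestamp], "request line"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def find_probes(log_text):
    """Return {ip: last probe request} for clients whose requests match PROBE_PATTERNS."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PROBE_PATTERNS.search(m.group("req")):
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # garbage in the client field (e.g. a malformed line), skip it
        if any(ip in net for net in TRUSTED_NETS):
            continue
        hits[str(ip)] = m.group("req")  # keep the last request for the report mail
    return hits


def new_block_rules(hits, already_blocked, chain="INPUT", action="DROP"):
    """Return the iptables commands for probing IPs not yet in the persistent blocklist."""
    cmds = []
    for ip in sorted(hits, key=ipaddress.ip_address):
        if ip not in already_blocked:
            cmds.append(f"/sbin/iptables -A {chain} -s {ip} -j {action}")
    return cmds
```

Feed `new_block_rules` the lines of the existing blocklist file as `already_blocked`, and append the IPs it reports to that file after running the commands, to get the same diff-based behaviour as the shell script.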
garn
Tux's lil' helper
Joined: 10 Sep 2003
Posts: 131
PostPosted: Wed Mar 03, 2004 6:38 pm

I'd say too aggressive. What if you have putty.exe in your htdocs and download it? You might want it so it checks for cmd.exe or winnt or %255c..

(And yes I know you said if we find it too aggressive change it, I just figured I'd share)

Nice script, good work.
dreamer
Apprentice
Joined: 16 Aug 2003
Posts: 236
PostPosted: Wed Mar 03, 2004 6:55 pm

garn wrote:
I'd say too aggressive. What if you have putty.exe in your htdocs and download it? You might want it so it checks for cmd.exe or winnt or %255c..

Good point, I'm so linux-minded I didn't even think of the possibility someone's using .exe files :P
Consider these filters ( quite restrictive ) templates and change them to suit your needs. As long as they output ip's it'd be fine.

garn wrote:
Nice script, good work.

Thanks :D
Gentoo Server
Apprentice
Joined: 21 Jul 2003
Posts: 279
PostPosted: Thu Mar 04, 2004 1:07 am

I like that script to autodefend against havoc ips, but one question: what is an infected ip ???
dvc5
Guru
Joined: 06 Dec 2003
Posts: 433
Location: Sunnyvale, California
PostPosted: Thu Mar 04, 2004 4:59 am

I believe an "infected" ip is one that has a Windows virus, hence the Code Red and Nimda web-server attacks. See the grepping lines and what they're looking for. Great script dreamer btw, works perfectly!
_________________
#define NULL rand() /*heh heh heh */

Green Is Good
schism39401
Tux's lil' helper
Joined: 13 Mar 2003
Posts: 130
PostPosted: Wed Mar 31, 2004 5:43 pm

Great script dreamer... I found it on another thread

https://forums.gentoo.org/viewtopic.php?t=155713&highlight=

dropped it in and it works great...

Thanks!!

Jake