Difference between revisions of "Botstop.sh"
From DarkWiki
Older revision summary: (Created page with "<source lang="bash"> #/bin/bash RECENT_FILE=/root/bin/.botstop.recent WORK_FILE=/root/bin/.botstop.work HISTORY_FILE=/var/log/botstop.log NOW=$(date) IPT=/sbin/iptables OUTPU...")
Newer revision summary: (→Script)
(6 intermediate revisions by the same user not shown)
Latest revision as of 15:27, 28 July 2017
Botstop is an aggressive little defender that aims to reduce the impact of botnets on a host. It does this by looking through log files for the IP addresses of hosts that are behaving badly, and then blocking them using iptables.

Its motivation is:

* Block known baddies
* Detect baddies within a couple of minutes or so
* Reduce the impact on my log files
* Record new addresses as they are blocked
* Record addresses as they become unblocked

Bad behaviour is defined as:

* Anyone who has failed login during SMTP
** This is perhaps a little harsh
* Anyone attempting to SSH as 'root'
** That account should never be accessible directly over SSH
* Anyone attempting to SSH as 'support' - an unknown user on most systems
** Commonly used usernames that don't exist are indicators of a brute-force attack from a bot
* Anyone attempting to access jmx-console over HTTP - it's a well-known attack vector used by many bots
** Who really uses that anyway? Bots, that's who. Fuck them.

It reads the current log and the previous log, but no more. This means that IP addresses will eventually be allowed back in, and the time will depend on the log rotation.

===Installation===

* Copy the file and save as /root/bin/botstop.sh
* Configure root's crontab to run the script every few minutes.

===Output===

Logging of blocks (and unblocks) is recorded in /var/log/botstop.log

===Script===
<source lang="bash">
#!/bin/bash
# botstop.sh - scan the current and previous logs for misbehaving hosts and block them with iptables

RECENT_FILE=/root/bin/.botstop.recent   # bad-IP set from the previous run
WORK_FILE=/root/bin/.botstop.work       # bad-IP set from this run
HISTORY_FILE=/var/log/botstop.log       # block/unblock history
NOW=$(date)
IPT=/sbin/iptables
OUTPUT=DROP                             # target for blocked traffic (DROP, or LOGDROP to log first)

# Print one candidate IP address per line. Only the current log and the
# previous rotated log are read, so addresses age out as the logs rotate.
function scanForBadBehaviour() {
    # Failed SMTP logins (mail.log records the client address in square brackets)
    grep LOGIN /var/log/mail.log /var/log/mail.log.1 | grep failed | sed -r "s/.*\[([0-9\.]*).*/\1/g" | sort -u
    # SSH password failures for root and for usernames that should not exist
    grep "Failed password for root" /var/log/auth.log /var/log/auth.log.1 | sed "s/.*from.\([0-9\.]*\).*$/\1/g" | sort -u
    grep "Failed password for invalid user support" /var/log/auth.log /var/log/auth.log.1 | sed "s/.*from.\([0-9\.]*\).*$/\1/g" | sort -u
    grep "Failed password for invalid user admin" /var/log/auth.log /var/log/auth.log.1 | sed "s/.*from.\([0-9\.]*\).*$/\1/g" | sort -u
    # Probes for the JBoss jmx-console over HTTP
    grep "jmx-console" /var/log/apache2/*.log /var/log/apache2/*.log.1 | sed "s/.* \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\) .*$/\1/g" | sort -u
}

function blockBaddies() {
    # Rebuild the rule set from scratch on every run. Note that -F flushes every
    # rule in the filter table, not only the ones this script added.
    $IPT -F
    $IPT -X LOGDROP
    $IPT -N LOGDROP
    $IPT -A LOGDROP -j LOG
    $IPT -A LOGDROP -j DROP
    # Rate-limit new SSH connections: a source reaching hitcount 4 within 60 seconds is sent to $OUTPUT
    $IPT -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    $IPT -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j $OUTPUT
    # Static block list of known bad ranges
    $IPT -A INPUT -s 58.218.0.0/16 -j $OUTPUT
    $IPT -A INPUT -s 91.200.12.0/24 -j $OUTPUT
    $IPT -A INPUT -s 91.200.13.0/24 -j $OUTPUT
    $IPT -A INPUT -s 140.115.110.0/24 -j $OUTPUT
    $IPT -A INPUT -s 168.215.58.40 -j $OUTPUT
    $IPT -A INPUT -s 45.76.0.0/16 -j $OUTPUT
    $IPT -A INPUT -s 116.31.116.0/24 -j $OUTPUT
    $IPT -A INPUT -s 222.59.162.0/24 -j $OUTPUT
    $IPT -A INPUT -s 221.194.47.0/24 -j $OUTPUT
    $IPT -A INPUT -s 46.148.27.0/24 -j $OUTPUT
    # Dynamic block list from this run's log scan
    while read -r IP; do
        $IPT -A INPUT -s "$IP/32" -j $OUTPUT
    done < "$WORK_FILE"
}

# Only dotted-quad addresses may reach iptables: a log line the sed patterns
# do not fully match would otherwise pass through as a bogus -s argument.
scanForBadBehaviour | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > "$WORK_FILE"
blockBaddies

# Record what changed since the last run. comm needs both inputs sorted,
# which the sort -u above guarantees.
if [ -e "$RECENT_FILE" ]; then
    comm -13 "$RECENT_FILE" "$WORK_FILE" | awk -v NOW="$NOW" '$0=NOW ",Blocked ,"$0' >> "$HISTORY_FILE"
    comm -23 "$RECENT_FILE" "$WORK_FILE" | awk -v NOW="$NOW" '$0=NOW ",Unblocked,"$0' >> "$HISTORY_FILE"
    cp "$WORK_FILE" "$RECENT_FILE"
else
    echo "No history found - recording current bad ip set"
    cp "$WORK_FILE" "$RECENT_FILE"
    awk -v NOW="$NOW" '$0=NOW ",Blocked ,"$0' "$RECENT_FILE" >> "$HISTORY_FILE"
fi
</source>
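A dry run of the extract-and-diff logic described above, as an added example that is not part of the original script: it applies the same grep/sed selection to constructed auth.log lines, rejects anything that is not a dotted-quad address before it could ever reach iptables, and uses comm to classify addresses as newly blocked or unblocked relative to a previous run's set. SAMPLE_AUTH, extract_bad_ips and diff_sets are constructed for this example and no iptables rules are touched.

```bash
#!/bin/bash
# Added example (not from the botstop page): dry run of the extract-and-diff
# logic over constructed log lines. Nothing here calls iptables.

# Constructed auth.log lines in the format botstop greps for.
SAMPLE_AUTH='Jul 28 15:20:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4022 ssh2
Jul 28 15:20:03 host sshd[1235]: Failed password for invalid user support from 198.51.100.7 port 4023 ssh2
Jul 28 15:20:05 host sshd[1236]: Accepted publickey for alice from 192.0.2.9 port 4024 ssh2
Jul 28 15:20:07 host sshd[1237]: Failed password for root from 203.0.113.5 port 4025 ssh2
Jul 28 15:20:09 host sshd[1238]: Failed password for invalid user admin from not-an-ip port 4026 ssh2'

# Same selection as the script's auth.log greps, then take the token after
# "from" and keep only dotted quads, so a line the pattern did not really
# match cannot turn into a bogus iptables -s argument. Duplicates collapse.
extract_bad_ips() {
    printf '%s\n' "$SAMPLE_AUTH" \
      | grep -E 'Failed password for (root|invalid user (support|admin)) from' \
      | sed 's/.*from \([^ ]*\).*$/\1/' \
      | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort -u
}

# Compare this run's set with the previous run's set the way botstop does
# with comm: only-in-new means just blocked, only-in-old means the address
# aged out of the two log files and is unblocked again.
# $1 = previous set, newline separated (empty string for a first run).
diff_sets() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$old"
    extract_bad_ips > "$new"
    comm -13 "$old" "$new" | awk '{print "Blocked," $0}'
    comm -23 "$old" "$new" | awk '{print "Unblocked," $0}'
    rm -f "$old" "$new"
}

# Previous run knew 203.0.113.5 (still bad) and 192.0.2.77 (no longer in the logs).
diff_sets '203.0.113.5
192.0.2.77'
```
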