Difference between revisions of "Botstop.sh"

From DarkWiki

Revision as of 16:06, 27 July 2017

This is an aggressive little defender that aims to reduce the impact of botnets on a host. It scans the mail, SSH and Apache logs (the current file and the most recently rotated one) for the IP addresses of hosts that are behaving badly: failed mail logins, SSH password guessing against root and the "support" account, and probes for the JBoss jmx-console. Those addresses are then blocked with iptables, alongside an SSH connection-rate limit and a handful of hard-coded network ranges. The block list is rebuilt from the logs on every run, so an address is released again once it has rotated out of both log files.

Installation

  • Copy the script below to /root/bin/botstop.sh and make it executable. It must run as root, since it rewrites the firewall rules.
  • Add an entry to root's crontab that runs the script every few minutes; each run re-reads the logs from scratch.

Output

Blocks and unblocks are appended to /var/log/botstop.log, one line per address, in the form date,Blocked  ,address or date,Unblocked,address. An address is unblocked when it no longer appears in the logs and so drops out of the rebuilt rule set. On the very first run there is no previous set to compare against, so every address found is logged as blocked.

Script

#!/bin/bash
# botstop.sh - block hosts that the local logs show to be misbehaving.
# Intended to run from root's crontab every few minutes; each run rebuilds
# the block list from scratch, so addresses that have aged out of the logs
# are released again.

export LC_ALL=C                          # sort and comm must agree on collation

RECENT_FILE=/root/bin/.botstop.recent    # addresses blocked by the previous run
WORK_FILE=/root/bin/.botstop.work        # addresses found by this run
HISTORY_FILE=/var/log/botstop.log
NOW=$(date)
IPT=/sbin/iptables
CHAIN=BOTSTOP                            # own chain: other INPUT rules are left alone
TARGET=DROP                              # set to LOGDROP to also syslog each dropped packet

# Only a complete IPv4 dotted quad is allowed through to iptables. Log lines are
# attacker-influenced text, so anything the parsers below fail to reduce to an
# address is discarded here instead of being passed on as an argument.
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

function scanForBadBehaviour() {
        # grep -h: no "file:" prefix, so the patterns see the bare log line.
        # Mail: failed LOGIN with the client address in [brackets].
        grep -h LOGIN /var/log/mail.log /var/log/mail.log.1 | grep failed \
                | sed -E 's/.*\[([0-9.]+)\].*/\1/'
        # SSH: password brute force against root and the "support" account.
        # sshd logs "... from <addr> port <n> ssh2"; IPv6 clients are dropped by IPV4_RE.
        grep -h "Failed password for root" /var/log/auth.log /var/log/auth.log.1 \
                | sed -E 's/.*from ([^ ]+) port.*/\1/'
        grep -h "Failed password for invalid user support" /var/log/auth.log /var/log/auth.log.1 \
                | sed -E 's/.*from ([^ ]+) port.*/\1/'
        # Apache: JBoss jmx-console scans. Take the client address from the first
        # field only; the request line and User-Agent are chosen by the client and
        # must not be allowed to decide which address gets blocked.
        grep -h "jmx-console" /var/log/apache2/*.log /var/log/apache2/*.log.1 \
                | awk '{print $1}'
}

function blockBaddies() {
        # LOGDROP: log to syslog, then drop. Created once, emptied and refilled each run.
        $IPT -N LOGDROP 2>/dev/null
        $IPT -F LOGDROP
        $IPT -A LOGDROP -j LOG --log-prefix "botstop: "
        $IPT -A LOGDROP -j DROP

        # Rebuild only our own chain; a bare "iptables -F" would also wipe every
        # other INPUT rule on the host. Hook the chain into INPUT if it is not there yet.
        $IPT -N $CHAIN 2>/dev/null
        $IPT -F $CHAIN
        $IPT -C INPUT -j $CHAIN 2>/dev/null || $IPT -I INPUT -j $CHAIN

        # SSH rate limit: the 4th new connection within 60 s from one source is dropped.
        $IPT -A $CHAIN -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
        $IPT -A $CHAIN -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j $TARGET

        # Static blocks for ranges that have been persistently abusive.
        for NET in 58.218.0.0/16 91.200.12.0/24 91.200.13.0/24 140.115.110.0/24 \
                   168.215.58.40 45.76.0.0/16 116.31.116.0/24 222.59.162.0/24 \
                   221.194.47.0/24 46.148.27.0/24; do
                $IPT -A $CHAIN -s $NET -j $TARGET
        done

        # Addresses harvested from the logs on this run.
        while read -r IP; do
                $IPT -A $CHAIN -s "$IP/32" -j $TARGET
        done < "$WORK_FILE"
}

scanForBadBehaviour | grep -E "$IPV4_RE" | sort -u > "$WORK_FILE"

blockBaddies

# Diff this run against the last one. comm needs sorted input, which sort -u
# above guarantees: -13 lists addresses only in WORK_FILE (newly blocked),
# -23 those only in RECENT_FILE (no longer seen, hence unblocked).
if [ -e "$RECENT_FILE" ]; then
        comm -13 "$RECENT_FILE" "$WORK_FILE" | awk -v NOW="$NOW" '$0=NOW ",Blocked  ,"$0' >> "$HISTORY_FILE"
        comm -23 "$RECENT_FILE" "$WORK_FILE" | awk -v NOW="$NOW" '$0=NOW ",Unblocked,"$0' >> "$HISTORY_FILE"
else
        echo "No history found - recording current bad ip set"
        awk -v NOW="$NOW" '$0=NOW ",Blocked  ,"$0' "$WORK_FILE" >> "$HISTORY_FILE"
fi
cp "$WORK_FILE" "$RECENT_FILE"
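The following is an added example, not part of botstop.sh or of this wiki, that exercises the log-scanning half of the script offline: the auth.log and Apache lines are constructed for the demo (203.0.113.x are the attackers, 198.51.100.7 is the admin), nothing calls iptables, and block_commands only prints the rules it would apply to an assumed BOTSTOP chain. It contrasts a greedy `s/.* \(a.b.c.d\) .*$/\1/` pattern, the shape the original Apache scan used, with extraction anchored to the client-address field plus a validation step, and shows what each hands to the block loop.

```bash
#!/bin/bash
# Added example (not part of botstop.sh): run the log-scanning logic offline
# against constructed log lines and show why extracted addresses must be
# anchored to the right log field and validated before they reach iptables.
# Nothing here calls iptables; block_commands only prints what would be run.
export LC_ALL=C

# Constructed auth.log lines: root brute force from IPv4 and IPv6 clients, a
# "support" guess, and one successful login that must not be picked up.
AUTH_LOG='Jul 27 16:01:02 host sshd[1201]: Failed password for root from 203.0.113.10 port 4455 ssh2
Jul 27 16:01:05 host sshd[1202]: Failed password for root from 2001:db8::5 port 4456 ssh2
Jul 27 16:01:09 host sshd[1203]: Failed password for invalid user support from 203.0.113.11 port 4457 ssh2
Jul 27 16:01:12 host sshd[1204]: Accepted password for alice from 198.51.100.7 port 5000 ssh2'

# Constructed Apache access log: two jmx-console probes, the second of which
# plants the admin's address (198.51.100.7) in the URL and the User-Agent, and
# one legitimate request from that admin.
ACCESS_LOG='203.0.113.20 - - [27/Jul/2017:16:02:00 +0000] "GET /jmx-console/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.21 - - [27/Jul/2017:16:02:30 +0000] "GET /jmx-console/?x= 198.51.100.7 HTTP/1.1" 404 209 "-" " 198.51.100.7 "
198.51.100.7 - - [27/Jul/2017:16:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Greedy "last dotted quad on the line" extraction, the shape the original
# Apache scan used: .* backtracks as far as it can, so the result is whatever
# the client put in the request or User-Agent; lines with no such token pass
# through unchanged.
naive_apache_ips() {
    grep "jmx-console" | sed 's/.* \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\) .*$/\1/'
}

# Anchored extraction: the client address is always field 1 of an access log line.
apache_ips() {
    grep "jmx-console" | awk '{print $1}'
}

# sshd: the address sits between "from " and " port"; take it as an opaque
# token and let validate() decide whether it is usable.
ssh_ips() {
    grep -E 'Failed password for (root|invalid user support) from' \
        | sed -E 's/.*from ([^ ]+) port.*/\1/'
}

# Keep only complete IPv4 dotted quads with every octet in range. Anything else
# (IPv6, a whole unparsed log line, an empty string) is dropped before it can
# become an iptables argument.
validate() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# What the greedy pattern hands to the block loop.
naive_bad_ips() {
    printf '%s\n' "$ACCESS_LOG" | naive_apache_ips
}

# The hardened pipeline over both constructed logs: validated, sorted, unique.
bad_ips_from_samples() {
    {
        printf '%s\n' "$AUTH_LOG" | ssh_ips
        printf '%s\n' "$ACCESS_LOG" | apache_ips
    } | validate | sort -u
}

# Dry run: print the rules instead of applying them (chain name BOTSTOP is assumed).
block_commands() {
    while read -r ip; do
        echo "iptables -A BOTSTOP -s $ip/32 -j DROP"
    done
}

echo "== greedy extraction (the client decides what gets blocked) =="
naive_bad_ips
echo "== anchored + validated =="
bad_ips_from_samples | block_commands
```

Run as-is and compare the two sections: the greedy pattern emits the admin's 198.51.100.7 for the second probe and the entire first log line for the first, while the anchored pipeline yields only the four attacker addresses. Note that validation alone would not have saved the admin, since 198.51.100.7 is a perfectly valid address; it is the anchoring to field 1 that keeps the choice of blocked address out of the client's hands, and validation then catches everything that is not an address at all.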