darinschmidt (Cadet, joined Aug 11, 2012, 9 messages)
Since I've been a huge fan of FreeNAS for, well, since forever, I felt like it was time to contribute what I can. Not sure if this is already out there, but this fit the bill with what I needed to block IPs at the router level. My setup is using a FreeNAS server with a TP-Link WDR3600 DD-WRT router. The goal is to create a list of IPs and send them to the router to add to iptables to block. DO NOT THINK that because you use this script that it is by any means an excuse for NOT using a strong password. I'd just rather not allow them on my network to attempt to do harm to any of my PCs once in violation.
This script scans the security log, or any log you specify, and compiles a list of "bad" IPs; it also has an allowed-IPs list that you specify to be excluded. So here is the code. I'm still working on the part of sending the blocked IPs to the router, as I'm having issues with SSH at the moment, but the script, as far as I have tested, appears to be flawless. It may not be the best written, so please make suggestions.
scp and the removal of the tmp files are currently commented out due to not being able to test SSH at the time I'm posting this, so if you work on this and test it to prove it works, make sure to uncomment them.
Code:
#!/usr/bin/env bash
# bash lives in /usr/local/bin on FreeBSD/FreeNAS, so resolve it through env
umask 022
# Darin Schmidt 2/5/2013 FreeBSD (FreeNAS 8.3.0 tested) v1.2
# BlockIP script
#
# This blocks all IPs that have failed to log in after 3 attempts or have
# attempted to use an invalid username.
#
# This script assumes that you have created a file called allowips at
# /var/run/; edit ALLOWIPS below if you prefer another location.
#
# Edit SECLOG below to point at your security log file.
#
# All files needed to function:
#   /tmp/tmpfile
#   /tmp/blocktheseIPs
#   /tmp/tmpfile2
#   /var/log/blockedIPs.log   (logs all the IPs that you have blocked)
#   /var/run/allowips         (one IP per line; these are never blocked)
#
# /tmp/blocktheseIPs is uploaded to your DD-WRT router via scp; the router
# then executes the command to add these IPs to iptables to ban them.
#
# The LOCALPREFIX check (first octet of the local IPs, 192 here) makes sure
# local addresses do not get banned for some odd reason. As a secondary
# countermeasure you can add the entire local range to the allow list along
# with other IPs you don't want banned.

SECLOG=/var/log/tmplog.log
ALLOWIPS=/var/run/allowips
BLOCKLOG=/var/log/blockedIPs.log
LOCALPREFIX=192

# start every run with fresh temp files
rm -f /tmp/tmpfile /tmp/blocktheseIPs /tmp/tmpfile2
touch /tmp/tmpfile /tmp/blocktheseIPs /tmp/tmpfile2

# make sure the block log and the allow list exist
[ -f "$BLOCKLOG" ] || touch "$BLOCKLOG"
[ -f "$ALLOWIPS" ] || touch "$ALLOWIPS"

# find all lines with IPs in the log that shouldn't have access
grep -w "Failed password" "$SECLOG" >> /tmp/tmpfile
grep -w "Invalid user" "$SECLOG" >> /tmp/tmpfile

# extract only the IPs and put them in a file (log order is kept, so the
# repeat counter below only sees consecutive hits from the same IP)
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /tmp/tmpfile >> /tmp/tmpfile2

# find all non-allowed IPs
ip2=""
b=0
while read -r ip; do
    # b counts consecutive repeats of the IP that was last written out
    # (arithmetic, not string concatenation, or the "== 2" test never fires)
    if [ "$ip" = "$ip2" ]; then
        b=$((b + 1))
    else
        b=0
    fi
    # t is 1 when the IP is on the allow list; it is recomputed for every IP
    if grep -qxF "$ip" "$ALLOWIPS"; then
        t=1
    else
        t=0
    fi
    # block an IP that is not allowed, or an allowed IP seen 3 times in a row
    if [ "$t" != 1 ] || [ "$b" = 2 ]; then
        safe=$(echo "$ip" | cut -d. -f1)
        if [ "$safe" != "$LOCALPREFIX" ]; then
            echo "$ip" >> /tmp/blocktheseIPs
            ip2=$ip
        fi
    fi
done < /tmp/tmpfile2

# drop duplicates so the router is not sent the same IP twice
sort -u -o /tmp/blocktheseIPs /tmp/blocktheseIPs

# copy IPs to a log file for future reference, copy the file to the router,
# and remove all temp files
cat /tmp/blocktheseIPs >> "$BLOCKLOG"
#scp /tmp/blocktheseIPs <user@routerIPorDOMAIN>:/tmp/.
#rm -f /tmp/tmpfile /tmp/blocktheseIPs /tmp/tmpfile2
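The post uploads /tmp/blocktheseIPs to the router but leaves the router-side half open. Below is an added example of that half, written for this reply; it is not the author's code and not something shipped with DD-WRT. It reads the uploaded list (one IP per line, as the script above produces), validates each line, refuses private and loopback ranges as a broader version of the script's first-octet "192" check, and adds each DROP rule only if it is not already present, so the same list can be re-uploaded from cron without stacking duplicate rules. Assumptions: the chain name BLOCKIP is my choice; `iptables -C` needs iptables 1.4.11 or newer, which older DD-WRT builds may not have; and the IPTABLES variable is there so the logic can be dry-run against a stub instead of a live firewall.

```sh
#!/bin/sh
# Router-side consumer for the uploaded block list (added example, not DD-WRT code).
# Usage on the router:  sh apply_blocklist.sh --apply /tmp/blocktheseIPs
set -u

IPTABLES="${IPTABLES:-iptables}"   # override with a stub for dry runs
CHAIN="${CHAIN:-BLOCKIP}"           # hypothetical chain name, chosen for this example

# is_blockable IP: accept only a dotted quad with octets 0-255, and refuse
# RFC1918, loopback and 0.0.0.0/8 so a bad list cannot lock out the LAN.
is_blockable() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    case "$ip" in
        10.*|192.168.*|127.*|0.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# ensure_chain: create the chain once and hook it at the top of INPUT and
# FORWARD so blocked hosts can reach neither the router nor the LAN.
ensure_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
    "$IPTABLES" -C FORWARD -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I FORWARD -j "$CHAIN"
}

# block_ip IP: returns 0 when a new DROP rule was added, 1 when the rule was
# already present (or iptables refused it), keeping repeated uploads idempotent.
block_ip() {
    if "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null; then
        return 1
    fi
    "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP
}

# apply_blocklist FILE: process every line of the uploaded list and print
# "<rules added> <lines skipped>" (skipped = blank-free invalid, private, or duplicate).
apply_blocklist() {
    ensure_chain
    applied=0
    skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -z "$ip" ] && continue
        if is_blockable "$ip" && block_ip "$ip"; then
            applied=$((applied + 1))
        else
            skipped=$((skipped + 1))
        fi
    done < "$1"
    echo "$applied $skipped"
}

if [ "${1:-}" = "--apply" ]; then
    apply_blocklist "${2:?usage: $0 --apply FILE}"
fi
```

On the router this would run from a cron entry or from the DD-WRT firewall startup script after each scp upload; the second run over an unchanged list reports zero new rules because `-C` finds every DROP already in place.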