Skrypt bash, który skanuje wybrane logi (sam je musisz zdefiniować) i pozwala banować adresy IP skanerów w oparciu o ipset.


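#!/bin/bash
#
# Scan the Apache access_log and error_log for requests answered with 403,
# collect the client IPv4 addresses that show up often enough, remember them
# in /root/access_403.txt and /root/error_403.txt, and add every address not
# seen before to the "blacklist" ipset - in the running kernel set (ipset)
# and in firewalld's permanent configuration - then reload firewalld.
#
# Requires: root, GNU grep/awk/sort/uniq, ipset, firewall-cmd, and an ipset
# named "blacklist" that already exists in both ipset and firewalld.
# Usage:    no arguments; intended to be run from cron.
#
# The original version wrote the candidate list to fixed /tmp/*.log files as
# root. Addresses are now kept in a bash array instead, so no predictable
# path under /tmp is created, followed or removed with root privileges.

set -uo pipefail

readonly ACCESS_LOG=/var/log/httpd/access_log
readonly ERROR_LOG=/var/log/httpd/error_log
readonly ACCESS_KNOWN=/root/access_403.txt
readonly ERROR_KNOWN=/root/error_403.txt
readonly IPSET_NAME=blacklist

# An access_log address is banned once it appears on this many 403 lines.
# NOTE(review): the original comment said "3 or more", but the code tested
# '$1>1', i.e. 2 or more; 2 is kept here to preserve the old behaviour.
readonly ACCESS_MIN_HITS=2
# For error_log a single 403 line is enough (original test '$1>0').
readonly ERROR_MIN_HITS=1

#######################################
# Print a diagnostic on stderr.
# Arguments: message words
#######################################
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

#######################################
# Print a diagnostic on stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  warn "$@"
  exit 1
}

#######################################
# Create the list of already-banned addresses if it does not exist yet.
# Arguments: $1 - path of the list
# Returns:   0, or exits when the file cannot be created
#######################################
ensure_file() {
  local path=$1
  [[ -f "$path" ]] || touch -- "$path" || die "cannot create $path"
}

#######################################
# List the IPv4 addresses that occur on at least $3 lines of log $1 that
# contain " 403 " (the spaces keep the match on the status column) and that
# are not yet listed, one per line, in file $4. The address is taken from
# whitespace-separated field $2 of each matching line.
# When $5 is non-zero, lines containing "bot" or "google" anywhere are
# skipped first, as the original access_log pipeline did. This is only a
# heuristic: it matches the whole line, so any request whose path or
# user agent merely contains one of those words is exempted as well.
# Arguments: $1 - log file
#            $2 - awk field number holding the client address
#            $3 - minimum number of 403 lines per address
#            $4 - file of already-known addresses (one per line)
#            $5 - 1 to skip lines mentioning bot/google, 0 to keep them
# Outputs:   new addresses on stdout, nothing when there are none
# Returns:   0; an unreadable log is reported on stderr and yields no output
#######################################
extract_new_ips() {
  local log=$1 field=$2 min_hits=$3 known=$4 skip_bots=$5

  if [[ ! -r "$log" ]]; then
    warn "cannot read $log"
    return 0
  fi

  # One awk pass replaces the original grep|grep|grep|awk|awk|sed chain:
  # it keeps only 403 lines, extracts the address and prints nothing for
  # lines without one (so no empty lines need removing afterwards).
  # The dots in the address pattern are escaped: an unescaped "." matches
  # any character, which let the original regex pick up non-address text.
  # 'sort' before 'uniq -c' is required for a real per-address count;
  # without it only adjacent repeats were counted.
  # The final grep exits 1 when every address is already known, which is
  # not an error here, hence the '|| true'.
  awk -v f="$field" -v skip="$skip_bots" '
      skip && (/bot/ || /google/) { next }
      !/ 403 / { next }
      match($f, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        print substr($f, RSTART, RLENGTH)
      }
    ' < "$log" \
    | LC_ALL=C sort \
    | uniq -c \
    | awk -v min="$min_hits" '$1 >= min { print $2 }' \
    | { grep -F -x -v -f "$known" || true; }
}

#######################################
# Record the given addresses in file $1 and add each of them to the ipset,
# both in the running kernel set and in firewalld's permanent configuration.
# As in the original script the addresses are recorded first, so an address
# whose ipset/firewall-cmd call fails is reported but not retried.
# Alternatives kept from the original, commented out there:
#   firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=FILE
#   iptables -A INPUT -s IP/32 -d 0/0 -j DROP
# Arguments: $1 - file of already-known addresses (appended to)
#            $2.. - addresses to ban
# Outputs:   failed ipset/firewall-cmd calls on stderr
# Returns:   0, or exits when $1 cannot be written
#######################################
ban_ips() {
  local known=$1
  shift
  local ip

  printf '%s\n' "$@" >> "$known" || die "cannot write $known"

  for ip in "$@"; do
    # -exist: re-adding an address that is already in the set is not an error
    /usr/sbin/ipset add "$IPSET_NAME" "$ip" -exist \
      || warn "ipset add $IPSET_NAME $ip failed"
    firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entry="$ip" \
      || warn "firewall-cmd --permanent --ipset=$IPSET_NAME --add-entry=$ip failed"
  done
}

#######################################
# Process both Apache logs and reload firewalld.
# Globals:   ACCESS_LOG, ERROR_LOG, ACCESS_KNOWN, ERROR_KNOWN,
#            ACCESS_MIN_HITS, ERROR_MIN_HITS (read)
# Returns:   the exit status of 'firewall-cmd --reload'
#######################################
main() {
  local -a new_ips=()

  ##### Apache access_log #####
  ensure_file "$ACCESS_KNOWN"
  # Field 1 of a common/combined-format access_log line is the client address.
  mapfile -t new_ips < <(
    extract_new_ips "$ACCESS_LOG" 1 "$ACCESS_MIN_HITS" "$ACCESS_KNOWN" 1
  )
  if (( ${#new_ips[@]} > 0 )); then
    ban_ips "$ACCESS_KNOWN" "${new_ips[@]}"
  fi

  ##### Apache error_log #####
  ensure_file "$ERROR_KNOWN"
  # Field 13 is where the original script took the client address from in
  # error_log lines; which field holds "[client a.b.c.d:port]" depends on the
  # local ErrorLogFormat - TODO(review): confirm against this server's log.
  mapfile -t new_ips < <(
    extract_new_ips "$ERROR_LOG" 13 "$ERROR_MIN_HITS" "$ERROR_KNOWN" 0
  )
  if (( ${#new_ips[@]} > 0 )); then
    ban_ips "$ERROR_KNOWN" "${new_ips[@]}"
  fi

  # Make the permanent firewalld entries active.
  firewall-cmd --reload
}

main "$@"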
