[ale] automating IP blocking on the firewall

James P. Kinney III jkinney at localnetsolutions.com
Sat Jun 29 09:27:14 EDT 2002 

I wrote just the thing during the nimba worm heyday.

GPL'ed of course! Directions are in the header.

On Fri, 2002-06-28 at 23:16, Keith Hopkins wrote:
>   I'm still constantly getting hit on my web server (apache/linux) by the nimda viri.  I'd like to have my web server go over it's error logs occationally, and send a list of IP address to the firewall (iptables/linux).  Then I'd like to have the firewall block those IP on the incoming interface for N days.
> 
>   Has anyone done anything like this, or know of a package that would make this easier to do?  Or, if I end up writing this myself, any suggestions on helpful perl routines?
> 
> -- 
> Lost in Tokyo,
>   Keith
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 




#!/usr/bin/perl
# This is for extracting the Micro$oft boxes that have been compromised
# and blocking their access to the webserver for several weeks

######################################
#  Copyright Notice
#
#  This program, web-block.pl is 
#  Copyright 2001 
#  Local Net Solutions, LLC
#  4003 Allenwood Way
#  Tucker GA  30084
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#  The full text of the license can be found online at http://www.gnu.org/licenses/gpl.txt
######################################

######################################
#  Instructions for use
#
#  This program should be copied into a convenient location
#  such as /usr/local/sbin and the owner is root and the mode is 500.
#  As this sript will access an iptables firewall, it must have root priveledges.
#  Create a file /etc/hosts.web.deny. e.g. touch /etc/hosts.web.deny as root.
#  It can also be set to run on a cron job. e.g.
#  */20 * * * * /usr/local/sbin/web-block.pl
#  this will run every 20 minutes. It will only check the the most recent error_log
#
#  If it is run as <path>/web-block.pl all , it will check all the error_logs, 
#  even the older, saved ones, up to error_log.4. This is for allowing aged IP's
#  to no longer be blocked.
#  It is a good idea to add this to the webserver log rotation process. On a RedHat 7.1
#  machine, edit /etc/logrotate.d/apache to look like:
#  /var/log/httpd/error_log {
#    missingok
#    postrotate
#        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
#        /root/web-block.pl all
#    endscript
#  }
#  Now it is pretty automatic. 
#
#  To Do:
#  add a web-block.pl off argument flag
#  add an external file for exploit strings to search for.
#  be nicer on the firewall and only block the port 80 from the machines.
#  add an automailer to send complaints to the network mangers the offenders are on (yeah, right!).
#
######################################

use strict;

# the file with the data is 
my $log = "/var/log/httpd/error_log";

# old log files add a .i i=1..4

# the place to store the output IP's to block
my $dropfile = "/etc/hosts.web.deny";

# strings to search for in the log file
my @strings = ("winnt", "cmd.exe", "root.exe");

# create a hash of the already blocked IP's

my ($key, %dropped, %filed, %block_these, %blocked, $in, @IN, $logfile, $j);

# Accept args to search all log files
my $log_depth = "0";
my $all = $ARGV[0];
#print "arg = $all\n";
if ($all =~ m/all/){$log_depth = "4"}

%filed = get_filed_hosts();

%block_these = get_hosts_to_block();

%dropped = iptables_firewall_check();

if ($log_depth == 4){
	foreach $key (keys %filed){ # removes old IP's from blacklist
		if ($block_these{$key} !~ "drop"){delete $filed{$key}}
	}
	write_drop_file();
}
else{ # Should handle a restart OK
	foreach $key (keys %filed){ # add all filed IP for blocking.
		if ($block_these{$key} !~ "drop"){$block_these{$key} = "drop"}
	}
	write_drop_file();
}

foreach $key (keys %dropped){
        delete $block_these{$key} #no duplicate filter rules
}

# Do the deed
foreach $key (keys %block_these){
	if ($key =~ m/\d+\.\d+\.\d+\.\d+/){
		`/sbin/iptables -I INPUT -s $key -j DROP`;
	}
}

#################################
##   Subroutines
#################################

sub get_filed_hosts{
	# create a hash of the already blocked IP's
	open (IN, "<$dropfile") || die "Failed to open $dropfile for read\n";
	@IN = <IN>;
	close IN;
	chomp(@IN);
	foreach $in (@IN) {
 	       $filed{$in}="filed";
	}
}

sub write_drop_file{
        my $key;
        open (OUT, ">$dropfile") || die "failed to open $dropfile for write\n";
        foreach $key ( keys %blocked ){
                if ($key =~ m/\d+\.\d+\.\d+\.\d+/){
                        print OUT "$key\n";
                }
        }
        close OUT;
}

sub get_hosts_to_block { # generate list of IP's to block from httpd log files
	# open logfile and stuff into an array for string searching
	my (@temp, $match, $i, %block_these);
	for ($j=0; $j<=$log_depth; $j++){
        	if ($j == 0){$logfile=$log}
        	else {$logfile = $log.".$j"}
		if ( -r $logfile){
			open (IN, "<$logfile") || die "failed to open $logfile for read\n";
			@IN=<IN>;
			chomp(@IN);
			close IN;
		}
		for ($i=0;$i<=$#strings;$i++){
			$match .= $strings[$i];
			if ($i != $#strings) {$match .= "|"}
		}	
		foreach $in (@IN){
			if ($in =~ m/$match/){
				@temp = split( /\s/, $in);
				# $temp[8] has ip address pluss and extra "]" on the end.
				chop($temp['8']);
				$block_these{$temp['8']} = "drop";
			}
		}
	}
	return %block_these;
} #end sub host_block		

sub iptables_firewall_check { #get list of IP's currently blocked
	my (@rules, %temp, @dropped, $IP);
	@rules = `/sbin/iptables -L INPUT -n | grep DROP | grep -v INPUT`;
	chomp(@rules);
	my (@temp);
	foreach my $rule (@rules){
		#print "$rule\n";
		@temp = split (/\s+/, $rule);
		#print "IP=$temp[3]\n";
		if ($temp[3] =~ m/\d+\.\d+\.\d+\.\d+/){
			push (@dropped, $temp[3]);
		}
	}
	foreach $IP (@dropped){
		#print "dropped IP -> $IP\n";
		$temp{$IP} = "FW";
	}
	return %temp;
}

 This is a digitally signed message part

More information about the Ale mailing list