kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
Posted: Sun Oct 09, 2005 1:06 pm Post subject: Anti-abuse apache script. IP banner
Hi everybody,
One of the things that I hate most is when I check my apache logs and I find an IP that has been doing a massive attack on my apache server. On the one hand, he wastes my bandwidth, and on the other, if I let him make thousands and thousands of requests, it is more probable that he finds a bug, misconfiguration, etc.
So I created a little script that is executed every few minutes as a crontab job; it checks if there is a big number of requests in my error.log. If so, the script bans the IP.
I've tried to make the script waste minimal time when there are no changes in error_log (which is the most probable case). It also stops when it considers that it won't find any other fucking IP.
Take a look at it, and if you want, send me your modifications to make it faster or more elegant, because I'm not an expert programmer in bash.
Here it is:
Code:
#!/bin/bash
########################################
# Banner apache abusers v0.03          #
# Jaime Armendariz.                    #
# Free modification and redistribution #
########################################
####### MODIFY THIS #########
mylog="/var/log/apache2/error_log"
time_aux="/root/bin1/CRONS/time_aux"
file="/root/bin1/CRONS/apache_aux"
# If we don't use a white list, we must use this: white_list="0.0.0.0"
# every ip/network must be preceded by -e (the variable is expanded unquoted on purpose)
white_list="-e 81.203. -e 158.42.192. -e 127.0.0.1"
max_failures="200"
#############################
# If this is the first time the script runs, create the auxiliary file
if [ ! -e "$time_aux" ] ; then touch "$time_aux"; fi
# Check whether the log has changed since the last time we ran the script.
# If there are no changes, the script stops.
if [ "$time_aux" -ot "$mylog" ]
then
    # update the timestamp of our auxiliary file
    touch "$time_aux"
    # create a file with the number of times every ip has failed on our web-server
    # It will be something like this:
    #    4774 83.131.117.100
    #     446 83.26.203.178
    #     225 142.156.202.154
    #       4 87.202.105.131
    #       3 211.240.191.94
    #       2 82.42.1.4
    #       2 83.41.2.33
    aux=`grep -v notice "$mylog" | grep -v $white_list | tr -s ' ' | cut -f8 -d' ' | cut -f1 -d ']' | sort | uniq -c | sort -rn`
    echo "$aux" > "$file"
    # these 4 lines are used to read the file apache_aux line by line
    x=0
    lns=`wc -l "$file"`
    y=`expr "$lns" : '\([0-9]*\)'`
    date=`date`
    # read the file until the last line
    while [ "$x" -lt "$y" ]
    do
        # the next lines are executed for every line read:
        x=$((x+1))
        a=`head -n $x "$file" | tail -n 1`
        [ -z "$a" ] && continue   # skip an empty line (nothing counted)
        set -- $a
        # in arg $1 we have the number of failures
        # in arg $2 we have the ip that made those failures
        # If the number of failures is > $max_failures
        if [ "$1" -gt "$max_failures" ]
        then
            # if it is still not banned => ban it
            # (-F -w: match the address literally and as a whole word, so 1.2.3.4 does not match 1.2.3.45)
            cc=`grep -F -w -- "$2" /etc/hosts.deny`
            if [ -z "$cc" ]
            then
                echo "ALL: $2 #Apache abuse: $1 $date" >> /etc/hosts.deny
                /sbin/route add -host $2 reject
            fi
        else
            # the ip's are ordered from the highest number of attempts to the lowest,
            # so when we reach an ip that doesn't have > $max_failures we can
            # break and stop the program, because we won't find any
            # other ip to ban. So we save time and cpu
            break
        fi
    done
else
    # if the log has not been modified since the last run, only show "no modifications"
    echo "no modifications"
fi
exit 0
So if there is an attacker, I stop it in less than 2 minutes (I run it every 2 min), and the output in /etc/hosts.deny is:
Code:
ALL: 112.90.211.138
ALL: 15.87.236.183
ALL: 110.171.199.2
ALL: 13.38.217.150 #Apache abuse: 4774 dom oct 9 14:55:18 CEST 2005
Hope it is useful to some of you. Mail me with your modifications and comments.
Changelog
=============
Version 0.02:
- Corrected bug in cat $log. Added tr -s ' '.
Version 0.03:
- Added 127.0.0.1 to the white list
- Added route reject for attackers
_________________
Everything you wanted to know about Google at: www.noticiasgoogle.es
Last edited by kamikaze04 on Sat Nov 12, 2005 10:48 pm; edited 1 time in total
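One way to tighten the two matching steps the script above depends on (the white-list grep and the hosts.deny check), as an added example that is not kamikaze04's script: it takes the address from the `[client a.b.c.d]` field instead of a fixed column, anchors the white-list prefixes at the start of the address, and matches hosts.deny entries literally rather than as a regex substring. The log lines, the prefix list and the function names `count_abusers` and `is_denied` are constructed for this example.

```shell
#!/bin/bash
# Added example (not the poster's script): count error_log entries per client,
# skip white-listed prefixes with anchored matching, report clients over a threshold.
# Assumes the Apache 2.0 error_log format "[date] [error] [client a.b.c.d] message".

# Constructed sample error_log lines for offline testing.
SAMPLE_LOG='[Sun Oct 09 14:50:01 2005] [error] [client 83.131.117.100] File does not exist: /var/www/localhost/htdocs/awstats
[Sun Oct 09 14:50:02 2005] [error] [client 83.131.117.100] File does not exist: /var/www/localhost/htdocs/cgi-bin
[Sun Oct 09 14:50:03 2005] [error] [client 83.131.117.100] File does not exist: /var/www/localhost/htdocs/xmlrpc.php
[Sun Oct 09 14:50:04 2005] [notice] Apache/2.0.54 (Gentoo/Linux) configured -- resuming normal operations
[Sun Oct 09 14:50:05 2005] [error] [client 81.203.5.9] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sun Oct 09 14:50:06 2005] [error] [client 10.81.203.7] File does not exist: /var/www/localhost/htdocs/81.203.x
[Sun Oct 09 14:50:07 2005] [error] [client 83.26.203.178] File does not exist: /var/www/localhost/htdocs/robots.txt'

# White-listed prefixes (constructed). A prefix only excuses an address it
# starts with, so 10.81.203.7 is not excused by "81.203." and neither is a
# line that merely mentions 81.203. in the requested path.
WHITE_PREFIXES="81.203. 158.42.192. 127.0.0.1"

# count_abusers THRESHOLD  (log on stdin)
# Prints "count ip" for every non-white-listed client with more than
# THRESHOLD error lines, highest count first.
count_abusers() {
    local threshold="$1"
    # Take the address out of "[client a.b.c.d]" rather than a fixed
    # whitespace-separated field, so message text cannot shift the column.
    sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
    | awk -v wl="$WHITE_PREFIXES" -v max="$threshold" '
        BEGIN { n = split(wl, p, " ") }
        {
            for (i = 1; i <= n; i++)
                if (index($1, p[i]) == 1) next   # prefix anchored at offset 1
            c[$1]++
        }
        END { for (ip in c) if (c[ip] > max) print c[ip], ip }' \
    | sort -rn
}

# is_denied IP FILE: true if FILE already has an "ALL: IP" entry for exactly
# that address (dots are escaped, so 1.2.3.4 does not match 1.2.3.45).
is_denied() {
    local esc
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -qE "^ALL: ${esc}( |$)" "$2"
}

# Usage on a real system: count_abusers 200 < /var/log/apache2/error_log
```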
alinv Guru
Joined: 19 Nov 2002 Posts: 395 Location: Bucharest
Posted: Mon Oct 17, 2005 11:22 pm Post subject:
I'm not sure if fail2ban does not address the same problem.
_________________
Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.
S.B.
kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
Posted: Sat Nov 12, 2005 10:51 pm Post subject:
Thanks to all the people who helped to improve this script. Now version 0.03 is working.
I also recommend using mod_security together with this script.
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Sun Nov 13, 2005 12:18 pm Post subject:
An alternative for this could be mod_evasive http://www.nuclearelephant.com/projects/mod_evasive/
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
Posted: Sun Nov 13, 2005 2:27 pm Post subject:
Thanks, I didn't know this module (mod_evasive)... I'll give it a try tonight!!