Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
#!/usr/bin/perl # activeblock - daemon which blocks invalid IPs attempting access to t +he server # started by cron and uses locking of dbm to be unique # # Written by Stephen S. Flitman, MD, Programmer at Arms, Xenoscience I +nc. # Released under GPLv3. # # 1.0 012408 Initial work # 1.1 012608 Exclusion list # 1.2 013008 Use File::Tail and run as a daemon if -c; drops -t option # 1.3 082608 Exclusion list by IP, also works for class C address like + 192.168.0 # 1.4 120108 Exclusion list by host also # 1.5 052809 -a Allow switch and -l List blocked addresses ###################################################################### +########## use strict; use File::Tail; use GDBM_File; use Getopt::Std; use Socket; my %opts; my $logFile='/root/activeblock.log'; my $dbm='/root/activeblock.dbm'; my $cmdBlock = '/sbin/iptables -I INPUT -s %s -p tcp -m tcp --dport 0 +:999 -j DROP'; my $cmdDelete = '/sbin/iptables -D INPUT -s %s -p tcp -m tcp --dport 0 +:999 -j DROP'; my $cmdList = '/sbin/iptables -L INPUT -n'; my %exclude=('192.168.0.*'=>1); my $dbg=0; my $nAttempts=3; ###################################################################### +######### sub writelog { my $msg=join('',@_); open(FILE,'>>',$logFile) || die "Can't append to $logFile: $!"; print FILE scalar localtime,': ',$msg,"\n"; close FILE; } sub logerror { my $msg=join('',@_); writelog $msg; exit 1; } ###################################################################### +######### getopts('abcdhluz',\%opts); if ($opts{h} || length("$opts{a}$opts{b}$opts{l}$opts{c}")>1) { print <<EOT; Usage: activeblock [-abcdhluz] [logfile] [ip...] Peruse logfile for IPs to block using iptables. Additional IPs to exclude from blocking can also be supplied. -a Allow (unblock) listed IPs but may be blocked again later. -b Block listed IPs -c Called from cron to run as a daemon. -d Debug mode. -h This help display. -l List current blocked addresses. -u Update iptables for real (with -c). -z Zap database. EOT exit 1; } $dbg++ if $opts{d}; if ($opts{a}) { # allow/unblock my ($res,$nDeleted,$ip); for $ip (@ARGV) { $res=sprintf($cmdDelete,$ip); $res=qx/$res 2>&1/; if ($res) { print "Error on deleting $ip from INPUT chain: $res\n"; } else { ++$nDeleted; } } print $nDeleted ? "Allowed $nDeleted IPs\n" : "Those IPs were not +found\n"; exit; } if ($opts{b}) { # block my ($res,$ip); for $ip (@ARGV) { $res=sprintf($cmdBlock,$ip); $res=qx/$res 2>&1/; if ($res) { print "Error on blocking $ip: $res\n"; } else { print "Blocked $ip\n"; } } exit; } if ($opts{l}) { # list print qx/$cmdList/; exit; } my %ip; my ($logSecure,@ips)=@ARGV; map { $exclude{$_}++ } @ips; my $exclude=join('|',map { reify($_) } keys %exclude); writelog "exclude: $exclude" if $dbg; unless (tie %ip,'GDBM_File',$dbm,GDBM_WRCREAT,0666) { exit if $opts{c}; # I'm called by cron but another me is running a +lready die "Can't tie $dbm: $!"; } if ($opts{z}) { # zap ip table %ip=(); writelog "$dbm cleared"; } if ($opts{c}) { my $ref=tie *LOG,"File::Tail",(name=>$logSecure); $SIG{HUP}=sub { writelog 'daemon exiting'; untie %ip; exit; }; while (<LOG>) { process($_); } # never exits unless killed, use -HUP to make sure database is unti +ed properly } #else non-daemon behavior open(LOG,$logSecure) || die "Can't open $logSecure: $!"; while (<LOG>) { process($_); } close LOG; # done untie %ip; exit; sub reify { my $ip=shift; if ($ip=~/^\d+/) { $ip=~s/\*/\\d+/g; } else { my $packed_ip=gethostbyname($ip); $ip=inet_ntoa($packed_ip) if defined $packed_ip; } $ip=~s/([.])/\\$1/g; $ip; } sub process { my $line=shift; register_ip($2,$1) if $line=~/Invalid user (\w+) from (\d+\.\d+\.\d ++\.\d+)/; register_ip($2,$1) if $line=~/Failed password for (\w+) from (\d+\. +\d+\.\d+\.\d+)/; register_ip($1) if $line=~/reverse mapping.*\[(\d+\.\d+\.\d+\.\d ++)\] failed/; register_ip($1) if $line=~/Could not reverse map address (\d+\.\ +d+\.\d+\.\d+)/; register_ip($1) if $line=~/Address (\d+\.\d+\.\d+\.\d+).*POSSIBL +E BREAK/; register_ip($2,$1) if $line=~/Failed keyboard-interactive.pam for ( +\w+) from (\d+\.\d+\.\d+\.\d+)/; # more patterns here } sub register_ip { my ($ip,$user)=@_; print "register_ip($ip,$user)\n" if $dbg; if ($ip=~/^($exclude)$/o) { writelog "Ignore $ip"; return; } my ($res,$blk)=split(/,/,$ip{$ip}); ++$res; if ($blk ne 'BLK' && ($res>=$nAttempts || $user eq 'root')) { # + nAttempts failures, or trying to login as root writelog "Block $ip $user"; my $cmdline=sprintf($cmdBlock,$ip); my $result=$opts{u} ? `$cmdline 2>&1` : ''; if (length $result) { # error writelog "$cmdline: $result"; } else { $blk='BLK'; } } $ip{$ip}="$res,$blk"; }

In reply to activeblock by sflitman

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    [Corion]: marto: Oof - that means taking a day off or can you work from home?
    [marto]: Corion, I can do some non-technical things, but there's no way for me to connect to the clients network.
    [marto]: which is a shame, I had a really productive day yesterday
    [Corion]: marto: Meh, so it'll be a day of cleaning out email...
    [marto]: and hoped that I'd be able to continue the momentum :)
    [marto]: I can't even access client email, nor my employers since those idiots moved to citrix
    [marto]: it literally doesn't work. Also, via their citrix interface theres no way to open attachments, or upload an attachment for sending. The company policy is that you email you work account from a personal one, and forward it on from there :/

    How do I use this? | Other CB clients
    Other Users?
    Others pondering the Monastery: (4)
    As of 2018-01-16 08:51 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?
      How did you see in the new year?










      Results (175 votes). Check out past polls.

      Notices?