Difference between revisions of "Bot Block"

Revision as of 21:00, 6 July 2011

Overview

Script

Get a list of top user agents (bot nets will only have a few and there will be tons of hits) [bash,n] tail <DOMLOGFILE> | cut -d '"' -f6 | sort | uniq -c | sort -n

Block those user agents [bash,n]


!/bin/bash
logperiod=`tail -1000 <FULL DOMLOG FILE>`
logrotate=10000
useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)'
useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)'
useragents[2]='Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1'
function plog {

       echo "[ `date` ] $1" >> /var/log/rubotblock
       if [ "`wc -l /var/log/rubotblock | awk '{print $1}'`" -gt "$logrotate" ]
       then
               sed -i -e "1d" /var/log/rubotblock
       fi
       return

}
function botblock {
agentlen=${#useragents[@]}
for (( u=0; u<${agentlen}; u++));
do
	for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort)
	do
	        plog "Attempting to block $i ${useragents[$u]}"
	        plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`"
	done
done
}
if [ ! -e "/var/run/.rubotblock" ] 
then

       botblock

else    

       plog "Lock file found, may be already running"
       opid=`cat /var/run/.rubotblock`
       if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ]
       then
               plog "PID not active or not owned by script, removing lock file"
               rm -f /var/run/.rubotblock
               botblock
       else
               plog "Script already running, pid is not stale"
       fi

fi

Difference between revisions of "Bot Block"

Revision as of 21:00, 6 July 2011

Overview

Script

What to change

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools