Difference between revisions of "Bot Block"

(Script)
(Block By User Agent)
Line 15: Line 15:
 
Block those user agents
 
Block those user agents
 
<code>[bash,n]
 
<code>[bash,n]
 +
 
#!/bin/bash
 
#!/bin/bash
logperiod=`tail -1000 <FULL DOMLOG FILE>`
+
logperiod=`tail -1000 <DOMLOG WITH FULL PATH>`
 
logrotate=10000
 
logrotate=10000
 +
logdelete=100
 
useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)'
 
useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)'
 
useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)'
 
useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)'
Line 23: Line 25:
  
 
function plog {
 
function plog {
         echo "[ `date` ] $1" >> /var/log/rubotblock
+
         echo "[ `date` ] $1" >> /var/log/botblock
         if [ "`wc -l /var/log/rubotblock | awk '{print $1}'`" -gt "$logrotate" ]
+
         if [ "`wc -l /var/log/botblock | awk '{print $1}'`" -gt "$logrotate" ]
 
         then
 
         then
                 sed -i -e "1d" /var/log/rubotblock
+
                 sed -i -e "`echo $logdelete`d" /var/log/botblock
 
         fi
 
         fi
 
         return
 
         return
Line 32: Line 34:
  
 
function botblock {
 
function botblock {
agentlen=${#useragents[@]}
+
        touch /var/run/.botblock
 +
        echo $$ > /var/run/.botblock
 +
 
 +
 
  
for (( u=0; u<${agentlen}; u++));
+
        agentlen=${#useragents[@]}
do
 
for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort)
 
do
 
        plog "Attempting to block $i ${useragents[$u]}"
 
        plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`"
 
done
 
done
 
  
 +
        for (( u=0; u<${agentlen}; u++));
 +
        do
 +
                for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort)
 +
                do
 +
                        plog "Attempting to block $i ${useragents[$u]}"
 +
                        plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`"
 +
                done
 +
        done
 +
        rm -f /var/run/.botblock
 
}
 
}
  
if [ ! -e "/var/run/.rubotblock" ]  
+
if [ ! -e "/var/run/.botblock" ]
 
then
 
then
 
         botblock
 
         botblock
else  
+
else
         plog "Lock file found, may be already running"
+
         plog "Lock file found, script may be already running"
         opid=`cat /var/run/.rubotblock`
+
         opid=`cat /var/run/.botblock`
 
         if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ]
 
         if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ]
 
         then
 
         then
                 plog "PID not active or not owned by script, removing lock file"
+
                 plog "PID not active or not owned by script, clearing pid file"
                 rm -f /var/run/.rubotblock
+
                 rm -f /var/run/.botblock
 
                 botblock
 
                 botblock
 
         else
 
         else
                 plog "Script already running, pid is not stale"
+
                 plog "Script already running, PID active"
 
         fi
 
         fi
 
fi
 
fi
 +
  
 
</code>
 
</code>
  
 
==What to change==
 
==What to change==
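Review bot: The changed sed line in the plog hunk builds the script from `echo $logdelete` followed by `d`, i.e. `100d`, which deletes only the single line numbered 100 rather than the oldest 100 lines; the earlier revision's `1d` dropped the oldest line, and the generalised form of that is `sed -i -e "1,${logdelete}d" /var/log/botblock`. The backticked `echo` is unnecessary there, since `${logdelete}` expands directly inside the double quotes. In the botblock hunk the re-indented loop keeps `grep "${useragents[$u]}"`, which treats the user-agent string as a regular expression (`.` and `(` are metacharacters), so `grep -F -- "${useragents[$u]}"` is needed to match it literally, and `for ua in "${useragents[@]}"` would remove the agentlen counter entirely. The stale-PID check in the last hunk is unchanged context, but `grep $opid` also matches any other PID containing those digits and matches every line when the lock file is empty, so a stale lock with an empty file is never cleared.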

Revision as of 15:32, 7 July 2011

Overview

Script

Get Top User Agents

Get a list of the most frequent user agents (a botnet typically uses only a few user agents, each with a very large number of hits) [bash,n] tail -1000 <DOMLOGFILE> | cut -d '"' -f6 | sort | uniq -c | sort -n or [bash,n] cat <DOMLOGFILE> | cut -d '"' -f6 | sort | uniq -c | sort -n

Block By User Agent

Block those user agents [bash,n]

#!/bin/bash

logperiod=`tail -1000 <DOMLOG WITH FULL PATH>` logrotate=10000 logdelete=100 useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)' useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)' useragents[2]='Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1'

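#######################################
# Append a timestamped message to the botblock log and trim the log once it
# grows past $logrotate lines.
# Globals:   logrotate (read)    - line count above which the log is trimmed
#            logdelete (read)    - number of oldest lines dropped per trim
#            BOTBLOCK_LOG (read) - optional log path; default /var/log/botblock
# Arguments: $1 - message to log
# Outputs:   appends one line to the log file; nothing on stdout
# Returns:   0
#######################################
function plog {
  local logfile=${BOTBLOCK_LOG:-/var/log/botblock}
  local lines
  printf '[ %s ] %s\n' "$(date)" "$1" >> "$logfile"
  lines=$(wc -l < "$logfile")
  if [ "$lines" -gt "$logrotate" ]; then
    # 1,Nd drops the OLDEST $logdelete lines; the bare "Nd" used before
    # removed only the single line numbered $logdelete.
    sed -i -e "1,${logdelete}d" "$logfile"
  fi
  return 0
}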

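#######################################
# Scan the captured log window for requests carrying each blocked user agent
# and hand every distinct source address to apf for blocking.
# Globals:   useragents (read) - user-agent strings to block
#            logperiod  (read) - captured log lines to scan
# Outputs:   writes this script's PID to /var/run/.botblock while running and
#            removes the file when done; progress is reported through plog
# Returns:   0
#######################################
function botblock {
  local ua ip
  # One write instead of touch + echo; the file only ever holds our PID.
  echo "$$" > /var/run/.botblock

  for ua in "${useragents[@]}"; do
    # grep -F matches the user-agent string literally ('.' and '(' in the
    # strings would otherwise act as regex metacharacters); sort -u replaces
    # the old sort | uniq | sort chain; reading line by line avoids the
    # unquoted word-splitting of the old for loop.
    while IFS= read -r ip; do
      [ -n "$ip" ] || continue
      # NOTE(review): ip is whatever the log's first field holds and is passed
      # to apf verbatim; if that field can be anything other than a bare
      # address in this deployment, validate it here first.
      plog "Attempting to block $ip $ua"
      plog "$(/usr/local/sbin/apf -d "$ip" "RU Botnet IP ($ua)" 2>&1)"
    done < <(grep 'GET /' <<<"$logperiod" | grep -F -- "$ua" | cut -d ' ' -f1 | sort -u)
  done
  rm -f /var/run/.botblock
}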

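# Entry point: run botblock unless another instance appears to be running.
# /var/run/.botblock holds the PID of a running instance; a PID that is not
# alive, not numeric, or not running this script is treated as stale.
if [ ! -e "/var/run/.botblock" ]; then
  botblock
else
  plog "Lock file found, script may be already running"
  opid=$(cat /var/run/.botblock)
  # Check that exact process instead of `ps ax | grep $opid`, which also
  # matches other PIDs containing the same digits and matches every line
  # when the lock file is empty (so a stale lock would never be cleared).
  if [[ "$opid" =~ ^[0-9]+$ ]] \
    && ps -p "$opid" -o args= | grep -q -F -- "${0##*/}"; then
    plog "Script already running, PID active"
  else
    plog "PID not active or not owned by script, clearing pid file"
    rm -f /var/run/.botblock
    botblock
  fi
fi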


What to change