Difference between revisions of "Bot Block"
(→Block By Agent Length) |
(→Block By User Agent) |
||
| Line 47: | Line 47: | ||
do | do | ||
plog "Attempting to block $i ${useragents[$u]}" | plog "Attempting to block $i ${useragents[$u]}" | ||
| − | plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`" | + | plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`" ########APF FIREWALL |
| + | #plog "`/usr/sbin/csf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`" ########CSF FIREWALL | ||
done | done | ||
done | done | ||
| Line 108: | Line 109: | ||
tail -$loglines $2 | cut -d '"' -f6 | sort | uniq -c | sort -n | tail -$loglines $2 | cut -d '"' -f6 | sort | uniq -c | sort -n | ||
elif [ -e "/usr/local/apache/domlogs/$2" ] | elif [ -e "/usr/local/apache/domlogs/$2" ] | ||
| + | then | ||
tail -$loglines /usr/local/apache/domlogs/$2 | cut -d '"' -f6 | sort | uniq -c | sort -n | tail -$loglines /usr/local/apache/domlogs/$2 | cut -d '"' -f6 | sort | uniq -c | sort -n | ||
else | else | ||
| Line 138: | Line 140: | ||
scanlog | scanlog | ||
;; | ;; | ||
| − | --blockcount | + | --blockcount) |
blockcount | blockcount | ||
| + | ;; | ||
--help) | --help) | ||
echo "Check for bots based on user agent and block in firewall:" | echo "Check for bots based on user agent and block in firewall:" | ||
Revision as of 13:54, 27 August 2011
Contents
Overview
Script
Get Top User Agents
Get a list of top user agents (bot nets will only have a few and there will be tons of hits)
[bash,n]
tail -1000 <DOMLOGFILE> | cut -d '"' -f6 | sort | uniq -c | sort -n
or
[bash,n]
cat <DOMLOGFILE> | cut -d '"' -f6 | sort | uniq -c | sort -n
Block By User Agent
Block those user agents
[bash,n]
- !/bin/bash
loglines=1000 logperiod=`tail -$loglines <DOMLOG WITH FULL PATH>` logrotate=10000 logdelete=100 useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)' useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)' useragents[2]='Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1'
function plog {
echo "[ `date` ] $1" >> /var/log/botblock
if [ "`wc -l /var/log/botblock | awk '{print $1}'`" -gt "$logrotate" ]
then
sed -i -e "`echo $logdelete`d" /var/log/botblock
fi
return
}
function botblock {
touch /var/run/.botblock
echo $$ > /var/run/.botblock
agentlen=${#useragents[@]}
for (( u=0; u<${agentlen}; u++));
do
for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort)
do
plog "Attempting to block $i ${useragents[$u]}"
plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`" ########APF FIREWALL
#plog "`/usr/sbin/csf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`" ########CSF FIREWALL
done
done
rm -f /var/run/.botblock
}
function checkbots {
if [ ! -e "/var/run/.botblock" ]
then
botblock
else
plog "Lock file found, script may be already running"
opid=`cat /var/run/.botblock`
if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ]
then
plog "PID not active or not owned by script, clearing pid file"
rm -f /var/run/.botblock
botblock
else
plog "Script already running, PID active"
fi
fi
}
function enablecron { if [ -e "/etc/cron.d/botblock.sh" ] then echo "Cron already enabled, use change to set new time" else echo "What time would you like to set the cron to" echo "[IE: * * * * * ]" read crontime; if [ ! $crontime ] then crontime="* * * * *" fi echo "SHELL=/bin/bash" > /etc/cron.d/botblock.sh echo "$crontime root $(readlink -f $0)" >> /etc/cron.d/botblock.sh chmod 0644 /etc/cron.d/botblock.sh echo "Cron enabled [$crontime root $(readlink -f $0)]" return fi return }
function disablecron { if [ -e "/etc/cron.d/botblock.sh" ] then rm -f /etc/cron.d/botblock.sh echo "Cron disabled" else echo "Cron not enabled" fi
return
}
function scanlog {
if [ -e "$2" ]
then
tail -$loglines $2 | cut -d '"' -f6 | sort | uniq -c | sort -n
elif [ -e "/usr/local/apache/domlogs/$2" ]
then
tail -$loglines /usr/local/apache/domlogs/$2 | cut -d '"' -f6 | sort | uniq -c | sort -n
else
echo "$2 - Log file not found"
fi
return }
function blockcount {
grep Botnet /etc/apf/deny_hosts.rules | cut -d "(" -f2-3 | sort | uniq -c | sort -n
return }
case $1 in
--cron)
case $2 in
on) enablecron ;; off) disablecron ;; change) disablecron enablecron ;; esac
;;
--scanlog)
scanlog
;;
--blockcount)
blockcount
;;
--help)
echo "Check for bots based on user agent and block in firewall:"
echo " --cron [on, change, off]" echo " on: Turns on cron job and asks for time" echo " change: Changes the cron time" echo " off: Turns off the cron job"
echo ""
echo " --scanlog [domlog to scan]"
echo " Scan a log file and return user agents"
echo " --blockcount"
echo " Return number of current blocks per user agent"
;;
*)
checkbots
;;
esac
Block By Agent Length
[bash,n]
- !/bin/bash
loglines=1000 logperiod=`tail -$loglines /usr/local/apache/domlogs/abzocke.derblog.net` logrotate=10000 logdelete=100
- useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)'
- useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)'
- useragents[2]='Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1'
function plog {
echo "[ `date` ] $1" >> /var/log/botblock
if [ "`wc -l /var/log/botblock | awk '{print $1}'`" -gt "$logrotate" ]
then
sed -i -e "`echo $logdelete`d" /var/log/botblock
fi
return
}
function botblock {
touch /var/run/.botblock
echo $$ > /var/run/.botblock
agentlen=${#useragents[@]}
- for (( u=0; u<${agentlen}; u++));
- do
- for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort)
- do
- plog "Attempting to block $i ${useragents[$u]}"
- plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`"
- done
- done
for i in $(echo "$logperiod" | grep "GET / HTTP/1.1" | grep -E '"[a-zA-Z0-9]{10}"$' | awk '{ print $1 }') do plog "Attempting to block $i" plog "`/usr/sbin/csf -d $i Botnet 2>&1`" done
rm -f /var/run/.botblock
}
function checkbots {
if [ ! -e "/var/run/.botblock" ]
then
botblock
else
plog "Lock file found, script may be already running"
opid=`cat /var/run/.botblock`
if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ]
then
plog "PID not active or not owned by script, clearing pid file"
rm -f /var/run/.botblock
botblock
else
plog "Script already running, PID active"
fi
fi
}
function enablecron { if [ -e "/etc/cron.d/botblock.sh" ] then echo "Cron already enabled, use change to set new time" else echo "What time would you like to set the cron to" echo "[IE: * * * * * ]" read crontime; if [ ! $crontime ] then crontime="* * * * *" fi echo "SHELL=/bin/bash" > /etc/cron.d/botblock.sh echo "$crontime root $(readlink -f $0)" >> /etc/cron.d/botblock.sh chmod 0644 /etc/cron.d/botblock.sh echo "Cron enabled [$crontime root $(readlink -f $0)]" return fi return }
function disablecron { if [ -e "/etc/cron.d/botblock.sh" ] then rm -f /etc/cron.d/botblock.sh echo "Cron disabled" else echo "Cron not enabled" fi
return
}
function scanlog {
if [ -e "$2" ]
then
tail -$loglines $2 | cut -d '"' -f6 | sort | uniq -c | sort -n
elif [ -e "/usr/local/apache/domlogs/$2" ]
then
tail -$loglines /usr/local/apache/domlogs/$2 | cut -d '"' -f6 | sort | uniq -c | sort -n
else
echo "$2 - Log file not found"
fi
return }
function blockcount {
grep Botnet /etc/apf/deny_hosts.rules | cut -d "(" -f2-3 | sort | uniq -c | sort -n
return }
case $1 in
--cron)
case $2 in
on) enablecron ;; off) disablecron ;; change) disablecron enablecron ;; esac
;;
--scanlog)
scanlog
;;
--blockcount)
blockcount
;;
--help)
echo "Check for bots based on user agent and block in firewall:"
echo " --cron [on, change, off]" echo " on: Turns on cron job and asks for time" echo " change: Changes the cron time" echo " off: Turns off the cron job"
echo ""
echo " --scanlog [domlog to scan]"
echo " Scan a log file and return user agents"
echo " --blockcount"
echo " Return number of current blocks per user agent"
;;
*)
checkbots
;;
esac
