Difference between revisions of "Bot Block"
(→Block By User Agent) |
(→Block By User Agent) |
||
| Line 158: | Line 158: | ||
</code> | </code> | ||
| + | |||
| + | ===Block By Agent Length=== | ||
| + | <code>[bash,n] | ||
| + | #!/bin/bash | ||
| + | loglines=1000 | ||
| + | logperiod=`tail -$loglines /usr/local/apache/domlogs/abzocke.derblog.net` | ||
| + | logrotate=10000 | ||
| + | logdelete=100 | ||
| + | #useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)' | ||
| + | #useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)' | ||
| + | #useragents[2]='Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1' | ||
| + | |||
| + | function plog { | ||
| + | echo "[ `date` ] $1" >> /var/log/botblock | ||
| + | if [ "`wc -l /var/log/botblock | awk '{print $1}'`" -gt "$logrotate" ] | ||
| + | then | ||
| + | sed -i -e "`echo $logdelete`d" /var/log/botblock | ||
| + | fi | ||
| + | return | ||
| + | } | ||
| + | |||
| + | function botblock { | ||
| + | touch /var/run/.botblock | ||
| + | echo $$ > /var/run/.botblock | ||
| + | |||
| + | |||
| + | |||
| + | agentlen=${#useragents[@]} | ||
| + | |||
| + | # for (( u=0; u<${agentlen}; u++)); | ||
| + | # do | ||
| + | # for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort) | ||
| + | # do | ||
| + | # plog "Attempting to block $i ${useragents[$u]}" | ||
| + | # plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`" | ||
| + | # done | ||
| + | # done | ||
| + | for i in $(echo "$logperiod" | grep "GET / HTTP/1.1" | grep -E '"[a-zA-Z0-9]{10}"$') | ||
| + | do | ||
| + | ip=`echo "$i" | awk '{ print $1 }'` | ||
| + | useragent=`echo "$i" | rev | awk '{ print $1 }' | rev` | ||
| + | plog "Attempting to block $ip $useragent" | ||
| + | plog "`/usr/sbin/csf -d $ip Botnet: $useragent 2>&1`" | ||
| + | done | ||
| + | |||
| + | rm -f /var/run/.botblock | ||
| + | } | ||
| + | |||
| + | function checkbots { | ||
| + | if [ ! -e "/var/run/.botblock" ] | ||
| + | then | ||
| + | botblock | ||
| + | else | ||
| + | plog "Lock file found, script may be already running" | ||
| + | opid=`cat /var/run/.botblock` | ||
| + | if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ] | ||
| + | then | ||
| + | plog "PID not active or not owned by script, clearing pid file" | ||
| + | rm -f /var/run/.botblock | ||
| + | botblock | ||
| + | else | ||
| + | plog "Script already running, PID active" | ||
| + | fi | ||
| + | fi | ||
| + | } | ||
| + | |||
| + | function enablecron { | ||
| + | if [ -e "/etc/cron.d/botblock.sh" ] | ||
| + | then | ||
| + | echo "Cron already enabled, use change to set new time" | ||
| + | else | ||
| + | echo "What time would you like to set the cron to" | ||
| + | echo "[IE: * * * * * ]" | ||
| + | read crontime; | ||
| + | if [ ! $crontime ] | ||
| + | then | ||
| + | crontime="* * * * *" | ||
| + | fi | ||
| + | echo "SHELL=/bin/bash" > /etc/cron.d/botblock.sh | ||
| + | echo "$crontime root $(readlink -f $0)" >> /etc/cron.d/botblock.sh | ||
| + | chmod 0644 /etc/cron.d/botblock.sh | ||
| + | echo "Cron enabled [$crontime root $(readlink -f $0)]" | ||
| + | return | ||
| + | fi | ||
| + | return | ||
| + | } | ||
| + | |||
| + | function disablecron { | ||
| + | if [ -e "/etc/cron.d/botblock.sh" ] | ||
| + | then | ||
| + | rm -f /etc/cron.d/botblock.sh | ||
| + | echo "Cron disabled" | ||
| + | else | ||
| + | echo "Cron not enabled" | ||
| + | fi | ||
| + | return | ||
| + | } | ||
| + | |||
| + | function scanlog { | ||
| + | if [ -e "$2" ] | ||
| + | then | ||
| + | tail -$loglines $2 | cut -d '"' -f6 | sort | uniq -c | sort -n | ||
| + | elif [ -e "/usr/local/apache/domlogs/$2" ] | ||
| + | then | ||
| + | tail -$loglines /usr/local/apache/domlogs/$2 | cut -d '"' -f6 | sort | uniq -c | sort -n | ||
| + | else | ||
| + | echo "$2 - Log file not found" | ||
| + | fi | ||
| + | return | ||
| + | } | ||
| + | |||
| + | function blockcount { | ||
| + | grep Botnet /etc/apf/deny_hosts.rules | cut -d "(" -f2-3 | sort | uniq -c | sort -n | ||
| + | return | ||
| + | } | ||
| + | |||
| + | case $1 in | ||
| + | --cron) | ||
| + | case $2 in | ||
| + | on) | ||
| + | enablecron | ||
| + | ;; | ||
| + | off) | ||
| + | disablecron | ||
| + | ;; | ||
| + | change) | ||
| + | disablecron | ||
| + | enablecron | ||
| + | ;; | ||
| + | esac | ||
| + | ;; | ||
| + | --scanlog) | ||
| + | scanlog | ||
| + | ;; | ||
| + | --blockcount) | ||
| + | blockcount | ||
| + | ;; | ||
| + | --help) | ||
| + | echo "Check for bots based on user agent and block in firewall:" | ||
| + | echo " --cron [on, change, off]" | ||
| + | echo " on: Turns on cron job and asks for time" | ||
| + | echo " change: Changes the cron time" | ||
| + | echo " off: Turns off the cron job" | ||
| + | echo "" | ||
| + | echo " --scanlog [domlog to scan]" | ||
| + | echo " Scan a log file and return user agents" | ||
| + | echo " --blockcount" | ||
| + | echo " Return number of current blocks per user agent" | ||
| + | ;; | ||
| + | *) | ||
| + | checkbots | ||
| + | ;; | ||
| + | esac | ||
| + | </script> | ||
==What to change== | ==What to change== | ||
Revision as of 12:06, 17 August 2011
Contents
Overview
Script
Get Top User Agents
Get a list of top user agents (bot nets will only have a few and there will be tons of hits)
[bash,n]
tail -1000 <DOMLOGFILE> | cut -d '"' -f6 | sort | uniq -c | sort -n
or
[bash,n]
cat <DOMLOGFILE> | cut -d '"' -f6 | sort | uniq -c | sort -n
Block By User Agent
Block those user agents
[bash,n]
- !/bin/bash
loglines=1000 logperiod=`tail -$loglines <DOMLOG WITH FULL PATH>` logrotate=10000 logdelete=100 useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)' useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)' useragents[2]='Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1'
function plog {
echo "[ `date` ] $1" >> /var/log/botblock
if [ "`wc -l /var/log/botblock | awk '{print $1}'`" -gt "$logrotate" ]
then
sed -i -e "`echo $logdelete`d" /var/log/botblock
fi
return
}
function botblock {
touch /var/run/.botblock
echo $$ > /var/run/.botblock
agentlen=${#useragents[@]}
for (( u=0; u<${agentlen}; u++));
do
for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort)
do
plog "Attempting to block $i ${useragents[$u]}"
plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`"
done
done
rm -f /var/run/.botblock
}
function checkbots {
if [ ! -e "/var/run/.botblock" ]
then
botblock
else
plog "Lock file found, script may be already running"
opid=`cat /var/run/.botblock`
if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ]
then
plog "PID not active or not owned by script, clearing pid file"
rm -f /var/run/.botblock
botblock
else
plog "Script already running, PID active"
fi
fi
}
function enablecron { if [ -e "/etc/cron.d/botblock.sh" ] then echo "Cron already enabled, use change to set new time" else echo "What time would you like to set the cron to" echo "[IE: * * * * * ]" read crontime; if [ ! $crontime ] then crontime="* * * * *" fi echo "SHELL=/bin/bash" > /etc/cron.d/botblock.sh echo "$crontime root $(readlink -f $0)" >> /etc/cron.d/botblock.sh chmod 0644 /etc/cron.d/botblock.sh echo "Cron enabled [$crontime root $(readlink -f $0)]" return fi return }
function disablecron { if [ -e "/etc/cron.d/botblock.sh" ] then rm -f /etc/cron.d/botblock.sh echo "Cron disabled" else echo "Cron not enabled" fi
return
}
function scanlog {
if [ -e "$2" ]
then
tail -$loglines $2 | cut -d '"' -f6 | sort | uniq -c | sort -n
elif [ -e "/usr/local/apache/domlogs/$2" ]
tail -$loglines /usr/local/apache/domlogs/$2 | cut -d '"' -f6 | sort | uniq -c | sort -n
else
echo "$2 - Log file not found"
fi
return }
function blockcount {
grep Botnet /etc/apf/deny_hosts.rules | cut -d "(" -f2-3 | sort | uniq -c | sort -n
return }
case $1 in
--cron)
case $2 in
on) enablecron ;; off) disablecron ;; change) disablecron enablecron ;; esac
;;
--scanlog)
scanlog
;;
--blockcount
blockcount
--help)
echo "Check for bots based on user agent and block in firewall:"
echo " --cron [on, change, off]" echo " on: Turns on cron job and asks for time" echo " change: Changes the cron time" echo " off: Turns off the cron job"
echo ""
echo " --scanlog [domlog to scan]"
echo " Scan a log file and return user agents"
echo " --blockcount"
echo " Return number of current blocks per user agent"
;;
*)
checkbots
;;
esac
Block By Agent Length
[bash,n]
- !/bin/bash
loglines=1000 logperiod=`tail -$loglines /usr/local/apache/domlogs/abzocke.derblog.net` logrotate=10000 logdelete=100
- useragents[0]='Opera/9.02 (Windows NT 5.1; U; ru)'
- useragents[1]='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)'
- useragents[2]='Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1'
function plog {
echo "[ `date` ] $1" >> /var/log/botblock
if [ "`wc -l /var/log/botblock | awk '{print $1}'`" -gt "$logrotate" ]
then
sed -i -e "`echo $logdelete`d" /var/log/botblock
fi
return
}
function botblock {
touch /var/run/.botblock
echo $$ > /var/run/.botblock
agentlen=${#useragents[@]}
- for (( u=0; u<${agentlen}; u++));
- do
- for i in $(echo "$logperiod" | grep "GET /" | grep "${useragents[$u]}" | cut -d " " -f1 | sort | uniq | sort)
- do
- plog "Attempting to block $i ${useragents[$u]}"
- plog "`/usr/local/sbin/apf -d $i "RU Botnet IP (${useragents[$u]})" 2>&1`"
- done
- done
for i in $(echo "$logperiod" | grep "GET / HTTP/1.1" | grep -E '"[a-zA-Z0-9]{10}"$') do ip=`echo "$i" | awk '{ print $1 }'` useragent=`echo "$i" | rev | awk '{ print $1 }' | rev` plog "Attempting to block $ip $useragent" plog "`/usr/sbin/csf -d $ip Botnet: $useragent 2>&1`" done
rm -f /var/run/.botblock
}
function checkbots {
if [ ! -e "/var/run/.botblock" ]
then
botblock
else
plog "Lock file found, script may be already running"
opid=`cat /var/run/.botblock`
if [ ! "`ps ax | grep $opid | grep ${0##*/}`" ]
then
plog "PID not active or not owned by script, clearing pid file"
rm -f /var/run/.botblock
botblock
else
plog "Script already running, PID active"
fi
fi
}
function enablecron { if [ -e "/etc/cron.d/botblock.sh" ] then echo "Cron already enabled, use change to set new time" else echo "What time would you like to set the cron to" echo "[IE: * * * * * ]" read crontime; if [ ! $crontime ] then crontime="* * * * *" fi echo "SHELL=/bin/bash" > /etc/cron.d/botblock.sh echo "$crontime root $(readlink -f $0)" >> /etc/cron.d/botblock.sh chmod 0644 /etc/cron.d/botblock.sh echo "Cron enabled [$crontime root $(readlink -f $0)]" return fi return }
function disablecron { if [ -e "/etc/cron.d/botblock.sh" ] then rm -f /etc/cron.d/botblock.sh echo "Cron disabled" else echo "Cron not enabled" fi
return
}
function scanlog {
if [ -e "$2" ]
then
tail -$loglines $2 | cut -d '"' -f6 | sort | uniq -c | sort -n
elif [ -e "/usr/local/apache/domlogs/$2" ]
then
tail -$loglines /usr/local/apache/domlogs/$2 | cut -d '"' -f6 | sort | uniq -c | sort -n
else
echo "$2 - Log file not found"
fi
return }
function blockcount {
grep Botnet /etc/apf/deny_hosts.rules | cut -d "(" -f2-3 | sort | uniq -c | sort -n
return }
case $1 in
--cron)
case $2 in
on) enablecron ;; off) disablecron ;; change) disablecron enablecron ;; esac
;;
--scanlog)
scanlog
;;
--blockcount)
blockcount
;;
--help)
echo "Check for bots based on user agent and block in firewall:"
echo " --cron [on, change, off]" echo " on: Turns on cron job and asks for time" echo " change: Changes the cron time" echo " off: Turns off the cron job"
echo ""
echo " --scanlog [domlog to scan]"
echo " Scan a log file and return user agents"
echo " --blockcount"
echo " Return number of current blocks per user agent"
;;
*)
checkbots
;;
esac
</script>
==What to change==
