Add IPF rule automatically from log files
Here is a very simple command to add a rule to your firewall (IPF in my example) when you match something in a log file (apache in this case)
for item in `tail -n 150 access_log | grep "c+dir" | awk '{print $1}'` ; do echo "block in quick on ne0 proto ip from $item to any" >> /etc/ipf.conf ; done
This read 150 last line of access_log using tail, use grep as matching operator, use awk to catch ip (note that you could do /c+dir/{print $1} in awk to don’t use grep) then add a blocking rule in /etc/ipf.conf
You may want to add a comment to the end of the blocking rule saying why it was blocked.
Don’t forget to reload the firewall, /sbin/ipf -Fa -f /etc/ipf.conf for ipf, from time to time with cron to active the rule.
You may reload the firewall each time with
for item in `tail -n 150 access_log | grep "c+dir" | awk '{print $1}'` ; do echo "block in quick on ne0 proto ip from $item to any" >> /etc/ipf.conf; /sbin/ipf -Fa -f /etc/ipf.conf ; done
This system has 2 problems:
- You must run tail from cron as -f can’t work with the for statement.
- Rules are added at the end of ipf.conf, this is very useless if you have pass in quick proto ip any to any port 80 before.
So, here is a Perl script that will do a better job.
my $IPF_FILE="/etc/ipf.conf"; my $TMP_FILE="/tmp/ipf.new.rules"; my %h; open (FILE,"tail -fn 1 /usr/local/apache/logs/access_log|") || die "can't open FILE: $!"; while (<FILE>) { if ($_ =~ /^(.*)s-s-.*c+dir/) { if(exists($h{"$1"})) { $h{"$1"}++ } else { $h{"$1"} = 1; open(IPF, "< $IPF_FILE") or die "can't open $IPF_FILE: $!"; open(TMP, "> $TMP_FILE") or die "can't open $TMP_FILE: $!"; print TMP "block in log quick on ne0 from $1 to anyn" or die "can't write to $TMP_FILE: $!"; while (<IPF>) { (print TMP $_) or die "can't write to $TMP_FILE: $!"; } close(IPF) or die "can't close $IPF_FILE: $!"; close(TMP) or die "can't close $TMP_FILE: $!"; rename("$TMP_FILE", "$IPF_FILE") or die "can't rename $TMP_FILE to $IPF_FILE: $!"; system("ipf -Fa -f $IPF_FILE"); } } } close (FILE); }
Incrementation of $h{“$1”} is totally useless here but you may use it for something (like waiting more than one attemp of the IP before adding it to IPF). $h is used to don’t firewall two time the same IP.
You may think that $h is not usefull because as we have blocked the IP, we will not get any new request from it. Not really
- Tail is not working really in live, it check time to time for new line then print them, so between the first request of the IP and the reload of the firwall, you may have more than one request (don’t forget that reloading ipf take time also);
- My IPF rule is very strict, you may only block port 80, so you can still get request on port 443, or things like that.
Recent Comments