Prepare reading the database path from the command line.

This commit is contained in:
Manuel Friedli 2020-08-04 03:49:21 +02:00
parent d735372872
commit 30e53268f5


@ -42,18 +42,6 @@ MY_IP="94.199.214.20"
MY_PORT="443" MY_PORT="443"
# After this point, no editing is required. # After this point, no editing is required.
# Define the files that will contain the addresses an subnets.
fileraw="raw-http.txt"
filtered="filtered-http.txt"
file8="sorted-http-8.txt"
file16="sorted-http-16.txt"
file24="sorted-http-24.txt"
file32="sorted-http-32.txt"
# This file will contain the addresses to be banned.
banlist="banlist.txt"
# This file contains the output of the last invocation of whois
whoisoutput="whois.txt"
# These suffixes must be appended to the respective addresses and subnets. # These suffixes must be appended to the respective addresses and subnets.
ext8=".0.0.0/8" ext8=".0.0.0/8"
ext16=".0.0/16" ext16=".0.0/16"
@ -61,15 +49,15 @@ ext24=".0/24"
ext32="/32" ext32="/32"
# Define some constants to format the output in a colorful way. # Define some constants to format the output in a colorful way.
red="\033[38;2;255;0;43m" red="$(printf '\033[38;2;255;0;43m')"
yellow="\033[38;2;255;204;0m" yellow="$(printf '\033[38;2;255;204;0m')"
green="\033[38;2;0;179;89m" green="$(printf '\033[38;2;0;179;89m')"
blue="\033[38;2;0;85;255m" blue="$(printf '\033[38;2;0;85;255m')"
bold="\033[1m" bold="$(printf '\033[1m')"
reset="\033[0m" reset="$(printf '\033[0m')"
# Clean up when the script exits. # Clean up when the script exits.
trap 'sudo -k; popd >/dev/null; rm -r ${tmpdir}' EXIT trap 'sudo -k; rm -r ${tmpdir}' EXIT
function check_installed() { function check_installed() {
local command="$1" local command="$1"
@ -78,15 +66,20 @@ function check_installed() {
local result=$? local result=$?
if [[ "${result}" -ne 0 ]] ; then if [[ "${result}" -ne 0 ]] ; then
echo -e "${red}Command ${bold}${command}${reset}${red} not found.${reset} Please install package ${blue}${package}${reset}." echo "${red}Command ${bold}${command}${reset}${red} not found.${reset} Please install package ${blue}${package}${reset}."
exit 1 exit 1
fi fi
} }
function print_help() { function print_help() {
cat <<ENDOFHELP cat <<ENDOFHELP
Usage: $(basename $0) [OPTION...] Usage: $(basename $0) -d FILE [OPTION...]
${bold}Mandatory options:${reset}
-d, --database=FILE The path to the GeoIP2 database file (must be either
country or city database).
${bold}Optional options:${reset}
-a, --auto[=LIMIT] Enable the autopilot for automatically banning IP -a, --auto[=LIMIT] Enable the autopilot for automatically banning IP
addresses of the desired country (see also -c option). addresses of the desired country (see also -c option).
When LIMIT is given, only auto-ban IP addresses with at When LIMIT is given, only auto-ban IP addresses with at
@ -110,8 +103,8 @@ Usage: $(basename $0) [OPTION...]
Mandatory or optional arguments to long options are also mandatory or optional Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options. for any corresponding short options.
When invoked without options, the autopilot is disabled and the netmask SIZE is When invoked without optional options, the autopilot is disabled and the
inquired interactively. netmask SIZE is inquired interactively.
ENDOFHELP ENDOFHELP
} }
@ -144,7 +137,7 @@ function filter() {
} }
function parse_command_line_args() { function parse_command_line_args() {
TEMP=$(getopt -o 'a::,c:,j:,n:,h' -l 'auto::,country:,jail:,netmask:,help' -- "$@") TEMP=$(getopt -o 'a::,c:,d:,j:,n:,h' -l 'auto::,country:,database:,jail:,netmask:,help' -- "$@")
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
echo 'Error parsing command line options. Terminating. Invoke with --help for help.' >&2 echo 'Error parsing command line options. Terminating. Invoke with --help for help.' >&2
@ -175,6 +168,10 @@ function parse_command_line_args() {
bancountry="$2" bancountry="$2"
shift shift
;; ;;
'-d'|'--database')
database="$2"
shift
;;
'-j'|'--jail') '-j'|'--jail')
jail="$2" jail="$2"
shift shift
@ -215,6 +212,16 @@ function parse_command_line_args() {
esac esac
shift shift
done done
if [[ -z "${database}" ]] ; then
echo "No GeoIP database specified. Invoke with --help for more information." >&2
exit 1
fi
if [[ ! -r "${database}" ]] ; then
echo "Database '${database}' is not accessible." >&2
exit 1
fi
} }
################################################################################ ################################################################################
@ -303,11 +310,11 @@ function process_file () {
fi fi
grep -iq "^country: *${bancountry}$" "${whoisoutput}" grep -iq "^country: *${bancountry}$" "${whoisoutput}"
country_cn=$? country_cn=$?
echo -en "Address ${bold}$((nline++)) of ${nlines}${reset}: \ echo -n "Address ${bold}$((nline++)) of ${nlines}${reset}: \
Found '${blue}${addr}${reset}' ${hilite}${count}${reset} times." Found '${blue}${addr}${reset}' ${hilite}${count}${reset} times."
if [[ ${autopilot} -eq 0 ]] ; then if [[ ${autopilot} -eq 0 ]] ; then
echo -en "Ban [y/N/s=No, and skip remaining]? " echo -n "Ban [y/N/s=No, and skip remaining]? "
read banaction read banaction
else else
if [[ ${country_cn} -eq 0 ]] ; then if [[ ${country_cn} -eq 0 ]] ; then
@ -331,17 +338,17 @@ Found '${blue}${addr}${reset}' ${hilite}${count}${reset} times."
case "${banaction}" in case "${banaction}" in
"s" | "S" ) "s" | "S" )
echo -e "Not banning '${blue}${addr}${reset}', \ echo "Not banning '${blue}${addr}${reset}', \
skipping remaining addresses." skipping remaining addresses."
return return
;; ;;
"y" | "Y" ) "y" | "Y" )
echo -e "Adding '${blue}${addr}${reset}' to \ echo "Adding '${blue}${addr}${reset}' to \
banlist." banlist."
echo "${addr}" >> "${banlist}" echo "${addr}" >> "${banlist}"
;; ;;
"n" | "N" | * ) "n" | "N" | * )
echo -e "Not banning '${blue}${addr}${reset}'." echo "Not banning '${blue}${addr}${reset}'."
;; ;;
esac esac
# Here goes: Pipe the file contents via filedescriptor 3. # Here goes: Pipe the file contents via filedescriptor 3.
@ -352,10 +359,31 @@ banlist."
# Create a temp directory, chdir into it and create the (initially empty) # Create a temp directory, chdir into it and create the (initially empty)
# banlist file. # banlist file.
tmpdir=$(mktemp -d) tmpdir=$(mktemp -d)
# Suppress output of dir stack.
pushd "${tmpdir}" > /dev/null # Set up all file paths
# Define the files that will contain the addresses an subnets.
fileraw="${tmpdir}/raw-http.txt"
filtered="${tmpdir}/filtered-http.txt"
file8="${tmpdir}/sorted-http-8.txt"
file16="${tmpdir}/sorted-http-16.txt"
file24="${tmpdir}/sorted-http-24.txt"
file32="${tmpdir}/sorted-http-32.txt"
# This file will contain the addresses to be banned.
banlist="${tmpdir}/banlist.txt"
# This file contains the output of the last invocation of whois
whoisoutput="${tmpdir}/whois.txt"
touch "${banlist}" touch "${banlist}"
# Parse the command line options
autopilot=0
netmask=0
jail="apache-auth"
bancountry="CN"
database=
parse_command_line_args "$@"
check_installed "sudo" "app-admin/sudo" check_installed "sudo" "app-admin/sudo"
check_installed "fail2ban-client" "net-analyzer/fail2ban" check_installed "fail2ban-client" "net-analyzer/fail2ban"
check_installed "whois" "net-misc/whois" check_installed "whois" "net-misc/whois"
@ -370,14 +398,6 @@ check_installed "sponge" "sys-apps/moreutils"
check_installed "netstat" "sys-apps/net_tools" check_installed "netstat" "sys-apps/net_tools"
check_installed "getopt" "sys-apps/util-linux" check_installed "getopt" "sys-apps/util-linux"
# Parse the command line options
autopilot=0
netmask=0
jail="apache-auth"
bancountry="CN"
parse_command_line_args "$@"
# List already banned addresses in the chosen jail # List already banned addresses in the chosen jail
banned="$(exec_as_root fail2ban-client get "${jail}" banip)" banned="$(exec_as_root fail2ban-client get "${jail}" banip)"
@ -474,4 +494,4 @@ while read -r addr ; do
exec_as_root fail2ban-client set "${jail}" banip "${addr}" exec_as_root fail2ban-client set "${jail}" banip "${addr}"
done < "${banlist}" done < "${banlist}"
echo -e "${green}All done!${reset}" echo "${green}All done!${reset}"
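Review bot: `parse_command_line_args "$@"` now runs right after `database=` in the main-flow hunk, before `check_installed "getopt" "sys-apps/util-linux"`, so the previous guarantee that the enhanced getopt is present before it is invoked is lost (the old call site after the check_installed run is removed in the following hunk). If the move is deliberate, for example so that `--help` works without every tool installed, keep at least the getopt check ahead of the parse: `check_installed "getopt" "sys-apps/util-linux"` directly before `parse_command_line_args "$@"`. In the new validation at the end of parse_command_line_args, `[[ ! -r "${database}" ]]` also accepts a directory; `[[ ! -f "${database}" || ! -r "${database}" ]]` rejects that case before the path is handed to whatever reads it later, which is outside this commit. The cleanup trap still expands `${tmpdir}` unquoted and `tmpdir=$(mktemp -d)` is not checked, so a failed mktemp leaves every file path rooted at `/` and the trap running `rm -r` with no operand; `tmpdir=$(mktemp -d) || exit 1` together with `trap 'sudo -k; rm -rf -- "${tmpdir:?}"' EXIT` closes both. The top-level flow continues past the end of this section.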