linux/ddos-mitigator
1
0
Fork 0
Code Issues Pull requests Releases 5 Wiki Activity

Filter already banned addresses in order to avoid unnecessary work.

Browse source
This commit is contained in:
Manuel Friedli 2020-07-30 13:19:03 +02:00
parent e12361472b
commit 8d193c0122
1 changed files with 36 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
ddos-mitigator.sh
View file

@ -24,6 +24,7 @@ MY_PORT="443"
# After this point, no editing is required. # After this point, no editing is required.
# Define the files that will contain the addresses an subnets. # Define the files that will contain the addresses an subnets.
fileraw="raw-http.txt" fileraw="raw-http.txt"
filtered="filtered-http.txt"
file8="sorted-http-8.txt" file8="sorted-http-8.txt"
file16="sorted-http-16.txt" file16="sorted-http-16.txt"
file24="sorted-http-24.txt" file24="sorted-http-24.txt"
@ -88,6 +89,14 @@ inquired interactively.
ENDOFHELP ENDOFHELP
} }
function execAsRoot() {
if [[ $(id -un) == "root" ]] ; then
"$@"
else
sudo "$@"
fi
}
function parseCommandline() { function parseCommandline() {
TEMP=$(getopt -o 'a::,j:,n:,h' -l 'auto::,jail:,netmask:,help' -- "$@") TEMP=$(getopt -o 'a::,j:,n:,h' -l 'auto::,jail:,netmask:,help' -- "$@")
@ -165,6 +174,9 @@ jail="apache-auth"
parseCommandline "$@" parseCommandline "$@"
# List already banned addresses in the chosen jail
banned="$(execAsRoot fail2ban-client get "${jail}" banip)"
# Determine the current connections to the desired port; store the raw data in # Determine the current connections to the desired port; store the raw data in
# $fileraw. # $fileraw.
netstat -nt | grep "${MY_IP}:${MY_PORT}" | tr -s '[:blank:]' | cut -d' ' -f5 \ netstat -nt | grep "${MY_IP}:${MY_PORT}" | tr -s '[:blank:]' | cut -d' ' -f5 \
@ -176,6 +188,29 @@ cut -d. -f1-3 "${fileraw}" | sort | uniq -c | sort -rn > "${file24}"
cut -d. -f1-2 "${fileraw}" | sort | uniq -c | sort -rn > "${file16}" cut -d. -f1-2 "${fileraw}" | sort | uniq -c | sort -rn > "${file16}"
cut -d. -f1 "${fileraw}" | sort | uniq -c | sort -rn > "${file8}" cut -d. -f1 "${fileraw}" | sort | uniq -c | sort -rn > "${file8}"
function filter() {
# list of current connections
file="$1"
# subnet extension, e.g. ".0.0/16"
ext="$2"
rm -f "${filtered}"
# Reject already banned addresses
while read -r -u3 address ; do
if [[ "${banned}" != *"${address}${ext}"* ]] ; then
echo "${address}" >> "${filtered}"
fi
done 3< "${file}"
mv "${filtered}" "${file}"
}
# Filter already banned addresses
filter "${file32}" "${ext32}"
filter "${file24}" "${ext24}"
filter "${file16}" "${ext16}"
filter "${file8}" "${ext8}"
# Determine the number of entries per file. # Determine the number of entries per file.
nlines32=$(cat "${file32}" | wc -l) nlines32=$(cat "${file32}" | wc -l)
nlines24=$(cat "${file24}" | wc -l) nlines24=$(cat "${file24}" | wc -l)
@ -378,12 +413,7 @@ sudo -k
# one of them. # one of them.
while read -r addr ; do while read -r addr ; do
echo "Banning ${addr} ..." echo "Banning ${addr} ..."
if [[ $(id -un) == "root" ]] ; then execAsRoot fail2ban-client set "${jail}" banip "${addr}"
# Don't use sudo when we're running as root.
fail2ban-client set "${jail}" banip "${addr}"
else
sudo fail2ban-client set "${jail}" banip "${addr}"
fi
done < "${banlist}" done < "${banlist}"
echo -e "${green}All done!${reset}" echo -e "${green}All done!${reset}"