Rename some functions, list prerequisites.

This commit is contained in:
Manuel Friedli 2020-08-03 13:19:18 +02:00
parent ea0fae026a
commit c5dc76f8eb


@ -1,11 +1,17 @@
#!/bin/sh #!/bin/sh
################################################################################
################################################################################
########### FIXME: This text is outdated and needs to be rewritten. ###########
################################################################################
################################################################################
################################################################################ ################################################################################
# # # #
# Try and prevent apache overloads by banning IP addresses that have (too) # # Try and prevent apache overloads by banning IP addresses that have (too) #
# many open connections. # # many open connections. #
# This script uses netstat to determine the connections to the HTTPS port of # # This script uses netstat to determine the connections to the HTTPS port of #
# the host machine and provides automated whois information retrieval based on # # the host machine and provides automated whois information retrieval based on #
# the address or the /24- /16- or /8-subnet thereof. Addresses (or subnets) # # the address or the /24-, /16- or /8-subnet thereof. Addresses (or subnets) #
# are presented to the user in order of descending connection count. For each # # are presented to the user in order of descending connection count. For each #
# address (or subnet), the user can choose to ban or ignore it. Addresses (or # # address (or subnet), the user can choose to ban or ignore it. Addresses (or #
# subnets) chosen to be banned will be blocked by the apache-badbots jail of # # subnets) chosen to be banned will be blocked by the apache-badbots jail of #
@ -16,6 +22,20 @@
# # # #
################################################################################ ################################################################################
################################################################################
# #
# Prerequisites: #
# - app-admin/sudo (`sudo`) #
# - net-analyzer/fail2ban (`fail2ban-client`) #
# - net-misc/whois (`whois`) #
# - sys-apps/coreutils (`cut`, `id`, `sort`, `touch`, `tr`, `uniq`) #
# - sys-apps/grep (`grep`) #
# - sys-apps/moreutils (`sponge`) #
# - sys-apps/net_tools (`netstat`) #
# - sys-apps/util-linux (`getopt`) #
# #
################################################################################
# Set the host's own IP address. So far, only an IPv4 address is supported. # Set the host's own IP address. So far, only an IPv4 address is supported.
MY_IP="94.199.214.20" MY_IP="94.199.214.20"
# Set the desired port to monitor. # Set the desired port to monitor.
@ -51,6 +71,18 @@ reset="\033[0m"
# Clean up when the script exits. # Clean up when the script exits.
trap 'sudo -k; popd >/dev/null; rm -r ${tmpdir}' EXIT trap 'sudo -k; popd >/dev/null; rm -r ${tmpdir}' EXIT
function check_installed() {
local command="$1"
local package="$2"
which "${command}" 2>/dev/null >&2
local result=$?
if [[ "${result}" -ne 0 ]] ; then
echo -e "${red}Command ${bold}${command}${reset}${red} not found.${reset} Please install package ${blue}${package}${reset}."
exit 1
fi
}
# Create a temp directory, chdir into it and create the (initially empty) # Create a temp directory, chdir into it and create the (initially empty)
# banlist file. # banlist file.
tmpdir=$(mktemp -d) tmpdir=$(mktemp -d)
@ -58,7 +90,7 @@ tmpdir=$(mktemp -d)
pushd "${tmpdir}" > /dev/null pushd "${tmpdir}" > /dev/null
touch "${banlist}" touch "${banlist}"
function printHelp() { function print_help() {
cat <<ENDOFHELP cat <<ENDOFHELP
Usage: $(basename $0) [OPTION...] Usage: $(basename $0) [OPTION...]
@ -89,7 +121,7 @@ inquired interactively.
ENDOFHELP ENDOFHELP
} }
function execAsRoot() { function exec_as_root() {
if [[ $(id -un) == "root" ]] ; then if [[ $(id -un) == "root" ]] ; then
"$@" "$@"
else else
@ -97,7 +129,7 @@ function execAsRoot() {
fi fi
} }
function parseCommandline() { function parse_command_line_args() {
TEMP=$(getopt -o 'a::,j:,n:,h' -l 'auto::,jail:,netmask:,help' -- "$@") TEMP=$(getopt -o 'a::,j:,n:,h' -l 'auto::,jail:,netmask:,help' -- "$@")
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
@ -151,7 +183,7 @@ function parseCommandline() {
shift shift
;; ;;
'-h'|'--help') '-h'|'--help')
printHelp print_help
exit exit
;; ;;
'--') '--')
@ -172,10 +204,10 @@ autopilot=0
netmask=0 netmask=0
jail="apache-auth" jail="apache-auth"
parseCommandline "$@" parse_command_line_args "$@"
# List already banned addresses in the chosen jail # List already banned addresses in the chosen jail
banned="$(execAsRoot fail2ban-client get "${jail}" banip)" banned="$(exec_as_root fail2ban-client get "${jail}" banip)"
# Determine the current connections to the desired port; store the raw data in # Determine the current connections to the desired port; store the raw data in
# $fileraw. # $fileraw.
@ -422,7 +454,7 @@ sudo -k
# one of them. # one of them.
while read -r addr ; do while read -r addr ; do
echo "Banning ${addr} ..." echo "Banning ${addr} ..."
execAsRoot fail2ban-client set "${jail}" banip "${addr}" exec_as_root fail2ban-client set "${jail}" banip "${addr}"
done < "${banlist}" done < "${banlist}"
echo -e "${green}All done!${reset}" echo -e "${green}All done!${reset}"
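Review bot: The new `check_installed` probes with `which`, which is itself an external program that is not on the prerequisites list just added and is missing on some minimal hosts; the POSIX builtin `command -v "${command}" >/dev/null 2>&1` does the same job without the extra dependency, and the not-found message should go to stderr with `>&2` so it is not swallowed when the script's output is piped. The function is defined after the EXIT trap (`sudo -k; popd >/dev/null; rm -r ${tmpdir}`) but before `tmpdir` is created, so if it is called before the `mktemp -d` line — its call site is not visible in these hunks — the `exit 1` would fire the trap with an empty, unquoted `${tmpdir}`; quoting it as `rm -r -- "${tmpdir:?}"` or setting the trap only after `tmpdir` exists avoids that. The function also relies on `[[ ]]`, `local` and the `function` keyword, as the existing `exec_as_root` does, so the `#!/bin/sh` shebang should probably become `#!/bin/bash` rather than leaving the script dependent on `sh` being bash.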