Compare commits

..

13 commits

Author SHA1 Message Date
9b4a55dfb2 Merge pull request 'Don't call python3.8, but python.' (#6) from feature/fix-python into master
Reviewed-on: #6
2021-06-09 00:45:22 +02:00
64918328c9 Don't call python3.8, but python. 2021-06-08 22:45:25 +02:00
22bc52d665 Merge pull request 'feature/handle-python-exceptions' (#5) from feature/handle-python-exceptions into master
Reviewed-on: #5
2020-11-24 23:10:37 +01:00
31f0901134 Fix bugs and improve command line argument parsing and error handling. 2020-11-24 23:07:38 +01:00
70d41673f7 Try and handle python exceptions more gracefully. 2020-11-24 22:10:28 +01:00
a1d5821cc7 Merge pull request 'Fix silly, SILLY syntax error.' (#4) from bugfix/syntax-error into master
Reviewed-on: #4
2020-11-24 22:09:58 +01:00
b3afda4932 Fix silly, SILLY syntax error. 2020-11-24 22:08:37 +01:00
142db098be Merge pull request 'feature/config-file' (#3) from feature/config-file into master
Reviewed-on: #3
2020-11-24 21:35:12 +01:00
5078363348 Harmonize parameter processing order. 2020-11-24 21:28:30 +01:00
f5180a5e57 Improve parameter validation. 2020-11-24 21:28:30 +01:00
11ad1b471a Change the way default parameters are set. 2020-11-24 21:28:28 +01:00
8e0f22da8f Make it actually work.
To do: validate input from config file.
2020-11-24 21:28:24 +01:00
0871a25bf7 Add the possibility of using a config file instead of CLI parameters. 2020-11-24 21:28:15 +01:00
3 changed files with 194 additions and 82 deletions

30
ddos-mitigator.conf Normal file
View file

@ -0,0 +1,30 @@
# Example configuration file for ddos-mitigator.sh.
# PLEASE TAKE CARE not to put any whitespace around the '=' signs, as this file is directly sourced by the script
# file and this needs to conform to the BASH syntax. Also, make sure to declare the COUNTRIES variable with the
# correct array syntax: COUNTRIES=("AA" "BB" "CC"), or to comment it out altogether.
# The path to the GeoIP2 database file (must be either country or city database). This parameter is mandatory. If it is
# not specified here, it must be given on the command line (through the -d option).
DATABASE_FILE="/path/to/geoip/country-or-city-database.mmdb"
# Enable the autopilot for automatically banning IP addresses of the desired countries (see also COUNTRIES option).
# Only ban IP addresses with at least AUTOPILOT current connections. If the value is not specified or 0, don't
# automatically ban IP addresses, but run in interactive mode.
AUTOPILOT="0"
# Defines the subnet size in bytes to be analyzed. Valid values are:
# - 8 for class A networks (X.0.0.0/8)
# - 16 for class B networks (X.X.0.0/16)
# - 24 for class C networks (X.X.X.0/24)
# - 32 for class D networks (X.X.X.X/32)
# If not specified, run in interactive mode and prompt for the netmask size.
NETMASK="8"
# The country-codes to block as an array. Defaults to "CN" (China).
#COUNTRIES=("CN" "HK" "TW")
# Specify the JAIL to use for banning the IP addresses. Defaults to 'apache-auth'.
#JAIL="apache-auth"
# The desired port to monitor. Defaults to 443 (https).
#PORT="443"

View file

@ -32,10 +32,7 @@
# # # #
################################################################################ ################################################################################
# Set the host's own IP address. So far, only an IPv4 address is supported. # Store the start time; this enables us to output the total runtime at the end.
MY_IP="94.199.214.20"
# After this point, no editing is required.
start="$(date +%s)" start="$(date +%s)"
# Dependencies of this script. Simple array with the following structure: # Dependencies of this script. Simple array with the following structure:
@ -61,12 +58,10 @@ suffix8="/8"
suffix16="/16" suffix16="/16"
suffix24="/24" suffix24="/24"
suffix32="/32" suffix32="/32"
suffixipv6=""
ext8=".0.0.0" ext8=".0.0.0"
ext16=".0.0" ext16=".0.0"
ext24=".0" ext24=".0"
ext32="" ext32=""
extipv6=""
# Define some constants to format the output in a colorful way. # Define some constants to format the output in a colorful way.
red="$(printf '\033[38;2;255;0;43m')" red="$(printf '\033[38;2;255;0;43m')"
@ -141,6 +136,13 @@ Usage: $(basename $0) -d FILE [OPTION...]
printed to stderr and the program printed to stderr and the program
terminates with exit code 1. terminates with exit code 1.
-f, --config-file=FILENAME Specify the full path to the configuration
file. If omitted, all options are read
from the command line.
Any parameter specified on the command
line takes precedence over configuration
option read from the file.
-j, --jail=JAIL Specify the JAIL to use for banning the IP -j, --jail=JAIL Specify the JAIL to use for banning the IP
addresses. addresses.
Defaults to 'apache-auth'. Defaults to 'apache-auth'.
@ -152,12 +154,6 @@ Usage: $(basename $0) -d FILE [OPTION...]
- 2 or 16 for class B networks (X.X.0.0/16) - 2 or 16 for class B networks (X.X.0.0/16)
- 3 or 24 for class C networks (X.X.X.0/24) - 3 or 24 for class C networks (X.X.X.0/24)
- 4 or 32 for class D networks (X.X.X.X/32) - 4 or 32 for class D networks (X.X.X.X/32)
- 5 or 128 for IPv6 addresses (no IPv4
addresses are considered)
-6, --enable-ipv6 Enable banning of IPv6 addresses in
addition to the IPv4 addresses/networks
defined by -n (if SIZE is 1, 2, 3 or 4)
-p, --port=PORT The desired port to monitor. -p, --port=PORT The desired port to monitor.
Defaults to 443 (https). Defaults to 443 (https).
@ -202,8 +198,48 @@ function filter() {
mv "${filtered}" "${file}" mv "${filtered}" "${file}"
} }
function set_default_values() {
if [[ -z "${autopilot}" ]]; then
autopilot=0
fi
if [[ -z "${bancountries}" ]]; then
bancountries=("CN")
fi
if [[ -z "${jail}" ]]; then
jail="apache-auth"
fi
if [[ -z "${netmask}" ]]; then
netmask=0
fi
if [[ -z "${port}" ]]; then
port=443
fi
}
function parse_config_file() {
source "${configfile}"
if [[ -z "${autopilot}" ]]; then
autopilot="${AUTOPILOT}"
fi
if [[ -z "${bancountries}" ]]; then
bancountries=(${COUNTRIES[@]})
fi
if [[ -z "${database}" ]]; then
database="${DATABASE_FILE}"
fi
if [[ -z "${jail}" ]]; then
jail="${JAIL}"
fi
if [[ -z "${netmask}" ]]; then
netmask="${NETMASK}"
fi
if [[ -z "${port}" ]]; then
port="${PORT}"
fi
}
function parse_command_line_args() { function parse_command_line_args() {
TEMP=$(getopt -o 'a::,c:,d:,e,j:,n:,p:,6,h' -l 'auto::,country:,database:,dependencies,jail:,netmask:,port:,enable-ipv6,help' -- "$@") TEMP=$(getopt -o 'a::,c:,d:,e,f:,j:,n:,p:,h' -l 'auto::,country:,database:,dependencies,config-file:,jail:,netmask:,port:,help' -- "$@")
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo 'Error parsing command line options. Terminating. Invoke with --help for help.' >&2 echo 'Error parsing command line options. Terminating. Invoke with --help for help.' >&2
@ -220,10 +256,6 @@ function parse_command_line_args() {
'') '')
autopilot=1 autopilot=1
;; ;;
*[!0-9]*)
echo "Invalid argument for parameter 'auto': '${2}'. Invoke with --help for help." >&2
exit 1
;;
*) *)
autopilot="$2" autopilot="$2"
;; ;;
@ -232,10 +264,6 @@ function parse_command_line_args() {
;; ;;
'-c' | '--country') '-c' | '--country')
IFS=',' read -ra bancountries <<<"${2}" IFS=',' read -ra bancountries <<<"${2}"
if [[ -z ${bancountries[@]// /} ]]; then
echo "Invalid argument for parameter 'country': '${2}'. Invoke with --help for help." >&2
exit 1
fi
shift shift
;; ;;
'-d' | '--database') '-d' | '--database')
@ -246,30 +274,30 @@ function parse_command_line_args() {
check_dependencies check_dependencies
exit $? exit $?
;; ;;
'-f' | '--config-file')
configfile="${2}"
shift
;;
'-j' | '--jail') '-j' | '--jail')
jail="${2}" jail="${2}"
shift shift
;; ;;
'-n' | '--netmask') '-n' | '--netmask')
case "${2}" in case "${2}" in
'1' | '8') '1')
netmask=8 netmask=8
;; ;;
'2' | '16') '2')
netmask=16 netmask=16
;; ;;
'3' | '24') '3')
netmask=24 netmask=24
;; ;;
'4' | '32') '4')
netmask=32 netmask=32
;; ;;
'5'|'128')
netmask="ipv6"
;;
*) *)
echo "Invalid argument for parameter 'netmask': '${2}'. Invoke with --help for help." >&2 netmask="${2}"
exit 1
;; ;;
esac esac
shift shift
@ -278,9 +306,6 @@ function parse_command_line_args() {
port="${2}" port="${2}"
shift shift
;; ;;
'-6'|'--enable-ipv6')
enableipv6=1
;;
'-h' | '--help') '-h' | '--help')
print_help print_help
exit exit
@ -297,15 +322,81 @@ function parse_command_line_args() {
shift shift
done done
# If the config file option is set, parse the config file.
if [[ ! -z ${configfile+x} ]]; then
if [[ ! -f "${configfile}" || ! -r "${configfile}" ]]; then
echo "Can not read configuration file '${2}'. Invoke with --help for help." >&2
exit 1
fi
parse_config_file
fi
# Here, we set the default values for all options that have not been set yet.
set_default_values
}
function validate_parameter_values() {
# GeoIP-Database
if [[ -z "${database}" ]]; then if [[ -z "${database}" ]]; then
echo "No GeoIP database specified. Invoke with --help for more information." >&2 echo "No GeoIP database specified. Invoke with --help for more information." >&2
exit 1 exit 1
fi fi
if [[ ! -r "${database}" ]]; then if [[ ! -f "${database}" || ! -r "${database}" ]]; then
echo "Database '${database}' is not accessible." >&2 echo "Database '${database}' is not accessible." >&2
exit 1 exit 1
fi fi
# Autopilot
case "${autopilot}" in
*[!0-9]*)
echo "Invalid value for parameter 'auto' / 'AUTOPILOT': '${autopilot}'." >&2
echo "Invoke with --help for help." >&2
exit 1
;;
esac
# Countries
if [[ -z ${bancountries[@]// /} ]]; then
echo "Invalid value for parameter 'country' / 'COUNTRIES': '${bancountries[*]}'." >&2
echo "Invoke with --help for help." >&2
exit 1
fi
# Jail
if [[ -z "${jail}" ]]; then
echo "Invalid value for parameter 'jail' / 'JAIL': '${jail}'." >&2
echo "Invoke with --help for help." >&2
exit 1
fi
# Netmask
case "${netmask}" in
'0' | '8' | '16' | '24' | '32')
# Everything OK.
;;
*)
echo "Invalid value for parameter 'netmask': '${2}'." >&2
echo "Invoke with --help for help." >&2
exit 1
;;
esac
# Port
case "${port}" in
*[!0-9]*)
echo "Invalid value for parameter 'port' / 'PORT': '${autopilot}'." >&2
echo "Invoke with --help for help." >&2
exit 1
;;
esac
if [[ ${port} -lt 0 || ${port} -gt 65535 ]]; then
echo "Invalid value for parameter 'port' / 'PORT': '${autopilot}'." >&2
echo "Value must be between 0 ... 65535 (inclusive)." >&2
echo "Invoke with --help for help." >&2
exit 1
fi
} }
################################################################################ ################################################################################
@ -380,7 +471,6 @@ function process_file() {
local banaction='' local banaction=''
local nline=1 local nline=1
local country= local country=
# Read the contents from filedescriptor 3 (important: Don's use the # Read the contents from filedescriptor 3 (important: Don's use the
# standard filedescriptor because we need to handle user input from # standard filedescriptor because we need to handle user input from
# within the loop). # within the loop).
@ -453,22 +543,21 @@ file8="${tmpdir}/sorted-http-8.txt"
file16="${tmpdir}/sorted-http-16.txt" file16="${tmpdir}/sorted-http-16.txt"
file24="${tmpdir}/sorted-http-24.txt" file24="${tmpdir}/sorted-http-24.txt"
file32="${tmpdir}/sorted-http-32.txt" file32="${tmpdir}/sorted-http-32.txt"
fileipv6="${tmpdir}/sorted-http-ipv6.txt"
# This file will contain the addresses to be banned. # This file will contain the addresses to be banned.
banlist="${tmpdir}/banlist.txt" banlist="${tmpdir}/banlist.txt"
touch "${banlist}" touch "${banlist}"
# Parse the command line options # Parse the command line options
autopilot=0 autopilot=
enableipv6=0 netmask=
netmask=0 jail=
jail="apache-auth" bancountries=
bancountries=("CN")
database= database=
port=443 port=
parse_command_line_args "$@" parse_command_line_args "$@"
validate_parameter_values
check_dependencies check_dependencies
dependencies_ok=$? dependencies_ok=$?
@ -487,8 +576,6 @@ connections=$(ss -HOn state established "( sport = :${port} )" | tr -s '[:blank:
echo "${connections}" | grep '^\[::ffff:' - | cut -d: -f4 | cut -d] -f1 | grep -v '^$' >"${fileraw}" echo "${connections}" | grep '^\[::ffff:' - | cut -d: -f4 | cut -d] -f1 | grep -v '^$' >"${fileraw}"
# Pure IPv4: 192.168.0.1:443 # Pure IPv4: 192.168.0.1:443
echo "${connections}" | grep -v '^\[' - | cut -d: -f1 | grep -v '^$' >>"${fileraw}" echo "${connections}" | grep -v '^\[' - | cut -d: -f1 | grep -v '^$' >>"${fileraw}"
# IPv6: [aaaa:...]:443
echo "${connections}" | grep '^\[[^:]' - | cut -d']' -f1 | sed -e 's/^\[//' | grep -v '^$' | sort > "${fileipv6}"
# Group and sort the data into the subnet-specific files. # Group and sort the data into the subnet-specific files.
sort "${fileraw}" >"${file32}" sort "${fileraw}" >"${file32}"
@ -501,21 +588,18 @@ filter "${file32}" "${ext32}" "${suffix32}"
filter "${file24}" "${ext24}" "${suffix24}" filter "${file24}" "${ext24}" "${suffix24}"
filter "${file16}" "${ext16}" "${suffix16}" filter "${file16}" "${ext16}" "${suffix16}"
filter "${file8}" "${ext8}" "${suffix8}" filter "${file8}" "${ext8}" "${suffix8}"
filter "${fileipv6}" "" ""
# Determine the number of connections per address # Determine the number of connections per address
uniq -c "${file32}" | sort -rn | sponge "${file32}" uniq -c "${file32}" | sort -rn | sponge "${file32}"
uniq -c "${file24}" | sort -rn | sponge "${file24}" uniq -c "${file24}" | sort -rn | sponge "${file24}"
uniq -c "${file16}" | sort -rn | sponge "${file16}" uniq -c "${file16}" | sort -rn | sponge "${file16}"
uniq -c "${file8}" | sort -rn | sponge "${file8}" uniq -c "${file8}" | sort -rn | sponge "${file8}"
uniq -c "${fileipv6}" | sort -rn | sponge "${fileipv6}"
# Determine the number of entries per file. # Determine the number of entries per file.
nlines32=$(cat "${file32}" | wc -l) nlines32=$(cat "${file32}" | wc -l)
nlines24=$(cat "${file24}" | wc -l) nlines24=$(cat "${file24}" | wc -l)
nlines16=$(cat "${file16}" | wc -l) nlines16=$(cat "${file16}" | wc -l)
nlines8=$(cat "${file8}" | wc -l) nlines8=$(cat "${file8}" | wc -l)
nlinesipv6=$(cat "${fileipv6}" | wc -l)
if [ ${netmask} -eq 0 ]; then if [ ${netmask} -eq 0 ]; then
# Now let the user choose which file to process. # Now let the user choose which file to process.
@ -524,7 +608,6 @@ if [ ${netmask} -eq 0 ]; then
echo "[2] 16bit: ${nlines16} entries" echo "[2] 16bit: ${nlines16} entries"
echo "[3] 24bit: ${nlines24} entries" echo "[3] 24bit: ${nlines24} entries"
echo "[4] 32bit: ${nlines32} entries" echo "[4] 32bit: ${nlines32} entries"
echo "[5] IPv6: ${nlinesipv6} entries"
read -p 'Which one do you want to work with (q=Quit) [1-4]? ' choice read -p 'Which one do you want to work with (q=Quit) [1-4]? ' choice
# Based on the user's choice, initialize the variables $file, $ext and # Based on the user's choice, initialize the variables $file, $ext and
@ -543,9 +626,6 @@ if [ ${netmask} -eq 0 ]; then
"4") "4")
netmask=32 netmask=32
;; ;;
"5" )
netmask="ipv6"
;;
"Q" | "q") "Q" | "q")
echo "You chose to abort. That's fine! Have a nice day!" echo "You chose to abort. That's fine! Have a nice day!"
exit exit
@ -570,15 +650,6 @@ unset TEMP
echo "Processing ${file}." echo "Processing ${file}."
# Handle IPv6 option
if [[ "${enableipv6}" -eq 1 ]]; then
if [[ "${netmask}" != "ipv6" ]]; then
cat "${file}" "${fileipv6}" | sort -n | sponge "${file}"
nlines=$(( ${nlines} + ${nlinesipv6} ))
fi
fi
# Invoke the processing function on the chosen file. # Invoke the processing function on the chosen file.
process_file "${file}" process_file "${file}"

View file

@ -1,16 +1,24 @@
#!/usr/bin/python3.8 #!/usr/bin/python
import getopt import argparse
import sys import sys
try: try:
import geoip2.database import geoip2.database
import geoip2.errors
except ImportError: except ImportError:
print( print(
"Required module geoip2.database not found. On Gentoo Linux, please install dev-python/geoip2 from the 'fritteli' overlay.", "Required modules geoip2.database and geoip2.errors not found. On Gentoo Linux, please install dev-python/geoip2 from the 'fritteli' overlay.",
file=sys.stderr) file=sys.stderr)
exit(1) exit(1)
try:
import maxminddb.errors
except ImportError:
print(
"Required module maxminddb.errors not found. On Gentoo Linux, please install dev-python/maxminddb from the 'fritteli' overlay.",
file=sys.stderr)
exit(1)
class LookupException(Exception): class LookupException(Exception):
""" """
@ -47,6 +55,14 @@ def get_county_code(ipaddress, dbfile):
raise LookupException("Unsupported DB type: " + dbtype) raise LookupException("Unsupported DB type: " + dbtype)
return country.iso_code return country.iso_code
except FileNotFoundError as e:
raise LookupException(e.args)
except maxminddb.errors.InvalidDatabaseError as e:
raise LookupException(e.args)
except geoip2.errors.AddressNotFoundError as e:
raise LookupException(e.args)
except ValueError as e:
raise LookupException(e.args)
finally: finally:
if reader: if reader:
reader.close() reader.close()
@ -60,21 +76,12 @@ def parse_command_line(argv):
:return: :return:
""" """
dbfile = None dbfile = None
try: parser = argparse.ArgumentParser(description='Get the country code from an IP address')
opts, args = getopt.getopt(argv, "f:") parser.add_argument('-f', dest='dbfile', required=True, help="Path to the GeoIP2 database file")
except getopt.GetoptError as e: parser.add_argument('address', help="The IP address to check")
raise LookupException("Error parsing command line") from e args = parser.parse_args()
for opt, arg in opts:
if opt == "-f":
dbfile = arg
else:
raise LookupException("Unknown command line argument")
if len(args) == 0:
raise LookupException("No address given on command line")
return dbfile, args[0]
return args.dbfile, args.address
def main(argv): def main(argv):
""" """
@ -83,14 +90,18 @@ def main(argv):
:param argv: Format: "-f /path/to/database.mmdb ip.v4.add.ress" :param argv: Format: "-f /path/to/database.mmdb ip.v4.add.ress"
:return: :return:
""" """
try:
(dbfile, ipaddress) = parse_command_line(argv) (dbfile, ipaddress) = parse_command_line(argv)
code = get_county_code(ipaddress, dbfile) code = get_county_code(ipaddress, dbfile)
print(code) print(code)
except LookupException as e:
print(e.args, file=sys.stderr)
print("Unknown")
if __name__ == '__main__': if __name__ == '__main__':
try: try:
main(sys.argv[1:]) main(sys.argv[1:])
except BaseException as e: except BaseException as e:
print("Usage: geoip-lookup.py -f /path/to/geoip2-database.mmdb 192.168.1.1", file=sys.stderr) print("Unknown")
raise e raise e