linux/ddos-mitigator
1
0
Fork 0
Code Issues Pull requests Releases 5 Wiki Activity

feature/config-file #3

Merged
manuel merged 5 commits from feature/config-file into master 2020-11-24 21:35:13 +01:00
Conversation 0 Commits 5 Files changed 2 +74 -5
2 changed files with 74 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 0871a25bf7 - Show all commits

30
ddos-mitigator.conf Normal file
View file

@ -0,0 +1,30 @@
# Example configuration file for ddos-mitigator.sh.
# PLEASE TAKE CARE not to put any whitespace around the '=' signs, as this file is directly sourced by the script
# file and this needs to conform to the BASH syntax. Also, make sure to declare the COUNTRIES variable with the
# correct array syntax: COUNTRIES=("AA" "BB" "CC"), or to comment it out altogether.
# The path to the GeoIP2 database file (must be either country or city database). This parameter is mandatory. If it is
# not specified here, it must be given on the command line (through the -d option).
DATABASE_FILE="/path/to/geoip/country-or-city-database.mmdb"
# Enable the autopilot for automatically banning IP addresses of the desired countries (see also COUNTRIES option).
# Only ban IP addresses with at least AUTOPILOT current connections. If the value is not specified or 0, don't
# automatically ban IP addresses, but run in interactive mode.
AUTOPILOT="1"
# Defines the subnet size in bytes to be analyzed. Valid values are:
# - 8 for class A networks (X.0.0.0/8)
# - 16 for class B networks (X.X.0.0/16)
# - 24 for class C networks (X.X.X.0/24)
# - 32 for class D networks (X.X.X.X/32)
# If not specified, run in interactive mode and prompt for the netmask size.
NETMASK="8"
# The country-codes to block as an array. Defaults to "CN" (China).
#COUNTRIES=("CN" "HK" "TW")
# Specify the JAIL to use for banning the IP addresses. Defaults to 'apache-auth'.
#JAIL="apache-auth"
# The desired port to monitor. Defaults to 443 (https).
#PORT="443"

49
ddos-mitigator.sh
View file

@ -32,10 +32,7 @@
# # # #
################################################################################ ################################################################################
# Set the host's own IP address. So far, only an IPv4 address is supported. # Store the start time; this enables us to output the total runtime at the end.
MY_IP="94.199.214.20"
# After this point, no editing is required.
start="$(date +%s)" start="$(date +%s)"
# Dependencies of this script. Simple array with the following structure: # Dependencies of this script. Simple array with the following structure:
@ -139,6 +136,13 @@ Usage: $(basename $0) -d FILE [OPTION...]
printed to stderr and the program printed to stderr and the program
terminates with exit code 1. terminates with exit code 1.
-f, --config-file=FILENAME Specify the full path to the configuration
file. If omitted, all options are read
from the command line.
Any parameter specified on the command
line takes precedence over configuration
option read from the file.
-j, --jail=JAIL Specify the JAIL to use for banning the IP -j, --jail=JAIL Specify the JAIL to use for banning the IP
addresses. addresses.
Defaults to 'apache-auth'. Defaults to 'apache-auth'.
@ -194,8 +198,30 @@ function filter() {
mv "${filtered}" "${file}" mv "${filtered}" "${file}"
} }
function parse_config_file() {
source "${configfile}"
if [[ -z "${autopilot+x}" ]]; then
autopilot="${AUTOPILOT}"
fi
if [[ -z "${bancountries}" ]]; then
bancountries=()${COUNTRIES[@]})
fi
if [[ -z "${database+x}" ]]; then
database="${DATABASE_FILE}"
fi
if [[ -z "${jail+x}" ]]; then
jail="${JAIL}"
fi
if [[ -z "${netmask+x}" ]]; then
netmask="${NETMASK}"
fi
if [[ -z "${port+x}" ]]; then
port="${PORT}"
fi
}
function parse_command_line_args() { function parse_command_line_args() {
TEMP=$(getopt -o 'a::,c:,d:,e,j:,n:,p:,h' -l 'auto::,country:,database:,dependencies,jail:,netmask:,port:,help' -- "$@") TEMP=$(getopt -o 'a::,c:,d:,e,f:,j:,n:,p:,h' -l 'auto::,country:,database:,dependencies,config-file:,jail:,netmask:,port:,help' -- "$@")
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo 'Error parsing command line options. Terminating. Invoke with --help for help.' >&2 echo 'Error parsing command line options. Terminating. Invoke with --help for help.' >&2
@ -238,6 +264,14 @@ function parse_command_line_args() {
check_dependencies check_dependencies
exit $? exit $?
;; ;;
'-f' | '--config-file')
configfile="${2}"
if [[ ! -f "${configfile}" || ! -r "${configfile}" ]]; then
echo "Can not read configuration file '${2}'. Invoke with --help for help." >&2
exit 1
fi
shift
;;
'-j' | '--jail') '-j' | '--jail')
jail="${2}" jail="${2}"
shift shift
@ -283,6 +317,11 @@ function parse_command_line_args() {
shift shift
done done
# If the config file option is set, parse the config file.
if [[ ! -z ${configfile+x} ]]; then
parse_config_file
fi
if [[ -z "${database}" ]]; then if [[ -z "${database}" ]]; then
echo "No GeoIP database specified. Invoke with --help for more information." >&2 echo "No GeoIP database specified. Invoke with --help for more information." >&2
exit 1 exit 1