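#!/bin/bash
# Copyright (c) 2008-2010 David R. Forrest (Forrest)
#
# Permission to use, copy, modify, and distribute this material
# for any purpose and without fee is hereby granted, provided
# that the above copyright notice and this permission notice
# appear in all copies, and that the name of Forrest not be
# used in advertising or publicity pertaining to this
# material without the specific, prior written permission
# of an authorized representative of Forrest. FORREST
# MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY
# OF THIS MATERIAL FOR ANY PURPOSE. IT IS PROVIDED "AS IS",
# WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
#
# Drop future ip packets from this attacker and add to /var/tmp/badactors
# D.R. Forrest 12/15/02
#
# Usage: dropbad ipaddress[/24]|ipv6address[/prefix]|FQDN [comment_passed_to_report]
#   $1 is the address, Class C net or FQDN to be dropped;
#   $2 is just a comment printed on the report (killit passes a login name).
#
# Exit status:
#   0  blocked, or deliberately skipped (already listed, MX secondary)
#   1  input rejected as malformed/unresolvable, or the firewall command failed
#   2  no target given
#
# -----Revisions -------------
# 1/23/03 Warn of bad IP address - don't append
# 7/22/03 Don't duplicate entries
# 8/21/05 Mail advice to root.
# 9/16/05 Added positional argument $2 as a print item.
#         (Used by killit to pass login name)
# 7/13/10 Added FQDN and Class C nets as options to IP
# 7/20/10 Abort if trying to block MX secondaries
# 4/14/12 Added IPv6 address routines
#
# Notes on this revision:
#   - The script uses [[ =~ ]] and BASH_REMATCH, which /bin/sh (dash) does
#     not provide, so the shebang is bash.
#   - The FQDN lookup regex was quoted, which bash >= 3.2 treats as a literal
#     string, so a hostname never resolved; it is now an unquoted pattern.
#   - $1 and $2 reach iptables/ip6tables, host, mail and a printf format
#     string. Every expansion is now quoted, printf uses fixed formats, and
#     the target is validated against a strict pattern before any external
#     command sees it.
#   - The IPv6 branch appended the record before running ip6tables and did
#     not check its status; it now mirrors the IPv4 branch (rule first, then
#     record, or exit 1).
#   - Duplicate detection matched $1 as an unanchored regex ("." matching
#     any character), so 1.2.3.4 matched 1.2.3.45; it is now a fixed-string
#     match on the " -s <target> " token of the record line.

set -u

readonly BADACTORS4=/var/tmp/badactors
readonly BADACTORS6=/var/tmp/6badactors
# NOTE(review): /var/tmp is world-writable. If these record files are ever
# replayed as commands at boot, a root-owned directory would be safer —
# confirm how they are consumed before relying on them.
readonly IPTABLES=/sbin/iptables
readonly IP6TABLES=/sbin/ip6tables
readonly HOST=/usr/local/bin/host
readonly LOGGER=/usr/bin/logger
readonly GREP=/bin/grep
readonly MAIL=/bin/mail

# Dotted quad with an optional /24 (the only net size the usage line allows).
readonly IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/24)?$'
# Hex groups and colons with an optional prefix length; ip6tables does the
# final syntax check, this only keeps shell-significant characters out.
readonly IPV6_RE='^[0-9A-Fa-f:]+(/[0-9]{1,3})?$'
# Hostname characters only, and never a leading "-" so it cannot be read as
# an option by host(1).
readonly FQDN_RE='^[A-Za-z0-9][A-Za-z0-9.-]*$'
# First dotted quad in host(1) output (group 1).
readonly DOTTED_QUAD_RE='([0-9]{1,3}(\.[0-9]{1,3}){3})'

# $2 ends up inside the --comment of a rule and inside a record line that
# quotes it with double quotes; restrict it to a harmless character set so
# a crafted login name cannot break the record format.
print_info=${2-}
print_info=${print_info//[^A-Za-z0-9_@.:\/ -]/_}
readonly print_info

## logger -st dropbad "Command line is: $0 $* Field 1 is: $1 Field 2 is: $2" ## for debugging

#######################################
# Log a message to syslog and stderr under the "dropbad" tag.
# Arguments: $* - message
#######################################
log() {
  "$LOGGER" -st dropbad "$*"
}

#######################################
# Log why the target is deliberately not (re)added and exit 0.
# Arguments: $* - message
#######################################
skip() {
  log "$*"
  exit 0
}

#######################################
# Log why the input was rejected and exit 1.
# Arguments: $* - message
#######################################
reject() {
  log "$*"
  exit 1
}

#######################################
# Refuse to block a dnsmadeeasy MX secondary (message to stdout, exit 0).
#######################################
skip_mx_secondary() {
  echo "Cannot block MX secondary *.dnsmadeeasy.com -- ignored."
  exit 0
}

#######################################
# True when host(1) resolves the target to something under dnsmadeeasy.
# The matching line is left on stdout, as before, for the operator.
# Arguments: $1 - address or name
#######################################
is_mx_secondary() {
  "$HOST" "$1" | "$GREP" 'dnsmadeeasy' -
}

#######################################
# True when the record file already holds a rule for this target.
# Record lines look like "... -s <target> -j DROP ...", so match the
# " -s <target> " token as a fixed string; a missing file counts as "no".
# Arguments: $1 - record file; $2 - target
#######################################
already_listed() {
  "$GREP" -F -q -- "-s $2 " "$1" 2>/dev/null
}

#######################################
# Resolve a name with host(1) and print the first dotted quad found.
# Arguments: $1 - hostname
# Outputs:   the IPv4 address on stdout
# Returns:   0 when an address was found, 1 otherwise
#######################################
resolve_fqdn() {
  local answer
  # host's exit status is not checked: only the presence of an A record
  # in its output matters, as in the original lookup.
  answer=$("$HOST" "$1" 2>/dev/null)
  [[ $answer =~ $DOTTED_QUAD_RE ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

#######################################
# Append a DROP rule for an IPv6 target, record it, log it and mail root.
# Globals:   print_info (read)
# Arguments: $1 - IPv6 address or prefix
#######################################
block_ipv6() {
  local target=$1 stamp
  log "Seems we have an IPv6; $target eh?"
  [[ $target =~ $IPV6_RE ]] \
    || reject "$target is not a valid IPv6 address or prefix. Not added."
  is_mx_secondary "$target" && skip_mx_secondary
  already_listed "$BADACTORS6" "$target" \
    && skip "$target is already in 6badactors. Not added again!"
  stamp=$(date +%x)
  # Insert the rule before recording it so the record never claims a block
  # that ip6tables refused.
  "$IP6TABLES" -A 6badactors -s "$target" -j DROP \
    -m comment --comment "$print_info $stamp" || exit 1
  printf '%s -A 6badactors -s %s -j DROP -m comment --comment "%s %s"\n' \
    "$IP6TABLES" "$target" "$print_info" "$stamp" >> "$BADACTORS6"
  log " $target added to $BADACTORS6 and blocked in ip_6tables. $print_info"
  printf 'IPv6:%s added to %s and blocked. %s\n%s\n' \
    "$target" "$BADACTORS6" "$print_info" "$("$HOST" "$target")" \
    | "$MAIL" -s "$target IPv6 blocked" root
}

#######################################
# Append a DROP rule for an IPv4 target, record it, log it and mail root.
# Globals:   print_info (read)
# Arguments: $1 - IPv4 address or Class C net (already validated)
#######################################
block_ipv4() {
  local target=$1 stamp
  already_listed "$BADACTORS4" "$target" \
    && skip "$target is already in badactors. Not added again!"
  is_mx_secondary "$target" && skip_mx_secondary
  stamp=$(date +%x)
  "$IPTABLES" -A badactors -s "$target" -j DROP \
    -m comment --comment "$print_info $stamp" || exit 1
  printf '%s -A badactors -s %s -j DROP -m comment --comment "%s %s"\n' \
    "$IPTABLES" "$target" "$print_info" "$stamp" >> "$BADACTORS4"
  # Print it
  log " $target added to and blocked in ip_tables. $print_info"
  # and mail it.
  printf 'IP %s added to and blocked in ip_tables. %s\n%s\n' \
    "$target" "$print_info" "$("$HOST" "$target")" \
    | "$MAIL" -s "$target Blocked" root
}

#######################################
# Entry point: classify $1 as IPv6, IPv4/net or FQDN and block it.
# Arguments: $1 - target; $2 - report comment (consumed into print_info)
#######################################
main() {
  local target=${1-}
  if [[ -z $target ]]; then
    printf 'Usage: dropbad ipaddress[/24]|FQDN [comment_passed_to_report]\n' >&2
    exit 2
  fi

  # Anything containing a colon can only be an IPv6 address or prefix.
  if [[ $target == *:* ]]; then
    block_ipv6 "$target"
    exit 0
  fi

  if [[ ! $target =~ $IPV4_RE ]]; then
    echo " Not an IPv4. Resolve $target as an assumed FQDN and recheck"
    [[ $target =~ $FQDN_RE ]] \
      || reject "$target is not a valid net (Class C), host, or IPv4. Not added."
    target=$(resolve_fqdn "$target") \
      || reject "$target is not a valid net (Class C), host, or IPv4. Not added."
  fi

  block_ipv4 "$target"
  exit 0
}

main "$@"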