blocking-abusers.md (2380B)
Title: Blocking abusers on personal servers (OpenBSD PF)
Author: paco
Date: 2018-09-07
Type: article

Inspired by Jordan Geoghegan's article about [pf-badhost][1] I wanted to
create my own list based on the "attack attempts" I get on my personal
servers. This was tested on OpenBSD 6.3.

I just put together a small shell script that parses the httpd(8) logs
and creates two files: one to load into a PF table, and another one with
entries I'm not sure about that have to be checked manually (either to add
them to the patterns to search for, or to discard them as legitimate).

It's all really simple. The script is this one:


    #!/bin/sh
    # usage: blocking.sh /var/www/logs/access.log [block]

    FILE=$1
    BLOCK=$2
    TABLE=/etc/pf_tables/bad_folks.txt
    TOCHECK=/tmp/to_check.txt
    BAD=""
    UNKNOWN=""

    # one grep(1) pattern per line, matched against the request path only;
    # no trailing newline, an empty pattern would match every request
    patterns="login.cgi
    admin
    php
    webdav
    iframe"

    [ -z "$FILE" ] && echo "Need a log file" && exit 1

    while IFS= read -r line
    do
        # ignore the line newsyslog(8) writes when it rotates the log
        echo "$line" | grep -q newsyslog && continue

        # gather some info; httpd(8) logs
        # <server> <client-ip> - - [date] "<method> <path> <proto>" <status> <bytes>
        IP=$(echo "$line" | awk '{print $2}')
        REQ=$(echo "$line" | awk -F'"' '{print $2}' | awk '{print $2}')

        # if you're behind a NAT and want to remove your network segment ...
        # not really needed if you just filter on egress, but still.
        # echo "$IP" | grep -q "^10\\.42" && continue

        # sort things into unknown and bad folks
        if echo "$REQ" | grep -q -e "$patterns" ; then
            BAD="${BAD}${IP}
    "
        else
            UNKNOWN="${UNKNOWN}${IP} ($REQ)
    "
        fi
    done < "$FILE"

    # the unknown ones carry attacker-controlled request strings, only for eyeballing
    printf '%s' "$UNKNOWN" | sort -uV >> "$TOCHECK"

    # merge with what is already in the table file and clean for duplicates;
    # mktemp(1) instead of a fixed name in /tmp that another local user could plant
    TMP=$(mktemp) || exit 1
    printf '%s' "$BAD" > "$TMP"
    [ -f "$TABLE" ] && cat "$TABLE" >> "$TMP"
    sort -uV "$TMP" > "$TABLE"

    # and clean
    rm -f "$TMP"

    if [ "$BLOCK" = "block" ]; then
        doas pfctl -t bad_folks -T replace -f "$TABLE"
    fi

Just fill the `patterns` variable with one grep pattern per line. Keep in
mind that a bare word like `php` or `admin` also matches legitimate paths
on a site that actually serves them, so tighten the patterns to things your
server never serves before trusting the list.

Of course you'll have to add some rules to `pf.conf`:


    table <bad_folks> persist file "/etc/pf_tables/bad_folks.txt"
    block in quick on egress from <bad_folks> to any

`persist` keeps the table around even when no rule references it, and
`file` fills it when the ruleset is loaded; the script's `pfctl -T replace`
then updates it in place. Keep the `block in quick` rule near the top of
the filter rules, and remember that it drops everything inbound from those
hosts, not only HTTP.

Remember to add the necessary permissions on `doas.conf` to the user that
runs the script, ideally restricted to that one pfctl invocation rather than
unrestricted root.

[1]: https://www.geoghegan.ca/pfbadhost.html
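The classification step run over a few constructed log lines, plus the check a cautious operator would add before handing the table file to pfctl(8), as an added example that is not part of the article's script. The sample log lines, the anchored pattern set, the `bad_ips`, `valid_table_file` and `merge_table` function names and the file names are all assumptions for this example.

```shell
#!/bin/sh
# Added example, not the article's script: run the same classification over
# constructed httpd(8) log lines, then sanity-check the resulting table file
# before anything hands it to pfctl(8).  Sample lines, patterns and file
# names are assumptions for this example.

# Constructed sample lines in httpd(8)'s default ("common") log format:
#   <server> <client-ip> - - [date] "<method> <path> <proto>" <status> <bytes>
SAMPLE_LOG='www.example.org 192.0.2.10 - - [07/Sep/2018:10:00:01 +0200] "GET /login.cgi HTTP/1.1" 404 0
www.example.org 198.51.100.7 - - [07/Sep/2018:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 1234
www.example.org 203.0.113.99 - - [07/Sep/2018:10:00:09 +0200] "GET /wp-admin/admin.php HTTP/1.1" 404 0
www.example.org 192.0.2.10 - - [07/Sep/2018:10:00:11 +0200] "POST /webdav/ HTTP/1.1" 405 0
www.example.org 2001:db8::1 - - [07/Sep/2018:10:00:20 +0200] "GET /about.html HTTP/1.1" 200 512'

# One grep(1) basic regular expression per line, matched against the request
# path only.  Anchored variants of the article's bare words, so a site that
# legitimately serves /phpinfo.html is not caught by a plain "php".  No
# trailing newline: an empty pattern would match every request.
PATTERNS='^/login\.cgi
/admin
\.php$
^/webdav/
iframe'

# Print the client address of every request whose path matches $PATTERNS,
# one per line and de-duplicated.  Log lines are read from stdin.
bad_ips() {
    while IFS= read -r line; do
        case $line in *newsyslog*) continue ;; esac   # newsyslog(8) rotation banner
        ip=$(printf '%s\n' "$line" | awk '{print $2}')
        req=$(printf '%s\n' "$line" | awk -F'"' '{print $2}' | awk '{print $2}')
        # a newline-separated list in a single -e argument is a list of
        # patterns, so this matches if any of them matches
        if printf '%s\n' "$req" | grep -q -e "$PATTERNS"; then
            printf '%s\n' "$ip"
        fi
    done | sort -u
}

# Succeed only if every non-blank, non-comment line of the file looks like an
# IPv4 or IPv6 address, optionally with a prefix length.  A sanity check for
# the table file, not a full address parser: "pfctl -T replace" should never
# see anything copied out of a request string.  Offending lines are printed.
valid_table_file() {
    ! grep -E -v \
        -e '^[[:space:]]*(#|$)' \
        -e '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        -e '^[0-9A-Fa-f:]+(/[0-9]{1,3})?$' \
        "$1"
}

# Merge addresses read from stdin into the table file $1 (created if missing)
# through a mktemp(1) file, so a half-written or invalid list is never left
# in place and no fixed /tmp name can be planted by another local user.
merge_table() {
    tmp=$(mktemp) || return 1
    { [ -f "$1" ] && cat "$1"; cat; } | sort -u > "$tmp" \
        && valid_table_file "$tmp" \
        && mv "$tmp" "$1" \
        || { rm -f "$tmp"; return 1; }
}

# Stand-alone run: list the offenders found in the sample log.
printf '%s\n' "$SAMPLE_LOG" | bad_ips
```

Only the block list goes through `valid_table_file`; the "to check" list is for human eyes and carries whatever the client sent, so nothing should parse it as table input. To let the unprivileged user that runs the script load the table and nothing else, the doas.conf(5) rule can be pinned to the exact command line the script issues (the user name `paco` is an assumption): `permit nopass paco as root cmd pfctl args -t bad_folks -T replace -f /etc/pf_tables/bad_folks.txt`. After a run, `doas pfctl -t bad_folks -T show` prints what the kernel actually holds in the table.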