blocking-abusers.md

Title: Blocking abusers on personal servers (OpenBSD PF)
Author: paco
Date: 2018-09-07
Type: article

Inspired by Jordan Geoghegan's article about [pf-badhost][1] I wanted to
create my own list based on the "attack attempts" I get on my personal
servers. This was tested on OpenBSD 6.3.

I just put together a small shell script that parses the httpd(8) logs
and creates 2 files: one to load into a PF table and another one with
entries I'm not sure about, which have to be checked manually (either to
add them to the patterns to search for or to discard them as legit).

It's all really simple. The script is this one:

    #!/bin/sh
    # Parse an httpd(8) access log and build/refresh the <bad_folks> PF table.
    # Usage: blocking-abusers.sh LOGFILE [block]

    FILE=$1
    BLOCK=$2
    BAD=""
    UNKNOWN=""

    # one grep(1) pattern per line, matched against the requested path
    patterns="login.cgi
    admin
    php
    webdav
    iframe"

    [ -r "$FILE" ] || { echo "Need a log file" >&2; exit 1; }

    while IFS= read -r line
    do
        # ignore the rotation marker line written by newsyslog(8)
        echo "$line" | grep -q newsyslog && continue

        # gather some info: in httpd's "common" log style field 2 is the
        # client address and the quoted part is the request line
        IP=$(echo "$line" | awk '{print $2}')
        REQ=$(echo "$line" | awk -F'"' '{print $2}' | awk '{print $2}')

        # if you're behind a NAT and want to remove your network segment ...
        # is not really needed if you just filter on egress, but still.
        # echo "$IP" | grep -q "^10\\.42" && continue

        # sort things into unknown and bad folks
        if echo "$REQ" | grep -q -e "$patterns" ; then
            BAD="${BAD}${IP}
    "
        else
            UNKNOWN="${UNKNOWN}${IP} ($REQ)
    "
        fi
    done < "$FILE"

    # printf instead of echo so an empty list does not produce a blank entry
    printf '%s' "$BAD" | sort -uV > /tmp/bad_folks.txt
    printf '%s' "$UNKNOWN" | sort -uV >> /tmp/to_check.txt

    # and now we merge with the existing table (if any) and clean duplicates
    [ -f /etc/pf_tables/bad_folks.txt ] && cat /etc/pf_tables/bad_folks.txt >> /tmp/bad_folks.txt
    sort -uV /tmp/bad_folks.txt > /etc/pf_tables/bad_folks.txt

    # and clean
    rm /tmp/bad_folks.txt

    if [ "$BLOCK" = "block" ]; then
        doas pfctl -t bad_folks -T replace -f /etc/pf_tables/bad_folks.txt
    fi

Just fill the `patterns` variable with one grep pattern per line.
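
A single-pass awk variant of the same classification, added here as an example and not part of the article's script: it counts matching requests per client address so a host is only handed to the PF table once it reaches a threshold, and it never lists the same address both as bad and as "to check" (the loop above files a client under unknown for every request that did not match, even when another of its requests did). The log lines, pattern list, function names and the threshold are constructed for this example; patterns are awk extended regular expressions.

```shell
# Added example, not the article's script: single-pass awk classifier for
# httpd(8) "style common" log lines with per-client hit counts.
# The sample lines, pattern list and function names are constructed.

# same patterns as the article, one awk ERE per line
PATTERNS='login.cgi
admin
php
webdav
iframe'

# constructed sample: vhost client-ip - - [date] "request" status bytes
SAMPLE_LOG='www.example.com 203.0.113.5 - - [07/Sep/2018:10:00:01 +0200] "GET /login.cgi HTTP/1.1" 404 0
www.example.com 203.0.113.5 - - [07/Sep/2018:10:00:02 +0200] "GET /admin/ HTTP/1.1" 404 0
www.example.com 198.51.100.9 - - [07/Sep/2018:10:00:03 +0200] "GET /index.html HTTP/1.1" 200 1234
www.example.com 198.51.100.9 - - [07/Sep/2018:10:00:04 +0200] "GET /wp-login.php HTTP/1.1" 404 0
www.example.com 192.0.2.77 - - [07/Sep/2018:10:00:05 +0200] "GET /about HTTP/1.1" 200 512
Sep  7 00:00:00 host newsyslog[1234]: logfile turned over'

# classify PATTERNS: reads log lines on stdin, prints "bad <ip> <hits>" for
# clients with at least one matching request, else "unknown <ip> <request>".
# A client never appears under both headings.
classify() {
    awk -v pats="$1" '
        BEGIN { n = split(pats, pat, "\n") }
        /newsyslog/ { next }                 # rotation marker, not a request
        $2 !~ /^[0-9A-Fa-f.:]+$/ { next }    # field 2 must look like an address
        {
            ip = $2
            split($0, q, "\"")               # q[2] = GET /path HTTP/1.1
            split(q[2], r, " ")              # r[2] = /path
            req = r[2]
            for (i = 1; i <= n; i++)
                if (req ~ pat[i]) { hits[ip]++; next }
            seen[ip] = req                   # last request that matched nothing
        }
        END {
            for (ip in hits) print "bad", ip, hits[ip]
            for (ip in seen) if (!(ip in hits)) print "unknown", ip, seen[ip]
        }' | sort
}

# bad_hosts PATTERNS THRESHOLD: addresses for the PF table, one per line,
# only once a client has reached THRESHOLD matching requests.
bad_hosts() {
    classify "$1" | awk -v min="$2" '$1 == "bad" && $3 >= min { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | bad_hosts "$PATTERNS" 2
```

The output of `bad_hosts` can replace the `echo "$BAD" | sort -uV` step above, while the `unknown` lines are what goes into to_check.txt.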

Of course you'll have to add some rules to `pf.conf`:

    table <bad_folks> persist file "/etc/pf_tables/bad_folks.txt"
    block in quick on egress from <bad_folks> to any

Remember to add the necessary permissions on `doas.conf` to the user that runs
the script.

[1]: https://www.geoghegan.ca/pfbadhost.html