Mod_sec Block IP Script

Discussion in 'General Discussion' started by Solokron, Mar 6, 2007.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    I inquired about something like this a couple of years ago. I see that configserver has the feature. Has anyone created a separate script to grep the modsec error log for repeat attempts and add the offender to APF's firewall deny list? We spend so much time with modsec rules; if we could ban the script kiddy right from the start (instead of allowing him/her to finally find a vulnerability) we could relieve a lot of our headaches.
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I like the idea, I could make something up if you need.
     
  3. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    About a year and a half ago, when I was just starting shell scripting, I developed a Mod_Sec Ban IP script to work together with APF Firewall... it was working, but failing at the same time doing certain things; I didn't have enough time to finish it. I can give you the source if you want.. anyway.. now CSF Firewall already has that feature included.
     
  4. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Absolutely! I would like to get a script going for the community which does not use CSF.


     
  5. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    In 5 minutes I will post it, I'm translating it to English :)
     
  6. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    As I told you before, don't expect a super Perl mod security script like chirpy uses in his CSF Firewall... this is VERY BASIC shell scripting developed more than 1 year ago.. it works, but you have to work on the code.

    Main File:
    Code:
    #!/bin/bash
    #
    #   Mfb - [Mod_Security + APF Firewall Ban]
    #   by sh4ka 
    
    
    # History
    # v.0.1 - June 09 - 2006
    #      Search and filter attacking IPs through the audit_log file.
    # v.0.2 - June 12 - 2006
    #      Created a non-numerical expressions filter.
    # v.0.3 - June 13 - 2006
    #      Added white list feature.
    # v.0.4 - March 07 - Translated to english and opening this basic 
    # script to the cPanel community =) :p 
    
    NAM="Mfb Mod_Security + APF Firewall Ban"
    VER=0.4
    OFF_IP=/usr/local/Mfb/offending.list
    WHT_LST=/usr/local/Mfb/white.list
    TMP_COMP=/tmp/Mfb_comp.tmp
    TMP_OFFLIST=/tmp/Mfb_offending.tmp
    TMP_WHTLST=/tmp/Mfb_whitelist.tmp
    DENYPATH=/etc/apf/deny_hosts.rules
    UNBAN=/usr/local/Mfb/unban_list.tmp   # IPs banned by Mfb, read by the unban script
    REQ=Request
    ALOG=/usr/local/apache/logs/audit_log
    DN=/dev/null
    MAILTO=yourmail@yourhost.com          # notification address, change it
    
    mkdir -p /usr/local/Mfb/ 2> $DN
    rm -f "$OFF_IP" "$TMP_COMP" "$TMP_WHTLST"
    
    banner () {
    echo "$NAM $VER"
    echo "2007 - sh4ka"
    }
    
    banner
    
    filter ()  {
    
    #### Filter the offending IPs, and deny using the firewall
    # Take the IP field of every "Request:" line, keep the ones seen more than
    # once (uniq -dc prints "count IP") and drop non-numeric entries.
    # Field 3 is used here; check it against your own audit_log format.
    grep "$REQ" "$ALOG" --binary-files=text | awk '{print $3 }' | sort -n | uniq -dc | egrep -v "-" > "$TMP_COMP"
    # Only IPs with 3 or more hits are candidates for a ban
    while read -r COUNT IP; do
    if [ "$COUNT" -ge 3 ]; then
       echo "$IP" >> "$TMP_WHTLST"
    fi
    done < "$TMP_COMP"
    echo
    
    #### Checking if IP is white listed
    # grep -x matches whole lines, so 1.2.3.4 in white.list does not cover 1.2.3.45
    if [ -f "$TMP_WHTLST" ]; then
    while read -r POS_WHT; do
        if [ -f "$WHT_LST" ] && grep -qxF -- "$POS_WHT" "$WHT_LST"
        then
            echo "$POS_WHT ignored! (listed at white.list)"
        else
            echo "$POS_WHT" >> "$OFF_IP"
        fi
    done < "$TMP_WHTLST"
    fi
    #### Check if offending IP is already banned
    if [ -f "$OFF_IP" ]; then
            while read -r IP; do
               # -w keeps 1.2.3.4 from matching 1.2.3.45 in deny_hosts.rules
               if grep -qwF -- "$IP" "$DENYPATH" 2> $DN
               then
                   echo "$IP ignored! (already banned)"
               else
                   if apf -d "$IP" Mfb | grep "Inserted" 1> $DN
                   then
                         echo "Denying IP: $IP" | mail -s "Denying using Mfb" "$MAILTO"
                         echo "Denying IP: $IP"
                         # Remember the IP so the unban script can lift the ban later
                         if ! grep -qxF -- "$IP" "$UNBAN" 2> $DN
                         then
                             echo "$IP" >> "$UNBAN"
                         fi
                   else
                         echo "An error occurred while trying to deny access for some IPs, please verify."
                   fi
               fi
            done < "$OFF_IP"
    echo; echo ...Done!
    else
          echo "There are no offending IPs"
    fi
    }
    
    #### Checking for log.
    # Verify that the audit_log exists and is not empty
    if [ ! -s "$ALOG" ]; then
       echo
       echo "Log file: $ALOG, doesn't have any logs, please ensure Mod_Security is working properly."
       exit 1
    else
    filter
    fi
    
    Second file (unban file):
    Code:
    #!/bin/bash
    echo "Mfb Mod_Security + APF Firewall Ban 0.4"
    echo "2007 - sh4ka"
    echo
    # List of IPs the main script banned, one per line
    UNBAN=/usr/local/Mfb/unban_list.tmp
    
    if [ ! -s "$UNBAN" ]; then
       echo "There are not any IPs to un-ban."
       exit
    else
       echo "Un-banning IPs..."
       while read -r IP_UNBAN
       do
          apf -u "$IP_UNBAN" Mfb 1> /dev/null
          echo "$IP_UNBAN"
       done < "$UNBAN"
       # Empty the list so the next run does not try to un-ban the same IPs again
       : > "$UNBAN"
       echo
       echo "...Done"
    fi
    
     
    #6 sh4ka, Mar 7, 2007
    Last edited: Mar 8, 2007
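The decision logic of the script above (count repeat "Request:" entries per IP, apply a threshold, honour a whitelist, skip addresses already in the deny rules), written out as an added dry-run example. This is not sh4ka's code and not part of the thread: it never calls apf, it only prints what would be denied or skipped. The audit_log lines, white.list and deny_hosts.rules excerpts are constructed, and the column holding the IP is a parameter because it depends on the audit_log format (the posted script reads field 3; this sample puts the address in field 2, so check your own log before reusing either value).

```shell
#!/bin/bash
# Added example, not sh4ka's script. Same repeat-offender logic as Mfb, but
# a dry run that never touches the firewall. All inputs are constructed.

# Constructed mod_security 1.x style audit_log excerpt. The last two lines
# carry a hostname or "-" instead of an address and must be filtered out.
SAMPLE_LOG='Request: 198.51.100.7 - - [07/Mar/2007:10:01:02 +0000] "GET /cgi-bin/test HTTP/1.0" 403 0
Request: 198.51.100.7 - - [07/Mar/2007:10:01:03 +0000] "GET /index.php?x=1 HTTP/1.0" 403 0
Request: 198.51.100.7 - - [07/Mar/2007:10:01:04 +0000] "GET /admin/ HTTP/1.0" 403 0
Request: 203.0.113.5 - - [07/Mar/2007:10:02:00 +0000] "GET /a HTTP/1.0" 403 0
Request: 203.0.113.5 - - [07/Mar/2007:10:02:01 +0000] "GET /b HTTP/1.0" 403 0
Request: 203.0.113.5 - - [07/Mar/2007:10:02:02 +0000] "GET /c HTTP/1.0" 403 0
Request: 203.0.113.5 - - [07/Mar/2007:10:02:03 +0000] "GET /d HTTP/1.0" 403 0
Request: 192.0.2.250 - - [07/Mar/2007:10:03:00 +0000] "GET /e HTTP/1.0" 403 0
Request: 192.0.2.250 - - [07/Mar/2007:10:03:01 +0000] "GET /f HTTP/1.0" 403 0
Request: 192.0.2.250 - - [07/Mar/2007:10:03:02 +0000] "GET /g HTTP/1.0" 403 0
Request: 192.0.2.99 - - [07/Mar/2007:10:04:00 +0000] "GET /h HTTP/1.0" 403 0
Request: 192.0.2.99 - - [07/Mar/2007:10:04:01 +0000] "GET /i HTTP/1.0" 403 0
Request: host.example.com - - [07/Mar/2007:10:05:00 +0000] "GET /j HTTP/1.0" 403 0
Request: - - - [07/Mar/2007:10:05:01 +0000] "GET /k HTTP/1.0" 403 0'

# Constructed white.list. 198.51.100.70 is listed, 198.51.100.7 is not.
WHITELIST='127.0.0.1
192.0.2.250
198.51.100.70'

# Constructed excerpt of an APF deny_hosts.rules file.
DENY_RULES='# deny_hosts.rules (constructed)
203.0.113.5
198.51.100.77'

# Print "count ip" for every IPv4 address whose Request: lines reach the
# threshold. $1 = log text, $2 = threshold, $3 = awk field holding the IP.
repeat_offenders() {
    printf '%s\n' "$1" |
    awk -v fld="$3" -v min="$2" '
        $1 == "Request:" && $fld ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$fld]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' |
    LC_ALL=C sort -k2,2
}

# Whole-line whitelist match, so 1.2.3.4 is not covered by 1.2.3.45.
# $1 = ip, $2 = whitelist text.
is_whitelisted() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Word match against the deny rules: 1.2.3.4 does not hit 1.2.3.45, but an
# entry followed by a trailing comment still matches. $1 = ip, $2 = rules.
is_denied() {
    printf '%s\n' "$2" | grep -qwF -- "$1"
}

# One line per offender: "deny IP (N hits)" or "skip IP (reason, N hits)".
# $1 = log, $2 = threshold, $3 = IP field, $4 = whitelist, $5 = deny rules.
plan_bans() {
    repeat_offenders "$1" "$2" "$3" | while read -r count ip; do
        if is_whitelisted "$ip" "$4"; then
            echo "skip $ip (whitelisted, $count hits)"
        elif is_denied "$ip" "$5"; then
            echo "skip $ip (already denied, $count hits)"
        else
            echo "deny $ip ($count hits)"
        fi
    done
}

# Dry run over the constructed data with the same threshold Mfb uses (3 hits)
plan_bans "$SAMPLE_LOG" 3 2 "$WHITELIST" "$DENY_RULES"
```

On the constructed data this prints one skip for the whitelisted 192.0.2.250, one deny for 198.51.100.7 (neither 198.51.100.70 in the whitelist nor 198.51.100.77 in the deny rules matches it), and one skip for 203.0.113.5, which is already denied; 192.0.2.99 never appears because it is below the threshold. To turn the plan into real bans you would feed only the `deny` lines to APF, for example `plan_bans ... | awk '$1=="deny"{print $2}' | while read -r ip; do apf -d "$ip" Mfb; done`, and keep the exact-match checks, since the plain `grep "$IP"` in the original can wrongly treat 1.2.3.4 as whitelisted or already banned because of 1.2.3.45.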
  7. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    That's great Sh4ka! Collectively I am sure someone can come up with something fully functional from this.

     
  8. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    I wish I had more time to work on useful scripts like this one... maybe in a month I will be able to re-write this script, but right now it's impossible, I'm working 14 hours per day :(

    good luck.
     
  9. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    You may want to remove your email address to avoid email harvesters picking it up.

    What kind of issues did you run into with the script?
     