blocking lame botnets

 #!/bin/sh


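# ban-ip: block one attacking host.
#
# Usage: ban-ip <ip> <reason>
#   <ip>      address to block (whatever iptables -s and hosts.deny accept)
#   <reason>  one word, underscores instead of spaces; recorded as a comment
#             above the hosts.deny entry.  The special reason "http-hacker"
#             additionally blocks ports 80 and 443.
#
# Side effects (all need root): appends to /etc/hosts.deny, inserts REJECT
# rules into the INPUT chain and saves them to /etc/sysconfig/iptables.save,
# calls /scripts/ban-email, and appends the ip to /root/hackers.
#
# ourIp is the local address the rules are scoped to (-d).  Set OUR_IP in the
# environment or edit the default below before using this script.

set -u

ip=${1-}
reason=${2-}
ourIp=${OUR_IP:-"[insert here]"}

# Print each argument on its own line to stderr and exit non-zero, so a caller
# can tell the ban did not happen (a bare 'exit' reported success).
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Insert one REJECT rule for tcp port $1 from $ip.  A failed insert is reported
# rather than fatal so the remaining ports still get their rules.
reject_port() {
  iptables -t filter -I INPUT -s "$ip" -p tcp --dport "$1" -d "$ourIp" -j REJECT \
    || printf 'warning: could not add iptables rule for port %s\n' "$1" >&2
}

[ -n "$ip" ] || die "please provide the ip to ban"
[ -n "$reason" ] || die "please provide the reason as a string with underscores" \
  "eg tried_to_hack_dns" \
  "if you provide the reason as http-hacker it will" \
  "prevent this ip from accessing http ports"

# Both values are written into config files and handed to iptables, so refuse
# anything containing whitespace: a newline in the reason would otherwise
# become an extra hosts.deny rule, and a space would split into extra
# command-line arguments.
case "$ip$reason" in
  *[[:space:]]*) die "ip and reason must not contain whitespace" ;;
esac

# -F: the ip is a literal, not a regex ('.' would match any character).
# -w: whole-word match, so 10.0.0.1 is not reported as present just because
#     10.0.0.10 is listed (the old substring test silently skipped such bans).
if grep -qwF -- "$ip" /etc/hosts.deny ; then
  # The old check for this case was inverted and never printed anything.
  printf '%s is already in hosts.deny\n' "$ip"
else
  {
    printf '# %s\n' "$reason"
    if [ "$reason" = "http-hacker" ] ; then
      printf 'sshd,pop,pop3,smb,imap,afp,ftp,http,https: %s\n' "$ip"
    else
      printf 'sshd,pop,pop3,smb,imap,afp,ftp: %s\n' "$ip"
    fi
  } >> /etc/hosts.deny
  echo "Added the following to hosts.deny:"
  tail -n2 /etc/hosts.deny

  [ "$ourIp" != "[insert here]" ] \
    || printf 'warning: ourIp is not configured; the iptables rules below will fail\n' >&2
  printf 'iptables -t filter -I INPUT -s %s -p tcp --dport 22 -d %s -j REJECT etc, etc\n' "$ip" "$ourIp"
  # Same ports, same insertion order as before.
  for port in 22 110 143 548 20 21 445 ; do
    reject_port "$port"
  done
  if [ "$reason" = "http-hacker" ] ; then
    reject_port 80
    reject_port 443
  fi
  iptables-save > /etc/sysconfig/iptables.save
fi

/scripts/ban-email "$ip" "$reason"

echo "DONT FORGET TO TRY SSH IN TO CHECK THE FIREWALL HASNT LOCKED YOU OUT"

printf '%s\n' "$ip" >> /root/hackers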




And the ban-email script that it calls:


#!/bin/sh


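# ban-email: deny mail from one address.
#
# Usage: ban-email <ip-or-address> <reason>
#   <ip-or-address>  what to list in /etc/mail/access
#   <reason>         one word, underscores instead of spaces; written as a
#                    comment above the access entry.
#
# Appends to /etc/mail/access and rebuilds the access map with make (needs
# root).  Exits 0 whether the entry was added or was already present; exits 1
# on bad arguments.

set -u

addr=${1-}
reason=${2-}

# Print each argument on its own line to stderr and exit non-zero, so a caller
# can tell nothing was added (a bare 'exit' reported success).
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

[ -n "$addr" ] || die "please provide the ip or address to ban"
[ -n "$reason" ] || die "please provide the reason as a string with underscores" "eg spammer"

# Both values land in /etc/mail/access verbatim; a newline or space in them
# would turn into an extra or malformed access entry.
case "$addr$reason" in
  *[[:space:]]*) die "address and reason must not contain whitespace" ;;
esac

# -F: treat the address as a literal (a '.' is not "any character").
# -w: whole-word match, so 10.0.0.1 is not mistaken for a listed 10.0.0.10.
if grep -qwF -- "$addr" /etc/mail/access ; then
  printf 'not adding %s - alreading in mail.access\n' "$addr"
  exit 0
fi

# we've not banned them before
{
  printf '# %s\n' "$reason"
  printf '%s      DENY\n' "$addr"
} >> /etc/mail/access

# Rebuild the access map.  The subshell means a failed cd cannot run make in
# the caller's directory, and a failed rebuild is reported because the entry
# is then in the text file but not yet in effect.
( cd /etc/mail && make ) \
  || printf 'warning: make in /etc/mail failed; access map not rebuilt\n' >&2

echo "Added the following to mail-access:"
tail -n2 /etc/mail/access

# spamassassin blacklisting stays disabled, as before:
# echo "blacklist_from $1" >> /etc/mail/sa-blacklist
#/scripts/sa-restart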

