Misc:Abuse Log: Difference between revisions
From Amar
Jump to navigationJump to search
comment5, http://postdoc.indiana.edu/category/internal-science purchase viagra, 8], |
No edit summary |
||
(15 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
<pre> | |||
#!/usr/bin/perl -w | |||
use strict; | |||
use Data::Dumper; | |||
use DBI; | |||
use Config::IniFiles; | |||
use Net::Telnet; | |||
$| = 1; | |||
our $user = 'admin'; | |||
our $pass = 'xxxxxxxxx'; | |||
my $host1 = '192.168.20.1'; | |||
my $name1 = 'A'; | |||
my $host2 = '192.168.20.3'; | |||
my $name2 = 'B'; | |||
my $badip = ''; | |||
# Requests of interest. Remember to do the regular expression | |||
my $log_events = { '.page' => 1, | |||
'.wmv' => 2, | |||
'.mov' => 2, | |||
'.cgi' => 3, | |||
'.pl' => 3, | |||
'.html' => 4, | |||
}; | |||
my $ids_events = { '.jpg' => 5, | |||
'.bmp' => 5, | |||
'.png' => 5, | |||
'.gif' => 5, | |||
}; | |||
my $log_exts = join("\|",keys(%$log_events)); | |||
$log_exts =~ s/\./\\\./g; | |||
my $log_ext_match = qr/($log_exts)$/; | |||
my $ids_exts = join("\|",keys(%$ids_events)); | |||
$ids_exts =~ s/\./\\\./g; | |||
my $ids_ext_match = qr/($ids_exts)$/; | |||
my $dir_match = qr{/}; | |||
my $max_hits = { 1 => 60, | |||
2 => 12, | |||
3 => 30, | |||
4 => 120, | |||
5 => 20, | |||
}; | |||
my $pattern = qr/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/; | |||
# print Data::Dumper->Dump([$log_exts, $log_ext_match],[qw(log_exts log_ext_match)]); | |||
my $exclude = {}; | |||
&check_ip($exclude); | |||
my $db = 'ABUSE'; | |||
my $cfg = Config::IniFiles->new( -file=> '/etc/db_connect.conf', -default=> 'DEFAULT'); | |||
my $dbi = "DBI:mysql:".$cfg->val($db,"name").":".$cfg->val($db,"host"); | |||
my $dbh = DBI->connect($dbi,$cfg->val($db,'user'),$cfg->val($db,'password'), {RaiseError => 1, AutoCommit => 0}); | |||
my $sth_ins = $dbh->prepare( | |||
qq[INSERT INTO abuse_log | |||
(IP,event_id,bucket_id,hits) | |||
VALUES (?,?,MINUTE(NOW()),1) | |||
]); | |||
my $sth_upd = $dbh->prepare( | |||
qq[UPDATE abuse_log | |||
SET hits = hits + 1 | |||
WHERE IP = ? AND event_id = ? AND bucket_id = MINUTE(NOW()) | |||
]); | |||
my $sth_get = $dbh->prepare( | |||
qq[ SELECT hits FROM abuse_log | |||
WHERE IP = ? AND event_id = ? AND bucket_id = MINUTE(NOW()) | |||
]); | |||
my $sth_log = $dbh->prepare( | |||
qq[ INSERT INTO blocked | |||
(IP,event_id,hits) | |||
VALUES (?,?,?) | |||
]); | |||
open ("STDOUT", ">>$ARGV[0]") || die $!; | |||
while (my $line = <STDIN>) { | |||
chomp $line; | |||
my @fields = split /\|/, $line; | |||
my %fields = map { split /\=/,$_ } @fields; | |||
if ( $fields{U} =~ /$log_ext_match/ ) { | |||
# print STDOUT Data::Dumper->Dump([\%fields],[qw(*fields)]); | |||
my $event = $1; | |||
my $ip = $fields{I}; | |||
my $subnet = undef; | |||
if ($ip =~ $pattern) { | |||
$subnet = $1; | |||
}; | |||
if (exists($exclude->{$ip}) || exists($exclude->{$subnet})) { | |||
print STDOUT $line."\n"; | |||
next; | |||
} | |||
my $event_id = $log_events->{$event}; | |||
my $max = $max_hits->{$event_id}; | |||
# Assume UPDATE and catch error | |||
eval{ | |||
$sth_get->execute($ip,$event_id); | |||
}; | |||
unless ($@) { | |||
my ($hits) = $sth_get->fetchrow_array(); | |||
$hits ||= 0; | |||
# print STDOUT Data::Dumper->Dump([$ip,$event,$event_id,$max,$hits],[qw(ip event event_id max hits)]); | |||
if ($hits > $max) { | |||
print STDOUT "***** ABUSE **** $ip $event ( $hits )\n"; | |||
&disable_ip($ip); | |||
eval { | |||
open ABUSE_LOG, ">>/nfsroot/logs/log_abuse.log" or print STDOUT $!; | |||
print ABUSE_LOG "***** ABUSE **** $ip $event ( $hits )\n"; | |||
print ABUSE_LOG Data::Dumper->Dump([\%fields, $hits, $max],[qw(*fields hits max)]); | |||
close ABUSE_LOG; | |||
}; | |||
eval { | |||
$sth_log->execute($ip,$event_id,$hits); | |||
}; | |||
} | |||
my $rv; | |||
eval{ | |||
# print STDOUT "Updating"; | |||
$rv = $sth_upd->execute($ip,$event_id); | |||
# print STDOUT "Error : '$@".$dbh->errstr."' rv = '$rv'\n"; | |||
}; | |||
if ($@ || $rv == 0) { | |||
eval{ | |||
# print STDOUT "Inserting "; | |||
$sth_ins->execute($ip,$event_id); | |||
}; | |||
} | |||
if ($@) { | |||
print STDOUT "BAD db: $@\n"; | |||
$dbh->rollback(); | |||
} else { | |||
$dbh->commit(); | |||
} | |||
} | |||
print STDOUT $line."\n"; | |||
} elsif ( $fields{U} =~ /$ids_ext_match/ ) { | |||
my $event = $1; | |||
my $ip = $fields{I}; | |||
my $subnet = undef; | |||
if ($ip =~ $pattern) { | |||
$subnet = $1; | |||
}; | |||
if (exists($exclude->{$ip}) || exists($exclude->{$subnet})) { | |||
print STDOUT $line."\n"; | |||
next; | |||
} | |||
my $event_id = $ids_events->{$event}; | |||
my $max = $max_hits->{$event_id}; | |||
# IDS case #1 | |||
# /home/www/v3/images/images/images/images/images/images/images/images/images/images .... | |||
# count the no of / and if above a #, kill the IP | |||
my @dirs = split($dir_match, $fields{U}); | |||
my $hits = scalar(@dirs); | |||
# Log it | |||
if ($hits>$max) { | |||
print STDOUT "***** ABUSE **** $ip $event ( $hits )\n"; | |||
&disable_ip( $ip); | |||
eval { | |||
open ABUSE_LOG, ">>/nfsroot/logs/log_abuse.log" or print STDOUT $!; | |||
print ABUSE_LOG "***** ABUSE **** $ip $event ( $hits )\n"; | |||
print ABUSE_LOG Data::Dumper->Dump([\%fields, $hits, $max],[qw(*fields hits max)]); | |||
close ABUSE_LOG; | |||
}; | |||
eval { | |||
$sth_log->execute($ip,$event_id,$hits); | |||
}; | |||
} | |||
} | |||
# Temp LOG ALL - bad bad bad | |||
# print STDOUT $line."\n"; | |||
} | |||
close (STDOUT); | |||
$sth_log->finish; | |||
$sth_ins->finish; | |||
$sth_upd->finish; | |||
$sth_get->finish; | |||
$dbh->disconnect; | |||
exit 0; | |||
sub hold_it { | |||
my ($host,$name, @IPs) = @_; | |||
my $session = Net::Telnet->new (Timeout => 10, Prompt => '/.*#.*$/', Dump_log => '/tmp/telnet.log'); | |||
# print "$host: @IPs\n"; | |||
$session->open($host); | |||
$session->put($user."\n"); | |||
$session->waitfor ('/.*Password:.*/'); | |||
$session->put($pass."\n"); | |||
# $session->login($user, $pass); | |||
#print $session->cmd(String => 'admin'); | |||
# $session->waitfor('/ Name/'); | |||
#$session->waitfor('/Password.*/'); | |||
#print $session->cmd('g0dm0d3'); | |||
$session->waitfor('/.*'.$name.'#.*/'); | |||
my @output = $session->cmd('config t'."\n"); | |||
my $res = join("\n",@output); | |||
$res .= "\n"; | |||
# $session->waitfor('/.*A\(config\)#.*/'); | |||
# Execute a command | |||
# my @output = $session->cmd('show server real l83'."\n"); | |||
# $session->waitfor('/.*\(config\)#.*/'); | |||
foreach my $badip (@IPs) { | |||
$res .= "$badip \n"; | |||
@output = $session->cmd("security hold-source-ip $badip 60\n"); | |||
$res .= join("\n",@output); | |||
$res .= "\n"; | |||
} | |||
@output = $session->cmd('end'); | |||
$res .= join("\n",@output); | |||
$res .= "\n"; | |||
if (0) { | |||
@output = $session->cmd('exit'); | |||
$res .= join("\n",@output); | |||
$res .= "\n"; | |||
# $res .= $session->cmd('exit'); | |||
} | |||
$session->close; | |||
print STDOUT $res; | |||
}; | |||
sub disable_ip { | |||
my (@ips) = @_; | |||
&hold_it($host1,$name1,@ips); | |||
&hold_it($host2,$name2,@ips); | |||
} | |||
sub check_ip { | |||
my ($exclude) = @_; | |||
my $ips = [qw( | |||
195.92.67.71 | |||
166.102.104.65 | |||
24.191.101.131 | |||
211.50.250.249 | |||
152.163.207.214 | |||
213.154.134.157 | |||
68.47.133.228 | |||
63.118.66.11 | |||
166.102.104.65 | |||
206.154.135.67 | |||
208.236.105 | |||
209.217.134.7 | |||
12.8.9.140 | |||
157.130.79.70 | |||
209.217.134.10 | |||
65.116.11.120 | |||
65.116.11.115 | |||
4.36.232 | |||
4.36.233 | |||
4.36.234 | |||
66.28.24 | |||
208.62.228 | |||
208.62.229 | |||
208.62.230 | |||
66.194.164.160 | |||
66.194.164.162 | |||
66.194.164.157 | |||
66.194.164.200 | |||
69.25.84.2 | |||
66.165.178 | |||
65.223.64 | |||
64.38.240 | |||
64.38.241 | |||
66.37.115 | |||
64.74.164 | |||
38.118.131 | |||
)]; | |||
%$exclude = map {$_ => 1 } @$ips; | |||
} | |||
</pre> |
Latest revision as of 03:07, 8 November 2011
#!/usr/bin/perl -w use strict; use Data::Dumper; use DBI; use Config::IniFiles; use Net::Telnet; $| = 1; our $user = 'admin'; our $pass = 'xxxxxxxxx'; my $host1 = '192.168.20.1'; my $name1 = 'A'; my $host2 = '192.168.20.3'; my $name2 = 'B'; my $badip = ''; # Requests of interest. Remember to do the regular expression my $log_events = { '.page' => 1, '.wmv' => 2, '.mov' => 2, '.cgi' => 3, '.pl' => 3, '.html' => 4, }; my $ids_events = { '.jpg' => 5, '.bmp' => 5, '.png' => 5, '.gif' => 5, }; my $log_exts = join("\|",keys(%$log_events)); $log_exts =~ s/\./\\\./g; my $log_ext_match = qr/($log_exts)$/; my $ids_exts = join("\|",keys(%$ids_events)); $ids_exts =~ s/\./\\\./g; my $ids_ext_match = qr/($ids_exts)$/; my $dir_match = qr{/}; my $max_hits = { 1 => 60, 2 => 12, 3 => 30, 4 => 120, 5 => 20, }; my $pattern = qr/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/; # print Data::Dumper->Dump([$log_exts, $log_ext_match],[qw(log_exts log_ext_match)]); my $exclude = {}; &check_ip($exclude); my $db = 'ABUSE'; my $cfg = Config::IniFiles->new( -file=> '/etc/db_connect.conf', -default=> 'DEFAULT'); my $dbi = "DBI:mysql:".$cfg->val($db,"name").":".$cfg->val($db,"host"); my $dbh = DBI->connect($dbi,$cfg->val($db,'user'),$cfg->val($db,'password'), {RaiseError => 1, AutoCommit => 0}); my $sth_ins = $dbh->prepare( qq[INSERT INTO abuse_log (IP,event_id,bucket_id,hits) VALUES (?,?,MINUTE(NOW()),1) ]); my $sth_upd = $dbh->prepare( qq[UPDATE abuse_log SET hits = hits + 1 WHERE IP = ? AND event_id = ? AND bucket_id = MINUTE(NOW()) ]); my $sth_get = $dbh->prepare( qq[ SELECT hits FROM abuse_log WHERE IP = ? AND event_id = ? AND bucket_id = MINUTE(NOW()) ]); my $sth_log = $dbh->prepare( qq[ INSERT INTO blocked (IP,event_id,hits) VALUES (?,?,?) ]); open ("STDOUT", ">>$ARGV[0]") || die $!; while (my $line = <STDIN>) { chomp $line; my @fields = split /\|/, $line; my %fields = map { split /\=/,$_ } @fields; if ( $fields{U} =~ /$log_ext_match/ ) { # print STDOUT Data::Dumper->Dump([\%fields],[qw(*fields)]); my $event = $1; my $ip = $fields{I}; my $subnet = undef; if ($ip =~ $pattern) { $subnet = $1; }; if (exists($exclude->{$ip}) || exists($exclude->{$subnet})) { print STDOUT $line."\n"; next; } my $event_id = $log_events->{$event}; my $max = $max_hits->{$event_id}; # Assume UPDATE and catch error eval{ $sth_get->execute($ip,$event_id); }; unless ($@) { my ($hits) = $sth_get->fetchrow_array(); $hits ||= 0; # print STDOUT Data::Dumper->Dump([$ip,$event,$event_id,$max,$hits],[qw(ip event event_id max hits)]); if ($hits > $max) { print STDOUT "***** ABUSE **** $ip $event ( $hits )\n"; &disable_ip($ip); eval { open ABUSE_LOG, ">>/nfsroot/logs/log_abuse.log" or print STDOUT $!; print ABUSE_LOG "***** ABUSE **** $ip $event ( $hits )\n"; print ABUSE_LOG Data::Dumper->Dump([\%fields, $hits, $max],[qw(*fields hits max)]); close ABUSE_LOG; }; eval { $sth_log->execute($ip,$event_id,$hits); }; } my $rv; eval{ # print STDOUT "Updating"; $rv = $sth_upd->execute($ip,$event_id); # print STDOUT "Error : '$@".$dbh->errstr."' rv = '$rv'\n"; }; if ($@ || $rv == 0) { eval{ # print STDOUT "Inserting "; $sth_ins->execute($ip,$event_id); }; } if ($@) { print STDOUT "BAD db: $@\n"; $dbh->rollback(); } else { $dbh->commit(); } } print STDOUT $line."\n"; } elsif ( $fields{U} =~ /$ids_ext_match/ ) { my $event = $1; my $ip = $fields{I}; my $subnet = undef; if ($ip =~ $pattern) { $subnet = $1; }; if (exists($exclude->{$ip}) || exists($exclude->{$subnet})) { print STDOUT $line."\n"; next; } my $event_id = $ids_events->{$event}; my $max = $max_hits->{$event_id}; # IDS case #1 # /home/www/v3/images/images/images/images/images/images/images/images/images/images .... # count the no of / and if above a #, kill the IP my @dirs = split($dir_match, $fields{U}); my $hits = scalar(@dirs); # Log it if ($hits>$max) { print STDOUT "***** ABUSE **** $ip $event ( $hits )\n"; &disable_ip( $ip); eval { open ABUSE_LOG, ">>/nfsroot/logs/log_abuse.log" or print STDOUT $!; print ABUSE_LOG "***** ABUSE **** $ip $event ( $hits )\n"; print ABUSE_LOG Data::Dumper->Dump([\%fields, $hits, $max],[qw(*fields hits max)]); close ABUSE_LOG; }; eval { $sth_log->execute($ip,$event_id,$hits); }; } } # Temp LOG ALL - bad bad bad # print STDOUT $line."\n"; } close (STDOUT); $sth_log->finish; $sth_ins->finish; $sth_upd->finish; $sth_get->finish; $dbh->disconnect; exit 0; sub hold_it { my ($host,$name, @IPs) = @_; my $session = Net::Telnet->new (Timeout => 10, Prompt => '/.*#.*$/', Dump_log => '/tmp/telnet.log'); # print "$host: @IPs\n"; $session->open($host); $session->put($user."\n"); $session->waitfor ('/.*Password:.*/'); $session->put($pass."\n"); # $session->login($user, $pass); #print $session->cmd(String => 'admin'); # $session->waitfor('/ Name/'); #$session->waitfor('/Password.*/'); #print $session->cmd('g0dm0d3'); $session->waitfor('/.*'.$name.'#.*/'); my @output = $session->cmd('config t'."\n"); my $res = join("\n",@output); $res .= "\n"; # $session->waitfor('/.*A\(config\)#.*/'); # Execute a command # my @output = $session->cmd('show server real l83'."\n"); # $session->waitfor('/.*\(config\)#.*/'); foreach my $badip (@IPs) { $res .= "$badip \n"; @output = $session->cmd("security hold-source-ip $badip 60\n"); $res .= join("\n",@output); $res .= "\n"; } @output = $session->cmd('end'); $res .= join("\n",@output); $res .= "\n"; if (0) { @output = $session->cmd('exit'); $res .= join("\n",@output); $res .= "\n"; # $res .= $session->cmd('exit'); } $session->close; print STDOUT $res; }; sub disable_ip { my (@ips) = @_; &hold_it($host1,$name1,@ips); &hold_it($host2,$name2,@ips); } sub check_ip { my ($exclude) = @_; my $ips = [qw( 195.92.67.71 166.102.104.65 24.191.101.131 211.50.250.249 152.163.207.214 213.154.134.157 68.47.133.228 63.118.66.11 166.102.104.65 206.154.135.67 208.236.105 209.217.134.7 12.8.9.140 157.130.79.70 209.217.134.10 65.116.11.120 65.116.11.115 4.36.232 4.36.233 4.36.234 66.28.24 208.62.228 208.62.229 208.62.230 66.194.164.160 66.194.164.162 66.194.164.157 66.194.164.200 69.25.84.2 66.165.178 65.223.64 64.38.240 64.38.241 66.37.115 64.74.164 38.118.131 )]; %$exclude = map {$_ => 1 } @$ips; }