
Commit d06c477

author
Todd Stein
committed
fixed email formatting, fixed log inclusion in email, quieted firewall-cmd output, fixed escaped quoting in command buffering
1 parent 724f202 commit d06c477


1 file changed

+7
-17
lines changed


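--- a/auto-blockip.journald
+++ b/auto-blockip.journald
@@ -37,10 +37,10 @@ blockIP() { # input is a string
 # if we've seen fewer than $MOLE_LIMIT attackers from this /24
 if [[ $(firewall-cmd --list-rich-rules | egrep -c "$same_subnet_match_string") -lt $MOLE_LIMIT ]]; then
 # we only want to block the IP
-local ip_search_string="^rule family=\"ipv4\" source address=\"($escaped_ip|${escaped_ip%.*}.0/24)\" reject$"
+local ip_search_string="^rule family=\\\"ipv4\\\" source address=\\\"($escaped_ip|${escaped_ip%.*}.0/24)\\\" reject$"
 local command="
 if ! firewall-cmd --list-rich-rules | egrep -q \"$ip_search_string\"; then
-firewall-cmd --add-rich-rule=\"rule family='ipv4' source address='$ip' reject\"
+firewall-cmd -q --add-rich-rule=\"rule family='ipv4' source address='$ip' reject\"
 fi
 "
 else
@@ -49,7 +49,7 @@ blockIP() { # input is a string
 local subnet_search_string="^rule family=\"ipv4\" source address=\"${subnet//./\.}\" reject$"
 local command="
 if ! firewall-cmd --list-rich-rules | egrep -q \"$subnet_search_string\"; then
-firewall-cmd --add-rich-rule=\"rule family='ipv4' source address='$subnet' reject\"
+firewall-cmd -q --add-rich-rule=\"rule family='ipv4' source address='$subnet' reject\"
 fi
 "
 fi
@@ -119,23 +119,13 @@ sendMail() { # no input
 fi
 
 body="$(printf "%s\n\n\n%s\n\n\n%s" "$heading" "$whois" "$log")"
-body="$heading\n\n\n$whois\n\n\n$log"
-
-(
-echo "From: cron@$HOSTNAME"
-echo "To: ${EMAIL_ADDRESS}"
-echo "Subject: ${subject}"
-echo "Content-Type: text/html"
-echo "MIME-Version: 1.0"
-echo ""
-echo "${body}"
-) | /usr/sbin/sendmail -t
+
+mail -s "$subject" "$EMAIL_ADDRESS" <<<"$body"
 }
 
 
 # generate list of possible attackers
-attackers=$(last_n_minutes.journald $LOOK_BACK | egrep 'sshd\[[0-9]+\]:.*(Failed password|Invalid user)' | egrep -o '\bfrom ([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort | uniq -c | sort -nr | awk -v m=$MAX_ALLOWED_FAILURES -F '[= ]+' '{if ($2>m) {print $NF} else {exit}}')
-
+attackers=$(journalctl --since "$LOOK_BACK minutes ago" | egrep 'sshd\[[0-9]+\]:.*(Failed password|Invalid user)' | egrep -o '\bfrom ([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort | uniq -c | sort -nr | awk -v m=$MAX_ALLOWED_FAILURES -F '[= ]+' '{if ($2>m) {print $NF}}')
 
 for rhost in $attackers; do
 
@@ -157,7 +147,7 @@ for rhost in $attackers; do
 blockIP $ip
 
 # grab full secure history of $rhost
-log=$(last_n_minutes.journald $LOOK_BACK | grep -E "\b${rhost//./\.}\b")
+log=$(journalctl --since "24 hours ago" | grep -E "\b${rhost//./\.}\b")
 
 # set $whois and $country
 getWhoisAndCountry $ip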
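Review bot: The subnet branch still builds its search pattern with single-escaped quotes, so the quoting fix applied to `ip_search_string` in the first hunk is missing on the unchanged `subnet_search_string` line at the top of the second hunk. Once `$command` is expanded that line produces `egrep -q "^rule family="ipv4" source address="..." reject$"`, whose inner quotes pair off with the outer ones and are stripped, so — assuming `$command` is evaluated the same way as in the IP branch, which happens outside the hunk — the dedupe test never matches and the /24 rule is re-added on every run. The fix mirrors the first hunk: `local subnet_search_string="^rule family=\\\"ipv4\\\" source address=\\\"${subnet//./\.}\\\" reject$"`. Separately, the last hunk replaces the `$LOOK_BACK` window with a literal `"24 hours ago"` under a comment that still says "full secure history"; a named constant beside `LOOK_BACK` would keep that window visible and configurable. blockIP's body and the `for rhost` loop both continue outside these hunks.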
