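#!/bin/sh
################################################################################
# 400blocker
#
# 1. When /var/log/400.log (populated by Syslog-NG) has content, copy it to a
#    temporary working file and truncate the original.
# 2. Extract the client IP address from every line of the working file and
#    add it to the "blacklist" ipset hash list. The set itself is configured
#    (outside this script) to expire entries after five minutes.
#
# Runs forever, polling once per second.
################################################################################

f400log="/var/log/400.log"     # log file populated by Syslog-NG
workfile="/var/log/t400.log"   # temp working log file
host=$(cat /etc/hostname)      # web server host name; anchors the IP regex
set_name="blacklist"           # ipset hash list consulted by the firewall rule

touch "$workfile"              # make sure the working file exists before the loop

# sed expression: match "<anything> <host> <a.b.c.d>" and print only the address.
# Only digits and dots can come out of it, so block_ip is safe to pass on.
# NOTE(review): the leading ".+" is greedy, so sed keeps the *last*
# "<host> <ip>" occurrence on the line. If request data (URL, User-Agent, ...)
# is logged after the client address on the same line, a client could steer
# which address ends up blocked. Pin the expression to the field position of
# the client address once the Syslog-NG template is confirmed. Dots inside
# $host itself are regex wildcards here, which is harmless for this purpose.
ip_regex="s/.+ $host (([0-9]{1,3}\.){3}[0-9]{1,3}).*/\1/p"

#######################################
# Add every distinct address found in the working file to the blacklist,
# then empty the working file.
#
# One sed pass plus sort -u replaces the former per-line head / sed -i loop.
# That loop was O(n^2) in the number of lines and, because the dots of the
# extracted address were unescaped regex metacharacters in "/$block_ip/d",
# it could also delete lines belonging to *other* addresses (e.g. the pattern
# "1.2.3.4" also matches "11.2.3.45") before those were ever blocked.
#
# Globals:   workfile, set_name, ip_regex (read)
# Outputs:   warnings to stderr when ipset rejects an address
# Returns:   0
#######################################
block_addresses() {
  /bin/sed -rn "$ip_regex" "$workfile" \
    | /usr/bin/sort -u \
    | while IFS= read -r block_ip; do
        # --exist: adding an address already in the set is not an error
        /usr/sbin/ipset add --exist "$set_name" "$block_ip" \
          || printf '400blocker: ipset add %s failed\n' "$block_ip" >&2
      done
  : > "$workfile"              # everything has been handled; clear the working file
  return 0
}

while true; do                 # poll forever
  if [ -s "$f400log" ]; then   # 400.log has something to process
    cp "$f400log" "$workfile"  # snapshot it ...
    : > "$f400log"             # ... then truncate it. Lines Syslog-NG writes
                               # between these two commands are lost; acceptable
                               # for a best-effort blocker, but worth knowing.
    block_addresses
  fi
  sleep 1
done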