4 scripts to maintain iptables
#!/usr/bin/perl
# reads iptables.log and extracts IP-VISITOR: SRC ip-address
# foreign connections to the local website
use strict;
my ($date, $res, $ip, $pos1, $pos2);
$date=`date +%d-%m-%Y`;
chomp($date);
my $oldip="0.0.0.0";
my $log="/var/log/iptables.log";
my $ipfile="/tmp/visitors-ip.txt";
my $tmp="/tmp/temp.txt";
open(FH, "<$log") or die $!;
open(IPF, ">$ipfile") or die $!;
while() {
chomp;
if (/IP-VISITOR:/ && /DST=192.168.1.9/) {
$pos1 = index($_, "SRC=");
$pos2 = index($_, " ", $pos1);
$ip = substr($_, $pos1+4, $pos2-$pos1-4);
if ($ip ne $oldip) {
print IPF "$ip\n";
$oldip=$ip;
}
}
}
close(FH);
close(IPF);
$res=`sort -u $ipfile > $tmp`;
$res=`cp $tmp $ipfile`;
$res=`cp $log $log"_"$date`;
$res=`cp /dev/null $log`;
________________________________________________________________________
#!/bin/bash
# runs the ip-addresses through the abuseip database
# and creates an output file with abusive IPs
apiUserInput=ad75c52c4b8b9edc1c5124ade714fe9c64779354bd304fe3984e597bd6e8908f7ee204a522f6322a
outputPath=/tmp/bulkresults.txt_$(date +"%d-%m-%Y")
ipFile=/tmp/visitors-ip.txt
maxAge=30
actualsize=$(wc -c <"$ipFile")
if [ $actualsize -lt 5 ]; then
exit 0
fi
rm $outputPath
cat $ipFile | while read line #Read file specified in ipFile variable and runs through while loop for every line of file
do
echo "IP #" $i "of" $numIps"," $line
curl -G https://api.abuseipdb.com/api/v2/check \
--data-urlencode "ipAddress=$line" \
-d maxAgeInDays=$maxAge \
-H "Key: $apiUserInput" \
-H "Accept: application/json" \
-o "/tmp/currentip.json"
cat /tmp/currentip.json | /usr/local/bin/jq -r '.[] | "\(.ipAddress), \(.abuseConfidenceScore), \(.totalReports), \(.isp), \(.countryCode), \(.domain), \(.numDistinctUsers), \(.lastReportedAt)"' >> $outputPath #Selects fields to write to output file
i=$[$i+1] #Increments line to be read
done
/bin/sed -i 1i"IP Address, % Confidence of Abuse, Total Reports within "$maxAge" days, ISP, Country Code, Domain, Distinct Users Reporting, Last Reported At" $outputPath #Adds header to CSV file
rm /tmp/currentip.json #removes temporary file
_____________________________________________________________________
#!/usr/bin/perl
# split the bulkresult coming from api.abuseipdb.com and select abusive ip-addresses, ip's from
#certain countries and anything coming from Facebook. Create a file scammer.zone_date with the excisting
# ip-addresses plus the new ones.
use strict;
my ($date, $bulkresult, $bulk_ip, $scammer_zone, $scammer_list, $tmp, $ip, $abuse, $report,$ISP,$country, @rest, $result);
$date=`date +%d-%m-%Y`;
chomp($date);
$bulkresult="/tmp/bulkresults.txt_$date";
$bulk_ip="/tmp/bulk_ip_$date";
$scammer_zone="/tmp/scammer.zone_$date";
$scammer_list="/tmp/scammer_list_$date";
$tmp="/tmp/temp_$date";
$result=`/sbin/ipset list scammer | tail -n +8 > $scammer_list`;
open (IF, "< $bulkresult") or die $!;
open (OF, "> $bulk_ip") or die $!;
while () {
chomp;
($ip,$abuse,$report,$ISP,$country,@rest)=split(/,/);
if (/Facebook/) {
print OF "$ip\n";
} elsif ($abuse > 0) {
print OF "$ip\n";
} elsif ($country =~ /CN|HK|BR|VN|JP|SG|PH|IT|RU/) {
print OF "$ip\n";
}
}
close(IF);
close(OF);
$result=`cat $scammer_list >> $scammer_zone`;
$result=`cat $bulk_ip >> $scammer_zone`;
________________________________________________________________________
#!/bin/sh
#create a new set and swap it with scammer, making the latter empty.
#add all ip-addresses to the scammer set using ipset A scammer “ip-addresses”
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; export PATH
# instead of flush - replace
/sbin/ipset create newset hash:net
/sbin/ipset swap newset scammer
/sbin/ipset destroy newset
# Add each IP address from the downloaded list into the ipset 'scammer'
for i in $(cat /tmp/scammer.zone_$(date +"%d-%m-%Y")); do ipset -A scammer $i; done
# Restore iptables
/sbin/iptables-restore < /etc/iptables/iptables.rules