#!/usr/bin/python
#version: Python 2
#Notes: You need to set up a cron job to run this. Normally running it every 2 minutes will do the job.
#Additional Notes: Many of the commands called are legacy now. 'netstat' is being replaced by 'ss' for example.
import subprocess
import sys
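whitelist = ['156.119.190.184', '156.119.195.42', '10.162.61.79', '127.0.0.1']  # base whitelist
whitelist.append('149.101.1.118')  # DOJ added 8/15/2017
whitelist.append('66.104.15.23')  # BNC added 8/25/2017
##############################
# variables to change
##############################
generic_suffix = "something.xxx.example"
admin_email = "somone@" + generic_suffix  # to and from email address
# NOTE: the original read `ecf + "." + generic_suffix` with an unquoted name,
# which raises NameError before anything else runs; the host label is a string.
my_host = "ecf" + "." + generic_suffix
smtp_host = "smtp.someplace.xxx.example"
cc1 = "myemail@" + generic_suffix
cc2 = "myemail2@" + generic_suffix
carbon_copy_email = [cc1, cc2]
blockvalue = 200  # more connections than this from one remote IP -> block (default 2)
alertvalue = 5  # more than this (but not above blockvalue) -> log an ALERT only


def _count_remote_ipv4(netstat_output):
    """Return "<count> <ip>" lines, one per remote IPv4 address in `netstat -ntu` output.

    This replaces the former shell pipeline
    (awk '{print $5}' | cut -d: -f1 | grep -v '[ervers|ddress]' | sort | uniq -c | sort -n):
    field 5 is the foreign address, the text before its first ':' is kept, and any
    token that is not pure digits-and-dots (header words, IPv6) is dropped -- the
    old grep was a character class, so it too only ever let dotted-decimal through.
    The result is sorted by ascending count, ties broken by the whole line like `sort -n`.
    """
    counts = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        remote = fields[4].split(":")[0]
        if not remote or remote.strip("0123456789."):
            continue  # header line, IPv6 or anything else that is not dotted-decimal
        counts[remote] = counts.get(remote, 0) + 1
    lines = ["%d %s" % (count, ip) for ip, count in counts.items()]
    return sorted(lines, key=lambda s: (int(s.split()[0]), s))


# argv list instead of shell=True: nothing here is interpolated into a command string
proc = subprocess.Popen(["netstat", "-ntu"], stdout=subprocess.PIPE)
running = proc.communicate()[0]  # reads everything and reaps the child (no zombie)
if not isinstance(running, str):
    # Python 3 hands back bytes; Python 2 returns str and skips this branch
    running = running.decode("utf-8", "replace")
sorted_ips_running = _count_remote_ipv4(running)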
#########################################
#functions
#########################################
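def block_ip(ip):
    """Insert an iptables DROP rule for `ip` at the top of the INPUT chain.

    `ip` must be a dotted-decimal IPv4 address (four octets, each 0-255) whose
    first octet is not 0. The original check `oct1>0 and len(ip)>8` compared a
    string with an int (always True on Python 2, TypeError on Python 3) and
    rejected short but valid addresses such as 1.1.1.1.

    Returns True when the iptables command was run and exited 0, False when the
    address was rejected or iptables reported a failure.
    """
    octets = ip.split(".")
    print("debug blocking " + ip)
    valid = (
        len(octets) == 4
        and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)
        and int(octets[0]) != 0
    )
    if not valid:
        print("refusing to block malformed address " + repr(ip))
        return False
    print("running firewall block rule...")
    # argv list, no shell: the address is passed as its own argument and can never
    # be interpreted as shell syntax
    mycmd = ["/sbin/iptables", "-I", "INPUT", "1", "-s", ip, "-j", "DROP"]
    print(" ".join(mycmd))
    rc = subprocess.call(mycmd)  # waits for the rule to land (the old Popen never did)
    if rc != 0:
        print("iptables exited with status %d" % rc)
    return rc == 0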
#########################################
##################################################
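def write_message_to_log(first_part, second_part):
    """Append one timestamped line to /var/tmp/logfile_block_me.txt.

    The line is "<date>,<second_part>" when `first_part` is empty, otherwise
    "<date>:<first_part> <second_part>"; the date comes from get_date("2")
    (YYYY-MM-DD,HH:MM:SS). `second_part` is passed through str().

    NOTE(review): /var/tmp is world-writable and this path is predictable; a
    root cron job appending to it could be redirected through a symlink planted
    by another local user. A directory under /var/log is the safer home -- left
    unchanged here because other tooling may read this path.
    """
    print("debug write_message_to_log function\n")
    stamp = get_date("2")  # date with seconds
    if first_part == "":
        # log entry without colon
        line_string = stamp + "," + str(second_part) + "\n"
    else:
        line_string = stamp + ":" + first_part + " " + str(second_part) + "\n"
    # `with` closes the handle even if write() raises; the original could leak it
    with open('/var/tmp/logfile_block_me.txt', 'a') as logfile:
        logfile.write(line_string)
    print("debug write message to log finished.\n")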
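def get_logs_of_connections(ip):
    """Placeholder for collecting connection logs for `ip`; not implemented yet.

    The original body was the bare expression `exit`, which only evaluates the
    builtin without calling it and so did nothing -- but would terminate the
    whole script if someone ever added parentheses. Returns None.
    """
    # TODO: implement; an explicit None keeps the no-op contract visible
    return None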
#########################################
##################################################
def get_date(a):
    """Return the current date (or date and time) as a string.

    "1" -> "YYYY-MM-DD_HH:MM:SS " (note the trailing space),
    "2" -> "YYYY-MM-DD,HH:MM:SS" (the log-file layout),
    anything else -> "YYYY-MM-DD" from date.today(), used in the e-mail.
    """
    import datetime
    layouts = {
        "1": "%Y-%m-%d_%H:%M:%S ",
        "2": "%Y-%m-%d,%H:%M:%S",
    }
    if a in layouts:
        stamp = datetime.datetime.now().strftime(layouts[a])
    else:
        stamp = datetime.date.today()  # plain date for the email
    return str(stamp)
##################################################
##################################################
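def _build_block_notice(mycount, ip):
    """Return (recipients, message) for the "blocking ip" e-mail.

    Recipients are admin_email plus carbon_copy_email. The message carries
    From/To/cc/Subject headers built from the module-level settings, then the
    blank line RFC 5322 requires between headers and body -- the original ran
    "Hello," straight after the Subject line, so the body was read as a
    malformed header -- then the notice text and signature.
    """
    # both values come from netstat output; strip CR/LF so they can never
    # terminate the Subject line and start a header of their own
    ip = str(ip).replace("\r", "").replace("\n", "")
    mycount = str(mycount).replace("\r", "").replace("\n", "")
    recipients = [admin_email] + list(carbon_copy_email)
    header_lines = [
        "From: " + my_host + " <" + str(admin_email) + ">",
        "To: <" + str(admin_email) + ">",
    ]
    header_lines += ["cc: <" + str(addr) + ">" for addr in carbon_copy_email]
    header_lines.append("Subject: blocking ip " + ip)
    header = "\r\n".join(header_lines) + "\r\n"
    print("debug: (header) " + header)
    body = ("Hello,\r We detected an LARGE AMOUNT of tcp connections to " + my_host
            + " There are " + mycount + " connections from " + ip
            + " so we blocked them.\r\n\r\n")
    body = body + "************************ \r\n"
    # signature
    body = body + "##########\r\nUSBC\r\nSystems\r\nTel: 410-962-XXXX\r\n###########"
    return recipients, header + "\r\n" + body


def write_to_mailclient(mycount, ip):
    """E-mail admin_email (cc carbon_copy_email) that `ip` was blocked for `mycount` connections.

    The envelope sender is the bare admin_email address; the original passed the
    whole "From: host <addr>" header line as MAIL FROM, which servers may reject.
    The SMTP connection is always closed, even when sendmail() raises.
    Raises whatever smtplib raises (connection refused, recipients refused, ...).
    """
    import smtplib
    recipients, message = _build_block_notice(mycount, ip)
    print("\t Attempting to send message...\n")
    print("\t....Attempting to send the message to " + admin_email)
    print("\t....Opening connection to server...\n")
    server = smtplib.SMTP(smtp_host)
    server.set_debuglevel(1)  # echoes the SMTP dialogue to stdout, as before
    try:
        print("\t....sending email\n")
        server.sendmail(admin_email, recipients, message)
        print("\t....attempting to end connection with the server\n")
        server.quit()
    finally:
        server.close()  # no-op after a clean quit; releases the socket otherwise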
#########################################
#########################################
#MAIN AREA
#remove whitelisted ips from list
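# Each entry is "<count> <remote ip>"; whitelisted addresses are skipped, then the
# count decides between block (> blockvalue), alert (> alertvalue) and a plain log line.
for r in sorted_ips_running:
    con = r.split()
    if len(con) != 2:
        continue  # blank line or anything that is not "<count> <ip>"
    count_str, remote_ip = con
    if remote_ip in whitelist:
        continue
    count = int(count_str)
    if count > blockvalue:
        tmp1 = count_str + " TCP connections "
        tmp2 = " from " + remote_ip
        print("appending values " + tmp1 + ":" + tmp2 + " to list")
        write_message_to_log("BLOCKED", remote_ip + "," + count_str)  # log format is ALERT,IP
        print("sending message " + tmp1 + ":" + tmp2 + " to list")
        # mail first so the notice goes out before the rule lands -- but a mail
        # outage must not prevent the block (the original aborted here instead)
        try:
            write_to_mailclient(count_str, remote_ip)
        except Exception as exc:
            print("WARNING: could not send block notice for " + remote_ip + ": " + str(exc))
        print("BLOCKING " + remote_ip + " - " + count_str)
        block_ip(remote_ip)
    elif count > alertvalue:
        print("ALERT " + remote_ip + " - " + count_str)
        write_message_to_log("", "ALERT," + remote_ip + "," + count_str)
    else:
        print(get_date("2") + "," + count_str + ",connections from," + remote_ip)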