Thanks Sean for the script - I have the same problem with hackers trying to access my Asterisk SIP server.

I do it a bit differently: I scan the Asterisk log file and add the offenders to the Shorewall dynamic blacklist. Attached is the script I use; of course this only works if you use Asterisk :) I run it every few minutes from cron.

Bill

On 12/15/2011 09:27 AM, Sean Whitney wrote:
I got tired of people from other countries trying to make an anonymous
SIP call through my SIP box and other senseless attacks on Shorewall, so
I wrote a script that added entire countries to the blacklist.  I don't
know anybody in these countries so I wasn't worried about blocking
access to anything from my home.  I can initiate connections out and
complete them, it just drops connections originating from these ranges.
The script condenses IP scopes to limit the blacklist somewhat.  It's
running very well right now on a box with 256M of memory.

-----------This is in /etc/cron.weekly-------------------------
#!/bin/sh
#
# cron.d/shorewall -- update blacklist and restart
#

IP=/usr/local/bin/ip_blacklist.sh
SHOREWALL=/sbin/shorewall

test -x $IP        || exit 1
test -x $SHOREWALL || exit 1

# Rebuild the blacklist file, then make Shorewall re-read it
$IP && $SHOREWALL refresh


----------This is /usr/local/bin/ip_blacklist.sh----------------
#!/bin/sh

# More country IP blocks available at
# http://www.countryipblocks.net/country-blocks/cidr/
# One URL per line (or space separated); $URL is used unquoted below so the
# shell splits it into separate wget arguments
URL="http://www.countryipblocks.net/e_country_data/RO_cidr.txt
http://www.countryipblocks.net/e_country_data/RU_cidr.txt
http://www.countryipblocks.net/e_country_data/KR_cidr.txt
http://www.countryipblocks.net/e_country_data/CN_cidr.txt"

FILE=/tmp/blacklist.txt
WGET=$(which wget)
SED=$(which sed)
GREP=$(which grep)
SORT=$(which sort)
AGGREGATE=$(which aggregate)
BLACKLIST="/etc/shorewall/blacklist"
DATE=$(date)
test x$WGET = x      && echo "$0 requires wget" && exit 1
test x$SED = x       && echo "$0 requires sed" && exit 1
test x$GREP = x      && echo "$0 requires grep" && exit 1
test x$AGGREGATE = x && echo "$0 requires aggregate (apt-get install aggregate)" && exit 1
test x$SORT = x      && echo "$0 requires sort" && exit 1

BEGINNING="#ADDRESS/SUBNET         PROTOCOL        PORT"
ENDING="#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE"

cd /tmp
test -f $FILE && rm $FILE
# With several URLs and a single -O, wget appends every download to $FILE
$WGET -q $URL -O $FILE

echo "$BEGINNING" > $BLACKLIST
echo "#Downloaded: $DATE" >> $BLACKLIST
# Keep the comment lines from the downloads as a record of what was fetched
$GREP "^#" $FILE >> $BLACKLIST
# Sort the CIDR blocks numerically octet by octet, then merge adjacent
# ranges so the blacklist stays small
$GREP -v "^#" $FILE | $SORT -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n \
    | $AGGREGATE -t -q >> $BLACKLIST
echo "$ENDING" >> $BLACKLIST
----------------------------------------------------------------------

Any feedback or comments are greatly appreciated.

Sean

#!/bin/bash
#
# Script to scan the Asterisk log file and drop hosts trying to guess SIP logins
#
# Set up the email To: and message we want
SUBJECT="New IP address detected by \"sip-drop\""
# Email To ?
ToEMAIL="[email protected]"
# Temporary file holding the email text/message
EMAILMESSAGE="/tmp/emailmessage.txt"
# First line in the message
echo -e "Adding the following via \"shorewall drop\" \n" > "$EMAILMESSAGE"
sendmail=0

# Previous approach, kept for reference:
#scan_log=($(nice awk '/Wrong/{print $12}' /var/log/asterisk/messages | sed "s/'//g"))
# Take the quoted address after "failed for" from every failed registration line
scan_log=($(grep "failed for" /var/log/asterisk/messages \
    | awk '{printf "%s\n", $NF}' FS="failed for" | awk '{print $1}' | sed "s/'//g"))

# Build a de-duplicated list of the addresses seen in the log.
# "pad" is a placeholder so the array is never empty; it is removed afterwards.
new_ip=("pad")

for a in "${scan_log[@]}"; do
    add_ip=$a
    for i in "${new_ip[@]}"; do
        if [ "$i" ]; then
            if [ "$a" == "$i" ]; then
                # already in the list
                add_ip="false"
                break
            fi
        fi
    done

    if [ "$add_ip" != "false" ]; then
        new_ip=("${new_ip[@]}" "$add_ip")
    fi
done

unset new_ip[0]

echo -e "IP's found in /var/log/asterisk/messages: \n"
for i in "${new_ip[@]}"; do
    echo "$i"
done

# Addresses already in Shorewall's dynamic DROP chain
# (with -nv, column 8 of the iptables listing is the source address)
current_ip_rules=($(iptables -nv -L dynamic | awk '/DROP/{print $8}'))

echo -e "\nCurrent IP Rules: \n"
for i in "${current_ip_rules[@]}"; do
    echo "$i"
done

# Drop every new address that is not already in the dynamic chain.
# add_ip_blacklist is set before the inner loop so it is defined even when
# the chain is still empty.
for a in "${new_ip[@]}"; do
    add_ip_blacklist=$a
    for i in "${current_ip_rules[@]}"; do
        if [ "$i" ]; then
            if [ "$a" == "$i" ]; then
                # matches an existing iptables entry, don't add
                add_ip_blacklist="false"
                break
            fi
        fi
    done
    if [ "$add_ip_blacklist" != "false" ]; then
        echo -e "\nshorewall dropping\n"
        /sbin/shorewall drop "$add_ip_blacklist"
        sendmail=1
        echo "$add_ip_blacklist add to blacklist" >> "$EMAILMESSAGE"
    fi
done

# Send an email using /bin/mail if anything was added
if [ "$sendmail" == 1 ]; then
    /bin/mail -s "$SUBJECT" "$ToEMAIL" < "$EMAILMESSAGE"
fi

rm "$EMAILMESSAGE"

new_ip_rules=($(iptables -nv -L dynamic | awk '/DROP/{print $8}'))
echo -e "\nNew IP Rules: \n"
for i in "${new_ip_rules[@]}"; do
    echo "$i"
done
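The log-scan-and-drop logic of the attached script, as an added example that is neither Bill's nor Sean's code: the "failed for" addresses are extracted, validated as dotted quads, counted and compared against the already-dropped set with sed/sort/uniq/awk instead of nested loops. The log lines are constructed samples in the chan_sip format, CURRENT_DROPS is a constructed stand-in for the live iptables listing, and the minimum-attempt threshold is an assumption not present in either script.

```shell
#!/bin/sh
# Added example (not the scripts from the thread): extract failed-registration
# sources from Asterisk log lines, keep only valid IPv4 addresses, require a
# minimum number of failures (assumed threshold), and report which of them are
# not yet in the dynamic DROP chain.  Log lines below are constructed samples.

SAMPLE_LOG=$(cat <<'EOF'
[Dec 15 09:01:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '198.51.100.7' - Wrong password
[Dec 15 09:01:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '198.51.100.7' - Wrong password
[Dec 15 09:02:10] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '203.0.113.9' - No matching peer found
[Dec 15 09:02:11] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '203.0.113.9' - No matching peer found
[Dec 15 09:03:00] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '192.0.2.44' - Wrong password
[Dec 15 09:03:01] NOTICE[1234] chan_sip.c: Registration from '"x" <sip:x@10.0.0.5>' failed for 'not-an-address' - Wrong password
EOF
)

# Constructed stand-in for: iptables -nv -L dynamic | awk '/DROP/{print $8}'
CURRENT_DROPS="203.0.113.9"

# Read log lines on stdin; print "count ip" for each source with at least $1
# failures (default 1).  Only well-formed dotted quads pass the grep, so a
# malformed or crafted log line can never become an argument to shorewall.
failed_sources() {
    min=${1:-1}
    sed -n "s/.*failed for '\([^']*\)'.*/\1/p" \
      | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort | uniq -c \
      | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Read addresses on stdin; print each one once if it is absent from the
# whitespace-separated list in $1 (the addresses already being dropped).
not_yet_dropped() {
    awk -v dropped="$1" '
        BEGIN { n = split(dropped, d, "[ \t\n]+"); for (i = 1; i <= n; i++) seen[d[i]] = 1 }
        !seen[$1] && !dup[$1]++ { print $1 }'
}

# Addresses with two or more failures that are not dropped yet.
candidates() {
    printf '%s\n' "$SAMPLE_LOG" | failed_sources 2 | awk '{ print $2 }' \
      | not_yet_dropped "$CURRENT_DROPS"
}

for ip in $(candidates); do
    echo "would run: /sbin/shorewall drop $ip"   # swap echo for the real call in cron
done
```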
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users