#!/bin/sh # ==================================================================== # Written by Alex S Grebenschikov # for www.plugins-da.net # block_ip.sh script to run BFM (Directadmin) with CSF/LFD # ==================================================================== # Version: 0.1.7 Mon Aug 8 18:06:23 +07 2016 # Last modified: Mon Aug 8 18:06:23 +07 2016 # ==================================================================== # Version: 0.1.7 Mon Aug 8 18:06:23 +07 2016 # Bugfix: A support for TTL=0 (in Directadmin) added # ==================================================================== # Version: 0.1.5 Mon Apr 25 11:30:01 NOVT 2016 # Changes: A switcher USE_PORT_SELECTED_BLOCK added # ==================================================================== # Version: 0.1.4 Thu Jan 14 19:20:39 NOVT 2016 # Changes: grep replaced with egrep to support old format of # /root/block_ips.txt, when IP comes w/out date. # A switcher CSF_GREP_API_CALL added # ==================================================================== # USE_PORT_SELECTED_BLOCK=1; # SET TO 1 OR 0 # 1: TO BAN ACCESS ONLY TO A PORT WHICH # WAS BRUTEFORCED # 0: TO BLOCK ACCESS TO ALL PORTS # # NOTICE: MANUAL TRIGGER FROM DIRECTADMIN # WILL STILL BLOCK ACCESS TO ALL PORTS # FOR AN IP CSF_GREP_API_CALL=0; # SET TO 1 TO USE API CALL TO CSF # WHEN SEARCHING AN IP AGAINST BLOCKLIST # SET TO 0 (ZERO) TO GREP A FILE DIRECTLY # 1 - MORE ACCURATE, USE csf # 0 - MORE SPEEDY, USE egrep # ==================================================================== BF="/root/blocked_ips.txt"; EF="/root/exempt_ips.txt"; SLF="/usr/local/directadmin/data/admin/brute_skip.list"; CAF="/etc/csf/csf.allow"; CATF="/var/lib/csf/csf.tempallow"; CDF="/etc/csf/csf.deny"; CDTF="/var/lib/csf/csf.tempban"; CSF="/usr/sbin/csf"; FTP_PORTS="20 21"; SSH_PORTS="22"; WEB_PORTS="80 443"; EXIM_PORTS="25 465 587"; DOVECOT_PORTS="110 143 993 995"; DIRECTADMIN_PORTS="2222"; function detect_attacked_service() { # FTP c=`echo "${data}" | grep -c ftpd[1,2]=`; if [ "${c}" -gt "0" ]; then echo "${FTP_PORTS}"; return 0; fi; # SSH c=`echo "${data}" | grep -c ssh[1,2]=`; if [ "${c}" -gt "0" ]; then echo "${SSH_PORTS}"; return 0; fi; # WEB c=`echo "${data}" | grep -c wordpress[1,2]=`; if [ "${c}" -gt "0" ]; then echo "${WEB_PORTS}"; return 0; fi; # EXIM c=`echo "${data}" | grep -c exim[1,2]=`; if [ "${c}" -gt "0" ]; then echo "${EXIM_PORTS}"; return 0; fi; # DOVECOT c=`echo "${data}" | grep -c dovecot[1,2]=`; if [ "${c}" -gt "0" ]; then echo "${DOVECOT_PORTS}"; return 0; fi; # DIRECTADMIN c=`echo "${data}" | grep -c directadmin[1,2]=`; if [ "${c}" -gt "0" ]; then echo "${DIRECTADMIN_PORTS}"; return 0; fi; echo "0"; return 1; } if [ -z "${ip}" ]; then echo "[ERROR] We've got no IP to block! Terminating..."; exit 1; fi; if [ ! -x "${CSF}" ] || [ ! -f "${CDF}" ]; then echo "[ERROR] CSF/LFD was not found on your server! Terminating..."; exit 2; fi; [ -e "${BF}" ] || touch "${BF}"; [ -e "${EF}" ] || touch "${EF}"; # SHOULD WE NEED TO BLOCK ACCESS ONLY TO SELECTED PORTS # WE NEED FIRST DETECT WHAT SERVICE IS UNDER A BRUTEFORCE ATTACK if [ "${USE_PORT_SELECTED_BLOCK}" == "1" ]; then TTL=`/usr/local/directadmin/directadmin c | grep unblock_brute_ip_time= | cut -d\= -f2`; if [ ${TTL} == "0" ]; then TTL="1825d"; # If TTL=0 then IP should be blocked forever # here we set TTL to 5 years = 365d * 5 else TTL=$((TTL*3*60)); # It is Directadmin which unblocks IP, so we need to have enough long TTL # so that Directadmin have a chance to unblock it # Additionaly convert minutes to seconds *60 fi; BLOCK_PORTS=""; # We should have data= from Directadmin in order to detect # what service was bruteforced # If there was no data= passed to the script we set USE_PORT_SELECTED_BLOCK to 0 if [ -z "${data}" ]; then USE_PORT_SELECTED_BLOCK=0; else BLOCK_PORTS=`detect_attacked_service`; if [ "$?" -ne 0 ] || [ "${BLOCK_PORTS}" == "0" ]; then USE_PORT_SELECTED_BLOCK=0; BLOCK_PORTS=""; fi; fi; fi; # Is the IP whitelisted by Directadmin? c=`grep -c "^${ip}\$" ${EF}`; if [ "${c}" -gt 0 ]; then echo "[WARNING] The IP ${ip} is whitelisted in ${EF}. Not going to block it..."; exit 3; fi; # Is the IP added into a skiplist by Directadmin? if [ -f ${SLF} ]; then c=`grep -c "^${ip}=" ${SLF}`; if [ "${c}" -gt 0 ]; then echo "[WARNING] The IP ${ip} is whitelisted in ${SLF}. Not going to block it..."; exit 4; fi; fi; # Is the IP whitelisted permamently by CSF? c=`egrep -c "(^|=)${ip}($|\s|#)" ${CAF}`; if [ "${c}" -gt 0 ]; then echo "[WARNING] The IP ${ip} is whitelisted in ${CAF}. Not going to block it..."; exit 5; fi; # Is the IP whitelisted temporary by CSF? c=`grep -c "|${ip}|" ${CATF}`; if [ "${c}" -gt 0 ]; then echo "[WARNING] The IP ${ip} is whitelisted in ${CATF}. Not going to block it..."; exit 5; fi; # If the IP is already blocked in CSF/LFD # We do not want the IP to be managed by BFM in this case if [ "${CSF_GREP_API_CALL}" == "0" ]; then # MORE SPEEDY egrep "^${ip}($|\s)" ${CDF} -q || grep "|${ip}|" ${CDTF} -q; RVAL=$?; c=0; else # MORE ACCURATE c=`${CSF} -g "${ip}" | egrep 'csf.deny|Temporary Blocks' -c`; fi; if [ "${c}" -gt 0 ] || [ "${RVAL}" == "0" ]; then echo -n "[WARNING] The IP ${ip} is already blocked: "; if [ "${CSF_GREP_API_CALL}" == "0" ]; then details=`egrep "^${ip}($|\s)" ${CDF} | cut -d\# -f2 | head -1 | xargs`; [ -z "${details}" ] && details=`grep "|${ip}|" ${CDTF} | cut -d\| -f6 | head -1 | xargs`; echo "${details}"; else ${CSF} -g "${ip}" | egrep 'csf.deny|Temporary Blocks' | cut -d\# -f2 | head -1; fi; exit 6; fi; TF=$(mktemp); if [ -z "${BLOCK_PORTS}" ]; then ${CSF} -d ${ip} "Blocked with Directadmin Brute Force Manager" > ${TF} 2>&1; else for port in `echo "${BLOCK_PORTS}"`; do ${CSF} --tempdeny ${ip} ${TTL} -p ${port} -d inout "Blocked port ${port} with Directadmin Brute Force Manager for ${TTL} seconds" >> ${TF} 2>&1; done; fi; c=`grep " DENY_IP_LIMIT " ${TF} -c`; if [ "${c}" -gt 0 ]; then ip2=`cat ${TF} | grep " DENY_IP_LIMIT " --after=1 | tail -1 | awk '{print $1}'`; echo -n "[WARNING] DENY_IP_LIMIT was met in CSF. "; if [ ! -z "${ip2}" ]; then cat ${BF} | grep -v "^${ip2}=" > ${BF}.temp; mv ${BF}.temp ${BF}; echo "The IP ${ip2} was removed from ban list."; else echo ""; fi; fi; if [ "${CSF_GREP_API_CALL}" == "0" ]; then egrep "^${ip}($|\s)" ${CDF} -q || grep "|${ip}|" ${CDTF} -q; RVAL=$?; c=0; else c=`${CSF} -g "${ip}" | egrep 'csf.deny|Temporary Blocks' -c`; fi; if [ "${c}" -gt 0 ] || [ "${RVAL}" == "0" ]; then echo "[OK] The IP ${ip} was blocked with CSF."; #echo "${ip}=dateblocked=`date +%s`" >> ${BF}; fi; [ ! -f "${TF}" ] || rm -f ${TF}; exit 0;