The FreeBSD Diary


Providing practical examples since 1998

Scripts / handy tips
 Adding blocked hosts to multiple systems
Author: el_kab0ng 
Date:   22-01-02 01:10

Ever had a machine that used snort/portsentry and blackhole to maintain a list of blocked hosts on a machine?

I got tired of manually adding networks to the null route (blackhole), so I developed a decent way to automate this into one command.

First, some background:

normally the command is run like so:

route add -net IP -netmask IP 127.0.0.1 -blackhole

This in effect lists them in a netstat -arn as:

IP/32 127.0.0.1

In any event, I have 3 servers, all running different services for my network. What hits one machine, usually hits the rest as well. To make sure all machines have a current blocked list, I have developed the following script. It's simple, but effective.

#!/bin/sh
# Collect the blackholed hosts (gateway 127.0.0.1, flag B) without the /32 suffix.
# Matching those columns instead of "grep 127" avoids picking up unrelated routes.
netstat -arn | awk '$2 == "127.0.0.1" && $3 ~ /B/ {print $1}' | sed 's/\/.*$//' | grep -v '^127\.0\.0\.1$' > /path/to/blocked.txt
# Re-add each host as a /32 blackhole route (on the other machines, after copying blocked.txt over).
while read IP ; do
route add -net "$IP" -netmask 255.255.255.255 127.0.0.1 -blackhole
done < /path/to/blocked.txt


I'm sure this very basic script can be improved upon, but I figured I'd post it anyway... just for those who wanted it.

 Re: Adding blocked hosts to multiple systems
Author: el_kab0ng 
Date:   22-01-02 01:13

for those who needed a removal of the blocked.txt:

#!/bin/sh
# One path for writing, reading and removing the list.
BLOCKED=/home/el_kab0ng/blocked.txt
netstat -arn | awk '$2 == "127.0.0.1" && $3 ~ /B/ {print $1}' | sed 's/\/.*$//' | grep -v '^127\.0\.0\.1$' > $BLOCKED
while read IP ; do
route add -net "$IP" -netmask 255.255.255.255 127.0.0.1 -blackhole
done < $BLOCKED
/bin/rm $BLOCKED
exit

 Re: Adding blocked hosts to multiple systems
Author: el_kab0ng 
Date:   22-01-02 01:17

heh... just realized you probably want to parse out the netstat command from one machine, then transfer the blocked.txt file to the others before running the rest of the script... muh bad, but you knew that already.

 Re: Adding blocked hosts to multiple systems
Author: william cooper 
Date:   22-01-02 15:00

suppose you could do some crontab jobs to scp the blocked.txt to the other hosts to keep them updated.

regards

william cooper

 Re: Adding blocked hosts to multiple systems
Author: el_kab0ng 
Date:   22-01-02 20:06

good point. scp + scheduled cronjob to run the script 5 or 10 minutes after transfer...

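Putting the export, transfer and import steps from the posts above together, here is an added example (not el_kab0ng's script) that keeps the list in a plain file, picks the blackhole routes out of netstat -rn by their gateway and flag columns instead of grep 127, and on the receiving host adds only the routes it does not already have, so it can run from cron a few minutes after the scp without trying to re-add routes that are already there. The netstat -rn output inside it is a constructed sample for the self-test; /sbin/route and the FreeBSD column layout are assumptions, and the scp itself stays outside the script.

```shell
#!/bin/sh
# Added example, not the script from the thread: export the blackhole routes of
# one FreeBSD host to a plain list and import that list on another host, adding
# only what is missing.  Assumptions: FreeBSD `netstat -rn` column layout
# (Destination Gateway Flags ...) with the blackhole flag printed as "B", and
# /sbin/route as used in the original posts.
ROUTE=${ROUTE:-/sbin/route}
NETSTAT=${NETSTAT:-"netstat -rn"}

# Constructed sample of `netstat -rn` output (not captured from a real host),
# used to exercise the parser below.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        5      114   fxp0
127.0.0.1          127.0.0.1          UH          1        0    lo0
10.0.0.5/32        127.0.0.1          UGSB        0        0    lo0
172.16.9.1/32      127.0.0.1          UGSB        0        0    lo0
192.168.1          link#1             UC          3        0   fxp0
192.168.127.0/24   192.168.1.1        UGS         0        0   fxp0'

# Read netstat -rn output on stdin and print the bare address of every
# blackhole route (gateway 127.0.0.1 and flag B), without the /32 suffix.
# Matching those columns instead of "grep 127" leaves 192.168.127.0/24 and
# the lo0 host route alone.
parse_blackholes() {
    awk '$2 == "127.0.0.1" && $3 ~ /B/ { sub(/\/.*/, "", $1); print $1 }' |
        grep -v '^127\.0\.0\.1$' | sort -u
}

# Pass through only syntactically valid IPv4 addresses.  The list travels
# between hosts and ends up on a root-run route(8) command line, so anything
# else is dropped rather than executed.
valid_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the addresses in the wanted list ($1) that are not in the current
# list ($2).  FILENAME rather than NR==FNR, so an empty current list (a fresh
# host) still yields every wanted address.
missing_hosts() {
    awk -v cur="$2" 'FILENAME == cur { have[$1] = 1; next }
                     !($1 in have) { print $1 }' "$2" "$1"
}

# Read addresses on stdin and blackhole each one as a /32 route via 127.0.0.1.
add_blackholes() {
    valid_ipv4 | while read -r ip; do
        "$ROUTE" add -net "$ip" -netmask 255.255.255.255 127.0.0.1 -blackhole
    done
}

# Master: write the local blackhole list to $1, ready to be scp'd out.
export_blackholes() {
    $NETSTAT | parse_blackholes > "$1"
}

# Other hosts: given the copied list $1, add only the routes not yet present.
import_blackholes() {
    tmp=$(mktemp) || return 1
    $NETSTAT | parse_blackholes > "$tmp"
    missing_hosts "$1" "$tmp" | add_blackholes
    rm -f "$tmp"
}
```

Run export_blackholes /path/to/blocked.txt on the master from cron, scp the file, and run import_blackholes /path/to/blocked.txt on each of the others a few minutes later. Because the file is consumed by a root-run route add, the import discards any line that is not a dotted quad instead of passing it to the command line.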
 Re: Adding blocked hosts to multiple systems
Author: Jeff Pabian 
Date:   23-01-02 07:54

And use "at" to remove the routes after X amount of time. I have a perl script that adds blackholed IPs, and creates an atjob to remove them after 8 hours. The perl script also checks the IP address against the existing route table, and if it's already in there, then it does nothing. But... if anyone is interested in the atjob part, here's the function that does it:

use strict;
# Values the rest of the script sets; given here so the function stands alone.
my $AT    = '/usr/bin/at';
my $ROUTE = '/sbin/route';
my $hours = 8;          # remove the blackhole after this many hours
sub at_job ($){
my ($ip) = @_;
# "or" rather than "||": with "||" the test binds to the string, not to open().
open ATJOB,"|$AT \"now + $hours hours\" > /dev/null 2>&1 " or die "Can't open $AT: $!";
print ATJOB "$ROUTE delete -blackhole $ip 127.0.0.1\n";
close ATJOB or die "Can't close $AT: $!";
}

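A shell counterpart to the at-job idea above, added here as an example and not Jeff Pabian's script: it validates the address and the hour count before they reach a root command line, adds the blackhole, and hands at(1) a route delete in the same -net/-netmask form as the add used earlier in the thread, so the queued delete names the route exactly the way it was created. /sbin/route and /usr/bin/at are assumed FreeBSD paths; nothing here checks whether the route already exists.

```shell
#!/bin/sh
# Added example, not Jeff Pabian's script: blackhole a host and queue an at(1)
# job that removes the route again after a number of hours.  Assumptions:
# /sbin/route and /usr/bin/at as on FreeBSD, and that the route is added with
# "-net ... -netmask 255.255.255.255" as elsewhere in the thread, so the
# queued delete names it the same way.
ROUTE=${ROUTE:-/sbin/route}
AT=${AT:-/usr/bin/at}

# Both arguments end up on a root-run command line: check them first.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
is_hours() {
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]{0,2}$'
}

# The one-line job handed to at: the delete that mirrors the add below.
delete_command() {
    printf '%s delete -net %s -netmask 255.255.255.255\n' "$ROUTE" "$1"
}

# Usage: blackhole_for HOURS IP   (run as root; at runs the job as the queuing user)
blackhole_for() {
    hours=$1
    ip=$2
    is_hours "$hours" || { echo "blackhole_for: bad hour count '$hours'" >&2; return 1; }
    is_ipv4 "$ip"     || { echo "blackhole_for: bad address '$ip'" >&2; return 1; }
    "$ROUTE" add -net "$ip" -netmask 255.255.255.255 127.0.0.1 -blackhole || return 1
    # at reads the job text from stdin; "now + N hours" is its relative time form.
    delete_command "$ip" | "$AT" now + "$hours" hours
}
```

The at job runs under the identity of whoever queued it, so the function has to be called as root for the delete to succeed; the hour count is limited to 1 to 999 so that a stray value cannot turn into an argument at does not expect.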
 Re: Adding blocked hosts to multiple systems
Author: Jeff Pabian 
Date:   23-01-02 07:55

Man, can I type and spell tonight or what! Sorry folks!

 Re: Adding blocked hosts to multiple systems
Author: Sunil 
Date:   02-02-02 05:04

Question -- Instead of adding blackholed routes, why didn't you just add an entry into the firewall denying the IP?

 Re: Adding blocked hosts to multiple systems
Author: el_kab0ng 
Date:   12-04-02 16:25

Because most of us only run one or two servers... not worth all the trouble of NAT and firewalling.. it's just as easy to be selective in your blocking, and to let BSD do it automatically than to worry about firewall hassles.
