blocker

blocker 0.1

Introduction

"blocker" is a small awk script for blocking packets from malicious hosts. It blocks IP addresses from which several ssh connection attempts have been made with wrong authentication information.

The small script is designed to be used as:

tail --follow=name /var/log/messages | blocker

Requirements

The system requirements are as follows:

  1. Linux -- Since the script calls iptables to block packets, iptables must be enabled.

  2. Awk -- Any POSIX awk should be usable, I expect, though I have only tested against Gawk.

Install

Copy the script to /usr/sbin or wherever you want to put it.

Make a directory /var/tmp/blocker and put white_list in it.

Usage

Files

black_list

The black_list is a list of already blocked IP addresses. Each line consists of one IP address. No spaces or comments are allowed. The file is created automatically if it does not exist.

white_list

The white_list is a list of absolutely safe net addresses. Each line of it consists of an IP address or net address like 10.0.0.0/8.

Execution

The small script is designed to be used as:

tail --follow=name /var/log/messages | blocker

You may want to start it once and keep it running permanently.

Modifications

There is no configuration mechanism, so you have to modify the script yourself if needed. Do so at your own risk.

The script keeps the address list files in /var/tmp/blocker. This is VAR_DIR in the BEGIN clause of the script.

The address list file names can be changed through the BLACK_LIST and WHITE_LIST variables.

By default, a host is blocked when more than 4 failed attempts from it are detected. The limit of 4 is configurable through the variable LIMIT.

If you want a more fine-grained blocking policy, you have to program it into the awk rules and actions.
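
The behavior described above (white_list entries given as addresses or networks, a block after more than LIMIT failures), as an added sketch that is not the blocker script itself. The function name blocker_sketch, the sshd log line layout and the iptables rule are assumptions, and the rule is only printed, never executed.

```sh
# Dry-run sketch: prints the iptables command instead of running it.
# Usage: blocker_sketch WHITE_LIST_FILE < syslog_lines
blocker_sketch() {
    awk -v WHITE_LIST="$1" -v LIMIT=4 '
    # Dotted quad to number, or -1 when s is not a well-formed IPv4 address.
    function ip2n(s,    p, i, v) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(s, p, "."); v = 0
        for (i = 1; i <= 4; i++) {
            if (p[i] + 0 > 255) return -1
            v = v * 256 + p[i]
        }
        return v
    }
    # True when ip falls inside any white_list entry (address or a.b.c.d/len).
    function whitelisted(ip,    k, size) {
        for (k = 1; k <= nw; k++) {
            size = 2 ^ (32 - wlen[k])
            if (int(ip2n(ip) / size) == int(wnet[k] / size)) return 1
        }
        return 0
    }
    BEGIN {   # load the white list; malformed entries are skipped, not guessed
        while ((getline line < WHITE_LIST) > 0) {
            split(line, a, "/")
            if (a[2] == "") a[2] = 32
            if (ip2n(a[1]) < 0 || a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32) continue
            nw++; wnet[nw] = ip2n(a[1]); wlen[nw] = a[2]
        }
    }
    # Assumed sshd line tail: "... from <ip> port <n> ssh2". Fields are counted
    # from the end because the user name earlier in the line is client-supplied.
    /sshd\[[0-9]+\]: Failed password for / {
        ip = $(NF - 3)
        if ($(NF - 4) != "from" || ip2n(ip) < 0) next   # never pass junk to iptables
        if (blocked[ip] || whitelisted(ip)) next
        if (++count[ip] > LIMIT) {       # "more than 4" failures from one host
            blocked[ip] = 1
            print "iptables -A INPUT -s " ip " -j DROP"
        }
    }'
}

# Constructed sample: five failures from one documentation-range address.
for n in 1 2 3 4 5; do
    echo "Jul 28 14:58:0$n host sshd[100]: Failed password for root from 203.0.113.7 port 4022 ssh2"
done | blocker_sketch /dev/null
```

A white_list entry with an unparsable address or prefix length is dropped rather than treated as a match, so a typo in the file cannot silently exempt every host.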

Limitations

There is no way to stop blocking a host with a valid user who occasionally fails to log in by accident. Recovery from that situation must be carried out by a superuser.

License

This script is distributed under the BSD license.

Last updated 2005-07-28 15:00:32


© 2005-2007, Matsui Fe2+ Tetsushi