Tue, April 18, 2023, 4:16:22 / answers: 1 / hits: 1561

Is it possible to write a shell script that checks connections in an Apache server and blocks suspicious IP addresses with a large number of connections automatically and fires a mail for it to the system administrator? Please help.



I have also heard about fail2ban. Will it be convenient to use fail2ban or a shell script, as a shell script needs to be run at regular time intervals? Any comments?



 Answers

As I was reading the first paragraph, I was thinking about fail2ban.



The biggest issue here is detecting a bad user. If you do that manually, skip fail2ban and use sudo ufw deny from 1.2.3.4. That will be a permanent block but there you go.



fail2ban works best when your system (any service, including a dynamic website) sends things to the logs (syslog or service specific). fail2ban then has a stack of things to look for and then what to do if it finds things.



For example, I'm currently employing a fail2ban plugin for WordPress that sends events to syslog. fail2ban detects three incorrect tries and then blocks the IP for five minutes. It's genius stuff that has pretty much entirely blocked brute force attacks. I mention that plugin as it's a good example of a simple custom-written ruleset. It's easy to see how it works and adapt it for your own needs.



Email notification is pretty simple but you can go further and email nmap scans back. Thinking about it, it might be worth running the IP through a whois, extracting the abuse email and automatically sending an abuse report when you ban a user (explaining why).


[#30597] Tuesday, April 18, 2023
ledeball
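The log-driven approach the answer describes, sketched as the shell script the question asks about. This is an added example, not code from the original post or from fail2ban: it counts requests per client IP in an Apache access log and prints, as a dry run, the `ufw deny from` command the answer mentions. The function names, the threshold of 5 and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag client IPs with many requests in an Apache access log.
# THRESHOLD and the sample log below are constructed values, not from the post.
THRESHOLD=${THRESHOLD:-5}

# Print "count ip" for every client at or above the limit, busiest first.
# The client address is the first field of the common/combined log format.
noisy_ips() {
    awk -v limit="$2" '
        NF { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Accept only IPv4-shaped strings, so nothing else taken from the log
# ever ends up inside a firewall command (IPv6 clients are skipped here).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Dry run: print the block commands for review instead of executing them.
block_plan() {
    noisy_ips "$1" "$2" | while read -r count ip; do
        is_ipv4 "$ip" || continue
        printf 'ufw deny from %s  # %s requests\n' "$ip" "$count"
    done
}

# Constructed sample: one client with 8 requests, another with 2.
make_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 8 ]; do
        printf '203.0.113.7 - - [18/Apr/2023:04:10:%02d +0000] "GET /wp-login.php HTTP/1.1" 200 512\n' "$i" >> "$1"
        i=$((i + 1))
    done
    printf '198.51.100.4 - - [18/Apr/2023:04:10:09 +0000] "GET / HTTP/1.1" 200 1024\n' >> "$1"
    printf '198.51.100.4 - - [18/Apr/2023:04:10:10 +0000] "GET /about HTTP/1.1" 200 900\n' >> "$1"
}

# Usage: sh script.sh /path/to/access.log
if [ "$#" -gt 0 ]; then
    block_plan "$1" "$THRESHOLD"
fi
```

A script like this counts over the whole file and has to be scheduled by hand, whereas fail2ban follows the log continuously, so the threshold here only makes sense against a rotated or time-sliced log.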