iptablesmgr/iptablesmgr.sh at master · mgwebgroup/iptablesmgr · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#! /bin/bash -

# INIT
APACHE_ENV_VARS='/etc/apache2/envvars'
PATHS_GET=paths_get
PATHS_POST=paths_post
APP_DIR=iptablesmgr
REQUESTS_MALICEOUS=requests_maliceous
IP_MALICEOUS=ip_maliceous
IP_LEGAL=ip_legal
CHAIN=IPGUARD

getopts 'i' INSPECT

# TODO: include help option

if [ $INSPECT == 'i' ]; then
  APACHE_LOG=$2
fi
if [ $INSPECT == '?' ]; then
  APACHE_LOG=$1
fi

print_error () {
  echo '--->ERROR:' $1
  echo $2
}

import_ip_maliceous () {
  echo Importing rules...
  while read; do
    iptables -I $1 -p all -j DROP -s ${REPLY}
    # echo iptables -I $1 -p all -j DROP -s ${REPLY}
  done < $2
}

dedup () {
  sort -o ${APP_DIR}/temp $1
  cat ${APP_DIR}/temp | uniq > $1
  rm ${APP_DIR}/temp
}


# CONFIGURE
# check if iptables is installed
command -v iptables >/dev/null 2>&1 || { print_error "Please install iptables. Aborting."; exit 1; }

# TODO: include check for user's capabilities, i.e. if they can run iptables

#if [ -f ${APACHE_ENV_VARS} ]; then
#  source $APACHE_ENV_VARS
#fi


if [ ! -f ${APP_DIR}/${PATHS_GET} ]; then
  print_error 'File paths_get could not be found' 'It is needed to define legal application paths for GET requests'
  exit
fi

if [ ! -f ${APP_DIR}/${PATHS_POST} ]; then
  print_error 'File paths_post could not be found' 'It is needed to define legal application paths for POST requests'
  exit
fi

if [ ! -f ${APP_DIR}/${PATHS_MALICEOUS} ]; then
  touch ${APP_DIR}/${PATHS_MALICEOUS}
fi

if [ -z ${APACHE_LOG} ]; then
  print_error 'Please specify full path to the apache log' 'Example: /var/log/apache2/access.log'
  exit 1
fi

if [ ! -f ${APACHE_LOG} ]; then
  print_error 'Could not find apache log.' "Looked for ${APACHE_LOG}"
  exit 1
fi

# Remove commented and empty lines
FILTER_GET='/^#/d;/^$/d;'
sed -re ${FILTER_GET} ${APP_DIR}/${PATHS_GET} > ${APP_DIR}/temp
while read; do
  FILTER_GET+="\-GET\s${REPLY}\s-d;"
done < ${APP_DIR}/temp

FILTER_POST='/^#/d;/^$/d;'
sed -re ${FILTER_POST} ${APP_DIR}/${PATHS_POST} > ${APP_DIR}/temp
while read; do
  FILTER_POST+="\-POST\s${REPLY}\s-d;"
done < ${APP_DIR}/temp

if [ ! -d ${APP_DIR} ]; then
  mkdir ${APP_DIR}
fi

if [ ! -f ${APP_DIR}/${REQUESTS_MALICEOUS} ]; then
  touch ${APP_DIR}/${REQUESTS_MALICEOUS}
else
  : > ${APP_DIR}/${REQUESTS_MALICEOUS}
fi


# EXECUTE
cp ${APACHE_LOG} ${APP_DIR}/${REQUESTS_MALICEOUS}

# Remove legal ip addresses from Apache log first. They can have any path
if [ -f ${APP_DIR}/${IP_LEGAL} ]; then
  while read; do
    # echo ${REPLY}
    sed -i -re "/^${REPLY}\s/d" ${APP_DIR}/${REQUESTS_MALICEOUS}
  done < ${APP_DIR}/${IP_LEGAL}
fi

# use sed and the created filter expressions for GET and POST requests  to remove legal paths, save the rest in assumed maliceous requests
sed -i -re $FILTER_GET ${APP_DIR}/${REQUESTS_MALICEOUS}
sed -i -re $FILTER_POST ${APP_DIR}/${REQUESTS_MALICEOUS}
# Further nix lines which request root path "/"
sed -i -e '\-GET\s/\sHTTP/1-d' ${APP_DIR}/${REQUESTS_MALICEOUS}
# Nix lines that don't have request type in them. These are requests from local services to apache.
sed -i -e '/"-"\s408/d' ${APP_DIR}/${REQUESTS_MALICEOUS}

if [ $INSPECT == 'i' ]; then
  echo '*** -------- ***'
  echo Please inspect the file ${APP_DIR}/${REQUESTS_MALICEOUS} for possible legal paths to be present
  echo 'You can use `grep -rne LEGAL_PATH_IN_QUESTION '${APP_DIR}/${REQUESTS_MALICEOUS}'`'
  echo '*** COMPLETE ***'
  exit 0
fi

# Create list of malicious IP addresses and remove duplicates:
cut -d ' ' -f1 ${APP_DIR}/${REQUESTS_MALICEOUS} | sort | uniq >> ${APP_DIR}/${IP_MALICEOUS}
dedup ${APP_DIR}/${IP_MALICEOUS}

# Check if chain exists in IP tables. If not, create it
iptables -S $CHAIN > /dev/null 2>&1
if [ $? -gt 0 ]; then
  echo No chain $CHAIN. Will create.
  iptables -N $CHAIN
  iptables -I INPUT 1 -j $CHAIN
else
  echo Found chain $CHAIN
fi
iptables -S $CHAIN | sed -e '1d' | cut -d ' ' -f4 | sed -e 's/\/32//g' | sort | uniq > ${APP_DIR}/temp

#make list of new ip addresses for this run
sdiff -sW ${APP_DIR}/temp ${APP_DIR}/${IP_MALICEOUS} | sed -re 's/^[ \t>]+//' > ${APP_DIR}/new
import_ip_maliceous $CHAIN ${APP_DIR}/new

# In the list identify which IP addresses were new for this run
iptables --line-numbers -v -nL $CHAIN | tr '*' 'x' > ${APP_DIR}/temp
echo '*** -------- ***'
echo Chain $CHAIN has these rules now:
while read NUM PKTS BYTES TARGET PROT OPT IN OUT SOURCE DESTINATION; do
  cat ${APP_DIR}/new | grep -e $SOURCE >/dev/null 2>&1
  if [ $? == 0 ]; then
    NEW=new;
  else
    NEW='';
  fi
  printf "%6s %4s %5s %-10s %4s %3s %6s %6s %-20s %-17s %-6s\n" $NUM $PKTS $BYTES $TARGET $PROT $OPT $IN $OUT $SOURCE $DESTINATION $NEW
done < ${APP_DIR}/temp
echo '*** COMPLETE ***'

rm ${APP_DIR}/temp