Asbra Firewall is a combination of scripts and tools for firewall configuration and intrusion detection (NIDS). It uses sqlite3 to store information on blocked traffic and counts the occurrences of attacking hosts, with optional blocking.
Create a new chain named “BLOCKED” and jump to it as the last rule of your INPUT and FORWARD chains. Its “-j LOG” entry makes sure that all traffic that doesn’t match an earlier rule gets logged.
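# IPTables BLOCKED Chain (all traffic not matching an earlier rule).
# Run this AFTER the accept rules are in place: -A appends, so the jump to
# BLOCKED must be the last rule of INPUT for the earlier rules to win.
# -N fails harmlessly if the chain already exists; -F then empties it so the
# LOG/DROP pair below is not duplicated when the snippet is re-run.
iptables -N BLOCKED &> /dev/null
iptables -F BLOCKED
# Only append the INPUT jump when it is missing (-C checks for the rule);
# an unconditional -A would add one more identical INPUT rule per run.
# Add the same -C/-A pair for FORWARD if this host forwards traffic.
iptables -C INPUT -j BLOCKED &> /dev/null || iptables -A INPUT -j BLOCKED
iptables -A BLOCKED -j LOG --log-prefix "[ABF_Blocked] " --log-level 4
iptables -A BLOCKED -j DROP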
We want our firewall logs in separate files.
# vim /etc/rsyslog.d/30-abf.conf
# Log kernel generated ABF log messages to file
# NOTE(review): these are message-content filters, not facility filters:
# any process that can write to syslog and includes the prefix text will
# have its line written to these files, so the script that consumes them
# must validate the fields it extracts before using them.
:msg,contains,"[ABF_Blocked" /var/log/abf-blocked.log
:msg,contains,"[ABF_Blacklist" /var/log/abf-blacklist.log
# Uncomment the following to stop logging anything that matches the last rule.
# '&' reuses the filter of the selector line directly above (the Blacklist
# one); to also keep the Blocked messages out of the default kernel/syslog
# files, a second '& stop' has to follow the Blocked line as well.
& stop
Then reload rsyslog:
# /etc/init.d/rsyslog restart
Now let’s create the logging script:
# mkdir -p /opt/abf
# vim /opt/abf/log
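#!/bin/bash
# /opt/abf/log — Asbra Firewall logging helper.
#
# Usage: log {start|list|count|last <ip> <seconds>}
#   start  follow the iptables BLOCKED log, record every hit in the database
#          and blacklist a source once it has more than $threshold hits
#   list   dump every recorded drop
#   count  number of hits per source address
#   last   drops from <ip> within the last <seconds> seconds (86400 = 1 day)
#
# The database path is relative to the current directory (as in the first
# version of this script): run it from /opt/abf, or change $db below.
set -uo pipefail

db='abf.db'
logfile='/var/log/abf-blocked.log'
threshold=5

# Print the value of "$1=..." found in log line $2, or nothing if the key is
# absent.  The earlier `sed 's/.*KEY=(...)/\1/'` returned the WHOLE line when
# the key was missing, and that line then went unchanged into the SQL
# statements, geoiplookup and ipset.
field() {
  local key=$1 line=$2
  [[ "$line" =~ (^|[[:space:]])"$key"=([^[:space:]]+) ]] || return 0
  printf '%s' "${BASH_REMATCH[2]}"
}

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0-255.
# This is the only form accepted before a value is placed into an SQL string
# or handed to ipset; the rsyslog filters match on message text, so the log
# file cannot be assumed to hold only kernel-formatted lines.
is_ipv4() {
  local ip=$1 oct
  [[ "$ip" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for oct in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08" is not rejected as a bad octal literal
    (( 10#$oct <= 255 )) || return 1
  done
}

# Run one SQL statement against the database.
sql() {
  sqlite3 "$db" "$@"
}

case "${1:-}" in
  start)
    if [[ ! -e "$db" ]]; then
      sql "create table ipt_drop (id INTEGER PRIMARY KEY,source TEXT,proto TEXT,dport INTEGER, time INTEGER );"
    fi
    # -F (not -f) re-opens the file after logrotate replaces it; -n 0 skips
    # the history so only new drops are counted.
    while IFS= read -r line; do
      src=$(field SRC "$line")
      proto=$(field PROTO "$line")
      dport=$(field DPT "$line")
      if ! is_ipv4 "$src"; then
        printf 'skipping line without a valid SRC=: %s\n' "$line" >&2
        continue
      fi
      # PROTO is a bare token (TCP, UDP, ICMP, ...) and DPT is numeric; drop
      # anything else rather than interpolating it into the insert below.
      [[ "$proto" =~ ^[A-Za-z0-9]+$ ]] || proto=''
      [[ "$dport" =~ ^[0-9]+$ ]] || dport=''
      now=$(date +%s)
      # Hits already recorded for this source, i.e. excluding the current one
      # (same semantics as before; a first-time source yields 0, not "").
      occurrences=$(sql "SELECT count(*) FROM ipt_drop WHERE source = '$src';")
      occurrences=${occurrences:-0}
      geoip=''
      if command -v geoiplookup >/dev/null 2>&1; then
        geoip=$(geoiplookup "$src" | cut -f2 -d":")
      fi
      sql "insert into ipt_drop (source,proto,dport,time) values ('$src','$proto', '$dport', $now);"
      printf "%-20s %7s %7s %7s %-20s\n" "$src" "$dport" "$proto" "$occurrences" "$geoip"
      if (( occurrences > threshold )); then
        echo "Blacklisting $src"
        # -exist: re-adding an address already in the set is not an error, so
        # a noisy host does not produce one ipset failure per logged packet.
        ipset add -exist abf_ip_blacklist "$src"
      fi
    done < <(tail -n 0 -F -- "$logfile")
    ;;
  list)
    printf '%s\n' '.mode column' '.width 5 15 4 5' '.headers on' \
      'select * from ipt_drop' | sqlite3 "$db"
    ;;
  count)
    # Count occurrences of each source address in the database
    printf '%s\n' '.mode column' '.width 15 5' '.headers on' \
      'SELECT source, count(source) FROM ipt_drop GROUP BY source' | sqlite3 "$db"
    ;;
  last)
    # (( $# < 3 )) is a numeric test; the earlier [[ $# < 3 ]] compared strings.
    if (( $# < 3 )); then
      echo "Need an ip and number of seconds (86400=1day)"
      exit 1
    fi
    # Both arguments end up inside the SQL text, so they are checked first.
    is_ipv4 "$2" || { printf 'Not an IPv4 address: %s\n' "$2" >&2; exit 1; }
    [[ "$3" =~ ^[0-9]+$ ]] || { printf 'Seconds must be a non-negative integer: %s\n' "$3" >&2; exit 1; }
    now=$(date +%s)
    printf '%s\n' '.mode column' '.width 15 5' '.headers on' \
      "select source,dport FROM ipt_drop WHERE source = '$2' AND time BETWEEN $(( now - $3 )) AND $now" | sqlite3 "$db"
    ;;
  *)
    echo "Syntax: $0 [start,list,count,last]"
    ;;
esac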
More to come…