ABF – AsBraFirewall

Asbra Firewall is a combination of scripts and tools for firewall configuration and network intrusion detection (NIDS). It uses sqlite3 to store information about blocked traffic and counts the occurrences of each attacking host, with optional blocking.

Create a new chain named “BLOCKED” (it holds the “-j LOG” rule) and jump to it as the last rule of your INPUT and FORWARD chains. This makes sure that all traffic not matched by an earlier rule gets logged.

# IPTables BLOCKED Chain (All traffic not matching a rule)
# -N fails when BLOCKED already exists, so its output is silenced to keep the
# snippet re-runnable; -F then empties the chain before it is rebuilt below.
iptables -N BLOCKED &> /dev/null
iptables -F BLOCKED
# Everything INPUT has not accepted by this point is handed to BLOCKED, so
# this must remain the LAST rule in INPUT. NOTE(review): the text above also
# mentions FORWARD, but no FORWARD jump is added here; and since -A appends,
# running this line twice leaves two jumps in INPUT.
iptables -A INPUT -j BLOCKED
# The "[ABF_Blocked] " prefix is what the rsyslog rule matches on, so the two
# strings must agree exactly.
iptables -A BLOCKED -j LOG --log-prefix "[ABF_Blocked] " --log-level 4
iptables -A BLOCKED -j DROP

We want our firewall logs in separate files.
# vim /etc/rsyslog.d/30-abf.conf

# Log kernel generated ABF log messages to file
:msg,contains,"[ABF_Blocked" /var/log/abf-blocked.log
:msg,contains,"[ABF_Blacklist" /var/log/abf-blacklist.log

# Uncomment the following line to stop further processing of messages that matched the rule above.
& stop

Then reload rsyslog:
# /etc/init.d/rsyslog restart

Now let's create the logging script:

# mkdir -p /opt/abf

# vim /opt/abf/log

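#!/bin/bash
#
# /opt/abf/log — consumes the iptables "[ABF_Blocked]" log written by rsyslog,
# records each dropped packet in an sqlite3 database and, once a source has
# been seen more than ABF_BLOCK_THRESHOLD times, adds it to an ipset.
#
# Usage: log start | list | count | last <ip> <seconds>
#
# Environment (all optional):
#   ABF_DB               sqlite3 database file    (default /opt/abf/abf.db;
#                        the old version used abf.db relative to the cwd)
#   ABF_LOGFILE          log file to follow       (default /var/log/abf-blocked.log)
#   ABF_BLOCK_THRESHOLD  hits before blacklisting (default 5)
#   ABF_IPSET            ipset to add hosts to    (default abf_ip_blacklist)
#
# Every value taken from a log line or from argv is validated before it is
# interpolated into SQL or handed to ipset: the sqlite3 CLI used here offers
# no parameter binding, so a non-address "source" (for example a log line
# without SRC=, which the old sed fallback captured whole) must never reach
# a query or an ipset command.
#
# Deliberately no `set -e`: "start" is a long-running tailer and a transient
# sqlite3 / geoiplookup / ipset failure must not kill it. Errors are checked
# explicitly instead.
set -u -o pipefail

readonly ABF_DB=${ABF_DB:-/opt/abf/abf.db}
readonly ABF_LOGFILE=${ABF_LOGFILE:-/var/log/abf-blocked.log}
readonly ABF_BLOCK_THRESHOLD=${ABF_BLOCK_THRESHOLD:-5}
readonly ABF_IPSET=${ABF_IPSET:-abf_ip_blacklist}

# Print a diagnostic on stderr.
abf_warn() {
  printf 'abf: %s\n' "$*" >&2
}

# Run sqlite3 against the ABF database. SQL comes from "$@" or, when no
# argument is given, from stdin (the here-docs below).
abf_sql() {
  sqlite3 "$ABF_DB" "$@"
}

# Print the value of the first "KEY=value" pair in an iptables log line
# (everything up to the next whitespace), or nothing when the key is absent.
# Arguments: $1 - log line, $2 - key (SRC, PROTO, DPT, ...)
abf_field() {
  local line=$1 key=$2 rest
  case "$line" in
    *"$key="*)
      rest=${line#*"$key="}
      printf '%s\n' "${rest%%[[:space:]]*}"
      ;;
  esac
}

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# This is the gate for anything that ends up inside SQL or an ipset command.
# Arguments: $1 - candidate address
abf_is_ipv4() {
  local octet
  [[ ${1:-} =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08"/"09" are not rejected as bad octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# Succeed only for a non-negative decimal integer.
# Arguments: $1 - candidate number
abf_is_uint() {
  [[ ${1:-} =~ ^[0-9]+$ ]]
}

# Create the table on first use; a no-op afterwards.
abf_init_db() {
  abf_sql "CREATE TABLE IF NOT EXISTS ipt_drop (id INTEGER PRIMARY KEY, source TEXT, proto TEXT, dport INTEGER, time INTEGER);"
}

# Follow the log file forever, recording every dropped packet and
# blacklisting sources that exceed the threshold. Never returns normally.
abf_start() {
  local line src proto dport dport_sql now seen geo
  abf_init_db || { abf_warn "cannot initialise $ABF_DB"; return 1; }
  # tail -F (not -f) reopens the file after logrotate replaces it.
  while IFS= read -r line; do
    src=$(abf_field "$line" SRC)
    proto=$(abf_field "$line" PROTO)
    dport=$(abf_field "$line" DPT)
    if ! abf_is_ipv4 "$src"; then
      abf_warn "ignoring line without a valid IPv4 SRC: $line"
      continue
    fi
    # PROTO is logged as a name such as TCP/UDP/ICMP; anything else is blanked.
    [[ $proto =~ ^[A-Za-z0-9]+$ ]] || proto=
    # ICMP lines carry no DPT; store NULL rather than an empty string.
    if abf_is_uint "$dport"; then
      dport_sql=$dport
    else
      dport_sql=NULL
    fi
    now=$(date +%s)
    # Count earlier hits *before* inserting this one (as the original did);
    # a first sighting therefore prints 0.
    seen=$(abf_sql "SELECT count(*) FROM ipt_drop WHERE source = '$src';")
    abf_is_uint "$seen" || seen=0
    geo=$(geoiplookup "$src" 2>/dev/null | cut -f2 -d':')
    abf_sql "INSERT INTO ipt_drop (source, proto, dport, time) VALUES ('$src', '$proto', $dport_sql, $now);" \
      || abf_warn "insert failed for $src"
    printf '%-20s %7s %7s %7s %-20s\n' "$src" "$dport" "$proto" "$seen" "$geo"
    if (( seen > ABF_BLOCK_THRESHOLD )); then
      printf 'Blacklisting %s\n' "$src"
      # -exist turns a repeated add of the same host into a no-op instead of
      # an error. NOTE(review): assumes the set exists and is referenced by
      # an iptables rule — neither is shown here.
      ipset -exist -A "$ABF_IPSET" "$src" || abf_warn "ipset add failed for $src"
    fi
  done < <(tail -n 0 -F -- "$ABF_LOGFILE")
}

# Dump every recorded drop.
abf_list() {
  abf_sql <<'EOF'
.mode column
.width 5 15 4 5
.headers on
select * from ipt_drop
EOF
}

# Count recorded drops per source address.
abf_count() {
  abf_sql <<'EOF'
.mode column
.width 15 5
.headers on
SELECT source, count(source) FROM ipt_drop GROUP BY source
EOF
}

# Show drops from one address within the last N seconds.
# Arguments: $1 - IPv4 address, $2 - window in seconds (86400 = 1 day)
# Returns:   1 when an argument is missing or invalid
abf_last() {
  local ip=${1:-} secs=${2:-} now
  if [[ -z $ip || -z $secs ]]; then
    printf '%s\n' 'Need an ip and number of seconds (86400=1day)' >&2
    return 1
  fi
  abf_is_ipv4 "$ip" || { abf_warn "not a valid IPv4 address: $ip"; return 1; }
  abf_is_uint "$secs" || { abf_warn "not a number of seconds: $secs"; return 1; }
  now=$(date +%s)
  abf_sql <<EOF
.mode column
.width 15 5
.headers on
select source,dport FROM ipt_drop WHERE source = '$ip' AND time BETWEEN $(( now - secs )) AND $now
EOF
}

# Dispatch on the sub-command in $1.
# Returns: 2 on usage error, otherwise the sub-command's status
main() {
  # The threshold is used inside (( )), so it must be a plain integer.
  abf_is_uint "$ABF_BLOCK_THRESHOLD" || { abf_warn 'ABF_BLOCK_THRESHOLD must be an integer'; return 2; }
  case "${1:-}" in
    start) abf_start ;;
    list)  abf_list ;;
    count) abf_count ;;
    last)  abf_last "${2:-}" "${3:-}" ;;
    *)
      printf 'Syntax: %s [start,list,count,last]\n' "$0" >&2
      return 2
      ;;
  esac
}

main "$@"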

More to come…

Published by Nimpen J. Nordström

System Developer and Network Security Enthusiast
