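#!/bin/bash
####################################################
# blockauth: block auth connections using iptables #
#                                                  #
# Author: q3aql@duck.com                           #
# License: GPL v2.0                                #
####################################################
#
# Runs forever as root. Every 60 seconds it:
#   1. marks "Failed password" lines for the users in ${valid_users} as
#      "blockauth[allowed]" so they are not counted,
#   2. collects the source address of every remaining "Failed password"
#      line of /var/log/auth.log into ${blocklist} (deduplicated),
#   3. removes the addresses listed in ${always_ip_allowed},
#   4. adds one iptables DROP rule (OUTPUT chain, local source ports
#      ${block_ports}) for every listed address that has no rule yet,
#   5. marks the processed log lines as "blockauth[blocked]" and restarts
#      rsyslog so it reopens the rewritten log file.
#
# The script rewrites /var/log/auth.log in place and uses the log itself as
# its state, so the original "Failed password" records are not preserved.
# Keep a separate copy of the auth log if it is needed for forensic review.
#
# Configuration: /etc/blockauth/blockauth.conf. It is sourced as shell code,
# so it must be writable by root only. Keys: valid_users, always_ip_allowed,
# blocklist, filelog, max_ip_blocklist, block_ports.

readonly AUTH_LOG="/var/log/auth.log"
readonly CONF_DIR="/etc/blockauth"
readonly CONF_FILE="${CONF_DIR}/blockauth.conf"
readonly INTERVAL=60
# Only addresses matching this shape are ever handed to iptables.
readonly IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'

#######################################
# Print a message to stdout and, once ${filelog} is configured, append it
# to the log file as well. Every message carries the "blockauth: " prefix.
# Globals:   filelog (read)
# Arguments: message words
#######################################
log() {
  printf 'blockauth: %s\n' "$*"
  if [ -n "${filelog:-}" ]; then
    printf 'blockauth: %s\n' "$*" >> "${filelog}"
  fi
}

#######################################
# Print an error to stderr and terminate with status 1.
# Arguments: message words
#######################################
die() {
  printf 'blockauth: %s\n' "$*" >&2
  printf 'blockauth: process stopped\n' >&2
  exit 1
}

# Abort unless running as root: iptables and the auth log need it.
require_root() {
  [ "${EUID}" -eq 0 ] || die "root permissions are required"
}

#######################################
# Verify that every external tool exists in one of the candidate
# directories. ${HOME} may be unset when started from cron or a unit file.
# Returns:   0 when everything is present, exits otherwise
#######################################
check_dependencies() {
  local dirs="/usr/bin /bin /usr/local/bin /sbin /usr/sbin ${HOME:-/root}/.local/bin /home/linuxbrew/.linuxbrew/bin"
  local deps="iptables cat grep sort sed rm echo wc touch systemctl mktemp tail sleep"
  local missing="" dep dir found
  for dep in ${deps}; do
    found=0
    for dir in ${dirs}; do
      if [ -x "${dir}/${dep}" ]; then
        found=1
        break
      fi
    done
    [ "${found}" -eq 1 ] || missing="${missing} ${dep}"
  done
  if [ -n "${missing}" ]; then
    die "some required tools are not installed:${missing}"
  fi
}

#######################################
# Keep only the last 4000 lines of a file. The file is rewritten through
# its existing inode so a writer holding it open is not affected.
# Arguments: $1 - path of the file to shorten
# Returns:   0 on success, 1 on a missing argument or file
#######################################
reduce_log() {
  local file=$1 tmp
  if [ -z "${file}" ]; then
    echo "blockauth: use: reduce_log <file>"
    return 1
  fi
  if [ ! -f "${file}" ]; then
    echo "blockauth: file ${file} does not exist"
    return 1
  fi
  # mktemp: a predictable name in the working directory could be pre-created
  # by another user.
  tmp=$(mktemp) || return 1
  tail -n 4000 -- "${file}" > "${tmp}"
  cat -- "${tmp}" > "${file}"
  rm -f -- "${tmp}"
}

# Write the template configuration. Its placeholder users are rejected by
# load_config until the administrator edits the file.
write_default_config() {
  mkdir -p "${CONF_DIR}"
  cat > "${CONF_FILE}" <<'EOF'
# Blockauth configuration file
valid_users="test1 test2"
always_ip_allowed="192.168.0.1 192.168.0.2"
blocklist="/etc/blockauth/blocklist.list"
filelog="/etc/blockauth/blockauth.log"
max_ip_blocklist="500"
block_ports="22,80,443"
EOF
}

#######################################
# Append key="default" to the configuration file when the key is unset or
# empty after sourcing it.
# Arguments: $1 - variable name, $2 - default value
#######################################
ensure_key() {
  local key=$1 default=$2
  if [ -z "${!key}" ]; then
    printf '%s="%s"\n' "${key}" "${default}" >> "${CONF_FILE}"
  fi
}

#######################################
# Load the configuration, filling in missing keys with defaults, and refuse
# to run on the unedited template or on values that cannot be passed to
# iptables as-is.
# Globals:   valid_users, always_ip_allowed, blocklist, filelog,
#            max_ip_blocklist, block_ports (written by sourcing the file)
#######################################
load_config() {
  [ -f "${CONF_FILE}" ] || write_default_config
  # shellcheck source=/dev/null
  source "${CONF_FILE}"
  ensure_key valid_users "test1 test2"
  ensure_key always_ip_allowed "192.168.0.1 192.168.0.2"
  ensure_key blocklist "/etc/blockauth/blocklist.list"
  ensure_key filelog "/etc/blockauth/blockauth.log"
  ensure_key max_ip_blocklist "500"
  ensure_key block_ports "22,80,443"
  # shellcheck source=/dev/null
  source "${CONF_FILE}"
  if [ "${valid_users}" == "test1 test2" ]; then
    die "you must first configure the file ${CONF_FILE}"
  fi
  [[ "${max_ip_blocklist}" =~ ^[0-9]+$ ]] \
    || die "max_ip_blocklist must be a number in ${CONF_FILE}"
  [[ "${block_ports}" =~ ^[0-9]+([,:][0-9]+)*$ ]] \
    || die "block_ports must be a comma-separated port list in ${CONF_FILE}"
}

#######################################
# When the blocklist has reached ${max_ip_blocklist} entries, delete the
# rules this script added for the listed addresses and empty the list.
# Only this script's own rules are removed: flushing the whole chain would
# also drop firewall rules managed elsewhere. Rules that were added under
# a different block_ports value do not match and must be removed by hand.
# Globals:   blocklist, max_ip_blocklist, block_ports (read)
#######################################
reset_blocklist_if_full() {
  local count ip
  touch -- "${blocklist}"
  count=$(wc -l < "${blocklist}")
  [ "${count}" -ge "${max_ip_blocklist}" ] || return 0
  log "resetting blocklist because maximum has been reached"
  while IFS= read -r ip; do
    ip=${ip//[[:space:]]/}
    [[ "${ip}" =~ ${IPV4_RE} ]] || continue
    # Repeat until -D fails so duplicate rules are removed as well.
    while iptables -D OUTPUT -p tcp -m multiport -d "${ip}" --sports "${block_ports}" -j DROP &> /dev/null; do
      :
    done
  done < "${blocklist}"
  : > "${blocklist}"
}

#######################################
# Mark failed logins of the configured users as allowed, collect every other
# failed-login source address into the blocklist, then mark the processed
# log lines as blocked.
# Globals:   valid_users, blocklist (read); AUTH_LOG is rewritten
#######################################
collect_failed_ips() {
  local user tmp
  local -a allow_exprs=()
  for user in ${valid_users}; do
    log "allowing access for ${user}"
    # User names come from the root-owned config file; a name containing
    # sed metacharacters such as '/' would break these expressions.
    allow_exprs+=(-e "s/Failed password for ${user} from/blockauth\[allowed\]\: invalid pass for ${user} from/g")
    allow_exprs+=(-e "s/Failed password for invalid user ${user} from/blockauth\[allowed\]\: invalid pass for ${user} from/g")
  done

  tmp=$(mktemp) || die "mktemp failed"
  touch -- "${blocklist}"
  cat -- "${blocklist}" > "${tmp}"
  log "creating blocklist"
  # Apply the "allowed" rewrites to a stream copy first so those lines are
  # not collected. The user name in a failed-login line is chosen by the
  # remote side, so only a well-formed IPv4 literal between "from" and
  # "port" is accepted; anything else never reaches iptables.
  if [ "${#allow_exprs[@]}" -gt 0 ]; then
    sed "${allow_exprs[@]}" -- "${AUTH_LOG}"
  else
    cat -- "${AUTH_LOG}"
  fi \
    | grep 'Failed password for' \
    | grep -o -P '(?<=from )[0-9.]+(?= port)' >> "${tmp}"
  # Normalise older entries that still carry surrounding spaces, drop
  # anything that is not an address, and deduplicate.
  sed 's/[[:space:]]//g' -- "${tmp}" \
    | grep -E -- "${IPV4_RE}" \
    | sort -u > "${blocklist}"
  rm -f -- "${tmp}"

  # One in-place rewrite (allowed users first, then the rest as blocked),
  # followed immediately by a rsyslog restart: sed -i replaces the file's
  # inode, and until rsyslog reopens the path it keeps writing to the old,
  # unlinked file, so every record logged in between would be lost.
  sed -i "${allow_exprs[@]}" \
    -e 's/Failed password for/blockauth\[blocked\]\: invalid pass for/g' \
    -- "${AUTH_LOG}"
  systemctl restart rsyslog &> /dev/null
}

#######################################
# Remove the addresses of ${always_ip_allowed} from the blocklist.
# Globals:   always_ip_allowed, blocklist (read/written)
#######################################
remove_allowed_ips() {
  local ip tmp
  local -a patterns=()
  log "running exclude allowed ips"
  [ -n "${always_ip_allowed}" ] || return 0
  for ip in ${always_ip_allowed}; do
    log "allowing ip ${ip}"
    patterns+=(-e "${ip}")
  done
  tmp=$(mktemp) || die "mktemp failed"
  # Whole-line, fixed-string match: a plain regex delete on 192.168.0.1
  # would also remove 192.168.0.10 through 192.168.0.19.
  grep -v -x -F "${patterns[@]}" -- "${blocklist}" > "${tmp}"
  cat -- "${tmp}" > "${blocklist}"
  rm -f -- "${tmp}"
}

#######################################
# Add a DROP rule for every listed address that does not have one yet.
# The rule drops TCP packets leaving the local ports ${block_ports} towards
# the address, i.e. the service's replies.
# Globals:   blocklist, block_ports (read)
#######################################
block_listed_ips() {
  local ip
  while IFS= read -r ip; do
    ip=${ip//[[:space:]]/}
    # Ignore anything in the list file that is not an IPv4 literal.
    [[ "${ip}" =~ ${IPV4_RE} ]] || continue
    # iptables -C checks for the exact rule; a substring search of the
    # rule listing would treat 10.0.0.10 as already covered by 10.0.0.1.
    if ! iptables -C OUTPUT -p tcp -m multiport -d "${ip}" --sports "${block_ports}" -j DROP &> /dev/null; then
      log "blocking ip ${ip}"
      iptables -A OUTPUT -p tcp -m multiport -d "${ip}" --sports "${block_ports}" -j DROP
    fi
  done < "${blocklist}"
}

main() {
  require_root
  check_dependencies
  [ -f "${AUTH_LOG}" ] || die "file ${AUTH_LOG} does not exist"
  load_config
  log "running process"
  while :; do
    sleep "${INTERVAL}"
    reset_blocklist_if_full
    collect_failed_ips
    remove_allowed_ips
    block_listed_ips
    reduce_log "${filelog}"
  done
}

main "$@"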