XAMPP w/ PeerBlock

Posted by Anonymous User, April 23, 2014 09:51PM
I created a Perl script that basically scans the Apache logs for definable conditions that stand out as a bot. The purpose of this script is to strip PeerBlock down naked and create a block list that pertains only to my system from the attacks that are hitting my system. I'm using Drupal 7 on XAMPP w/ Cygwin. The script supports both Windows Firewall and PeerBlock. This is configured for PeerBlock as shown; I've disabled all other lists and have instead written a Perl script to generate a list based on banned URI strings in the Apache logs. PeerBlock is set to update the list once per day. I have a cron job entry to execute this Perl script once a day, which updates the existing list with URI violations. There are some areas to configure in the script. Enjoy; if you optimize it, please share.

---SCRIPT START--
#!/usr/bin/perl

#@AUTHOR = Satalink
#@DATE = 04/22/2014
#@VERSION = 1.0
#@Requires = Perl v5.8+

use strict;
use warnings;

# Auto Block bots from attacking site
my $logs = 'C:/xampp/htdocs/logs'; # Apache logs dir (filename format *access.log)
my @whitelist = ('127.0.0.1','192.168.1.254'); # localhost exceptions just to be safe
my $fw = 'p2p'; # 'p2p' = PeerBlock, 'win' = Windows Firewall
my $ip_field = 0; # index of the client IP (%h) in a whitespace-split log line: 0 for Apache's default common/combined LogFormat (the post's original used 2; adjust to your LogFormat)

my $list = '';
if ($fw eq 'p2p') { # string compare ('==' compares numerically and is always true for these strings)
    # if p2p, set custom block list to use.
    $list = 'C:/xampp/htdocs/logs/peerblock.p2b'; # set this to your desired PeerBlock list and load it in PeerBlock (entries are written as plain-text "name:start-end" lines)
}

# Banned URI keywords

# Regardless of what CMS you're using, you can set the banned strings to meet your needs. double escape the escape char "\\"
my @banned_uri = (
    "\\?q\\=",  # my sites use cleanUrls, no such query strings on site. If I see this in the logs, it's a bot fishing for uri formating
    "\\/RS\\=", # bot crap in the /user/register/RS=0/RK=!DSA1203098512ASDCRAP... uri -- not naturally from my site.
    "\\/RK\\=", # ditto
);
my $expr = join('|', @banned_uri);

# Get Logs
chdir($logs) or die "Can't chdir to $logs: $!\n";
opendir(my $dir, $logs) or die "Can't open directory $logs: $!\n";
my @LOGS = grep { /access\.log$/ } readdir($dir);
closedir($dir);

# Get blocked list as [from, to] integer ranges (see ip2int below)
my @blocked = ($fw eq 'p2p') ? p2p_get_blocked($list) : win_get_blocked();
my %whitelisted = map { $_ => 1 } @whitelist;

# Process Logs
foreach my $logfile (@LOGS) {
    open(my $log, '<', $logfile) or do { warn "Can't open $logfile: $!\n"; next; };
    while (my $line = <$log>) {
        chomp($line);
        my $ip = (split(/\s+/, $line))[$ip_field];
        # accept only a well-formed IPv4 address: $ip is interpolated into the nslookup/netsh shell commands below
        next unless defined $ip && $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
        next if $whitelisted{$ip} || is_blocked($ip);
        next unless $line =~ /$expr/;
        print "Blocking $ip\n";
        if ($fw eq 'p2p') { p2p_block($ip, $list); } else { win_block($ip); }
        push @blocked, [ip2int($ip), ip2int($ip)]; # so further hits from this IP in this run are skipped
    }
    close($log);
}


##### SUBROUTINES

# Dotted quad -> 32-bit integer, so list ranges can be compared instead of expanded one IP at a time
sub ip2int {
    my @o = split(/\./, shift);
    return 0 unless @o == 4;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

sub is_blocked {
    my $n = ip2int(shift);
    return scalar grep { $n >= $_->[0] && $n <= $_->[1] } @blocked;
}

# Windows Firewall: every rule named "Blocked" prints its address as "RemoteIP: 1.2.3.4/32"
sub win_get_blocked {
    my @data = `netsh advfirewall firewall show rule name=Blocked`;
    my @ranges = ();
    foreach (grep { /RemoteIP/ } @data) {
        my $tmpdata = (split(/\s+/, $_))[1];
        next unless defined $tmpdata && $tmpdata =~ /^(\d+\.\d+\.\d+\.\d+)/;
        push @ranges, [ip2int($1), ip2int($1)];
    }
    return @ranges;
}

# PeerBlock: parse each "name:start-end" line of the list into a range
sub p2p_get_blocked {
    my ($list) = @_;
    my @ranges = ();
    open(my $p2p, '<', $list) or return @ranges; # no list yet: nothing is blocked
    while (my $line = <$p2p>) {
        chomp($line);
        next unless $line =~ /:(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\s*$/;
        push @ranges, [ip2int($1), ip2int($2)];
    }
    close($p2p);
    return @ranges;
}

sub win_block {
    my ($ip) = @_;
    my $status = `netsh advfirewall firewall add rule name=Blocked dir=in action=block remoteip=$ip enable=yes`;
    return $status;
}

# PeerBlock: append one entry for $ip, or its whole /24 when the reverse DNS name hits a banned keyword
sub p2p_block {
    my ($ip, $list) = @_;
    # get domain (Cygwin/BIND nslookup prints "... name = host.example.com.")
    my @data = grep { /=/ } `nslookup $ip`;
    my $domain = '';
    foreach (@data) {
        $domain = (split(/=/, $_, 2))[1] || '';
        $domain =~ s/^\s+|\s+$//g; # trim whitespace and the CRLF
        $domain =~ s/\.$//;        # remove trailing '.'
        $domain = lc($domain);     # the keywords below are lower-case
    }

    # ban entire block if domain keyword matched
    my @bans = (
        "\\.jp\$",   # nslookup returns .jp japan
        "\\.tw\$",   # returns .tw taiwan
        "\\.ru\$",   # returns .ru russia
        "vpn",       # reflected from a vpn service
        "vps",       # originating from a vps hosted site (not a real user)
        "anonymous", # real or not, anonymous is up to no good on my site.
        "quadranet"  # another vps host
    );
    my $ban_expr = join('|', @bans);
    open(my $p2p, '>>', $list) or die "Could not open file $list $!";
    if ($domain ne '' && $domain =~ /$ban_expr/) {
        my ($o1, $o2, $o3) = split(/\./, $ip);
        print $p2p "$domain:$o1.$o2.$o3.1-$o1.$o2.$o3.254\n";
    } else {
        print $p2p ":$ip-$ip\n";
    }
    close($p2p);
}
----SCRIPT END-----
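The same log-to-blocklist idea, as an added example that is not part of the original post and not the author's script. It is written in Python rather than Perl so it can be run and checked on its own, and it changes two things a defender usually wants: the access-log line is parsed with the Apache combined-format layout (so the client IP is taken from the %h field and the banned patterns are matched against the request URI only, not the whole line), and the existing P2P list is kept as address ranges that are compared numerically instead of being expanded to single IPs. The sample log lines, the list entry and the names vps.example, SAMPLE_LOG and SAMPLE_LIST are constructed for the example; the banned patterns and whitelist values are the ones from the post.

```python
import ipaddress
import re

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# (the referer/user-agent pair is optional so "common"-format lines parse too)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Banned URI patterns from the post (query-string probing on a clean-URL Drupal site)
BANNED_URI = [re.compile(p) for p in (r"\?q=", r"/RS=", r"/RK=")]

# Addresses that must never be blocked (same values as the post's @whitelist)
WHITELIST = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("192.168.1.254")}


def parse_line(line):
    """Return (client_ip, request_uri) for one access-log line, or None when the
    line does not parse or the client field is not an IP address."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # rejects hostnames and garbage
    except ValueError:
        return None
    parts = m.group("request").split(" ")      # "GET /path HTTP/1.1"
    uri = parts[1] if len(parts) >= 2 else ""
    return ip, uri


def parse_p2p(text):
    """Parse plain-text P2P list lines ("name:start-end") into (name, start, end)."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, span = line.rpartition(":")
        start, _, end = span.partition("-")
        ranges.append((name, ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return ranges


def is_blocked(ip, ranges):
    """True if ip falls inside any listed range (only ranges of the same IP version compare)."""
    return any(start.version == ip.version and start <= ip <= end
               for _, start, end in ranges)


def p2p_entry(ip, name=""):
    """One single-address list line, in the format the post's script appends."""
    return f"{name}:{ip}-{ip}"


def offenders(lines, ranges):
    """Map each new offending client IP (as text) to the first banned URI it requested."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, uri = parsed
        if ip in WHITELIST or is_blocked(ip, ranges):
            continue
        if any(p.search(uri) for p in BANNED_URI):
            hits.setdefault(str(ip), uri)
    return hits


# Constructed sample input: documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2014:21:40:01 -0500] "GET /?q=user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Apr/2014:21:40:02 -0500] "GET /node/12 HTTP/1.1" 200 8120 "http://search.example/?q=drupal" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2014:21:40:03 -0500] "GET /user/register/RS=0/RK=1 HTTP/1.1" 404 210 "-" "curl/7.30"
192.168.1.254 - - [23/Apr/2014:21:40:04 -0500] "GET /?q=admin HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.200 - - [23/Apr/2014:21:40:05 -0500] "GET /?q=admin HTTP/1.1" 200 900 "-" "Mozilla/5.0"
not a log line
"""
# Constructed existing list: one /24-ish range already blocked by an earlier run.
SAMPLE_LIST = "vps.example:203.0.113.128-203.0.113.254\n"

if __name__ == "__main__":
    found = offenders(SAMPLE_LOG.splitlines(), parse_p2p(SAMPLE_LIST))
    for ip, uri in found.items():
        print(p2p_entry(ip), "#", uri)
```

Only 203.0.113.7 comes out of the sample: 198.51.100.9 carries `?q=` in its Referer, which a whole-line grep like the post's would have matched and blocked even though the request itself is clean; 192.168.1.254 is whitelisted; 203.0.113.200 already sits inside the listed range; the last line is not a log line. One caveat for either version: %h is the TCP peer, so behind a reverse proxy or CDN every line would name the proxy and the script would block that instead of the bot.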