Block list of ip addresses linux - linux

I'm running Kali on a computer that has port forwarding so I can access it while away from my desk. Upon looking at /var/log/auth.log I find a number of IP addresses that have been trying to log in which I don't recognise. I've managed to extract all the IPs and put them in a file, and want to run a script to block them using iptables. So far, I've come up with this, but it's not working:
#!/bin/bash
NUMBEROFIPS=cat "ipaddresses.txt" | wc -l
for i in `seq 0 $NUMBEROFIPS`;
do
IP=awk 'NR==$i' ipaddresses.txt
iptables -A INPUT -s $IP -j DROP
done
What am I doing wrong?

I suggest:
#!/bin/bash
while IFS= read -r ip; do
iptables -A INPUT -s "$ip" -j DROP
done < ipaddresses.txt
or
xargs -I {} iptables -A INPUT -s {} -j DROP < ipaddresses.txt

Related

How can i extract only the destination ports from a TCPDUMP file

i currently have a script in bash that extract the destination IPs and ports only from the Host IP ( me )
I need to sort the destination Ports in a separate File.
the command i use now for making the capture:
tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
Does anyone what command can i use to put in a separate document only the destination ports?
I found you can only sort IPs but maybe i didn't search throughly enough :(
Packet capture script
Packet capture output
// Script for making the capture
#!/bin/bash
clear
echo "Select your capture option: "
read capture
echo "You selected $catpure"
echo
if [ $capture == "Option1" ];
then
echo
tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
tcpdump -ttttnnr myscript15s
cp myscript15s captura
elif [ $capture == "Option2" ]
then
echo
tcpdump -G 600 -W 1 -w myscript600s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
else
echo "Incorect option .."
fi
echo
echo "The end"
echo
/// output - placed only first 2 lines to get the ideea
2018-06-26 15:42:21.261263 IP 10.0.2.15.54178 > 10.18.0.22.53:19272 [1au] A? detectportal.firefox.com.(53)
2018-06-26 15:42:21.261418 IP 10.0.2.15.51118 > 10.18.0.22.53:31437+ [1au] AAAA? detectportal.firefox.com.(53)
One way that could achieve this would be using tshark to read the capture while applying display filters, sorting as needed then writing the output to a file:
tshark -r your_capture_file.pcap -T fields -e udp.dstport -e tcp.dstport | sort | uniq > results.txt
If you wish to also include the protocol name in your results you can add it in the filter as well:
tshark -r your_capture_file.pcap -T fields -e _ws.col.Protocol -e udp.dstport -e tcp.dstport | sort | uniq > results.txt
Note that using the above method will take care of everything in a single command however the output resulted will contain blank UDP port columns for TCP traffic and blank TCP port columns for UDP traffic which may pose an issue.
In order to avoid this, you can simply run the command twice, once per protocol:
TCP
tshark -r your_capture_file.pcap -T fields -e tcp.dstport | sort | uniq > results.txt
UDP
tshark -r your_capture_file.pcap -T fields -e udp.dstport | sort | uniq >> results.txt
Take note that the second run should use the >> operator instead of the > one to append data to the results file.

Bash Script Command Not Executing

I need help with the following Bash v4.1.2 script.
#!/bin/bash
IP=$1
IPTABLES=/sbin/iptables
$IPTABLES -I INPUT -s $IP -j DROP
echo $IPTABLES -I INPUT -s $IP -j DROP |wall
The variables, IP and IPTABLES, get populated in the echo but the line above is not executed. The echo outputs...
/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
...which is syntactically correct and works if executed manually.
I don't know Bash so I'm struggling to debug this elementary script. I see some scenarios where commands are left bare as I have mine and some that are wrapped in $() (with and without quotes). I've also tried using backticks and quoting various parts of the command. The echo piped through wall only exists for debugging.
I found a basically identical post at Bash script commands not working in cron. My script is not running from cron though.
=== EDIT ===
Added for #Barmar
[root#server tmp]# bash -x /bin/netfilter-drop.sh
+ IP=1.2.3.4
+ IPTABLES=/sbin/iptables
+ /sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
+ wall
+ echo /sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
[root#server tmp]#
Broadcast message from root#server (Thu Dec 29 12:46:44 2016):
/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
^C
[root#server tmp]#
I had initially only given sudo access to run the posted Bash script. The problem was not the script, rather it was permissions. I needed to give additional sudo access to run iptables in my sudoers. Fixed.

Adding my current IP to whitelist on iptables?

I'm pretty new to setting up game server but I want to block rcon to every ip except the ones that are whitelisted.
First I'm gonna use this trhough SSH:
iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p tcp --destination-port 27015 -j DROP
After that I want that when a user runs a bash script or something similar, it detects the user IP and add it to the whitelist automatically.
How can I do this?
Assuming :
the bash script is run on the server
the users logs in using ssh
You could create an ipset :
First, add this rule in iptables :
iptables -A INPUT -i eth0 -m set --match-set whitelist src -p tcp --destination-port 27015 -j ACCEPT
Then create a set :
sudo ipset -N whilelist iphash
Finally, add a script like this, using SSH_CONNECTION environment variable :
#!/bin/bash
USER_IP=$(echo $SSH_CONNECTION | cut -f1 -d' ')
sudo ipset -A whitelist $USER_IP
You could even add those two lines at the end of /root/.bash_profile so it gets done automagically when someone connects as root.
However, this assumes your friends are connecting as root via ssh. Since this is not desirable, you could use a temporary directory to hold the ip addresses, and add a cron job to fill the ipset hash :
Create /etc/cron.d/check_ipset with :
* * * * * root /usr/local/bin/check_ipset
Create /usr/local/bin/check_ipset (and chmod 700) :
#!/bin/bash
for i in `cat /tmp/ipset_pending | sort -u`; do
ipset -A whitelist $i
done
cat /dev/null > /tmp/ipset_pending
Add this to every user's .bash_profile :
...
echo $SSH_CONNECTION | cut -f1 -d' ' >> /tmp/ipset_pending
...
Didn't test, so YMMV, but this should be close enough.

Using variables to direct output to different files

I am trying to use variables to direct program output to different locations based on some user config settings.
if [ -f "vars/debug.var" ]; then
DUMP=''
else
DUMP='&> logs/dump.log'
fi
...
ping -I eth0 -c 10 www.google.com $DUMP
...
So, if the file debug.var exists, DUMP is an empty string, but if it does not exist I want to pipe the output to the dump.log file.
I have tried a lot of different combinations of the variable and command and nothing has worked out... I keep getting the error
ping: unknown host &>
Anybody have an idea? Or is it just not possible?
eval "ping -I eth0 -c 10 www.google.com $DUMP"
Instead of messing around with eval (which is a security hole)
if [ -f "vars/debug.var" ]; then
: # nothing
else
exec &> logs/dump.log
fi
ping -I eth0 -c 10 www.google.com
What exec does is allowing you to redirect output as needed, and you can do that in a sub-shell (...) as well to limit the scope of the re-direct.
Here is another safer variant that allows you to have arbitrary paths.
DU='&>'
MP='logs/ * /du mp.log'
eval "xargs ping -I eth0 -c 3 www.google.com $DU \"\$MP\""
Or you can use an array:
DUMP=('&>' 'logs/ * /du mp.log')
eval "xargs ping -I eth0 -c 3 www.google.com $DUMP \"\${DUMP[1]}\""
And you can quote it like this to save 1 character
eval "xargs ping -I eth0 -c 3 www.google.com $DUMP "'"${DUMP[1]}"'

bash - add additional IF statement

I have a script which parses a varnish varnishncsa log file. The purpose of the script is that if anyone accesses a certain url on the server, it adds their ip address to iptables to lock them out.
In my script I have a statement which ignores my static office ip address (so that I dont lock myself out of the server).
I am trying to add more ip addresses to exclude them from being locked out, but when I do, it seems to break the script.
#!/bin/bash
for address in `cat /var/log/brute.txt | grep -v -f /var/log/applied_brute.txt`; do
/bin/echo $address >> /var/log/applied_brute.txt
if [ "$address" != "my.of.fi.ce.ip" ]; then
IPTABLE=`echo $address | awk '{ print "/sbin/iptables -A INPUT -s "$0" -j DROP -m state --state NEW,ESTABLISHED,RELATED\n"}'`
fi
echo $IPTABLE
$IPTABLE
done
unset address
unset IPTABLE
What I would like is where the statement
if [ "$address" != "my.of.fi.ce.ip" ]; then
to add a few more ip addresses to it.
How about:
#!/bin/bash
for address in `grep -v -f /var/log/applied_brute.txt < /var/log/brute.txt`; do
echo $address >> /var/log/applied_brute.txt
if ! grep -q -F -x $address /etc/my-office-addresses.txt; then
IPTABLE="/sbin/iptables -A INPUT -s "$address" -j DROP -m state --state NEW,ESTABLISHED,RELATED"
echo $IPTABLE
$IPTABLE
fi
done
Store your office addresses in /etc/my-office-addresses.txt
grep options used:
-F : Fixed strings (treat pattern literally, not as regex. This option is not really required in this case, since the input data in all the files used is assumed to be in standard format.)
-x : line match (address = 192.168.0.1 would have matched line = 192.168.0.100 , if this option is missed.)
-q : Do not print result to stdout.
You could use grep or fgrep and have
if fgrep -q "$address" /etc/files-of-addresses-to-avoid ; then
# $address should be avoided
else
# $address should not be avoided
fi
(Perhaps you want /var/log/brute.txt instead of /etc/files-of-addresses-to-avoid etc...)
You may be interested by fail2ban which does what you want to achieve.
If you have a very limited amount of ip addresses, you can use a AND:
if [ "$address" != "my.of.fi.ce.ip" -a "$address" != "my.other.of.fi.ce.ip" -a "$address" != "my.la.st.ip" ]; then
how about creating an Array of local ip addresses, and then go through them in a inner "for loop".

Resources