Create IP black-list

Usage

  • You've got a router running OpenWRT or any other Unix-based OS
  • The router is configured to log IPTABLES, login, etc. events in the syslog
  • The router is also sending all the logs in real-time to a server (via syslog-ng for example)
  • You'd like to extract useful information from this log daily

As described above, this script runs on my server daily. It looks for "DROP" messages from IPTABLES and builds a master file with offending IPs

There are two "master files". One labelled "top_assholes.txt" contains duplicates because it's structured as:

2019.06.05_05:35:01 - Today's top assholes are:
.....
2019.06.05_12:40:02 - Today's top assholes are:
.....

The second "master file", master_blocklist.txt, contains only the unique IPv4 addresses collected by the script. Similarly, this script can be made to track logins, DHCP, etc. - any information of interest in the syslog.

Code

#!/usr/bin/env bash
## VARIABLES ##
# This variable may not be required, depending on your setup. In this case syslog-ng makes a new folder daily named as the variable describes.
today_dir=$(date +%Y.%m.%d)
today_expanded=$(date +%Y.%m.%d_%T)
router_IP=Bifrost
log_location=/var/log/network/"$router_IP"/"$today_dir"/messages
script_location=$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)
query_of_interest="DROP"
###############
# Get list of rejected IPs from router logs
grep "$query_of_interest" "$log_location" >"$script_location"/"$today_dir"_assholes.txt
# Extract Source IP addresses only
grep -Eo "SRC=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" "$script_location"/"$today_dir"_assholes.txt >"$script_location"/"$today_dir"_assholes_ip.txt
# Add time and date to the top file
printf %b\\n "
-------------------------------------------
$today_expanded - Today's top assholes are:
-------------------------------------------
" >>"$script_location"/top_assholes.txt
# Remove dupes from today's list and append them to the top file
sort -n "$script_location"/"$today_dir"_assholes_ip.txt | uniq >>"$script_location"/top_assholes.txt
# Again filter top file by IPs only
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$script_location"/top_assholes.txt | sort -n | uniq >"$script_location"/master_blocklist.txt
# Now we need to clean up
# Remove 0.0.0.0 from the list
sed -i 's/0\.0\.0\.0//g' "$script_location"/master_blocklist.txt
# Remove private LAN 192.168.1.0/24 and 192.168.2.0/24 from the list
sed -i -E 's/192\.168\.[1-2]\.[0-9]{1,3}//g' "$script_location"/master_blocklist.txt
# Finally remove 255.255.255.255
sed -i 's/255\.255\.255\.255//g' "$script_location"/master_blocklist.txt
# And last but not the least, remove empty lines from the master list
sed -i '/^$/d' "$script_location"/master_blocklist.txt
# Final sort and de-dup
cp "$script_location"/master_blocklist.txt "$script_location"/master_blocklist1.txt
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$script_location"/master_blocklist1.txt | sort -n | uniq >"$script_location"/master_blocklist.txt
# Housekeeping - removing un-needed files
rm "$script_location"/{"$today_dir"_assholes.txt,"$today_dir"_assholes_ip.txt,master_blocklist1.txt}
# OPTIONAL: set up cron to execute the script at certain times
# Three entries run the script daily at 23:30, 05:30 and 12:40 (the crontab file path is set in $crontab_file)
#printf %b\\n "30 23 * * * sudo bash $script_location/block_that.sh" | sudo tee -a "$crontab_file" > /dev/null
#printf %b\\n "30 05 * * * sudo bash $script_location/block_that.sh" | sudo tee -a "$crontab_file" > /dev/null
#printf %b\\n "40 12 * * * sudo bash $script_location/block_that.sh" | sudo tee -a "$crontab_file" > /dev/null
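As an added example (not the original script above), the same extraction reworked as a function that reads log text on stdin, so it can be tried on constructed sample lines without a router: it keeps only lines matching the query, pulls the SRC= address, drops unspecified, loopback, RFC 1918 private, link-local and limited-broadcast addresses by pattern rather than by per-range sed edits, and sorts the result numerically by octet. The sample log lines, the host name and the function names are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example, not the page's script. Constructed syslog lines in the
# usual netfilter "IN=... SRC=... DST=..." form (addresses are documentation ranges).
sample_log='Jun  5 05:34:58 Bifrost kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=22
Jun  5 05:34:59 Bifrost kernel: DROP IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.1 PROTO=UDP DPT=53
Jun  5 05:35:00 Bifrost kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=443
Jun  5 05:35:01 Bifrost kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23
Jun  5 05:35:02 Bifrost kernel: DROP IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP DPT=67
Jun  5 05:35:03 Bifrost kernel: DROP IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP DPT=22
Jun  5 05:35:04 Bifrost kernel: DROP IN=eth0 OUT= SRC=198.51.100.42 DST=192.0.2.1 PROTO=TCP DPT=22'

# Return 0 (true) for addresses that must never land on a block-list:
# unspecified, limited broadcast, loopback, RFC 1918 private and link-local.
is_excluded_ip() {
  case "$1" in
    0.0.0.0|255.255.255.255|127.*|10.*|192.168.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Read log text on stdin; print a sorted, de-duplicated list of SRC addresses
# taken from lines containing the query (default "DROP"), minus excluded ranges.
build_blocklist() {
  query="${1:-DROP}"
  grep -F -- "$query" \
    | grep -Eo 'SRC=[0-9]{1,3}(\.[0-9]{1,3}){3}' \
    | cut -d= -f2 \
    | while IFS= read -r ip; do
        is_excluded_ip "$ip" || printf '%s\n' "$ip"
      done \
    | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | uniq
}

# Run the pipeline over the constructed sample; the private, unspecified and
# ACCEPTed sources are dropped and the repeated 203.0.113.7 appears once.
printf '%s\n' "$sample_log" | build_blocklist DROP
```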