forked from ossec/ossec-hids
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirewalld-drop.sh
executable file
·169 lines (141 loc) · 3.86 KB
/
firewalld-drop.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
#!/bin/sh
# Adds an IP to the firewalld drop list
# Requirements: Linux with firewalld
# Expect: srcip
# Author: Daniel B. Cid (iptables)
# Author: cgzones
# Author: ChristianBeer
# Last modified: Apr 10, 2015
UNAME=`uname`
ECHO="/bin/echo"
GREP="/bin/grep"
FWDCMD="/bin/firewall-cmd"
RULE=""
ARG1=""
# ARG2 can be used to specify the zone where the rich rule should be added otherwise it adds it to the default zone
ARG2=""
#ARG2="--zone=external"
RULEID=""
ACTION=$1
USER=$2
IP=$3
PWD=`pwd`
LOCK="${PWD}/fw-drop"
LOCK_PID="${PWD}/fw-drop/pid"
LOCAL=`dirname $0`;
cd $LOCAL
cd ../
filename=$(basename "$0")
LOG_FILE="${PWD}/../logs/active-responses.log"
echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
# Checking for an IP
if [ "x${IP}" = "x" ]; then
echo "$0: <action> <username> <ip>"
exit 1;
fi
case "${IP}" in
*:* ) RULE="rule family='ipv6' source address='${IP}' drop";;
*.* ) RULE="rule family='ipv4' source address='${IP}' drop";;
* ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;;
esac
# This number should be more than enough (even if a hundred
# instances of this script is ran together). If you have
# a really loaded env, you can increase it to 75 or 100.
MAX_ITERATION="50"
# Lock function
lock()
{
i=0;
# Providing a lock.
while [ 1 ]; do
mkdir ${LOCK} > /dev/null 2>&1
MSL=$?
if [ "${MSL}" = "0" ]; then
# Lock acquired (setting the pid)
echo "$$" > ${LOCK_PID}
return;
fi
# Getting currently/saved PID locking the file
C_PID=`cat ${LOCK_PID} 2>/dev/null`
if [ "x" = "x${S_PID}" ]; then
S_PID=${C_PID}
fi
# Breaking out of the loop after X attempts
if [ "x${C_PID}" = "x${S_PID}" ]; then
i=`expr $i + 1`;
fi
sleep $i;
i=`expr $i + 1`;
# So i increments 2 by 2 if the pid does not change.
# If the pid keeps changing, we will increments one
# by one and fail after MAX_ITERACTION
if [ "$i" = "${MAX_ITERATION}" ]; then
kill="false"
for pid in `pgrep -f "${filename}"`; do
if [ "x${pid}" = "x${C_PID}" ]; then
# Unlocking and exiting
kill -9 ${C_PID}
echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE}
kill="true"
unlock;
i=0;
S_PID="";
break;
fi
done
if [ "x${kill}" = "xfalse" ]; then
echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE}
# Unlocking and exiting
unlock;
exit 1;
fi
fi
done
}
# Unlock function
unlock()
{
rm -rf ${LOCK}
}
# Blocking IP
if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
echo "$0: invalid action: ${ACTION}"
exit 1;
fi
# We should run on linux
if [ "X${UNAME}" = "XLinux" ]; then
if [ "x${ACTION}" = "xadd" ]; then
ARG1="--add-rich-rule="
else
ARG1="--remove-rich-rule="
fi
# Checking if firewall-cmd is present
if [ ! -x ${FWDCMD} ]; then
FWDCMD="/usr"${FWDCMD}
if [ ! -x ${FWDCMD} ]; then
echo "$0: can not find firewall-cmd"
exit 1;
fi
fi
# Executing and exiting
COUNT=0;
lock;
while [ 1 ]; do
${FWDCMD} ${ARG1}"${RULE}" ${ARG2} >/dev/null
RES=$?
if [ $RES = 0 ]; then
break;
else
COUNT=`expr $COUNT + 1`;
echo "`date` Unable to run (firewall-cmd returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
sleep $COUNT;
if [ $COUNT -gt 4 ]; then
break;
fi
fi
done
unlock;
exit 0;
else
exit 0;
fi