sysadmin/scripts/blackhole.py

77 lines
1.9 KiB
Python
Raw Normal View History

2017-09-15 14:11:31 -04:00
#!/usr/bin/python3
# simple ip blackhole list :)
# afx Nov 2016
#
# requires Pygtail
# should be installed to iptables filtered machine with DROP and LOG policy
# the idea is that any traffic coming to this serviceless machine can be assumed
# as bad and then listed for further processing
from pygtail import Pygtail
import sys
import signal
import re
import time
import json
kernlog = '/var/log/kern.log'
dbfile = '/var/www/html/blacklist.txt'
#add whitelisted ips here:
whitelist = [ '1.2.3.4',
'5.6.7.8' ]
######
def signal_handler(signal, frame):
print('You\'ve pressed Ctrl+C. Listing stats and exiting...')
print('')
print(json.dumps(stats))
sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)
print('.o.oOo.o. blackhole.py by afx .o.oOo.o.')
print('^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^')
print('Whitelist: {}'.format(whitelist))
blacklist = []
stats = {}
try:
blackfile = open(dbfile, 'r')
for item in blackfile:
blacklist.append(item.strip())
blackfile.close()
print('Blacklist: {}'.format(blacklist))
except Exception as e:
print(e)
print('Blacklist empty.')
print('')
while True:
time.sleep(1)
for line in Pygtail(kernlog):
query = re.findall( r'SRC=[0-9]+(?:\.[0-9]+){3}', line )
newip = query[0][4:]
if newip in whitelist:
print('{} whitelisted'.format(newip))
continue
elif newip in blacklist:
try:
oldcounter = stats[newip]
except:
oldcounter = 0
counter = oldcounter + 1
stats.update({ newip: counter })
print('{} -> {}'.format(newip, str(stats[newip])))
else:
print('{} blackholed'.format(newip))
blacklist.append(newip)
blackfile = open(dbfile, 'w')
for item in blacklist:
blackfile.write("%s\n" % item)
blackfile.close()
#EOF