sysadmin/scripts/blackhole.py

#!/usr/bin/python3

# simple ip blackhole list :)
# afx Nov 2016
#
# requires Pygtail
# should be installed to iptables filtered machine with DROP and LOG policy
# the idea is that any traffic coming to this serviceless machine can be assumed 
# as bad and then listed for further processing

from pygtail import Pygtail

import sys
import signal
import re
import time
import json

kernlog = '/var/log/kern.log'
dbfile = '/var/www/html/blacklist.txt'

#add whitelisted ips here:
whitelist = [ '1.2.3.4',
              '5.6.7.8' ]

######

def signal_handler(signal, frame):
    print('You\'ve pressed Ctrl+C. Listing stats and exiting...')
    print('')
    print(json.dumps(stats))
    sys.exit(0)

signal.signal(signal.SIGINT, signal_handler)

print('.o.oOo.o. blackhole.py by afx .o.oOo.o.')
print('^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^')
print('Whitelist: {}'.format(whitelist))
blacklist = []
stats = {}
try:
    blackfile = open(dbfile, 'r')
    for item in blackfile:
        blacklist.append(item.strip())
    blackfile.close()
    print('Blacklist: {}'.format(blacklist))
except Exception as e:
    print(e)
    print('Blacklist empty.')
print('')

while True:
    time.sleep(1)
    for line in Pygtail(kernlog):
        query = re.findall( r'SRC=[0-9]+(?:\.[0-9]+){3}', line )
        newip = query[0][4:]
        if newip in whitelist:
            print('{} whitelisted'.format(newip))
            continue
        elif newip in blacklist:
            try:
                oldcounter = stats[newip]
            except:
                oldcounter = 0
            counter = oldcounter + 1
            stats.update({ newip: counter })
            print('{} -> {}'.format(newip, str(stats[newip])))
        else:
            print('{} blackholed'.format(newip))
            blacklist.append(newip)
            blackfile = open(dbfile, 'w')
            for item in blacklist:
                blackfile.write("%s\n" % item)
            blackfile.close()
            
#EOF
initial commit 2017-09-15 14:11:31 -04:00			`#!/usr/bin/python3`

			`# simple ip blackhole list :)`
			`# afx Nov 2016`
			`#`
			`# requires Pygtail`
			`# should be installed to iptables filtered machine with DROP and LOG policy`
			`# the idea is that any traffic coming to this serviceless machine can be assumed`
			`# as bad and then listed for further processing`

			`from pygtail import Pygtail`

			`import sys`
			`import signal`
			`import re`
			`import time`
			`import json`

			`kernlog = '/var/log/kern.log'`
			`dbfile = '/var/www/html/blacklist.txt'`

			`#add whitelisted ips here:`
			`whitelist = [ '1.2.3.4',`
			`'5.6.7.8' ]`

			`######`

			`def signal_handler(signal, frame):`
			`print('You\'ve pressed Ctrl+C. Listing stats and exiting...')`
			`print('')`
			`print(json.dumps(stats))`
			`sys.exit(0)`

			`signal.signal(signal.SIGINT, signal_handler)`

			`print('.o.oOo.o. blackhole.py by afx .o.oOo.o.')`
			`print('^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^')`
			`print('Whitelist: {}'.format(whitelist))`
			`blacklist = []`
			`stats = {}`
			`try:`
			`blackfile = open(dbfile, 'r')`
			`for item in blackfile:`
			`blacklist.append(item.strip())`
			`blackfile.close()`
			`print('Blacklist: {}'.format(blacklist))`
			`except Exception as e:`
			`print(e)`
			`print('Blacklist empty.')`
			`print('')`

			`while True:`
			`time.sleep(1)`
			`for line in Pygtail(kernlog):`
			`query = re.findall( r'SRC=[0-9]+(?:\.[0-9]+){3}', line )`
			`newip = query[0][4:]`
			`if newip in whitelist:`
			`print('{} whitelisted'.format(newip))`
			`continue`
			`elif newip in blacklist:`
			`try:`
			`oldcounter = stats[newip]`
			`except:`
			`oldcounter = 0`
			`counter = oldcounter + 1`
			`stats.update({ newip: counter })`
			`print('{} -> {}'.format(newip, str(stats[newip])))`
			`else:`
			`print('{} blackholed'.format(newip))`
			`blacklist.append(newip)`
			`blackfile = open(dbfile, 'w')`
			`for item in blacklist:`
			`blackfile.write("%s\n" % item)`
			`blackfile.close()`

			`#EOF`