#!/usr/bin/python3

# simple ip blackhole list :)
# afx Nov 2016
#
# requires Pygtail
# should be installed to iptables filtered machine with DROP and LOG policy
# the idea is that any traffic coming to this serviceless machine can be assumed 
# as bad and then listed for further processing

from pygtail import Pygtail

import sys
import signal
import re
import time
import json

kernlog = '/var/log/kern.log'
dbfile = '/var/www/html/blacklist.txt'

#add whitelisted ips here:
whitelist = [ '1.2.3.4',
              '5.6.7.8' ]

######

def signal_handler(signal, frame):
    print('You\'ve pressed Ctrl+C. Listing stats and exiting...')
    print('')
    print(json.dumps(stats))
    sys.exit(0)

signal.signal(signal.SIGINT, signal_handler)

print('.o.oOo.o. blackhole.py by afx .o.oOo.o.')
print('^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^')
print('Whitelist: {}'.format(whitelist))
blacklist = []
stats = {}
try:
    blackfile = open(dbfile, 'r')
    for item in blackfile:
        blacklist.append(item.strip())
    blackfile.close()
    print('Blacklist: {}'.format(blacklist))
except Exception as e:
    print(e)
    print('Blacklist empty.')
print('')

while True:
    time.sleep(1)
    for line in Pygtail(kernlog):
        query = re.findall( r'SRC=[0-9]+(?:\.[0-9]+){3}', line )
        newip = query[0][4:]
        if newip in whitelist:
            print('{} whitelisted'.format(newip))
            continue
        elif newip in blacklist:
            try:
                oldcounter = stats[newip]
            except:
                oldcounter = 0
            counter = oldcounter + 1
            stats.update({ newip: counter })
            print('{} -> {}'.format(newip, str(stats[newip])))
        else:
            print('{} blackholed'.format(newip))
            blacklist.append(newip)
            blackfile = open(dbfile, 'w')
            for item in blacklist:
                blackfile.write("%s\n" % item)
            blackfile.close()
            
#EOF