From 4d099f908de2d526b2ec03384a13ee2b74194817 Mon Sep 17 00:00:00 2001
From: Jack-Benny Persson
Date: Thu, 26 Jan 2012 03:05:49 +0100
Subject: [PATCH] First push of files

---
 README | 8 +++
 bluewebpro.sh | 145 ++++++++++++++++++++++++++++++++++++++++++
 bluewebpro_wrapper.sh | 46 ++++++++++++++
 3 files changed, 199 insertions(+)
 create mode 100644 README
 create mode 100755 bluewebpro.sh
 create mode 100755 bluewebpro_wrapper.sh

diff --git a/README b/README
new file mode 100644
index 0000000..93cac02
--- /dev/null
+++ b/README
@@ -0,0 +1,8 @@
+BlueWebPro
+
+A really simple Bash script to search Apache log files for known attack
+patterns and then block the IP number of the potential attacker.
+I wrote this script as a simple proof-of-concept for a company many years ago.
+
+Jack-Benny Persson
+
diff --git a/bluewebpro.sh b/bluewebpro.sh
new file mode 100755
index 0000000..6011806
--- /dev/null
+++ b/bluewebpro.sh
@@ -0,0 +1,145 @@
+#!/bin/bash
+
+################################################################################
+# #
+# Copyright (C) 2008 Jack-Benny Persson #
+# #
+# This program is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+################################################################################
+
+
+# This is a small Bash script to find patterns for known webattacks.
+# The scriptet searches for strings in the Apache logfiles and write
+# a deny from statement to the .htaccess file.
+# This is for Apache only.
+
+### ---Change for your system--- ###
+SLEEP_TIME=15 # Run every NN second
+HTACCESS=/www/webmail/.htaccess
+ACCESS_FILE=/var/log/httpd-access.log
+ERROR_FILE=/var/log/httpd-error.log
+### ---------------------------- ###
+
+
+
+### Test if everything is readable/writeable ###
+
+if test ! -r ${ACCESS_FILE} ; then
+ echo "Can't read ${ACCESS_FILE} - aborting"
+ exit 1
+fi
+
+if test ! -r ${ERROR_FILE} ; then
+ echo "Can't read ${ERROR_FILE} - aborting"
+ exit 1
+fi
+
+if test ! -f ${HTACCESS} ; then
+ touch ${HTACCESS}
+ if [ $? = 1 ] ; then
+ echo "Unable to create ${HTACCESS} - aborting"
+ exit 1
+ fi
+fi
+
+if test -f ${HTACCESS} ; then
+ if test ! -w ${HTACCESS} ; then
+ echo "Can't write to ${HTACCESS} - aborting"
+ exit 1
+ fi
+fi
+
+
+### How to extract IP numbers ###
+
+get_access_ip()
+{
+ awk '{print $1}' | uniq | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}'
+}
+
+get_error_ip()
+{
+ awk '{print $8}' | uniq | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}'
+}
+
+
+### Here we define all our searches ###
+
+suspect_dirs()
+{
+ egrep "/etc/|/home/|/proc/|/tmp|/bin/|/conf/\
+ |/usr/|/opt/|/sbin/|/dev/|/kern/|/boot/|/root/|\
+ /sys/|/system/" $ACCESS_FILE
+}
+
+suspect_dirs_hexcoded()
+{
+ egrep "%2fetc%2f|%2fhome%2f|%2fproc%2f|%2ftmp|\
+ %2fbin%2f|%2fconf%2f|%2fusr%2f|%2fopt%2f|%2fsbin%2f|\
+ %2fdev%2f|%2fkern%2f|%2fboot%2f|%2froot%2f|%2fsys%2f|\
+ %2fsystem%2f" $ACCESS_FILE
+}
+
+dir_travel()
+{
+ egrep "\.\./\.\./" $ACCESS_FILE
+}
+
+win_files()
+{
+ egrep "*\.exe|*\.bat|*\.cmd" $ACCESS_FILE
+}
+
+bad_commands()
+{
+ egrep "cmd=|wget|chmod|echo|netcat" $ACCESS_FILE
+}
+
+hex_codes()
+{
+ egrep "%2f%2e%2e%2f%2e%2e%2f" $ACCESS_FILE ### /../../
+}
+
+misc()
+{
+ egrep "cd%20/|%2flisten%3b" $ACCESS_FILE
+}
+
+w00t()
+{
+ egrep "w00tw00t.at.ISC.SANS.DFind" $ERROR_FILE
+}
+
+
+### Main ###
+
+(
+while true
+do
+ suspect_dirs | get_access_ip > temp_file
+ suspect_dirs_hexcoded | get_access_ip >> temp_file
+ dir_travel | get_access_ip >> temp_file
+ win_files | get_access_ip >> temp_file
+ bad_commands | get_access_ip >> temp_file
+ hex_codes | get_access_ip >> temp_file
+ misc | get_access_ip >> temp_file
+ w00t | get_error_ip >> temp_file
+ cat temp_file | sort | uniq | sed -e 's/^/deny from /' > \
+ $HTACCESS
+ cp temp_file /files_cyberwall/webhackers.txt
+ sleep ${SLEEP_TIME}
+done
+)
diff --git a/bluewebpro_wrapper.sh b/bluewebpro_wrapper.sh
new file mode 100755
index 0000000..cdba26b
--- /dev/null
+++ b/bluewebpro_wrapper.sh
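Review bot: The main loop truncates `$HTACCESS` in place on every cycle (`sed -e 's/^/deny from /' > \ $HTACCESS`), so Apache can observe an empty or half-written file between the redirect opening it and the pipeline finishing, and any hand-maintained rules in that file are discarded each time; build the new content aside and replace atomically, e.g. `sort -u temp_file | sed -e 's/^/deny from /' > "${HTACCESS}.tmp" && mv -f -- "${HTACCESS}.tmp" "$HTACCESS"`. `temp_file` is a predictable name created in whatever directory the script is started from (the wrapper launches it as `bash $DAEMON` with a relative path), and `/files_cyberwall/webhackers.txt` is a hard-coded destination outside the `---Change for your system---` block; both belong in that configuration section, and `mktemp` would give the scratch file a safe location and name. In `win_files`, `*\.exe|*\.bat|*\.cmd` has a leading `*` with nothing to repeat, which is undefined in POSIX ERE and handled differently across grep implementations; `\.exe|\.bat|\.cmd` expresses the intent. Note also that every pattern is matched against the whole log line, referer and user-agent included, so a legitimate referer containing `echo` or `/home/` gets that visitor's address written into the deny list; restricting the match to the request field would reduce such false positives.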
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+################################################################################
+# #
+# Copyright (C) 2008 Jack-Benny Persson #
+# #
+# This program is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+################################################################################
+
+### This is the wrapper for BlueWebProtect ###
+
+DAEMON=bluewebpro.sh
+DAEMON_LOG=bluewebpro_daemon.log
+
+if test ! -x ${DAEMON} ; then
+ echo "Couldn't execute ${DAEMON}"
+ exit 1
+fi
+
+if test -f ${DAEMON_LOG} ; then
+ if test ! -w ${DAEMON_LOG} ; then
+ echo "Unable to write logfile - aborted"
+ exit
+ fi
+fi
+
+
+exec 1>$DAEMON_LOG
+exec 2>&1
+
+nohup bash $DAEMON &
+echo "Daemon $DAEMON started"
+exit 0
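Review bot: The `Unable to write logfile - aborted` branch ends in a bare `exit`, which returns the status of the preceding `echo` (0), so the wrapper reports success on that failure path; it should be `exit 1`, matching the `-x` check above it. `exec 1>$DAEMON_LOG` truncates the log on every start and discards the previous run's output — `exec 1>>"$DAEMON_LOG"` would append — and because stdout is redirected before the final `echo`, the `Daemon ... started` message ends up in the log file rather than on the terminal that invoked the wrapper. The background job's PID (`$!`) is never recorded, so there is no supported way to stop or health-check the daemon later; writing it to a pid file right after `nohup bash $DAEMON &` would address that. `DAEMON` and `DAEMON_LOG` are relative names, so both the `-x` test and the launched script depend on the caller's working directory.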