find2deny 0.1.10.post1558428830

find Bot IPs in log file to firewall them

Tools to build Firewall Command for UFW from List of (Apache)-Log-files.

It creates a file block-ip.sh which contains Linux UWF-Command to block IP-network, but it does not change any Firewall-rules on your computer.

Installation

To install the latest release on PyPI, simply run:

pip install find2deny

Or to install the latest development version, run:

git clone [TODO]
cd find2deny
python setup.py install

Quick Tutorial

For example, you have a set of Apache Logfile in directory apache2: access.log.1, access.log.2, … The python script find2deny-cli can create a shell-Script block-ip.sh which contains commands like:

#!/bin/bash
ufw deny from 1.2.3.4/0 to any
ufw deny from 1.2.3.4/1 to any
...

1. Make a Configuration-File: Simple copy this configuration to a file, say config.toml

verbosity = "INFO"
log_files = ["apache2/access.log.*"]
log_pattern = '%h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"'
database_path="./blocked-ip.sqlite"


[[judgment]]
    name = "path-based-judgment"
    [judgment.rules]
        bot_request = [
            "/?XDEBUG_SESSION_START=phpstorm",
            "/phpMyAdmin/",
            "/pma/",
            "/myadmin/",
            "/MyAdmin/",
            "/mahua/",
            "/wp-login",
            "/webdav/",
            "/help.php",
            "/java.php",
            "/db_pma.php",
            "/logon.php",
            "/help-e.php",
            "/hell.php",
            "/defect.php",
            "/webslee.php",
            "http://www.123cha.com/",
            "http://www.wujieliulan.com/",
            "http://www.epochtimes.com/",
            "http://www.ip.cn/",
            "www.baidu.com:443"
        ]

[[judgment]]
    name = "time-based-judgment"
    [judgment.rules]
        max_request = 501
        interval_seconds = 59


[[execution]]
    name = "ufw_cmd_script"
    [execution.rules]
        script = "./block-ip.sh"

2. Run script

find2deny-init-db blocked-ip.sqlite

to create a Sqlite-Database in file blocked-ip.sqlite. The filename must match the configuration database_path in the file config.toml.

3. Run

find2deny-cli config.toml --verbosity=DEBUG

to create file block-ip.sh. Then you can examinate the file block-ip.sh and run it from your shell to update your firewall.

Configuration

The syntax used in configuration file ist Toml. There are three sections in a configuration files, as you see above

Common Configuration

This section defines common configurations, such as how much infos should be printed onto console, ect.

Judgment

This section defines a list of Judgments. They are identified by name. At this time there are only two judments: path-based-judgment and time-based-judgment. Each judgment has its owns configuration. Judments are class, which uses rules defined in configuration to decide which IPs should be blocked.

Execution

This section defines a list of executions. At this time there is only one execution. Executions are classes which create firewall-rules or execute something, which nessesary to block an IP, or , in this implementation, block the network, to which the ip belongs.