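#!/bin/bash
# Scott Sullivan
#
# Blocks IP addresses that repeatedly trip ModSecurity, using whichever host
# firewall is installed (CSF preferred, then APF, then plain iptables), then
# prints the ten rule ids that were tripped most often.
#
# Must run as root.  The Apache error log is read from ERROR_LOG when that
# environment variable is set, otherwise from /etc/httpd/logs/error_log.
# Exits with E_NOTROOT when not root, and with 1 when the log cannot be read
# or no supported firewall is installed.
#
# 1 is true, 0 is false

set -u

readonly root_uid=0
readonly E_NOTROOT=87
readonly ERROR_LOG="${ERROR_LOG:-/etc/httpd/logs/error_log}"

# Treat a failed `id` as "not root" instead of falling through: the old
# numeric -ne test errored on an empty value and then ran the main body.
uid=$(id -u) || uid=
if [ "$uid" != "$root_uid" ]; then
  echo "You must be root to run this script..."
  exit "$E_NOTROOT"
fi

#######################################
# Record whether a firewall command is on PATH.
# Arguments: $1 - command name
#            $2 - name of the global to set to 1 (found) or 0 (missing)
# Outputs:   "<name> command not found" on stdout when missing
#######################################
detectTool() {
  local name=$1 var=$2
  if command -v "$name" >/dev/null 2>&1; then
    printf -v "$var" '%s' 1
  else
    echo "$name command not found"
    printf -v "$var" '%s' 0
  fi
}

#######################################
# Print each IPv4 address that appears on two or more ModSecurity lines.
# Matches the "[client A.B.C.D" token directly, which works for both the
# Apache 2.2 "[client A.B.C.D]" and 2.4 "[client A.B.C.D:port]" forms; the
# old sed chain stripped the ':' and glued the port onto the address, and
# its `cut -d c` also broke on month names containing a 'c' (Oct, Dec).
# Globals:   ERROR_LOG (read)
# Outputs:   one address per line on stdout
#######################################
offenderIPs() {
  grep -i modsecurity -- "$ERROR_LOG" \
    | grep -oE '\[client [0-9]{1,3}(\.[0-9]{1,3}){3}' \
    | cut -d ' ' -f 2 \
    | sort | uniq -d   # sort first: a bare uniq -d only saw adjacent repeats
}

#######################################
# Test that a string is a well-formed dotted-quad IPv4 address.
# Arguments: $1 - candidate address
# Returns:   0 when it is four octets each in 0..255, 1 otherwise
#######################################
isIPv4() {
  local candidate=$1 octet
  [[ "$candidate" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1   # 10# so "08" is not read as octal
  done
  return 0
}

#######################################
# Block every offender with the given tool.
# Only values that pass isIPv4 are handed to the firewall: the address is
# taken from a log line whose content a remote client partly controls, so
# anything else is reported and skipped instead of becoming a firewall
# argument.  Each address is passed quoted, as a single argument.
# Arguments: $1 - csf | apf | iptables
# Globals:   blocked (written) - number of addresses the tool accepted
#######################################
blockOffenders() {
  local tool=$1 ip
  blocked=0
  while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if ! isIPv4 "$ip"; then
      printf 'skipping malformed address %q\n' "$ip" >&2
      continue
    fi
    case "$tool" in
      csf)      csf -d "$ip" "blocked for ModSec violation" ;;
      apf)      apf -d "$ip" "blocked.for.ModSec.violation" ;;
      iptables) iptables -I INPUT -s "$ip" -j DROP ;;
    esac && blocked=$((blocked + 1))   # count only what the tool accepted
  done < <(offenderIPs)
}

detectTool iptables iptables
detectTool csf csf
detectTool apf apf

if [ ! -r "$ERROR_LOG" ]; then
  echo "cannot read $ERROR_LOG" >&2
  exit 1
fi

if [ "$csf" -eq 1 ]; then
  # CSF logic
  echo "/////////////////////////////////////////////"
  echo "//CSF detected...blocking violaters with CSF!"
  echo "/////////////////////////////////////////////"
  blockOffenders csf
  echo "////////////////////////////////////////////////////////////"
  echo "//blocked $blocked IP's with CSF for ModSecurity violations"
  echo "////////////////////////////////////////////////////////////"
elif [ "$apf" -eq 1 ]; then
  # APF logic
  echo "/////////////////////////////////////////////"
  echo "//APF detected...blocking violaters with APF!"
  echo "/////////////////////////////////////////////"
  blockOffenders apf
  echo "////////////////////////////////////////////////////////////"
  echo "//blocked $blocked IP's with APF for ModSecurity violations"
  echo "////////////////////////////////////////////////////////////"
elif [ "$iptables" -eq 1 ]; then
  # IPTABLES logic - only reached when neither csf nor apf was found
  echo "//////////////////////////////////////////////////////////////"
  echo "//Neither APF or CSF found...blocking violaters with iptables!"
  echo "//////////////////////////////////////////////////////////////"
  blockOffenders iptables
  echo "//////////////////////////////////////////////////////////////////////"
  echo "//blocked $blocked IP's with iptables for ModSecurity violations"
  echo "//////////////////////////////////////////////////////////////////////"
else
  echo "////////////////////////////////////////////////////////////////////////////////////////////////////"
  echo "//Neither APF,CSF, or Iptables can be found on your server. What firewall software are you running??"
  echo "////////////////////////////////////////////////////////////////////////////////////////////////////"
  exit 1
fi

# Reload the managed firewall so the new deny entries take effect.
if [ "$csf" -eq 1 ]; then
  echo "Restarting CSF firewall..."
  csf -r >/dev/null 2>&1
  echo "...Done!"
elif [ "$apf" -eq 1 ]; then
  echo "Restarting APF firewall..."
  apf -r >/dev/null 2>&1
  echo "...Done!"
fi

echo ""
echo "///////////////////////////"
echo " Top Ten RuleID's Tripped: "
echo "///////////////////////////"
# sort before uniq -c: without it only adjacent repeats of a rule id were
# counted, so the "top ten" was wrong whenever hits were interleaved.
grep -i modsecurity -- "$ERROR_LOG" \
  | grep -e '\[id\ ' \
  | sed -e 's/^.*\[id\ "//' -e 's/".*$//' \
  | sort | uniq -c | sort -rn | head -n10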