SirToffski/block_that.sh Secret

## block_that.sh
#!/usr/bin/env bash

#####################################
#Use Cases
#####################################
# You've got a router running OpenWRT or any other Unix-based OS
# The router is configured to log IPTABLES, login, etc. events in the syslog
# The router is also sending all the logs in real-time to a server (via syslog-ng for example)
# You'd like to extract useful information from this log daily

# As described above, this script runs on my server daily.
# It looks for "DROP" messages from IPTABLES and builds a master file with offending IPs

# There are two "master files". One labelled "top_assholes.txt" contains duplicates because it's structured as:
### 2019.06.05_05:35:01 - Today's top assholes are:
### .....
### 2019.06.05_12:40:02 - Today's top assholes are:
### .....

# Second "master file" master_blocklist.txt contains only unique IPv4 addresses collected by the script
# Similarly, this script can be made to track logins, DHCP, etc. - any info of interest in the syslog
#####################################

## VARIABLES ##
# This valriable may not be required, depending on your setup. In this case syslog-ng makes a new folder daily named as the variable describes.
today_dir=$(date +%Y.%m.%d)

today_expanded=$(date +%Y.%m.%d_%T)
router_IP=Bifrost
log_location=/var/log/network/"$router_IP"/"$today_dir"/messages
script_location="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
query_of_interest=DROP
###############

# Get list of rejected IPs from router logs
grep "$query_of_interest" "$log_location" >"$script_location"/$"today_dir"_assholes.txt

# Extract Source IP addresses only
grep -Eo "SRC=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" "$script_location"/$"today_dir"_assholes.txt >"$script_location"/$"today_dir"_assholes_ip.txt

# Add time and date to the top file
printf %b\\n "
-------------------------------------------
$today_expanded - Today's top assholes are:
-------------------------------------------
" >>"$script_location"/top_assholes.txt

# Remove dupes from today's list and append them to the top file
sort -n "$script_location"/$"today_dir"_assholes_ip.txt | uniq >>"$script_location"/top_assholes.txt

# Again filter top file by IPs only
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$script_location"/top_assholes.txt | sort -n | uniq >"$script_location"/master_blocklist.txt

# Now we need to clean up

# Remove 0.0.0.0 from the list
sed -i 's/0\.0\.0\.0//g' "$script_location"/master_blocklist.txt

# Remove private LAN 192.168.1.0/24 and 192.168.2.0/24 from the list
sed -i -E 's/192\.168\.[1-2]\.[0-9]{1,3}//g' "$script_location"/master_blocklist.txt

# Finally remove 255.255.255.255
sed -i 's/255\.255\.255\.255//g' "$script_location"/master_blocklist.txt

# And last but not the least, remove empty lines from the master list
sed -i '/^$/d' "$script_location"/master_blocklist.txt
# Final sort and de-dup
cp "$script_location"/master_blocklist.txt "$script_location"/master_blocklist1.txt
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$script_location"/master_blocklist1.txt | sort -n | uniq >"$script_location"/master_blocklist.txt

# Housekeeping - removing un-needed files
rm "$script_location"/{"$today_dir"_assholes.txt,"$today_dir"_assholes_ip.txt,master_blocklist1.txt}


# OPTIONAL: Setup cron to execute the script at certain time
# Three tasks to run the script daily at 23:30, 05:30, 12:40
#printf %b\\n "30 23   *   *   *    sudo bash $script_location/block_that.sh" | sudo tee -a "$crontab_file" > /dev/null
#printf %b\\n "30 05   *   *   *    sudo bash $script_location/block_that.sh" | sudo tee -a "$crontab_file" > /dev/null
#printf %b\\n "40 12   *   *   *    sudo bash $script_location/block_that.sh" | sudo tee -a "$crontab_file" > /dev/null
	#!/usr/bin/env bash

	#####################################
	#Use Cases
	#####################################
	# You've got a router running OpenWRT or any other Unix-based OS
	# The router is configured to log IPTABLES, login, etc. events in the syslog
	# The router is also sending all the logs in real-time to a server (via syslog-ng for example)
	# You'd like to extract useful information from this log daily

	# As described above, this script runs on my server daily.
	# It looks for "DROP" messages from IPTABLES and builds a master file with offending IPs

	# There are two "master files". One labelled "top_assholes.txt" contains duplicates because it's structured as:
	### 2019.06.05_05:35:01 - Today's top assholes are:
	### .....
	### 2019.06.05_12:40:02 - Today's top assholes are:
	### .....

	# Second "master file" master_blocklist.txt contains only unique IPv4 addresses collected by the script
	# Similarly, this script can be made to track logins, DHCP, etc. - any info of interest in the syslog
	#####################################

	## VARIABLES ##
	# This valriable may not be required, depending on your setup. In this case syslog-ng makes a new folder daily named as the variable describes.
	today_dir=$(date +%Y.%m.%d)

	today_expanded=$(date +%Y.%m.%d_%T)
	router_IP=Bifrost
	log_location=/var/log/network/"$router_IP"/"$today_dir"/messages
	script_location="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
	query_of_interest=DROP
	###############

	# Get list of rejected IPs from router logs
	grep "$query_of_interest" "$log_location" >"$script_location"/$"today_dir"_assholes.txt

	# Extract Source IP addresses only
	grep -Eo "SRC=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" "$script_location"/$"today_dir"_assholes.txt >"$script_location"/$"today_dir"_assholes_ip.txt

	# Add time and date to the top file
	printf %b\\n "
	-------------------------------------------
	$today_expanded - Today's top assholes are:
	-------------------------------------------
	" >>"$script_location"/top_assholes.txt

	# Remove dupes from today's list and append them to the top file
	sort -n "$script_location"/$"today_dir"_assholes_ip.txt \| uniq >>"$script_location"/top_assholes.txt

	# Again filter top file by IPs only
	grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$script_location"/top_assholes.txt \| sort -n \| uniq >"$script_location"/master_blocklist.txt

	# Now we need to clean up

	# Remove 0.0.0.0 from the list
	sed -i 's/0\.0\.0\.0//g' "$script_location"/master_blocklist.txt

	# Remove private LAN 192.168.1.0/24 and 192.168.2.0/24 from the list
	sed -i -E 's/192\.168\.[1-2]\.[0-9]{1,3}//g' "$script_location"/master_blocklist.txt

	# Finally remove 255.255.255.255
	sed -i 's/255\.255\.255\.255//g' "$script_location"/master_blocklist.txt

	# And last but not the least, remove empty lines from the master list
	sed -i '/^$/d' "$script_location"/master_blocklist.txt
	# Final sort and de-dup
	cp "$script_location"/master_blocklist.txt "$script_location"/master_blocklist1.txt
	grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$script_location"/master_blocklist1.txt \| sort -n \| uniq >"$script_location"/master_blocklist.txt

	# Housekeeping - removing un-needed files
	rm "$script_location"/{"$today_dir"_assholes.txt,"$today_dir"_assholes_ip.txt,master_blocklist1.txt}



	# OPTIONAL: Setup cron to execute the script at certain time
	# Three tasks to run the script daily at 23:30, 05:30, 12:40
	#printf %b\\n "30 23 * * * sudo bash $script_location/block_that.sh" \| sudo tee -a "$crontab_file" > /dev/null
	#printf %b\\n "30 05 * * * sudo bash $script_location/block_that.sh" \| sudo tee -a "$crontab_file" > /dev/null
	#printf %b\\n "40 12 * * * sudo bash $script_location/block_that.sh" \| sudo tee -a "$crontab_file" > /dev/null