@cdpb
Created February 16, 2016 08:58
Block scan servers persistent OpenBSD pf
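#!/bin/ksh
# Watch the honeypot access log and add every new client address to a
# persistent pf block table.
LOG="/tmp/access_pot.log"
BLACKLIST="/root/config/pf/persistent-block.list"
# First octets treated as private (RFC 1918) space and never blocked.
# This is a coarse match on the first octet only.
set -A RFCS 10 172 192

while true; do
    if [[ -e $LOG ]]; then
        tail -f "$LOG" | while read -r LINE; do
            # The first field of the nginx access log is the client address.
            IP=$(echo "$LINE" | awk '{ print $1 }')
            # Only dotted-quad IPv4 is handled; skip anything else.
            if ! echo "$IP" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                continue
            fi
            # Fixed-string, whole-line match so 1.2.3.4 does not match 11.2.3.40.
            if grep -qxF -- "$IP" "$BLACKLIST"; then
                echo "already blocked $IP"
            else
                PRIVATE=false
                WHITE=false
                # Resolve the whitelisted hosts; take the first A record only.
                IP1=$(host example1.com | awk '/has address/ { print $4; exit }')
                IP2=$(host example2.com | awk '/has address/ { print $4; exit }')
                set -A WHITELISTS $IP1 $IP2
                for WHITELIST in "${WHITELISTS[@]}"; do
                    if [[ $WHITELIST == "$IP" ]]; then
                        echo "ignore whitelist $IP"
                        WHITE=true
                        break
                    fi
                done
                # A separate flag is used so the loop variable does not overwrite it.
                OCT1=$(echo "$IP" | cut -d'.' -f1)
                for RFC in "${RFCS[@]}"; do
                    if [[ $OCT1 == "$RFC" ]]; then
                        echo "ignore rfc $IP"
                        PRIVATE=true
                        break
                    fi
                done
                if [[ $PRIVATE == false && $WHITE == false ]]; then
                    echo "block $IP"
                    echo "$IP" >> "$BLACKLIST"
                    pfctl -t pblock -T add "$IP"
                    MSG=$(curl --silent "ipinfo.io/$IP")
                    # Pipe the lookup result in as the mail body; a bare mail
                    # would read stdin and swallow lines from the tail pipeline.
                    echo "$MSG" | mail -s "new blocked" example@123.com
                fi
            fi
        done
        break
    else
        sleep 300
    fi
done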
# nginx config
user www;
worker_processes 1;
worker_rlimit_nofile 1024;
events {
    worker_connections 800;
}
http {
    server {
        listen 192.168.3.200;
        access_log /tmp/access_pot.log;
    }
}
# pf config
...
table <pblock> persist file "/root/config/pf/persistent-block.list"
block quick log from <pblock>
...
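
The script skips private sources by comparing only the first octet against 10, 172 and 192, which also exempts public addresses such as 172.32.0.5 from blocking. As an added example (not part of the gist), the POSIX sh functions below validate the log field as IPv4 and match the exact RFC 1918 ranges before anything would be handed to pfctl; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not the gist's code): decide whether a log-derived address
# may be added to the pf table. Function names are hypothetical.

# Succeeds only for four decimal octets 0-255 without leading zeros.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # leading zero or too long
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Succeeds for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 only.
is_rfc1918() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    case "$1" in
        10)  return 0 ;;
        172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
        192) if [ "$2" -eq 168 ]; then return 0; fi ;;
    esac
    return 1
}

# classify_line LINE [WHITELISTED_IP...] prints "block IP" or "skip REASON".
classify_line() {
    line=$1; shift
    ip=${line%% *}                      # first field of the access log line
    if ! is_ipv4 "$ip"; then echo "skip invalid"; return; fi
    if is_rfc1918 "$ip"; then echo "skip private $ip"; return; fi
    for w in "$@"; do
        if [ "$w" = "$ip" ]; then echo "skip whitelist $ip"; return; fi
    done
    echo "block $ip"
}

# Constructed sample lines (documentation addresses), one whitelisted address.
WL="198.51.100.7"
classify_line '203.0.113.9 - - [16/Feb/2016:08:58:00 +0000] "GET / HTTP/1.1" 200 0' "$WL"
classify_line '172.32.0.5 - - [16/Feb/2016:08:58:01 +0000] "GET / HTTP/1.1" 200 0' "$WL"
classify_line '172.16.4.1 - - [16/Feb/2016:08:58:02 +0000] "GET / HTTP/1.1" 200 0' "$WL"
classify_line '198.51.100.7 - - [16/Feb/2016:08:58:03 +0000] "GET / HTTP/1.1" 200 0' "$WL"
```

Octets with leading zeros are rejected because some parsers read them as octal, so the address written to the block list could differ from the one that was logged.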
@gaerbsch

it is so amazing!
