fisherwei/README.md

## README.md

      
    Raw
  

              README.md
            
          
    usage

ban.py
`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=web | python2 ./ban.py`

ratecounter.py
`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=web | python2 ratecounter.py web`
`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=tracker | python2 ratecounter.py tracker`

sample

02:14:09 web Avg,All: 0.0,1.9/s, T5: 36.157.x.x: 0.1/s, 220.184.x.x: 0.0/s, 124.78.x.x: 0.0/s, 117.30.x.x: 0.0/s, 113.118.x.x: 0.0/s
02:15:28 tracker Avg,All: 0.1,147.5/s, T5: 27.184.x.x: 1.7/s, 180.111.x.x: 1.7/s, 49.80.x.x: 1.6/s, 220.17.x.x: 1.3/s, 112.32.x.x: 1.2/s
ban ('164.68.107.152', '302', '/torrents.php') 16

  
## fail2ban.py
#!/usr/bin/env python2
import sys

from collections import Counter
import requests


counter = Counter()

import requests

headers = {
    'X-Auth-Email': '',
    'X-Auth-Key': '',
    'Content-Type': 'application/json',
}

data_tmp = '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"Banned by Fail2Ban:%s"}'

# response = requests.post('https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules', headers=headers, data=data)

banned = set()

for line in sys.stdin:
  s = line.split()
  if len(s) <= 8:
  	continue
  ip, code, url = s[0], s[8], s[6]
  if ip in banned:
  	continue
  # print s
  if s[8] != "200":
    counter[(ip,code,url)] += 1
    if counter[(ip,code,url)] > 15:
      print "ban", (ip,code,url), counter[(ip,code,url)]
      data = data_tmp % (ip, "%s-%sx%s" % (url,code, counter[(ip,code,url)]))
      response = requests.post('https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules', headers=headers, data=data)
      print response.json()
      # break
      del counter[(ip,code,url)]
      banned.add(ip)

## ratecounter.py
#!/usr/bin/env python2
import sys
import time
from collections import deque, Counter
import logging

logging.basicConfig(level=logging.DEBUG, datefmt="%H:%M:%S", format='%(asctime)s %(name)s%(message)s')
logger = logging.getLogger((sys.argv[1] + " ") if len(sys.argv) > 1 else "")

c = Counter()
q = deque() #("ip", timestamp)
dur = 60
ban = set()
interval = 3

last_report = 0
for line in sys.stdin:
	now = time.time()
	ip = line.split()[0]
	# popleft if too old
	while q:
		lastip, ts = q[0]
		if now - ts > dur:
			q.popleft()
			c.subtract((lastip,))
			if c[lastip] <= 0:
				del c[lastip]
			continue
		break
	# append and add to counter
	q.append((ip, now))
	c.update((ip,))
	if now - last_report > interval:
		rates = []
		if now > q[0][1]:
			for ip, count in c.most_common(5):
				rates.append("%s: %0.1f/s" % (ip, count/(now-q[0][1])))
			all_ = len(q) / (now-q[0][1])
			avg = all_ / len(c)
			logger.debug("Avg,All: %0.1f,%0.1f/s, T5: %s", avg, all_, ", ".join(rates))
		last_report = now

## unban.py
import CloudFlare

def main():
    cf = CloudFlare.CloudFlare(email=", token="")
    zone_info = cf.zones.get(params={'name': 'xxx.com'})
    # print zone_info
    rules = (cf.user.firewall.access_rules.rules.get(params = {'per_page':1000}))
    print "rules:", len(rules)
    for rule in rules[410:]:
    	print "deleting", rule
    	print "delete", cf.user.firewall.access_rules.rules.delete(rule["id"])


if __name__ == '__main__':
    main()
	#!/usr/bin/env python2
	import sys

	from collections import Counter
	import requests


	counter = Counter()

	import requests

	headers = {
	'X-Auth-Email': '',
	'X-Auth-Key': '',
	'Content-Type': 'application/json',
	}

	data_tmp = '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"Banned by Fail2Ban:%s"}'

	# response = requests.post('https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules', headers=headers, data=data)

	banned = set()

	for line in sys.stdin:
	s = line.split()
	if len(s) <= 8:
	continue
	ip, code, url = s[0], s[8], s[6]
	if ip in banned:
	continue
	# print s
	if s[8] != "200":
	counter[(ip,code,url)] += 1
	if counter[(ip,code,url)] > 15:
	print "ban", (ip,code,url), counter[(ip,code,url)]
	data = data_tmp % (ip, "%s-%sx%s" % (url,code, counter[(ip,code,url)]))
	response = requests.post('https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules', headers=headers, data=data)
	print response.json()
	# break
	del counter[(ip,code,url)]
	banned.add(ip)
	#!/usr/bin/env python2
	import sys
	import time
	from collections import deque, Counter
	import logging

	logging.basicConfig(level=logging.DEBUG, datefmt="%H:%M:%S", format='%(asctime)s %(name)s%(message)s')
	logger = logging.getLogger((sys.argv[1] + " ") if len(sys.argv) > 1 else "")

	c = Counter()
	q = deque() #("ip", timestamp)
	dur = 60
	ban = set()
	interval = 3

	last_report = 0
	for line in sys.stdin:
	now = time.time()
	ip = line.split()[0]
	# popleft if too old
	while q:
	lastip, ts = q[0]
	if now - ts > dur:
	q.popleft()
	c.subtract((lastip,))
	if c[lastip] <= 0:
	del c[lastip]
	continue
	break
	# append and add to counter
	q.append((ip, now))
	c.update((ip,))
	if now - last_report > interval:
	rates = []
	if now > q[0][1]:
	for ip, count in c.most_common(5):
	rates.append("%s: %0.1f/s" % (ip, count/(now-q[0][1])))
	all_ = len(q) / (now-q[0][1])
	avg = all_ / len(c)
	logger.debug("Avg,All: %0.1f,%0.1f/s, T5: %s", avg, all_, ", ".join(rates))
	last_report = now
	import CloudFlare

	def main():
	cf = CloudFlare.CloudFlare(email=", token="")
	zone_info = cf.zones.get(params={'name': 'xxx.com'})
	# print zone_info
	rules = (cf.user.firewall.access_rules.rules.get(params = {'per_page':1000}))
	print "rules:", len(rules)
	for rule in rules[410:]:
	print "deleting", rule
	print "delete", cf.user.firewall.access_rules.rules.delete(rule["id"])


	if __name__ == '__main__':
	main()