@subfission
Last active December 1, 2017 07:31
Script to ban attackers using HostGator Firewall, CPHulk, and iptables.
#!/usr/bin/env bash
# Script: hgfban
#
# Written By: Zach Jetson
#
# This script is intended to be used with webservers that
# consume flat files for banning hosts by IP.
#
# Copy this file to /opt/hgfban with execute permissions: chmod +x
#
# Add this to cPHulk Brute Force Protection "command to run"
# to auto-ban SSH abusers through HostGator firewall.
# /opt/hgfban %remote_ip%
#
BANFILE=/etc/firewall/IPDROP_GLOBAL
# Uncomment the line below to email notifications.
#EMAIL_ALERT="someone@sample.com"
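if [ "$(whoami)" != "root" ]; then
    echo "$0 must be run as root... Aborting."; exit 192
fi
if [[ "$#" -eq 0 ]]; then
    echo "Missing host to ban!"; exit 1
fi
IP=$1
REASON=$2
# Validate before the value reaches grep or iptables:
# it must be a dotted quad with every octet in the range 0-255.
if [[ ! $IP =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]]; then
    echo "invalid or no IP address given"
    exit 1
fi
for OCTET in "${BASH_REMATCH[@]:1}"; do
    # 10# forces base 10 so an octet such as 08 is not read as octal.
    if (( 10#$OCTET > 255 )); then
        echo "invalid or no IP address given"
        exit 1
    fi
done
# -F matches the address literally and -w only as a whole word,
# so 1.2.3.4 is not reported as banned because 11.2.3.45 is.
if iptables -L -n -v | grep -qwF -- "$IP"; then
    echo "IP address already banned: $IP"
    exit 1
fi
# This bans the IP address using the HG chain, which is the cleanest method.
# Do not change this unless you stop using the HGF.
if ! /sbin/iptables -A ipdrop_global -s "$IP" -j DROP; then
    echo "iptables failed to add a rule for $IP"
    exit 1
fi
# Dump the banned IP into the ban file in case the FW is restarted.
echo "$IP" >> "$BANFILE"
# Don't restart the firewall, as the rule is already embedded into iptables.
# /etc/rc.d/init.d/firewall restart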
if [ -z "${EMAIL_ALERT}" ]; then
    exit 0
fi
# Look up the address over HTTPS and give up after 10 seconds.
IP_INFO=$(curl --silent --max-time 10 "https://ipinfo.io/$IP" 2>/dev/null)
# Use this method if hitting the 1000 API call limit. This method
# is not updated as frequently and requires geoip to be installed.
# install: sudo yum install geoip
#IP_INFO=$(geoiplookup "$IP" 2>/dev/null)
/bin/mail -s "HGFBAN: banned IP" -S from="no-reply<no-reply@$(hostname)>" "$EMAIL_ALERT" <<MSG_BODY
Banned IP: $IP
Date: $(date)
$REASON
$IP_INFO
MSG_BODY
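
The script's comments say the ban file is kept in case the firewall is restarted, so bad entries in it matter later. As an added example (not part of the gist), these POSIX shell functions audit such a file for entries that are not valid IPv4 addresses and for repeated addresses. The function names and sample addresses are constructed, and the one-address-per-line format is an assumption.

```shell
#!/bin/sh
# Added example (not part of hgfban): audit a flat ban file for entries that
# are not valid IPv4 addresses and for addresses listed more than once.
# Assumption: one bare IPv4 address per line, the form hgfban appends.

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, the value holds only [0-9.]
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# audit_banfile FILE: print "LINE: KIND: TEXT" for each problem entry.
audit_banfile() {
    seen=" "
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue            # skip blank lines
        if ! valid_ipv4 "$line"; then
            echo "$n: invalid: $line"
        else
            case "$seen" in
                *" $line "*) echo "$n: duplicate: $line" ;;
                *) seen="$seen$line " ;;
            esac
        fi
    done < "$1"
}

# Constructed sample content (documentation address ranges).
sample_banfile() {
    printf '%s\n' 203.0.113.7 198.51.100.23 999.1.1.1 203.0.113.7 192.0.2.300 10.0.0
}

tmp=$(mktemp) && sample_banfile > "$tmp" && audit_banfile "$tmp"
rm -f "$tmp"
```

To check a real file, call `audit_banfile` with its path, for example the `BANFILE` location set at the top of the script.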
@subfission
updated for heredoc usage.