# Active-response script: block (or unblock) a single source IP in the host
# firewall, choosing the tool by operating system.
# NOTE(review): this listing is not contiguous. The leading number on each
# line is the line number in the original file, and the gaps (e.g. 5 -> 7,
# 25 -> 38, 44 -> 48) are lines that are not part of this excerpt -- among
# them the `case`/`esac`, the `else`, `fi` and `done` lines, and the
# assignments of IP, ACTION, UNAME, LOCK, MSL, S_PID, i, MAX_ITERATION,
# RES, COUNT, ECHO and GREP. The comments below describe only what the
# visible lines establish; hedged notes must be confirmed against the full
# script.
2 # Adds an IP to the iptables drop list (if linux)
3 # Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
4 # Adds an IP to the ipsec drop list (if aix)
5 # Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
7 # Author: Ahmet Ozturk (ipfilter and IPSec)
8 # Author: Daniel B. Cid (iptables)
10 # Last modified: Oct 04, 2012
# Firewall tool locations. The Linux path gets a "/usr" prefix fallback
# further down if /sbin/iptables is not executable.
16 IP4TABLES="/sbin/iptables"
17 IP6TABLES="/sbin/ip6tables"
# UNAME is assigned outside the excerpt (presumably from `uname`); the `fi`
# closing this block is not visible either.
19 if [ "X$UNAME" = "XSunOS" ]; then
20 IPFILTER="/usr/sbin/ipf"
# AIX IPSec filter-rule tools (generate, list, activate, remove).
22 GENFILT="/usr/sbin/genfilt"
23 LSFILT="/usr/sbin/lsfilt"
24 MKFILT="/usr/sbin/mkfilt"
25 RMFILT="/usr/sbin/rmfilt"
# Script name; presumably the pgrep pattern used when breaking a stale lock
# (see the NOTE at line 102).
38 filename=$(basename "$0")
# LOCK is assigned outside the excerpt; the pid file of the lock holder
# lives inside that directory.
41 LOCK_PID="${LOCK}/pid"
# Log path is relative to the caller's working directory, so the script
# must be started from the active-response bin directory for the log to
# land in logs/.
42 LOG_FILE="${PWD}/../logs/active-responses.log"
# Audit line: every invocation, with its first five arguments, is logged
# before any validation happens. ${LOG_FILE} is unquoted here and in every
# redirection below.
44 echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
# IP is assigned outside the excerpt (the usage line suggests it is $3).
# Empty IP -> usage message (the exit is not visible).
48 if [ "x${IP}" = "x" ]; then
49 echo "$0: <action> <username> <ip>"
# Select the iptables binary by address family. The `case "${IP}" in` line
# and its `esac` are not in the excerpt. These are shell globs, not address
# checks: any string containing ':' or '.' is accepted, so this does not
# validate the syntax of the value that is later interpolated into command
# lines (and, on the ipfilter and AIX paths, passed through `eval`). A
# regex check (e.g. `[[ "$IP" =~ ^[0-9.]+$ ]]` / a hex-and-colon check for
# IPv6) before this point would reject anything that is not an address.
54 *:* ) IPTABLES=$IP6TABLES;;
55 *.* ) IPTABLES=$IP4TABLES;;
56 * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;;
# Lock acquisition. MAX_ITERATION (assigned outside the excerpt) bounds the
# wait loop below.
59 # This number should be more than enough (even if a hundred
60 # instances of this script are run together). If you have
61 # a really loaded env, you can increase it to 75 or 100.
# mkdir is the atomic lock primitive; MSL presumably captures its exit
# status (the assignment on the next original line is not visible).
70 mkdir ${LOCK} > /dev/null 2>&1
72 if [ "${MSL}" = "0" ]; then
73 # Lock acquired (setting the pid)
74 echo "$$" > ${LOCK_PID}
# Lock held by another instance: read the holder's pid. S_PID appears to be
# the pid seen on the previous iteration (its assignment is not visible).
78 # Getting currently/saved PID locking the file
79 C_PID=`cat ${LOCK_PID} 2>/dev/null`
80 if [ "x" = "x${S_PID}" ]; then
84 # Breaking out of the loop after X attempts
85 if [ "x${C_PID}" = "x${S_PID}" ]; then
# Back off briefly on iterations 10 and 25 (the sleep itself is not
# visible).
89 # Sleep 1 after 10/25 iterations
90 if [ "$i" = "10" -o "$i" = "25" ]; then
96 # So i increments 2 by 2 if the pid does not change.
97 # If the pid keeps changing, we will increment one
98 # by one and fail after MAX_ITERATION
# Give up waiting: look for the lock holder among processes matching this
# script's name and, if found, kill it (the kill call and the assignment of
# the `kill` flag are not visible).
100 if [ "$i" = "${MAX_ITERATION}" ]; then
# NOTE(review): "$(unknown)" looks like an extraction artifact -- the pgrep
# pattern was presumably "${filename}" (set at line 38). As written this
# would try to execute a command named `unknown`. Confirm against the
# original script.
102 for pid in `pgrep -f "$(unknown)"`; do
103 if [ "x${pid}" = "x${C_PID}" ]; then
104 # Unlocking and exiting
106 echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE}
# `kill` here is a shell variable used as a flag, not the builtin.
115 if [ "x${kill}" = "xfalse" ]; then
116 echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE}
117 # Unlocking and exiting
# ACTION is assigned outside the excerpt (presumably $1); only "add" and
# "delete" are accepted. Note this check runs after the lock has been taken.
134 if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
135 echo "$0: invalid action: ${ACTION}"
# --- Linux: iptables ---
141 # We should run on linux
142 if [ "X${UNAME}" = "XLinux" ]; then
# add -> insert (-I) a DROP rule at the top of INPUT and FORWARD;
# delete (the `else` is not visible) -> remove (-D) those same rules.
# ${IP} is embedded verbatim in the argument strings, which are presumably
# expanded unquoted later so that they word-split into arguments.
143 if [ "x${ACTION}" = "xadd" ]; then
144 ARG1="-I INPUT -s ${IP} -j DROP"
145 ARG2="-I FORWARD -s ${IP} -j DROP"
147 ARG1="-D INPUT -s ${IP} -j DROP"
148 ARG2="-D FORWARD -s ${IP} -j DROP"
# Fall back from /sbin to /usr/sbin when the binary is not executable.
151 # Checking if iptables is present
152 if [ ! -x ${IPTABLES} ]; then
153 IPTABLES="/usr"${IPTABLES}
154 if [ ! -x ${IPTABLES} ]; then
155 echo "$0: can not find iptables"
# Two retry loops, one per rule (presumably INPUT then FORWARD). The
# iptables invocations that set RES and the loop/`break` lines are not
# visible. Every failure is logged with the status and the attempt count;
# once COUNT exceeds 4 the loop is abandoned.
160 # Executing and exiting
167 if [ $RES = 0 ]; then
170 COUNT=`expr $COUNT + 1`;
171 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
174 if [ $COUNT -gt 4 ]; then
183 if [ $RES = 0 ]; then
186 COUNT=`expr $COUNT + 1`;
187 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
190 if [ $COUNT -gt 4 ]; then
# --- FreeBSD / SunOS / NetBSD: ipfilter ---
199 # FreeBSD, SunOS or NetBSD with ipfilter
200 elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then
# Presence checks use `ls`; its status is presumably tested on the lines
# that follow (not visible). `[ -x ... ]` would avoid the extra process.
202 # Checking if ipfilter is present
203 ls ${IPFILTER} >> /dev/null 2>&1
# ECHO is assigned outside the excerpt.
208 # Checking if echo is present
209 ls ${ECHO} >> /dev/null 2>&1
# Rule text in ipf syntax, wrapped in escaped quotes so that it survives
# the `eval` below as a single word. `-f -` loads rules from stdin;
# `-rf -` removes the rules read from stdin (the `else` is not visible).
214 if [ "x${ACTION}" = "xadd" ]; then
215 ARG1="\"@1 block out quick from any to ${IP}\""
216 ARG2="\"@1 block in quick from ${IP} to any\""
217 IPFARG="${IPFILTER} -f -"
219 ARG1="\"@1 block out quick from any to ${IP}\""
220 ARG2="\"@1 block in quick from ${IP} to any\""
221 IPFARG="${IPFILTER} -rf -"
# `eval` re-parses the whole line, so the value of IP is interpreted as
# shell syntax here rather than passed as data, and the glob check at
# lines 54-56 does not exclude shell metacharacters. Writing the rule with
# `printf '%s\n' "@1 block in quick from ${IP} to any" | ${IPFILTER} -f -`
# (no eval) would keep IP as plain data.
225 eval ${ECHO} ${ARG1}| ${IPFARG}
226 eval ${ECHO} ${ARG2}| ${IPFARG}
# --- AIX: IPSec filter rules ---
231 elif [ "X${UNAME}" = "XAIX" ]; then
# Same `ls`-based presence checks for each of the four AIX tools.
233 # Checking if genfilt is present
234 ls ${GENFILT} >> /dev/null 2>&1
239 # Checking if lsfilt is present
240 ls ${LSFILT} >> /dev/null 2>&1
244 # Checking if mkfilt is present
245 ls ${MKFILT} >> /dev/null 2>&1
250 # Checking if rmfilt is present
251 ls ${RMFILT} >> /dev/null 2>&1
# add: generate an IPv4 deny rule (-a D) for the single host ${IP}
# (/32 mask) to any destination, with a descriptive -D text. As on the
# ipfilter path, ${IP} goes through `eval` here.
256 if [ "x${ACTION}" = "xadd" ]; then
257 ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\""
258 #Add filter to rule table
259 eval ${GENFILT} ${ARG1}
# Rules only take effect after the table is deactivated and re-activated.
261 #Deactivate and activate the filter rules.
262 eval ${MKFILT} -v 4 -d
263 eval ${MKFILT} -v 4 -u
# delete (the `else` is not visible): list the active IPv4 rules, pick the
# ones mentioning ${IP} and remove them by number. ${IP} is used here as
# an unquoted basic regex, so '.' matches any character and e.g. 10.0.0.1
# also matches lines for 10.0.0.10; `${GREP} -F -w -- "${IP}"` would match
# the literal address only. The `while read LINE` that feeds the body
# (original lines 267-268) is not visible.
265 # removing a specific rule is not so easy :(
266 eval ${LSFILT} -v 4 -O | ${GREP} ${IP} |
# First '|'-separated field of the listing is the rule number; the +1
# presumably maps lsfilt's output numbering onto rmfilt's -n numbering --
# confirm. Note that removing rules while iterating shifts later numbers.
269 RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"`
270 let RULEID=${RULEID}+1
271 ARG1=" -v 4 -n ${RULEID}"
272 eval ${RMFILT} ${ARG1}
# Re-apply the table so the removal takes effect.
274 #Deactivate and activate the filter rules.
275 eval ${MKFILT} -v 4 -d
276 eval ${MKFILT} -v 4 -u