2 # Adds an IP to the iptables drop list (if linux)
3 # Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
4 # Adds an IP to the ipsec drop list (if aix)
5 # Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
7 # Author: Ahmet Ozturk (ipfilter and IPSec)
8 # Author: Daniel B. Cid (iptables)
10 # Last modified: Oct 04, 2012
# NOTE(review): this is a partial listing; the leading numeral on each line is the
# original gutter line number, not part of the script, and many closing
# fi/esac/done lines are absent. Comments below describe only what is visible.
# Default tool locations (Linux). IPTABLES is chosen per address family below.
16 IP4TABLES="/sbin/iptables"
17 IP6TABLES="/sbin/ip6tables"
19 if [ "X$UNAME" = "XSunOS" ]; then
# ipfilter binary (SunOS path; the branch for other BSDs is outside this listing)
20 IPFILTER="/usr/sbin/ipf"
# AIX IPSec filter tools
22 GENFILT="/usr/sbin/genfilt"
23 LSFILT="/usr/sbin/lsfilt"
24 MKFILT="/usr/sbin/mkfilt"
25 RMFILT="/usr/sbin/rmfilt"
# Lock state lives under the current working directory, so the script depends on
# being started from its install dir (the LOCK variable itself is defined outside
# this listing). NOTE(review): the lock dir should not be writable by other users,
# since the pid stored in it is later used as a kill target (see below).
34 LOCK_PID="${PWD}/fw-drop/pid"
# sysctl files consulted to decide whether FORWARD rules are needed
35 IPV4F="/proc/sys/net/ipv4/ip_forward"
36 IPV6F="/proc/sys/net/ipv6/conf/all/forwarding"
41 filename=$(basename "$0")
43 LOG_FILE="${PWD}/../logs/active-responses.log"
# Audit trail: every invocation is logged with its raw arguments (unvalidated at
# this point). LOG_FILE is unquoted here and throughout.
45 echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
# IP is required (assignment from the positional args is outside this listing)
49 if [ "x${IP}" = "x" ]; then
50 echo "$0: <action> <username> <ip>"
# Address-family dispatch (the enclosing case/esac is outside this listing).
# NOTE(review): this only checks for a ':' or '.' and is the sole validation the IP
# receives before it is interpolated unquoted into iptables arguments and, on the
# ipfilter/AIX paths, into eval'd command strings and a grep pattern. A strict
# IPv4/IPv6 format check (e.g. a regex) before this point would be the mitigation.
55 *:* ) IPTABLES=$IP6TABLES;;
56 *.* ) IPTABLES=$IP4TABLES;;
57 * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;;
# MAX_ITERATION bounds the lock-wait loop below.
60 # This number should be more than enough (even if a hundred
61 # instances of this script are run together). If you have
62 # a really loaded env, you can increase it to 75 or 100.
# mkdir is used as the atomic lock primitive; MSL presumably holds its exit
# status (the assignment is outside this listing).
71 mkdir ${LOCK} > /dev/null 2>&1
73 if [ "${MSL}" = "0" ]; then
74 # Lock acquired (setting the pid)
75 echo "$$" > ${LOCK_PID}
79 # Getting currently/saved PID locking the file
# C_PID is read from a file on every iteration; S_PID is the pid seen on the
# previous iteration (first pass: empty).
80 C_PID=`cat ${LOCK_PID} 2>/dev/null`
81 if [ "x" = "x${S_PID}" ]; then
85 # Breaking out of the loop after X attempts
86 if [ "x${C_PID}" = "x${S_PID}" ]; then
94 # So i increments 2 by 2 if the pid does not change.
95 # If the pid keeps changing, we increment one
96 # by one and fail after MAX_ITERATION
98 if [ "$i" = "${MAX_ITERATION}" ]; then
# Stale-lock recovery: kill the lock holder if its pid still appears among
# matching processes. NOTE(review): "$(unknown)" looks like a rendering artifact
# of the original pgrep pattern; confirm against the upstream file. Because C_PID
# comes from a file, the kill target is only as trustworthy as the lock dir's
# permissions.
100 for pid in `pgrep -f "$(unknown)"`; do
101 if [ "x${pid}" = "x${C_PID}" ]; then
102 # Unlocking and exiting
104 echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE}
# kill is a flag set by the loop above (assignment outside this listing)
113 if [ "x${kill}" = "xfalse" ]; then
114 echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE}
115 # Unlocking and exiting
# Only "add" and "delete" are accepted. (`-a` inside `[ ]` is obsolescent;
# two separate tests joined with && are the portable form.)
132 if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
133 echo "$0: invalid action: ${ACTION}"
139 # We should run on linux
140 if [ "X${UNAME}" = "XLinux" ]; then
# -I inserts at the top of the chain so the DROP wins over existing ACCEPTs;
# -D removes the identical rule. ARG1/ARG2 are later word-split, so IP must not
# contain whitespace (it is not checked for that).
141 if [ "x${ACTION}" = "xadd" ]; then
142 ARG1="-I INPUT -s ${IP} -j DROP"
143 ARG2="-I FORWARD -s ${IP} -j DROP"
145 ARG1="-D INPUT -s ${IP} -j DROP"
146 ARG2="-D FORWARD -s ${IP} -j DROP"
149 # Checking if iptables is present
# Fallback from /sbin to /usr/sbin by prefixing the configured path
150 if [ ! -x ${IPTABLES} ]; then
151 IPTABLES="/usr"${IPTABLES}
152 if [ ! -x ${IPTABLES} ]; then
153 echo "$0: can not find iptables"
158 # Executing and exiting
# INPUT rule: retried while RES != 0, up to 4 failures are logged (the retry
# loop's body and the RES assignment are outside this listing)
164 if [ $RES = 0 ]; then
167 COUNT=`expr $COUNT + 1`;
168 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
171 if [ $COUNT -gt 4 ]; then
180 # Looking for IPV4 and IPV6 FORWARD
# Read the forwarding sysctls; when both are "0" the FORWARD rule is presumably
# skipped (the branch bodies are outside this listing).
184 IPV4KEY="$(cat "$IPV4F")"
190 IPV6KEY="$(cat "$IPV6F")"
195 if [ "$IPV4KEY" = "0" ] && [ "$IPV6KEY" = "0" ]
# FORWARD rule: same retry/logging pattern as the INPUT rule above
202 if [ $RES = 0 ]; then
205 COUNT=`expr $COUNT + 1`;
206 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
209 if [ $COUNT -gt 4 ]; then
218 # FreeBSD, SunOS or NetBSD with ipfilter
219 elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then
221 # Checking if ipfilter is present
# Presence is tested with `ls`; `[ -x "${IPFILTER}" ]` would also check it is executable.
222 ls ${IPFILTER} >> /dev/null 2>&1
227 # Checking if echo is present
228 ls ${ECHO} >> /dev/null 2>&1
# ipf rules are fed on stdin (-f -): "add" loads them, "delete" (-rf) removes them.
# NOTE(review): ARG1/ARG2 embed ${IP} and are passed through eval below, so any
# shell metacharacters in IP would be interpreted; this is why the earlier
# validation matters.
233 if [ "x${ACTION}" = "xadd" ]; then
234 ARG1="\"@1 block out quick from any to ${IP}\""
235 ARG2="\"@1 block in quick from ${IP} to any\""
236 IPFARG="${IPFILTER} -f -"
238 ARG1="\"@1 block out quick from any to ${IP}\""
239 ARG2="\"@1 block in quick from ${IP} to any\""
240 IPFARG="${IPFILTER} -rf -"
# Block both directions for the address
244 eval ${ECHO} ${ARG1}| ${IPFARG}
245 eval ${ECHO} ${ARG2}| ${IPFARG}
250 elif [ "X${UNAME}" = "XAIX" ]; then
252 # Checking if genfilt is present
253 ls ${GENFILT} >> /dev/null 2>&1
258 # Checking if lsfilt is present
259 ls ${LSFILT} >> /dev/null 2>&1
263 # Checking if mkfilt is present
264 ls ${MKFILT} >> /dev/null 2>&1
269 # Checking if rmfilt is present
270 ls ${RMFILT} >> /dev/null 2>&1
# AIX: IPv4 only (-v 4). Deny (-a D) traffic from IP with a host mask, any
# destination, both directions (-w B). Again passed through eval with ${IP}.
275 if [ "x${ACTION}" = "xadd" ]; then
276 ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\""
277 #Add filter to rule table
278 eval ${GENFILT} ${ARG1}
280 #Deactivate and activate the filter rules.
281 eval ${MKFILT} -v 4 -d
282 eval ${MKFILT} -v 4 -u
284 # removing a specific rule is not so easy :(
# Locate the rule by grepping the filter listing for the IP. NOTE(review): the
# IP is used as an unanchored basic regex, so '.' matches any character and
# 10.1.1.1 would also match 10.1.1.10; `grep -F -w` (or an anchored pattern)
# would be safer. The rest of this pipeline (the read loop) is outside this listing.
285 eval ${LSFILT} -v 4 -O | ${GREP} ${IP} |
# First '|'-delimited field of the listing line is the rule number.
# NOTE(review): `let` arithmetically evaluates whatever is in RULEID; confirm the
# lsfilt output format, and why +1 is needed, against the AIX documentation.
288 RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"`
289 let RULEID=${RULEID}+1
290 ARG1=" -v 4 -n ${RULEID}"
291 eval ${RMFILT} ${ARG1}
293 #Deactivate and activate the filter rules.
294 eval ${MKFILT} -v 4 -d
295 eval ${MKFILT} -v 4 -u