--- /dev/null
+#!/bin/sh
+# Adds an IP to the iptables drop list (if linux)
+# Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
+# Adds an IP to the ipsec drop list (if aix)
+# Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
+# Expect: srcip
+# Author: Ahmet Ozturk (ipfilter and IPSec)
+# Author: Daniel B. Cid (iptables)
+# Author: cgzones
+# Last modified: Oct 04, 2012
+
+UNAME=`uname`
+ECHO="/bin/echo"
+GREP="/bin/grep"
+IPTABLES=""
+IP4TABLES="/sbin/iptables"
+IP6TABLES="/sbin/ip6tables"
+IPFILTER="/sbin/ipf"
+if [ "X$UNAME" = "XSunOS" ]; then
+ IPFILTER="/usr/sbin/ipf"
+fi
+GENFILT="/usr/sbin/genfilt"
+LSFILT="/usr/sbin/lsfilt"
+MKFILT="/usr/sbin/mkfilt"
+RMFILT="/usr/sbin/rmfilt"
+ARG1=""
+ARG2=""
+RULEID=""
+ACTION=$1
+USER=$2
+IP=$3
+PWD=`pwd`
+LOCK="${PWD}/fw-drop"
+LOCK_PID="${PWD}/fw-drop/pid"
+IPV4F="/proc/sys/net/ipv4/ip_forward"
+IPV6F="/proc/sys/net/ipv6/conf/all/forwarding"
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+filename=$(basename "$0")
+
+LOG_FILE="${PWD}/../logs/active-responses.log"
+
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
+
+
+# Checking for an IP
+if [ "x${IP}" = "x" ]; then
+ echo "$0: <action> <username> <ip>"
+ exit 1;
+fi
+
+case "${IP}" in
+ *:* ) IPTABLES=$IP6TABLES;;
+ *.* ) IPTABLES=$IP4TABLES;;
+ * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;;
+esac
+
+# This number should be more than enough (even if a hundred
+# instances of this script is ran together). If you have
+# a really loaded env, you can increase it to 75 or 100.
+MAX_ITERATION="50"
+
+# Lock function
+lock()
+{
+ i=0;
+ # Providing a lock.
+ while [ 1 ]; do
+ mkdir ${LOCK} > /dev/null 2>&1
+ MSL=$?
+ if [ "${MSL}" = "0" ]; then
+ # Lock acquired (setting the pid)
+ echo "$$" > ${LOCK_PID}
+ return;
+ fi
+
+ # Getting currently/saved PID locking the file
+ C_PID=`cat ${LOCK_PID} 2>/dev/null`
+ if [ "x" = "x${S_PID}" ]; then
+ S_PID=${C_PID}
+ fi
+
+ # Breaking out of the loop after X attempts
+ if [ "x${C_PID}" = "x${S_PID}" ]; then
+ i=`expr $i + 1`;
+ fi
+
+ sleep $i;
+
+ i=`expr $i + 1`;
+
+ # So i increments 2 by 2 if the pid does not change.
+ # If the pid keeps changing, we will increments one
+ # by one and fail after MAX_ITERACTION
+
+ if [ "$i" = "${MAX_ITERATION}" ]; then
+ kill="false"
+ for pid in `pgrep -f "${filename}"`; do
+ if [ "x${pid}" = "x${C_PID}" ]; then
+ # Unlocking and exiting
+ kill -9 ${C_PID}
+ echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE}
+ kill="true"
+ unlock;
+ i=0;
+ S_PID="";
+ break;
+ fi
+ done
+
+ if [ "x${kill}" = "xfalse" ]; then
+ echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE}
+ # Unlocking and exiting
+ unlock;
+ exit 1;
+ fi
+ fi
+ done
+}
+
+# Unlock function
+unlock()
+{
+ rm -rf ${LOCK}
+}
+
+
+
+# Blocking IP
+if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
+ echo "$0: invalid action: ${ACTION}"
+ exit 1;
+fi
+
+
+
+# We should run on linux
+if [ "X${UNAME}" = "XLinux" ]; then
+ if [ "x${ACTION}" = "xadd" ]; then
+ ARG1="-I INPUT -s ${IP} -j DROP"
+ ARG2="-I FORWARD -s ${IP} -j DROP"
+ else
+ ARG1="-D INPUT -s ${IP} -j DROP"
+ ARG2="-D FORWARD -s ${IP} -j DROP"
+ fi
+
+ # Checking if iptables is present
+ if [ ! -x ${IPTABLES} ]; then
+ IPTABLES="/usr"${IPTABLES}
+ if [ ! -x ${IPTABLES} ]; then
+ echo "$0: can not find iptables"
+ exit 0;
+ fi
+ fi
+
+ # Executing and exiting
+ COUNT=0;
+ lock;
+ while [ 1 ]; do
+ ${IPTABLES} ${ARG1}
+ RES=$?
+ if [ $RES = 0 ]; then
+ break;
+ else
+ COUNT=`expr $COUNT + 1`;
+ echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
+ sleep $COUNT;
+
+ if [ $COUNT -gt 4 ]; then
+ break;
+ fi
+ fi
+ done
+
+ COUNT=0;
+ while [ 1 ]; do
+ #
+ # Looking for IPV4 and IPV6 FORWARD
+ #
+ if [ -e "$IPV4F" ]
+ then
+ IPV4KEY="$(cat "$IPV4F")"
+ else
+ IPV4KEY="0"
+ fi
+ if [ -e "$IPV6F" ]
+ then
+ IPV6KEY="$(cat "$IPV6F")"
+ else
+ IPV6KEY="0"
+ fi
+
+ if [ "$IPV4KEY" = "0" ] && [ "$IPV6KEY" = "0" ]
+ then
+ break
+ fi
+
+ ${IPTABLES} ${ARG2}
+ RES=$?
+ if [ $RES = 0 ]; then
+ break;
+ else
+ COUNT=`expr $COUNT + 1`;
+ echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
+ sleep $COUNT;
+
+ if [ $COUNT -gt 4 ]; then
+ break;
+ fi
+ fi
+ done
+ unlock;
+
+ exit 0;
+
+# FreeBSD, SunOS or NetBSD with ipfilter
+elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then
+
+ # Checking if ipfilter is present
+ ls ${IPFILTER} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+
+ # Checking if echo is present
+ ls ${ECHO} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+
+ if [ "x${ACTION}" = "xadd" ]; then
+ ARG1="\"@1 block out quick from any to ${IP}\""
+ ARG2="\"@1 block in quick from ${IP} to any\""
+ IPFARG="${IPFILTER} -f -"
+ else
+ ARG1="\"@1 block out quick from any to ${IP}\""
+ ARG2="\"@1 block in quick from ${IP} to any\""
+ IPFARG="${IPFILTER} -rf -"
+ fi
+
+ # Executing it
+ eval ${ECHO} ${ARG1}| ${IPFARG}
+ eval ${ECHO} ${ARG2}| ${IPFARG}
+
+ exit 0;
+
+# AIX with ipsec
+elif [ "X${UNAME}" = "XAIX" ]; then
+
+ # Checking if genfilt is present
+ ls ${GENFILT} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+
+ # Checking if lsfilt is present
+ ls ${LSFILT} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+ # Checking if mkfilt is present
+ ls ${MKFILT} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+
+ # Checking if rmfilt is present
+ ls ${RMFILT} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+
+ if [ "x${ACTION}" = "xadd" ]; then
+ ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\""
+ #Add filter to rule table
+ eval ${GENFILT} ${ARG1}
+
+ #Deactivate and activate the filter rules.
+ eval ${MKFILT} -v 4 -d
+ eval ${MKFILT} -v 4 -u
+ else
+ # removing a specific rule is not so easy :(
+ eval ${LSFILT} -v 4 -O | ${GREP} ${IP} |
+ while read -r LINE
+ do
+ RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"`
+ let RULEID=${RULEID}+1
+ ARG1=" -v 4 -n ${RULEID}"
+ eval ${RMFILT} ${ARG1}
+ done
+ #Deactivate and activate the filter rules.
+ eval ${MKFILT} -v 4 -d
+ eval ${MKFILT} -v 4 -u
+ fi
+
+else
+ exit 0;
+fi