2 # Adds an IP to the iptables drop list (if linux)
3 # Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
4 # Adds an IP to the ipsec drop list (if aix)
5 # Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
7 # Author: Ahmet Ozturk (ipfilter and IPSec)
8 # Author: Daniel B. Cid (iptables)
9 # Last modified: Feb 14, 2006
# NOTE(review): this listing is fragmentary. The usage is "<action> <username> <ip>"
# (see the usage message below). UNAME, ACTION, IP, ECHO, GREP, COUNT and RES are
# assigned on lines not shown here, as are most of the if/else/fi and loop
# terminators, so control flow below is only partially visible.
# Default location of the Linux firewall binary; a /usr-prefixed fallback is tried later.
14 IPTABLES="/sbin/iptables"
# Solaris keeps ipf under /usr/sbin; the path used on FreeBSD/NetBSD is set outside this view.
16 if [ "X$UNAME" = "XSunOS" ]; then
17 IPFILTER="/usr/sbin/ipf"
# AIX IPSec filter tooling: generate, list, (de)activate and remove filter rules.
19 GENFILT="/usr/sbin/genfilt"
20 LSFILT="/usr/sbin/lsfilt"
21 MKFILT="/usr/sbin/mkfilt"
22 RMFILT="/usr/sbin/rmfilt"
# Audit trail of every invocation. The log path is relative to $PWD, so the script
# must be started from its install directory. The arguments are appended unquoted
# and unescaped, so whatever the caller passed lands verbatim in the log.
34 echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
# Only emptiness is checked here. Further down, IP is interpolated into strings
# that are passed to eval (ipfilter and AIX branches) and handed to iptables as
# unquoted words, so a value containing shell metacharacters would be evaluated
# rather than treated as data. SECURITY(review): validate that IP is a
# well-formed address before this point.
38 if [ "x${IP}" = "x" ]; then
39 echo "$0: <action> <username> <ip>"
# ACTION must be exactly "add" or "delete"; anything else is rejected (the exit
# that follows is on a line not shown here).
46 if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
47 echo "$0: invalid action: ${ACTION}"
53 # We should run on linux
54 if [ "X${UNAME}" = "XLinux" ]; then
# Block traffic sourced from IP both for the host itself (INPUT) and for routed
# traffic (FORWARD). -I inserts at the head of the chain so the DROP is evaluated
# before any earlier ACCEPT rule.
55 if [ "x${ACTION}" = "xadd" ]; then
56 ARG1="-I INPUT -s ${IP} -j DROP"
57 ARG2="-I FORWARD -s ${IP} -j DROP"
# "delete": -D removes the rule that exactly matches the text inserted above.
59 ARG1="-D INPUT -s ${IP} -j DROP"
60 ARG2="-D FORWARD -s ${IP} -j DROP"
63 # Checking if iptables is present
# Presence is probed with ls (not test -x). If /sbin/iptables is absent,
# /usr/sbin/iptables is tried next; the branch on the ls result is not shown.
64 ls ${IPTABLES} >> /dev/null 2>&1
66 IPTABLES="/usr"${IPTABLES}
67 ls ${IPTABLES} >> /dev/null 2>&1
73 # Executing and exiting
# Retry bookkeeping for the INPUT rule: on an unexpected iptables exit status the
# attempt is logged and, once more than four attempts have failed, the script
# gives up. The retry loop, the iptables call itself and the meaning of RES are on
# lines outside this listing.
82 COUNT=`expr $COUNT + 1`;
83 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
86 if [ $COUNT -gt 4 ]; then
# Same retry bookkeeping for the FORWARD rule; COUNT is not visibly reset in between.
98 COUNT=`expr $COUNT + 1`;
99 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
102 if [ $COUNT -gt 4 ]; then
110 # FreeBSD, SunOS or NetBSD with ipfilter
111 elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then
113 # Checking if ipfilter is present
114 ls ${IPFILTER} >> /dev/null 2>&1
119 # Checking if echo is present
# ECHO is an external echo binary (path set outside this view); its output is
# what gets piped into ipf below.
120 ls ${ECHO} >> /dev/null 2>&1
# ipfilter rules are built as quoted strings and fed to ipf on stdin ("-f -").
# "@1" places the rule at position 1 so it takes precedence; "quick" stops rule
# evaluation on match. Both directions are covered: outbound to IP and inbound
# from IP.
125 if [ "x${ACTION}" = "xadd" ]; then
126 ARG1="\"@1 block out quick from any to ${IP}\""
127 ARG2="\"@1 block in quick from ${IP} to any\""
128 IPFARG="${IPFILTER} -f -"
# "delete" feeds the identical rule text with -r, which removes the matching rule.
130 ARG1="\"@1 block out quick from any to ${IP}\""
131 ARG2="\"@1 block in quick from ${IP} to any\""
132 IPFARG="${IPFILTER} -rf -"
# eval is what strips the embedded quotes, but it also means IP itself is
# shell-evaluated here -- see the note at the emptiness check above.
136 eval ${ECHO} ${ARG1}| ${IPFARG}
137 eval ${ECHO} ${ARG2}| ${IPFARG}
142 elif [ "X${UNAME}" = "XAIX" ]; then
144 # Checking if genfilt is present
145 ls ${GENFILT} >> /dev/null 2>&1
150 # Checking if lsfilt is present
151 ls ${LSFILT} >> /dev/null 2>&1
155 # Checking if mkfilt is present
156 ls ${MKFILT} >> /dev/null 2>&1
161 # Checking if rmfilt is present
162 ls ${RMFILT} >> /dev/null 2>&1
# AIX: an IPv4 (-v 4) deny (-a D) filter for the single host IP (host mask
# 255.255.255.255) towards any destination (-d 0.0.0.0 -M 0.0.0.0). "-w B"
# presumably selects both directions and -D is the rule description -- confirm
# against the genfilt man page. IP is again expanded through eval.
167 if [ "x${ACTION}" = "xadd" ]; then
168 ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\""
169 #Add filter to rule table
170 eval ${GENFILT} ${ARG1}
172 #Deactivate and activate the filter rules.
# genfilt only edits the rule table; cycling mkfilt -d then -u reloads it so the
# new rule is actually enforced.
173 eval ${MKFILT} -v 4 -d
174 eval ${MKFILT} -v 4 -u
176 # removing a specific rule is not so easy :(
# The rule number is recovered by grepping the filter listing for IP. The pattern
# is unanchored and IP's dots are regex wildcards, so e.g. 10.0.0.1 also matches
# 10.0.0.10 or 10.0.0.100 -- a neighbouring host's rule could be removed instead.
# The read loop that sets LINE starts on a line not shown here.
177 eval ${LSFILT} -v 4 -O | ${GREP} ${IP} |
# The first "|"-delimited field of the listing line is taken as the rule id and
# incremented by one before removal (presumably an offset between lsfilt and
# rmfilt numbering -- confirm on AIX). "let" is a ksh/bash builtin, not POSIX sh.
180 RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"`
181 let RULEID=${RULEID}+1
182 ARG1=" -v 4 -n ${RULEID}"
183 eval ${RMFILT} ${ARG1}
185 #Deactivate and activate the filter rules.
# Reload the table so the removal takes effect, as after the add above.
186 eval ${MKFILT} -v 4 -d
187 eval ${MKFILT} -v 4 -u