# NOTE(review): this listing is an excerpt — rows are missing between the
# numbered lines (loop headers, else/fi, the lines that set UNAME, IP, ACTION,
# COUNT, RES, IPFILTER, ECHO and GREP, and the shebang). Comments below
# describe only what the visible lines show.
2 # Adds an IP to the iptables drop list (if linux)
3 # Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
4 # Adds an IP to the ipsec drop list (if aix)
5 # Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
7 # Author: Ahmet Ozturk (ipfilter and IPSec)
8 # Author: Daniel B. Cid (iptables)
9 # Last modified: Feb 14, 2006
# Default tool locations. ${IPTABLES} is re-pointed to /usr/sbin/iptables
# further down if it is not found at /sbin.
14 IPTABLES="/sbin/iptables"
16 GENFILT="/usr/sbin/genfilt"
17 LSFILT="/usr/sbin/lsfilt"
18 MKFILT="/usr/sbin/mkfilt"
19 RMFILT="/usr/sbin/rmfilt"
# Audit trail: every invocation is appended, with its raw arguments, to the
# active-responses log. The path is built from ${PWD}, so it depends on the
# caller's working directory (and ${PWD} is unquoted).
31 echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
# An empty IP aborts with a usage message. Where IP is taken from the
# positional parameters is not in the visible lines; the usage text suggests
# it is the third argument.
35 if [ "x${IP}" = "x" ]; then
36 echo "$0: <action> <username> <ip>"
# Only "add" and "delete" are accepted. No format check on ${IP} is visible
# in this listing, yet every OS branch below interpolates it into a command
# string (some of them via eval), so this script relies on the address having
# been validated before it is handed over.
43 if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
44 echo "$0: invalid action: ${ACTION}"
50 # We should run on linux
51 if [ "X${UNAME}" = "XLinux" ]; then
# add: insert (-I) a DROP for the source address at the head of INPUT and
# FORWARD; delete: the matching -D rules. The else line and the lines that
# run ${IPTABLES} with these arguments are not visible here.
52 if [ "x${ACTION}" = "xadd" ]; then
53 ARG1="-I INPUT -s ${IP} -j DROP"
54 ARG2="-I FORWARD -s ${IP} -j DROP"
56 ARG1="-D INPUT -s ${IP} -j DROP"
57 ARG2="-D FORWARD -s ${IP} -j DROP"
60 # Checking if iptables is present
# Presence is probed with ls (test -x would be the usual idiom); on a miss
# the path is retried under /usr (i.e. /usr/sbin/iptables).
61 ls ${IPTABLES} >> /dev/null 2>&1
63 IPTABLES="/usr"${IPTABLES}
64 ls ${IPTABLES} >> /dev/null 2>&1
70 # Executing and exiting
# Retry bookkeeping for the iptables call (the loop and the command that sets
# RES are not visible): each failure is counted and logged, and the script
# gives up once COUNT exceeds 4. The same pattern appears twice, presumably
# once per rule (ARG1 and ARG2) — confirm against the full file.
79 COUNT=`expr $COUNT + 1`;
80 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
83 if [ $COUNT -gt 4 ]; then
95 COUNT=`expr $COUNT + 1`;
96 echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
99 if [ $COUNT -gt 4 ]; then
107 # FreeBSD, SunOS or NetBSD with ipfilter
108 elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then
110 # Checking if ipfilter is present
# ${IPFILTER} and ${ECHO} are assigned outside the visible lines; the
# exit-on-missing handling that follows each ls is not shown either.
111 ls ${IPFILTER} >> /dev/null 2>&1
116 # Checking if echo is present
117 ls ${ECHO} >> /dev/null 2>&1
# ipf rules are built as a string that carries its own escaped double quotes
# and is later fed to ipf on stdin: "-f -" loads the rules, "-rf -" removes
# them. Because the string goes through eval (below), the shell re-parses
# the whole line, including ${IP}; this is the reason the address must be
# clean before it reaches this script.
122 if [ "x${ACTION}" = "xadd" ]; then
123 ARG1="\"@1 block out quick from any to ${IP}\""
124 ARG2="\"@1 block in quick from ${IP} to any\""
125 IPFARG="${IPFILTER} -f -"
127 ARG1="\"@1 block out quick from any to ${IP}\""
128 ARG2="\"@1 block in quick from ${IP} to any\""
129 IPFARG="${IPFILTER} -rf -"
# eval appears to be used only so that the escaped quotes in ARG1/ARG2 are
# honoured and the rule reaches echo as a single word; the output is then
# piped into ipf.
133 eval ${ECHO} ${ARG1}| ${IPFARG}
134 eval ${ECHO} ${ARG2}| ${IPFARG}
139 elif [ "X${UNAME}" = "XAIX" ]; then
141 # Checking if genfilt is present
# Same ls-based presence probe for the four AIX filter tools; the
# exit-on-missing lines after each probe are not visible.
142 ls ${GENFILT} >> /dev/null 2>&1
147 # Checking if lsfilt is present
148 ls ${LSFILT} >> /dev/null 2>&1
152 # Checking if mkfilt is present
153 ls ${MKFILT} >> /dev/null 2>&1
158 # Checking if rmfilt is present
159 ls ${RMFILT} >> /dev/null 2>&1
# add: genfilt creates an IPv4 (-v 4) deny (-a D) filter for the single
# source host (${IP} with a /32 mask) to any destination, tagged with the
# description given via -D. Again eval re-parses the argument string.
164 if [ "x${ACTION}" = "xadd" ]; then
165 ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\""
166 #Add filter to rule table
167 eval ${GENFILT} ${ARG1}
169 #Deactivate and activate the filter rules.
# The rule table is reloaded by deactivating (-d) then activating (-u) it.
170 eval ${MKFILT} -v 4 -d
171 eval ${MKFILT} -v 4 -u
173 # removing a specific rule is not so easy :(
# delete: there is no remove-by-address, so the active table is listed and
# grepped for the address, and each matching line's first field is taken as
# the rule number. ${GREP} ${IP} is a pattern (substring/regex) match, not a
# whole-field one: e.g. 10.0.0.1 would also match 10.0.0.10 or 110.0.0.1,
# and the dots match any character. A fixed-string, field-anchored match
# would be safer. The loop header and the body lines up to 177 are not
# visible here.
174 eval ${LSFILT} -v 4 -O | ${GREP} ${IP} |
177 RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"`
# "let" is a bash/ksh builtin (the shebang is not in the visible lines). The
# +1 offset presumably maps lsfilt's displayed index onto the number rmfilt
# expects — TODO confirm against the AIX documentation.
178 let RULEID=${RULEID}+1
179 ARG1=" -v 4 -n ${RULEID}"
180 eval ${RMFILT} ${ARG1}
182 #Deactivate and activate the filter rules.
183 eval ${MKFILT} -v 4 -d
184 eval ${MKFILT} -v 4 -u