I'm running a cron every minute to thwart brute-force attacks.
awk '{print $2}' < ipkill.txt | while read -r ip; do
    # query geographical info for the IP address
    curl -s -o country.txt "ipinfo.io/$ip"
    # parse the JSON result and pull the country code (-r strips the JSON quotes, no data prints "null")
    country=$(jq -r '.country' country.txt)
    #echo "$country"
    # null-route IPs outside the allowed countries and quickstart the firewall
    # (an empty $country means the lookup itself failed, so do not block on it)
    if [ -n "$country" ] && [ "$country" != "US" ] && [ "$country" != "null" ] && [ "$country" != "JP" ] && [ "$country" != "CA" ]; then
        msg=" address blocked: "
        echo "$country$msg$ip" >> blocked.txt
        # below command disabled
        #iptables -I INPUT -s "$ip" -j DROP
        # add IP to CSF rules
        csf -d "$ip"
        # kill all processes with a connection from the offending IP
        # (column 7 of netstat -tuapn is PID/Program; -w stops 1.2.3.4 matching 1.2.3.40, keep numeric PIDs only)
        process=$(netstat -tuapn | grep -wF -- "$ip" | awk '{print $7}' | awk -F'/' '$1 ~ /^[0-9]+$/ {print $1}' | sort -u)
        for hacker in $process
        do
            kill "$hacker"
        done
        # blackhole IP
        route add "$ip" gw 127.0.0.1 lo
        echo "$(date) $ip null-routed and corresponding process killed."
        load=$(awk '{print $1}' /proc/loadavg)
        echo "$(date) Load is now: $load"
    fi
    #csf -r
    csf -q
done
This is working quite well (limiting requests made to ipinfo.io to 10,000).
The main problem is that CSF is not adding the IPs to the firewall deny file. The command is
csf -d
which adds the IP to the csf.deny file. I use it regularly on the fly, but embedded in this script it is not working.
My hunch is that the server load is simply too high during the high-load periods when the script is triggered (200+), and somehow the command never executes or the required file operation doesn't take place.
My next step is to add the IPs after the script is finished and the load has fallen. See if that makes a difference.
I expected the CSF command-line operations would be queued during high loads.
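One way to find out whether `csf -d` is failing or silently doing nothing is to stop discarding its result. The script below is an added example, not the poster's script or part of CSF: it keeps the exit status and output of every `csf -d` call, checks that the IP actually appears in the deny file afterwards, and takes a lock so a cron job firing every minute cannot start a second copy while the previous run is still working through the list (a common cause of commands "not happening" under load). It assumes `csf` is on PATH, that the deny file is `/etc/csf/csf.deny` (the CSF default) and that util-linux `flock` is available; all three can be overridden through environment variables so the functions can be exercised without a real CSF install.

```shell
#!/bin/bash
# Added example, not the poster's script. Wraps csf -d so a failure is
# recorded instead of vanishing, confirms the IP landed in csf.deny, and
# locks out overlapping cron runs.
# Assumptions: csf on PATH, deny file at the CSF default path, flock present.
CSF_BIN="${CSF_BIN:-csf}"
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"
LOG="${LOG:-blocked.txt}"
LOCK="${LOCK:-/var/lock/ipkill.lock}"

# Look up the two-letter country code; jq -r prints "null" when ipinfo has none.
lookup_country() {
    curl -s "ipinfo.io/$1" | jq -r '.country'
}

# Allow-list check on the bare code. Returns 0 (block) only for a real code
# that is not US, JP or CA; "null" (no data) and "" (lookup failed) are not blocked.
is_blocked_country() {
    case "$1" in
        US|JP|CA|null|"") return 1 ;;
        *) return 0 ;;
    esac
}

# True when the IP is the first field of some line in the deny file
# (csf -d writes entries as "1.2.3.4 # comment"). Exact match, so 1.2.3.4
# does not match 1.2.3.40.
ip_in_deny_file() {
    awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }' "$1"
}

# Run csf -d, keep its output and exit status, then verify the deny file.
# Returns 0 on success, 1 if csf reported failure, 2 if csf exited 0 but the
# entry is missing (the silent case described in the question).
deny_ip() {
    ip="$1"
    rc=0
    out=$("$CSF_BIN" -d "$ip" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "$(date) csf -d $ip failed (exit $rc): $out" >> "$LOG"
        return 1
    fi
    if ! ip_in_deny_file "$CSF_DENY" "$ip"; then
        echo "$(date) csf -d $ip exited 0 but $ip is not in $CSF_DENY" >> "$LOG"
        return 2
    fi
    echo "$(date) $ip added to $CSF_DENY" >> "$LOG"
}

# Process the list file (second column is the IP, as in the original awk).
main() {
    exec 9>"$LOCK"
    if ! flock -n 9; then
        echo "$(date) previous run still active, skipping" >> "$LOG"
        exit 0
    fi
    awk '{print $2}' < "$1" | while read -r ip; do
        country=$(lookup_country "$ip")
        if is_blocked_country "$country"; then
            deny_ip "$ip"
        fi
    done
}

# Only run when given a list file, so the functions can be sourced or tested.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `./ipkill.sh ipkill.txt` from cron. Afterwards `blocked.txt` says, per IP, whether `csf -d` returned an error, returned 0 without writing the entry, or succeeded, and whether a run was skipped because the previous one was still active; that separates "CSF refused under load" from "two copies of the script were stepping on each other".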