0

I'm running a cron every minute to thwart brute-force attacks.

    awk '{print $2}' < ipkill.txt | while read ip; do

    #query geographical info IP address
    curl -o country.txt ipinfo.io/$ip

    #parse the JSON result pull the country
    country=$(cat country.txt | jq ".country")
    #echo $country

    #Get country & null-route IPs and quickstart the firewall
    if [ $country != '"US"' ] && [ $country != 'null' ] && [ $country != '"JP"' ] && [ $country != '"CA"' ]; then
      msg=" address blocked: "
      echo $country$msg$ip >> blocked.txt     

      #below command disabled
      #iptables -I INPUT -s $ip -j DROP


      #add IP to CSF rules
      csf -d $ip

      #kill all associated processes from offending IP
      process=`netstat -tuapn | grep $ip | awk {'print $7}' | awk -F '/' {'print $1'} | uniq`

        for hacker in $process
        do
            kill $hacker
        done

      #blackhole IP
      route add $ip gw 127.0.0.1 lo


      echo $(date) " $ip null-routed and corresponding process killed."
      load=`cat /proc/loadavg | awk '{print $1}'`
      echo $(date) ' Load is now: '$load

    fi

  #csf -r
csf -q
done

Which is working quite well. (limit requests made to ipinfo.io to 10,000)

The main problem is CSF is not adding the IPs to the firewall deny file. The command is

csf - d

Which adds the IP to the cfs.deny file. I use it regularly on the fly. Embedded in this script it is not working.

My hunch is that the server load is simply too high during the high load periods when the script is triggered (+200) and somehow the command never executes or the required file operation doesn't take place.

My next step is to add the IPs after the script is finished and the load has fallen. See if that makes a difference.

I expected the CSF command-line operations would be queued during high loads.

Horace
  • 13
  • 5

1 Answers1

0

You could try running the csf command with full path. /usr/sbin/csf

As far as I know csf does not implement any kind of queuing when running csf -d so blocking too many IPs really quick will cause load.

You could try adding the IPs directly to /etc/csf/csf.deny file (one IP per line with an optional comment after the IP) and then restart csf with csf -r

I am not sure if this has any less impact on the load. In any case when you block too many IPs it will slow down your system regardless of the method you use (it's all iptables anyway).

You could do a check on your script so that if the load is under a threshold then issue a csf restart to load the new csf.deny, otherwise sleep and retry later until the load is low enough.

Cha0s
  • 2,432
  • 2
  • 15
  • 26
  • I think you're on the right track there. I added some buffer time between the commands. It seems to be executing them now. – Horace Feb 16 '15 at 19:09
  • Ok just to update, buffering the commands does not work. It results in such a slow reaction to a bot attack that it brought us down for an hour today. – Horace Feb 17 '15 at 17:19
  • Something I forgot to mention is that when you run `csf -d` multiple times quickly enough it will try to run them in parallel (under heavy load that is) causing even more load. When loading the block list from the `csf.deny` file after a `csf -r` it will load all the rules in a serial fashion. Depending on how many IPs you are blocking this may take a lot of time - and it doesn't help if you already block say 2000 IPs and you want to block another 200, since restarting csf will load all the rules from scratch. – Cha0s Feb 17 '15 at 17:47