Linux Dynamic IP Address Blocking Utility


I needed a way to dynamically block IP addresses that make attempts to hack my web server, so I developed a simple tool written in bash to implement this feature.  The tool is called the Dynamic IP Blocker (DIB) Tool.  I am making the tool available to the public as an alternative to using ConfigServer Security & Firewall (CSF).  CSF is an excellent tool with lots of great features to help protect against hacking attacks.  However, installing, configuring, tuning, and maintaining CSF can be a daunting task for some folks.  The DIB Tool is a specialized, lightweight utility that can be integrated with custom scripts that monitor logs for malicious behavior and then feed unfriendly IP addresses to the tool for blocking (temporary block or permanent block).  Read on to determine whether this tool is useful to you.  If you have any questions or would like to provide feedback on how to improve the tool, please contact me.

DIB Design

[Figure: DIB Tool Design]

Design Features:

  1. Maintains a blacklist of IP addresses to block for a user-defined period of time.
  2. Maintains a blacklist of IP addresses to permanently block when a user-defined hack attempt threshold is reached.

Prerequisites:

  1. Enable iptables.  Add the following rules to your iptables rules file:
  2. Install the Linux ipset framework.  Refer to the ipset homepage for details.
  3. Implement a feature to detect malicious activity.
    I used ModSecurity, an open source web application firewall, to filter all web-based traffic.  I installed and configured Syslog-NG to monitor the ModSecurity logs tagged as CRITICAL and WARNING, using the following configuration rules:

    You may want to add a filter to disregard legitimate search bots such as Google that sometimes trigger ModSecurity alerts.  I then created the following bash script to parse the ModSecurity log messages collected by Syslog-NG and write unfriendly IP addresses to the file monitored by the DIB Tool. 
    The same concept for monitoring ModSecurity logs above can be applied to identify other suspicious behavior such as 404 responses contained in the Apache error_log.

How to Use the Tool:

  1. Copy the dib.sh file into a desired directory and make sure the file is owned by root with file permissions of 750.
  2. Open the dib.sh file using an editor and apply the desired settings to variables: DIBDIR, UNLOCK, and THRESHOLD.
  3. Add the following line to the root crontab to start the script at boot: @reboot DIBDIR/dib.sh &.  Substitute the actual location you specified in the DIBDIR variable within the dib.sh file.  Note the "&" at the end of the command, which instructs Linux to run the script as a background process.  Another option is to run dib.sh as a daemon under systemd (preferred if your OS supports systemd).
  4. Implement a process/function to detect hack attempts and write unfriendly IP addresses to $DIBDIR/ip.list.
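The temporary-versus-permanent decision behind the UNLOCK and THRESHOLD settings above, as an added example that is not the DIB Tool's own dib.sh: it follows ip.list, counts attempts per address, and puts the address in a timed ipset until the threshold is reached. It assumes two sets named dib_temp and dib_perm, a counts file under DIBDIR, and IPSET/IPTABLES variables for the binaries (all my assumptions, so a test can substitute them); the iptables rules in dib_setup are likewise my example, not the rules the page refers to.

```shell
#!/usr/bin/env bash
# Added example of the DIB concept, not the project's dib.sh. Assumptions:
# two ipset sets "dib_temp"/"dib_perm", attempts counted in $DIBDIR/counts,
# and the IPSET/IPTABLES variables let a test substitute the binaries.
set -u
DIBDIR="${DIBDIR:-/var/lib/dib}"   # assumed location, as in the settings step
UNLOCK="${UNLOCK:-3600}"           # seconds a temporary block lasts
THRESHOLD="${THRESHOLD:-5}"        # attempts before the block becomes permanent
IPSET="${IPSET:-ipset}"
IPTABLES="${IPTABLES:-iptables}"
COUNTS="$DIBDIR/counts"

# Create both sets (idempotent) and drop inbound traffic matching either one.
dib_setup() {
  "$IPSET" create dib_temp hash:ip timeout "$UNLOCK" -exist
  "$IPSET" create dib_perm hash:ip -exist
  for s in dib_perm dib_temp; do
    "$IPTABLES" -C INPUT -m set --match-set "$s" src -j DROP 2>/dev/null ||
      "$IPTABLES" -I INPUT -m set --match-set "$s" src -j DROP
  done
}

# Record one attempt from $1 and print the running total for that address.
dib_count() {
  local ip="$1" n
  n=$(grep -c -x -F "$ip" "$COUNTS" 2>/dev/null || true)
  printf '%s\n' "$ip" >> "$COUNTS"
  echo $((${n:-0} + 1))
}

# Block $1: reject anything that is not a plain IPv4 address (feeder scripts
# write ip.list, so never pass unchecked text to ipset), then choose the set.
dib_block() {
  local ip="$1" n
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
    { echo "rejected: $ip" >&2; return 2; }
  n=$(dib_count "$ip")
  if [ "$n" -ge "$THRESHOLD" ]; then
    "$IPSET" add dib_perm "$ip" -exist; echo perm
  else
    "$IPSET" add dib_temp "$ip" timeout "$UNLOCK" -exist; echo temp
  fi
}

# Follow ip.list as feeder scripts append to it; run after dib_setup.
dib_run() {
  mkdir -p "$DIBDIR"; touch "$DIBDIR/ip.list" "$COUNTS"
  tail -n0 -F "$DIBDIR/ip.list" | while read -r ip; do dib_block "$ip"; done
}
case "${1:-}" in run) dib_setup && dib_run ;; esac   # usage: ./dib.sh run
```

Entries in dib_temp expire on their own after UNLOCK seconds, so no unblock step is needed; dib_perm has no timeout and survives until the set is flushed.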

Source Code Download: DIB Tool

Source Code Listing:


https://www.hueyise.com