oApacheGuard 1.5

Submitted on: 4/23/2002 10:19:57 PM
By: TJ Meadows  
Level: Advanced
User Rating: Unrated
Compatibility: 5.0 (all versions), 4.0 (all versions)
Views: 7635
(About the author)
 
     (This was formerly known as fw_scan.) oApacheGuard will scan your Apache access_logs for IIS exploits and, if it sees x amount of exploits from one source, it will set an ipchains deny rule for that IP address / hostname on port 80 ONLY. You can also download a formatted copy of this code from http://www.orbssoftware.com/
 
©2002-2003 TJ Meadows
# **************************************
# Name: oApacheGuard 1.5
# Description: (This was formerly known as fw_scan.) oApacheGuard will scan your Apache access_logs for IIS exploits and, if it sees x amount of exploits from one source, it will set an ipchains deny rule for that IP address / hostname on port 80 ONLY.
# You can also download a formatted copy of this code from http://www.orbssoftware.com/
# By: TJ Meadows
#
# Assumes: *nix server with root, Perl 5+ and ipchains 2+
#
# This code is copyrighted and has limited warranties. Please see
# http://www.Planet-Source-Code.com/vb/scripts/ShowCode.asp?txtCodeId=316&lngWId=6 for details.
# **************************************

use strict;
use warnings;
use Socket;   # gethostbyname / inet_ntoa
# $path2Log is the path to your httpd log directory
my $path2Log = "/var/log/httpd/";
# $path2save is where you would like to save the database
my $path2save = "/opt/oApacheGuard/guard.db";
# $path2ipchains is the full path to the directory holding the ipchains executable
my $path2ipchains = "/sbin/";
# $path2html is the path where you would like to store the HTML-safe output
# for live logging on your web site. Set this to nothing if you don't want to
# use this feature (i.e. my $path2html = "";)
my $path2html = "/var/www/html/bin/oApacheGuard.out";
# $trys is the number of attempts before a ban is placed
my $trys = 5;
# ---- DO NOT EDIT PAST HERE UNLESS YOU KNOW WHAT YOU ARE DOING ----
opendir(DIR, $path2Log) or die("Unable to open $path2Log: $!");
my @hackArray;
my @ipArray;
my @dataArray;
my $c = 0;
my $me = "none";
my $iaddr;
my $peer_addr;
foreach (readdir(DIR)) {
    my $file = $_;
    # only look at access_log* files (this also skips "." and "..")
    if ($file && /[A-Za-z]/) {
        if ($file =~ /access_log/) {
            open(LOG, $path2Log . $file) or die("Cannot open $file: $!");
            while (my $line = <LOG>) {
                # split the common-log line at the end of the timestamp: [...] "GET
                my @logArray = split("] " . chr(34) . "GET ", $line);
                if ($logArray[0]) {
                    $logArray[0] =~ s/\[//;
                    @ipArray = split(" ", $logArray[0]);   # $ipArray[0] is the client IP / hostname
                }
                if ($logArray[1]) {
                    my @urlArray = split("HTTP/1.", $logArray[1]);
                    if ($urlArray[0]) {
                        # request paths typical of Code Red / Nimda style IIS probes
                        if ((index($urlArray[0], "root.exe") >= 0) || (index($urlArray[0], "cmd.exe") >= 0) || (index($urlArray[0], ".ida") >= 0)) {
                            $hackArray[$c] = "IIS Exploit->" . $ipArray[0] . "->" . $urlArray[0];
                            $c++;
                        }
                    }
                }
            }
            close(LOG) or die("Cannot close $file: $!\n");
        }
    }
}
closedir(DIR);
# count exploit attempts per IP / hostname (field 1 of each "->" record) and
# remember the first record for each so its details can be written to the database
my %attempts;
my %firstHit;
foreach (@hackArray) {
    @dataArray = split("->", $_);
    $attempts{$dataArray[1]}++;
    $firstHit{$dataArray[1]} = $_ unless $firstHit{$dataArray[1]};
}
# load the hosts already in the database so they are not banned twice
my %banned;
open(banIn, $path2save) or die("Cannot open $path2save: $!\n");
while (my $line = <banIn>) {
    my @checkArray = split("->", $line);
    $banned{$checkArray[1]} = 1 if $checkArray[1];
}
close(banIn) or die("Cannot close $path2save: $!\n");
foreach my $host (sort keys %attempts) {
    my $z = $attempts{$host};
    next if $z < $trys || $banned{$host};
    @dataArray = split("->", $firstHit{$host});
    # resolve the log's IP / hostname to a dotted quad for ipchains; skip it if it doesn't resolve
    $iaddr = gethostbyname($host);
    unless ($iaddr) { warn("Cannot resolve $host, not banning\n"); next; }
    $peer_addr = inet_ntoa($iaddr);
    open(banOut, ">>$path2save") or die("Cannot open $path2save: $!\n");
    print(banOut $dataArray[0] . "->" . $host . "->" . $peer_addr . "->" . $dataArray[2] . "->" . $z . "\n");
    close(banOut) or die("Cannot close $path2save: $!\n");
    my $shell = $path2ipchains . 'ipchains -A input -p tcp -s ' . $peer_addr . ' -d 0/0 80 -j DENY';
    system($shell) == 0 or warn("ipchains failed for $peer_addr: $?\n");
    #print ("$shell\n");
}
if ($path2html) {
    open(htmlOut, ">$path2html") or die("Cannot open $path2html: $!\n");
    print(htmlOut "<table width='100%' border=0>");
    print(htmlOut "<tr><td><b>IP Address / Hostname</b></td><td><b>Attempts</b></td><td><b>Reason</b></td></tr>");
    open(htmlIn, $path2save) or die("Cannot open $path2save: $!\n");
    while (my $logLine = <htmlIn>) {
        chomp($logLine);
        # the hostname comes from the log (reverse DNS), so escape every field before writing HTML
        my @itemArray = map { my $v = $_; $v =~ s/&/&amp;/g; $v =~ s/</&lt;/g; $v =~ s/>/&gt;/g; $v } split("->", $logLine);
        print(htmlOut "<tr><td>" . $itemArray[1] . "</td><td>" . $itemArray[4] . "</td><td>" . $itemArray[0] . "</td></tr>\n");
    }
    close(htmlIn) or die("Cannot close $path2save: $!\n");
    print(htmlOut "<tr><td colspan=3>Last Updated: " . lUpdated() . "</td></tr>");
    print(htmlOut "</table>");
    close(htmlOut) or die("Cannot close $path2html: $!\n");
}
sub lUpdated {
my $ampm = "AM";
my $datetime = localtime($^T);
my $otime = substr($datetime, 11, 8);
my $oday = substr($datetime, 8, 2);
my $omonth = substr($datetime, 4, 3);
my $oyear = substr($datetime, 20, 4);
my @timeArray;
@timeArray = split(/:/, $otime);
if($timeArray[0] >= 12) {
$ampm = "PM";
if($timeArray[0] > 12) {
 $timeArray[0] -= 12;
}
}
$otime = join(":", @timeArray);
my $tmp = "$oday $omonth, $oyear $otime $ampm";
return $tmp;
}
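The detection and threshold logic above, as an added stand-alone example (not part of oApacheGuard or the author's code): it counts requests for the same probe strings per source across constructed common-log lines, reports the sources that reach the threshold, and never proposes a ban for loopback or anything on an allowlist (the allowlist contents are an assumption; extend it with the server's own addresses). It only reports; it does not call ipchains.

```perl
#!/usr/bin/perl
# Added example, not part of oApacheGuard: count IIS-probe requests per source
# in Apache common-log lines, report sources at or over a threshold, and never
# propose a ban for loopback or any address on an allowlist.
use strict;
use warnings;

# Constructed sample log lines (Apache common log format).
my @sample = (
    '10.0.0.5 - - [23/Apr/2002:22:10:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292',
    '10.0.0.5 - - [23/Apr/2002:22:10:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 292',
    '10.0.0.5 - - [23/Apr/2002:22:10:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292',
    '10.0.0.5 - - [23/Apr/2002:22:10:04 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 292',
    '10.0.0.5 - - [23/Apr/2002:22:10:05 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 292',
    '192.168.1.20 - - [23/Apr/2002:22:11:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.168.1.20 - - [23/Apr/2002:22:11:01 -0400] "GET /scripts/root.exe HTTP/1.0" 404 292',
    (map { "127.0.0.1 - - [23/Apr/2002:22:12:0$_ -0400] \"GET /scripts/root.exe HTTP/1.0\" 404 292" } 1 .. 5),
);

# Sources that must never be firewalled (assumption: extend with the server's own addresses).
my %allow = map { $_ => 1 } qw(127.0.0.1 ::1);

# Return source => number of requests whose path contains one of the probe
# strings oApacheGuard looks for (root.exe, cmd.exe, .ida).
sub count_probes {
    my %hits;
    for my $line (@_) {
        # first field is the client; the request is the quoted "METHOD path HTTP/x.y"
        next unless $line =~ /^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/;
        my ($src, $path) = ($1, $2);
        $hits{$src}++ if $path =~ /(?:root\.exe|cmd\.exe|\.ida)/i;
    }
    return %hits;
}

# Return the sorted sources that reached $trys probes and are not allowlisted.
sub sources_to_ban {
    my ($trys, %hits) = @_;
    return sort { $a cmp $b } grep { $hits{$_} >= $trys && !$allow{$_} } keys %hits;
}

my %hits = count_probes(@sample);
printf "%-14s %d probe(s)\n", $_, $hits{$_} for sort keys %hits;
print "would ban (port 80 only): $_\n" for sources_to_ban(5, %hits);
```

With the sample above, 10.0.0.5 and 127.0.0.1 both reach 5 probes but only 10.0.0.5 is reported, and 192.168.1.20 stays below the threshold.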


Other User Comments

4/23/2002 10:21:30 PM  TJ Meadows

I'm working on 2.0, which will have the ability to set timed bans, not just perm bans.

 
4/23/2002 10:45:26 PM  TJ Meadows

FYI, depending on your *nix security you may have to create the database file before you can start using this. If you get an error about not being able to find the database file, simply create an empty text file in the database path.

 
10/5/2002 11:49:17 PM  magikh0e

Should also never allow blocking of the host DNS or localhost, so no one could spoof and use the nice script against you (;

 
10/6/2002 12:23:34 AM  TJ Meadows

Aye, I have thought of this, but thanks for pointing it out. I have a very advanced version I am using now; still working out some encryption bugs and other things before release of this one. Any other features you might want?

 
7/28/2011 1:45:36 PM  Mike

Thanks for posting. Can I use this code for my final year project? I mean, you don't mind if I use it?

 
