#! /usr/bin/perl use strict; use warnings; use IPC::System::Simple qw(capturex); use Data::Validate::IP; my %ip4s = (); my %ip6s = (); my @blrule4s = (); my @blrule6s = (); my $whitelist = qr/^(?:127.|5.9.143.173|85.68.182.45|195.25.233.49|::1|2a01:4f8:190:22a6:)/; my @userlist = ('rapsys'); # Extract sshd.service scan map { if (/Failed password for (?:invalid user )?(.+) from (.+) port [0-9]+ ssh2/ && grep($_ ne $1, @userlist) && $2 !~ /$whitelist/) { if (Data::Validate::IP::is_ipv4($2)) { $ip4s{$2}=1; } elsif (Data::Validate::IP::is_ipv6($2)) { $ip6s{$2}=1; } } } capturex('journalctl', '-u', 'sshd.service'); # Extract kernel port scan map { if (/Shorewall:net-fw:DROP:.* SRC=([^\s]+) DST=.*/ && $1 !~ /$whitelist/) { if (Data::Validate::IP::is_ipv4($1)) { $ip4s{$1}=1; } elsif (Data::Validate::IP::is_ipv6($1)) { $ip6s{$1}=1; } } } capturex('journalctl', '-k'); # Open blrule4s file for reading open (my $fh, '<', '/etc/shorewall/blrules') or die "Can't open < /etc/shorewall/blrules: $!"; # Populate with comments @blrule4s = map { chomp($_); if (/^#/) { $_; } else { (); } } <$fh>; # Prepend header push @blrule4s, "WHITELIST\tnet:5.9.143.173\tall"; push @blrule4s, "WHITELIST\tnet:85.68.182.45\tall"; push @blrule4s, "WHITELIST\tnet:195.25.233.49\tall"; # Build blacklist map { push @blrule4s, "DROP\t\tnet:".$_.(length lt 12?"\t":'')."\tfw"; } sort keys %ip4s; # Close blrule4s file close $fh or die "Can't close fh: $!"; # Open blrule4s file for writing open ($fh, '>', '/etc/shorewall/blrules') or die "Can't open > /etc/shorewall/blrules: $!"; # Inject content of blacklist map { print $fh $_."\n"; } @blrule4s; # Close blrule4s file close $fh or die "Can't close fh: $!"; # Print ipv6 to update hash #XXX; right now it don't seems scanned at all... for (sort keys %ip6s) { print $_."\n"; } # Restart shorewall service capturex('systemctl', 'restart', 'shorewall.service');