authorFreemor <freemor@freemor.ca>2019-10-31 09:37:11 -0300
committerFreemor <freemor@freemor.ca>2019-10-31 09:37:11 -0300
commit04ba633e30dab8c525d835c1a90d4243d621a171 (patch)
treebcfa5e787e520deacb326fbdd72f481887597121
parentbb7e31ea96956f6e95475ce1eb154e136ad0a23b (diff)
Now watches and blocks /24s; max_ho raised to adjust to watching /24s
-rwxr-xr-xtheDrain10
1 files changed, 5 insertions, 5 deletions
diff --git a/theDrain b/theDrain
index 522a1e8..22646fe 100755
--- a/theDrain
+++ b/theDrain
@@ -3,10 +3,10 @@
# Watch for floods and blacklist
# Lets get some Variables defined
-readonly max_ho=8 # Max # of Half Open Connections
+readonly max_ho=12 # Max # of Half Open Connectionsi from any /24
readonly host_ip="" # IP addy of host machine
readonly log_file="/home/user/Drain.txt" # Directory to log to.
-readonly alert_to="foo@example.com" # Who to mail Alerts to
+readonly alert_to="user@example.com" # Who to mail Alerts to
readonly alert_level=50 # How man Half Open before we send an e-mail
readonly server_name="$(hostname)" # Name of your server. For E-mail alerts, defaults to hostmane
readonly whitelist_file="/home/user/whitelist" # location of a list of IPs not to block 1 per live
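Review bot: The new comment on `max_ho` has a typo ("Connectionsi") and only half describes the constant: after this commit it is the per-/24 block threshold in the blacklist loop, but it is still also compared against the total half-open count further down in the same file, so raising it from 8 to 12 for the /24 grouping also raises the point at which the full netstat listing is logged. I would make both uses explicit in the comment, e.g. `readonly max_ho=12 # Max half-open connections from any one /24 before it is blocked (also the total-count threshold for logging the full listing)`. Whether the two thresholds should really be the same value is worth a second look, since a /24 aggregate naturally reaches 12 far sooner than a single host did 8.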
@@ -15,7 +15,7 @@ readonly whitelist_file="/home/user/whitelist" # location of a list of IPs not
# and outputs a list of:
# <# of half open> <IP Address>
function floodCheck () {
- netstat -tn | awk '$6 == "SYN_RECV" {print $5}' | rev | cut -d\: -f 2- | rev | sort | uniq -c -d
+ netstat -tn | awk '$6 == "SYN_RECV" {print $5}' | rev | cut -d\: -f 2- | rev | cut -d\. -f 1-3 | sort | uniq -c -d
}
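Review bot: `cut -d\. -f 1-3` assumes every SYN_RECV peer is a dotted IPv4 address, but `netstat -tn` also lists IPv6 and v4-mapped sockets; an entry like `2001:db8::1` has no dots and passes through whole, so a later caller that appends `.0/24` to it gets a malformed prefix, and `::ffff:1.2.3.4` becomes `::ffff:1.2.3`. I would restrict the extraction to real IPv4 addresses and drop the `rev|cut|rev` chain while at it: `netstat -tn | awk '$6 == "SYN_RECV" && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {sub(/\.[0-9]+:[0-9]+$/, "", $5); print $5}' | sort | uniq -c -d`. The header comment above the function (outside this hunk) should also be updated to say the second column is now a three-octet /24 prefix, not an IP address, since `uniq -d` additionally hides any /24 with a single connection.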
@@ -60,7 +60,7 @@ fi
if [[ "$number_of_ho" -gt "1" ]]; then
echo "Number of half open connections: $number_of_ho"
echo "-------------------------------------"
- netstat -tn | grep SYN_RECV # Show the list so we can see distributed.
+ floodCheck ; echo # Show the list so we can see distributed.
echo -e "$(date), $number_of_ho half open. From: $(netstat -tn | awk '$6 == "SYN_RECV" {print $5}' | rev | cut -d\: -f 2- | rev | sort -u | wc -l) IP Addies." >> "$log_file"
if [[ "$number_of_ho" -gt "$max_ho" ]]; then
echo -e "$(netstat -tn | grep SYN_RECV)\n" >> "$log_file"
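Review bot: Replacing the raw `netstat -tn | grep SYN_RECV` listing with `floodCheck` changes what "see distributed" shows: `floodCheck` ends in `uniq -c -d`, which prints only /24s with two or more half-open connections, so a flood spread one SYN per network — the most distributed case — now prints nothing on the console even though `$number_of_ho` is above 1. Either keep the raw listing alongside the aggregate, `netstat -tn | grep SYN_RECV; floodCheck ; echo`, or change the comment to say it lists only /24s with repeated hits. The full listing is still written to the log two lines later, but only once the `max_ho` threshold is crossed. The enclosing `if` chain and the assignment of `$number_of_ho` are outside this hunk.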
@@ -72,6 +72,6 @@ fi
for ip_addy in $( floodCheck | awk -v allowed_ho=$max_ho '$1 > allowed_ho {print $2}' ) ;
do
if [[ "$(whoami)" == "root" ]]; then
- blackList $ip_addy
+ blackList "$ip_addy.0/24"
fi
done
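Review bot: Blocking `"$ip_addy.0/24"` from SYN_RECV sources turns an unauthenticated signal into a network-wide block: the peer address of a half-open connection is whatever the SYN carried, so a spoofed flood can get arbitrary /24s — including upstream networks or legitimate customers — blacklisted by the host itself, and per-/24 blocking amplifies that collateral 256-fold compared to the previous per-host behaviour. That risk, plus the fact that `whitelist_file` is documented as one IP per line, deserves at least a comment here, and it is worth confirming that `blackList` (outside this hunk) checks whitelist entries against a /24 argument rather than an exact IP. I would also validate the prefix before handing it to `blackList`, since `floodCheck` can emit a non-IPv4 string for IPv6 peers: `[[ "$ip_addy" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || continue` before the root check, with `# SYN source addresses are spoofable: blocking a /24 on them can DoS innocent networks` above the call.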