DShield through fw samp batch script

Discussion created by 2f878495-07e0-48b1-99f4-0c0740ddee67 on May 4, 2016
Latest reply on Nov 14, 2017 by Dameon Welch-Abernathy

Cross post from CPUG; it was suggested I post this up here for a wider audience.

Hi all, I wanted to post this up in case anyone wanted to give it a go. It is a modification of the IP-blacklist.sh script from sk103154, but it takes advantage of the DShield block list without using the dynamic object. If you follow the sk for permissions and want to install it in a lab environment, let me know how it goes, or if you see a glaring issue with my awk.

dshield-blocklist.sh:

```bash
#!/bin/bash
# Fetch the DShield recommended block list and load it as SAM quota rules.

url="http://feeds.dshield.org/block.txt"

# Turn feed lines into "fw samp batch" commands. block.txt is tab separated
# (start, end, netmask, attacks, name, country, email) and its header lines
# start with "#", so only lines beginning with a digit are data lines.
# awk consumes the whole stream by itself; no surrounding read loop is needed.
function convert {
    awk '/^[0-9]/ { printf "add -a d -l r -t 3600 -c dshield_blocklist quota service any source range:%s/%s pkt-rate 0\n", $1, $3 }'
    # Commit the batch once all rules have been queued.
    echo "add -t 2 quota flush true"
}

# --cacert only has an effect when the feed URL is https.
curl_cli -s --cacert "$CPDIR/conf/ca-bundle.crt" --retry 10 --retry-delay 60 "$url" | dos2unix | convert | fw samp batch
```


dshield.sh:

```bash
#!/bin/bash
# on/off/stat wrapper that schedules dshield-blocklist.sh through cpd_sched_config.

op="$1"

is_fw_module=$("$CPDIR/bin/cpprod_util" FwIsFirewallModule)

# Delete every SAM rule carrying our comment tag, then flush the batch.
function remove_existing_sam_rules {
    fw samp get | awk '/comment=dshield_blocklist/{sub("uid=","",$2); print "del "$2}' | fw samp batch 1>/dev/null 2>&1
    fw samp add -t 2 quota flush true 1>/dev/null 2>&1
}

# Run only on GAIA gateways
if [[ "$is_fw_module" -eq 1 && -f /etc/appliance_config.xml ]]; then

    echo "$(date): Starting" >> "$FWDIR/log/custom_dshield.log"

    case "$op" in

        on)
            # Refresh the list every 3600 s, matching the -t 3600 rule lifetime.
            "$CPDIR/bin/cpd_sched_config" add dshield -c "$CPDIR/bin/dshield-blocklist.sh" -e 3600 -r -s
            echo "dshield: Known malicious IP blocking mechanism is ON"
            ;;

        off)
            "$CPDIR/bin/cpd_sched_config" delete dshield -r
            remove_existing_sam_rules
            echo "dshield: Known malicious IP blocking mechanism is OFF"
            ;;

        stat)
            # Report ON only if the dshield task exists and is marked active.
            "$CPDIR/bin/cpd_sched_config" print | awk 'BEGIN{res="OFF"} /Task/{flag=0} /dshield/{flag=1} /Active: true/{if(flag)res="ON"} END{print "dshield: Known malicious IP blocking mechanism status is "res}'
            ;;

        *)
            echo 'Usage:'
            echo ' dshield.sh <option>'
            echo 'Option:'
            echo ' on: blocks malicious IPs'
            echo ' off: stops malicious IPs blocking'
            echo ' stat: prints the status of malicious IP blocking'
            ;;

    esac

else

    echo "dshield: This utility is supported on GAIA Security Gateway only"

fi
```
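As an added example (not part of the original post or of sk103154), here is a stricter version of the feed conversion: since the list is fetched over plain http and piped straight into `fw samp batch`, each field is validated before a rule is emitted. It assumes the tab-separated block.txt layout (start, end, netmask, ...) that the awk above relies on; the sample feed embedded in it is constructed.

```bash
#!/bin/bash
# Added example, not from the original post: a stricter feed-to-samp converter.
# A rule is emitted only for lines that parse as <ipv4> TAB <ipv4> TAB <mask 0-32>;
# comments, blank and malformed lines are dropped and counted, so nothing that
# did not validate is ever handed to "fw samp batch".

sample_feed() {
    # Constructed sample in the DShield block.txt layout (tab separated: start,
    # end, netmask, attacks, name, country, email), with lines that must be rejected.
    printf '# DShield.org Recommended Block List\n'
    printf '# start\tend\tnetmask\tattacks\tname\tcountry\temail\n\n'
    printf '192.0.2.0\t192.0.2.255\t24\t1234\texample-net\tXX\tabuse@example.net\n'
    printf '198.51.100.0\t198.51.100.255\t24\t99\tother-net\tXX\tabuse@example.org\n'
    printf '203.0.113.0\t203.0.113.255\t33\t5\tbad-mask\tXX\tx@example.org\n'
    printf '999.1.1.0\t999.1.1.255\t24\t5\tbad-octet\tXX\tx@example.org\n'
    printf 'not an ip\tat all\t24\t5\tjunk\tXX\tx@example.org\n'
}

dshield_to_samp() {
    # Feed lines on stdin -> validated fw samp batch commands on stdout.
    awk -F'\t' '
        function valid_ipv4(ip,    n, i, o) {
            n = split(ip, o, "[.]")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        /^#/ || NF < 3 { next }                        # header comments, blank/short lines
        !valid_ipv4($1) || $3 !~ /^[0-9]+$/ || $3 + 0 > 32 { bad++; next }
        {
            printf "add -a d -l r -t 3600 -c dshield_blocklist quota service any source range:%s/%s pkt-rate 0\n", $1, $3
            good++
        }
        END {
            print "add -t 2 quota flush true"           # commit the batch
            printf "dshield_to_samp: %d rules, %d rejected lines\n", good + 0, bad + 0 > "/dev/stderr"
        }'
}

# Number of quota rules the sample produces (2 valid entries); used by the checks.
count_sample_rules() {
    sample_feed | dshield_to_samp 2>/dev/null | grep -c 'dshield_blocklist'
}

# Stand-alone run: show what would be handed to "fw samp batch".
sample_feed | dshield_to_samp
```

The rejected-line count on stderr is worth logging alongside the existing custom_dshield.log entry, since a sudden jump in rejections usually means the feed format changed.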

 

**USE AT YOUR OWN RISK!!**

 

Also, check out https://cpdbl.net/ for a better solution!
