Poor Man's Intrusion Detection System (IDS)
by PROBLEMCHYLD from LinuxQuestions.org on (#4WX5M)
So, I'm using fwlogwatch to alert me when someone tries to enter my computer, it then creates a BLOCKLIST of the offending IPs.
It has a script that does all of this. What I need now is to modify the script and send the Banned IPs to iptables with ipset.
I would like ipset to act in realtime if possible by constantly checking the hash or the file size of the blocklist and then update accordingly.
Code:#!/bin/sh
# Copyright (C) 2000-2016 Boris Wesslowski
# $Id: fwlw_notify 741 2016-02-19 14:35:50Z bw $
# fwlogwatch realtime notification script
# You can invoke a custom action through this script when fwlogwatch
# issues an alert. A few commented examples are shown below.
# The available arguments (if activated in the configuration, if not the
# fields will contain a '-') are:
# $1 count
$2 source IP
# $3 destination IP
# $4 protocol
# $5 source port
# $6 destination port
### Use the following lines for email notifications, $EMAIL is the recipient
#
#EMAIL=root@localhost
#
#/bin/echo "fwlogwatch ALERT on $HOSTNAME: $1 packet(s) from $2 to $3" | /bin/mail -s "fwlogwatch ALERT: $1 packet(s) from $2" $EMAIL
### Use the following lines for SMB notifications, $SMBHOST is the host the
### alert should appear
#
#SMBHOST=hostname
#
#/bin/echo "fwlogwatch ALERT on $HOSTNAME: $1 packet(s) from $2" | /usr/bin/smbclient -M $SMBHOST
### Use the following line to generate a custom log entry
#
#/usr/bin/logger -p security.alert -t "fwlogwatch ALERT" "$1 packet(s) from $2"
### You may also want to log alerts to a file
#
#NOW=`date +'%Y-%m-%d-%H-%M-%S'`
#/bin/echo "$NOW: $1 packet(s) from $2 to $3" >> /tmp/fwlw.log
/bin/echo "$2" >> /home/problemchyld/.blocklist/blocklist.log
### Insert your own ideas here, anything is possible. :-)
DISPLAY=:0.0 XAUTHORITY=/home/problemchyld/.Xauthority notify-send -t 5000 -i /usr/share/icons/Tango/scalable/emblems/emblem-important.svg -c network "Firewall Warning Alert" "Intrusion Detected from $2"
Attached Thumbnails
It has a script that does all of this. What I need now is to modify the script and send the Banned IPs to iptables with ipset.
I would like ipset to act in realtime if possible by constantly checking the hash or the file size of the blocklist and then update accordingly.
Code:#!/bin/sh
# Copyright (C) 2000-2016 Boris Wesslowski
# $Id: fwlw_notify 741 2016-02-19 14:35:50Z bw $
# fwlogwatch realtime notification script
# You can invoke a custom action through this script when fwlogwatch
# issues an alert. A few commented examples are shown below.
# The available arguments (if activated in the configuration, if not the
# fields will contain a '-') are:
# $1 count
$2 source IP
# $3 destination IP
# $4 protocol
# $5 source port
# $6 destination port
### Use the following lines for email notifications, $EMAIL is the recipient
#
#EMAIL=root@localhost
#
#/bin/echo "fwlogwatch ALERT on $HOSTNAME: $1 packet(s) from $2 to $3" | /bin/mail -s "fwlogwatch ALERT: $1 packet(s) from $2" $EMAIL
### Use the following lines for SMB notifications, $SMBHOST is the host the
### alert should appear
#
#SMBHOST=hostname
#
#/bin/echo "fwlogwatch ALERT on $HOSTNAME: $1 packet(s) from $2" | /usr/bin/smbclient -M $SMBHOST
### Use the following line to generate a custom log entry
#
#/usr/bin/logger -p security.alert -t "fwlogwatch ALERT" "$1 packet(s) from $2"
### You may also want to log alerts to a file
#
#NOW=`date +'%Y-%m-%d-%H-%M-%S'`
#/bin/echo "$NOW: $1 packet(s) from $2 to $3" >> /tmp/fwlw.log
/bin/echo "$2" >> /home/problemchyld/.blocklist/blocklist.log
### Insert your own ideas here, anything is possible. :-)
DISPLAY=:0.0 XAUTHORITY=/home/problemchyld/.Xauthority notify-send -t 5000 -i /usr/share/icons/Tango/scalable/emblems/emblem-important.svg -c network "Firewall Warning Alert" "Intrusion Detected from $2"
Attached Thumbnails