
ipfreeze v0.4.5 Ipfreeze is a program that listens to the netlink device. It takes the source address from every incoming packet and adds it to a Netfilter "blacklist" chain. The address is removed from this chain after a user-definable period of time. This allows you to create rules that detect and halt certain odd behaviors, such as port scans, SYN floods, or connection attempts on forbidden ports. The attacker's IP address is blacklisted using the QUEUE target. There is also a whitelist where you can declare hosts that you never want to be blacklisted.

#!/usr/bin/perl -w
# IPFREEZE v 0.4.5
# Copyright (C) 2003 gregoire HUBERT.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Author : gregoire HUBERT <greg@coolkeums.org>

use strict;
use IPTables::IPv4::IPQueue qw(:constants);
use NetPacket::IP;
use NetPacket::TCP;

# You shouldn't change this value
# Poll timeout handed to get_message(), in microseconds (one second). The
# blacklist countdown in the main loop ticks once per expired timeout, so it
# only advances while no packet is queued; BL_TIME is therefore a minimum.
use constant TIMEOUT => 1000000;

# This is the blacklist time in second
# Initial countdown for an address added at run time; it is decremented on
# each TIMEOUT expiry and the address is released when it reaches zero.
use constant BL_TIME => 600;

# INT/QUIT run release_handler (clean queue shutdown); HUP reloads the
# configuration files through hup().
use sigtrap qw(handler release_handler INT QUIT);
use sigtrap qw(handler hup HUP);

my $packet;          # last message from the queue (undef on timeout or error)
my $ip;              # decoded NetPacket::IP of the current packet
my $tcp;             # decoded NetPacket::TCP of the current packet
my $src_ip_addr;     # source address of the current packet
my $dst_tcp_port;    # destination port of the current packet (used in log lines only)
my $return;          # scratch variable: command output, config lines, grep count
my %blacklist;       # address => remaining ticks; -20 marks a permanent entry from ip_blacklist
my @whitelist;       # addresses that are never blacklisted (from ip_whitelist)
my $flag=0;          # set when an entry expired so the chain is rebuilt once per tick
my $localtime;       # timestamp used for log lines
my $queue;           # IPTables::IPv4::IPQueue handle

# Clean exit procedure to release the queue handler correctly

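# Signal handler for INT/QUIT (bound by the sigtrap line above): drops the
# queue handle so the kernel stops queueing packets to us, logs the event
# and exits with status 0.
sub release_handler {
	undef $queue;
	# Three-arg open on a lexical handle. Logging is best-effort here: a
	# failure to open the log must not keep the daemon from exiting.
	if (open my $log_fh, '>>', '/var/log/ipfreeze.log') {
		$localtime = time();
		print {$log_fh} localtime($localtime)." @@ SIGINT or SIGQUIT received ... exiting @@\n";
		close $log_fh;
	}
	else {
		warn "cannot open /var/log/ipfreeze.log: $!\n";
	}
	exit(0);
}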

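# Rebuild the Netfilter "blacklist" chain from %blacklist: flush it, then
# add one DROP rule per blacklisted source address.
sub update {
	# Keys reach this sub from two places: lines of /etc/ipfreeze/ip_blacklist
	# and the decoded source address of queued packets. The original shelled
	# them out through backticks unvalidated; list-form system() never
	# involves a shell, and the pattern below only lets a dotted-quad IPv4
	# address (optionally with a /prefix) become an iptables argument, so a
	# stray line in the file cannot be parsed as an option. Hostnames are
	# deliberately not accepted.
	my $ipv4_re = qr{\A \d{1,3} (?: \. \d{1,3} ){3} (?: / \d{1,2} )? \z}x;
	if (system('iptables', '-F', 'blacklist') != 0) {
		warn "iptables -F blacklist failed (status $?)\n";
	}
	foreach my $addr (sort keys %blacklist) {
		if ($addr !~ $ipv4_re) {
			warn "ignoring blacklist entry '$addr': not an IPv4 address\n";
			next;
		}
		if (system('iptables', '-A', 'blacklist', '-s', $addr, '-j', 'DROP') != 0) {
			warn "iptables -A blacklist -s $addr failed (status $?)\n";
		}
	}
	return;
}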
	

# Reset and load configuration from files
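# Signal handler for HUP (bound by the sigtrap line above), also called once
# at startup. Clears both lists, reloads /etc/ipfreeze/ip_whitelist and
# /etc/ipfreeze/ip_blacklist, then rebuilds the iptables chain via update().
sub hup {
	$localtime = time();
	if (open my $log_fh, '>>', '/var/log/ipfreeze.log') {
		print {$log_fh} localtime($localtime)." @@ [re]loading configuration... @@\n";
		close $log_fh;
	}
	else {
		warn "cannot open /var/log/ipfreeze.log: $!\n";
	}
	%blacklist = ();
	@whitelist = ();
	# A missing file still yields an empty list, as before, but the failure
	# is reported instead of silently reading from an unopened handle.
	if (open my $wl_fh, '<', '/etc/ipfreeze/ip_whitelist') {
		while (my $line = <$wl_fh>) {
			chomp $line;
			$line =~ s/\A\s+|\s+\z//g;    # tolerate CRLF endings and stray blanks
			next if length $line < 6;    # blank or too short to be an address
			push @whitelist, $line;
		}
		close $wl_fh;
	}
	else {
		warn "cannot open /etc/ipfreeze/ip_whitelist: $!\n";
	}
	if (open my $bl_fh, '<', '/etc/ipfreeze/ip_blacklist') {
		while (my $line = <$bl_fh>) {
			chomp $line;
			$line =~ s/\A\s+|\s+\z//g;
			next if length $line < 6;
			# A negative countdown marks a permanent entry: the main loop
			# only decrements and expires values greater than zero.
			$blacklist{$line} = -20;
		}
		close $bl_fh;
	}
	else {
		warn "cannot open /etc/ipfreeze/ip_blacklist: $!\n";
	}
	update();
	return;
}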
	
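printf("starting firewall blacklist manager v 0.4.5 Grégoire HUBERT 28-07-2003\n");
# Attach to the ip_queue device. copy_range 65535 requests the full packet so
# the IP and TCP headers can be decoded in the main loop. Class-method call
# instead of the indirect "new Class(...)" form.
$queue = IPTables::IPv4::IPQueue->new(copy_mode  => IPQ_COPY_PACKET,
                                      copy_range => 65535)
	    or die IPTables::IPv4::IPQueue->errstr;
if (open my $log_fh, '>>', '/var/log/ipfreeze.log') {
	$localtime = time();
	print {$log_fh} localtime($localtime)." \@\@ Start daemon ipfreeze 0.4.5.\@\@\n";
	close $log_fh;
}
else {
	warn "cannot open /var/log/ipfreeze.log: $!\n";
}
# Initial load of the whitelist/blacklist files and of the iptables chain.
hup();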
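# Main loop: every packet the QUEUE target hands us gets its source address
# blacklisted (unless whitelisted) and is then dropped. When no packet arrives
# within TIMEOUT, the expiry countdown of run-time entries is advanced.
while (1) {
	$packet = $queue->get_message(TIMEOUT);
	if (!defined $packet) {
		# Anything other than a timeout is a queue error we cannot recover from.
		die("ERREUR : '".IPTables::IPv4::IPQueue->errstr."'")
			if IPTables::IPv4::IPQueue->errstr !~ /Timeout/;
		# keys() returns a copy, so deleting while iterating is safe. Entries
		# loaded from ip_blacklist are negative and never expire.
		foreach my $addr (keys %blacklist) {
			next unless $blacklist{$addr} > 0 && --$blacklist{$addr} == 0;
			delete $blacklist{$addr};
			if (open my $log_fh, '>>', '/var/log/ipfreeze.log') {
				$localtime = time();
				print {$log_fh} localtime($localtime)." -- $addr\n";
				close $log_fh;
			}
			$flag = 1;
		}
		# Rebuild the chain once per tick, not once per expired entry.
		if ($flag) {
			update();
			$flag = 0;
		}
		next;
	}
	$ip = NetPacket::IP->decode($packet->payload());
	# NOTE(review): every queued packet is decoded as TCP; for non-TCP traffic
	# dest_port is meaningless, but it is only used in the log line below.
	$tcp = NetPacket::TCP->decode($ip->{data});
	$src_ip_addr = $ip->{src_ip};
	$dst_tcp_port = $tcp->{dest_port};
	# Exact comparison. The source address used to be applied as an unanchored
	# regex against each whitelist entry, so "10.0.0.1" also counted as
	# whitelisted when the list held "10.0.0.10" or any address containing it,
	# and such a sender was never blocked.
	if (grep { $_ eq $src_ip_addr } @whitelist) {
		if (open my $log_fh, '>>', '/var/log/ipfreeze.log') {
			$localtime = time();
			print {$log_fh} localtime($localtime)." == Got packet from whitelisted address $src_ip_addr (dst_port=$dst_tcp_port).\n";
			close $log_fh;
		}
	}
	else {
		$blacklist{$src_ip_addr} = BL_TIME;
		update();
		if (open my $log_fh, '>>', '/var/log/ipfreeze.log') {
			$localtime = time();
			print {$log_fh} localtime($localtime)." ++ $src_ip_addr (dst port=$dst_tcp_port).\n";
			close $log_fh;
		}
	}
	# Whitelisted or not, a packet that reached the QUEUE target is dropped.
	$queue->set_verdict($packet->packet_id(), NF_DROP);
}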

