Parses the OpenBSD authlog against a CIDR whitelist, reloads the pf blacklist table with the brute-force sources, prints and logs every threat added, writes to syslog, has a backup mode, and ships a blocklist of known vulnerability-scanner networks.

This deliberately simple script (no functions, under 100 lines of working code excluding comments and printing, on the principle that easy-to-read is easy-to-audit) gives the OpenBSD administrator a tool to parse the authlog and insert threatening IP addresses into pf (packet filter) tables to block them, with logging and automatic recognition of when the pf table needs reloading. It is intended to be run from crontab.
Requirements:

* An authlog whose logged IP addresses fall into exactly one of the two sets, whitelist or blacklist (XOR: an address is never in both).
* A whitelist that contains the IP addresses that are allowed to authenticate.
* A pf.conf with at least two tables, one a whitelist and one for "badhosts"/"blacklist":
```
## Whitelist
table <whitelist> persist file "/etc/whitelist"
# with "quick" the first matching rule wins, so the whitelist pass must come before the block
pass in quick from <whitelist>

## Badhosts
table <badhosts> persist file "/etc/badhosts"
block in quick from <badhosts>
```
See also the example pf.conf files in the repository. The script also needs a directory for its own logs, by default `/var/log/threats/`.
This script has three named modes plus its default run. Modes are singular (one per invocation, not combinable) and should be run in this order:

* `backup`: `authlog-threats.py backup` writes a `.backup` copy of the authlog (`/var/log/authlog.backup-Month-Day`), of "badhosts" (`/etc/badhosts.backup-Month-Day`), and of the whitelist (`/etc/whitelist.backup-Month-Day`). Old copies are removed by hand, e.g. `rm *.backup-*` in the directory that holds them.
* `test`: `authlog-threats.py test`.
* default (no arguments): `authlog-threats.py` parses the authlog and writes the new threats to the blacklist file, for example `/etc/badhosts`.
* `pf`: `authlog-threats.py pf`, run after the blacklist file has been written, reloads the persist table from that file with the new entries without reloading the entire ruleset. With "badhosts" as the example table it uses the command:

```
pfctl -t badhosts -T replace -f /etc/badhosts
```

Note that `replace` makes the live table match the file exactly. If entries were inserted into the table by other means, for example manually with `pfctl -t badhosts -T add 162.142.125.0/24`, this script will flush those entries unless they are also in `/etc/badhosts`.
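The two mechanics described above, parsing the authlog against a CIDR whitelist and the flush-on-`replace` behaviour of `pfctl -T replace -f`, as an added example. This is not the project's own authlog-threats.py: the authlog excerpt, whitelist, badhosts file and `pfctl -T show` output are constructed, the sshd message patterns are the common OpenSSH wordings and may not match the project's regexes, and the function names are this example's own.

```python
# Added example, not the project's authlog-threats.py. All sample data below
# is constructed for illustration.
import ipaddress
import re

# Common OpenSSH sshd wordings that name the remote address (an assumption;
# the project's own patterns may differ).
_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
    re.compile(r"Invalid user \S+ from (\S+)"),
    re.compile(r"Did not receive identification string from (\S+)"),
    re.compile(r"maximum authentication attempts exceeded for .* from (\S+)"),
]

# Constructed authlog: two brute-force sources, one whitelisted operator with a
# mistyped password, one IPv6 banner scanner, one successful login.
SAMPLE_AUTHLOG = """\
Jun  1 03:14:15 bastion sshd[4021]: Invalid user admin from 192.0.2.55 port 51022
Jun  1 03:14:17 bastion sshd[4021]: Failed password for invalid user admin from 192.0.2.55 port 51022 ssh2
Jun  1 03:20:01 bastion sshd[4077]: Failed password for root from 198.51.100.7 port 40100 ssh2
Jun  1 03:20:03 bastion sshd[4077]: Failed password for root from 198.51.100.7 port 40100 ssh2
Jun  1 03:20:05 bastion sshd[4077]: Failed password for root from 198.51.100.7 port 40100 ssh2
Jun  1 03:20:05 bastion sshd[4077]: error: maximum authentication attempts exceeded for root from 198.51.100.7 port 40100 ssh2 [preauth]
Jun  1 03:31:40 bastion sshd[4130]: Failed password for alice from 203.0.113.9 port 22222 ssh2
Jun  1 03:45:09 bastion sshd[4188]: Did not receive identification string from 2001:db8::bad port 6000
Jun  1 04:00:00 bastion sshd[4200]: Accepted publickey for alice from 203.0.113.9 port 22223 ssh2: ED25519 SHA256:k0q3
"""
SAMPLE_WHITELIST = "# constructed: the operator's network\n203.0.113.0/24\n"
SAMPLE_BADHOSTS = "# constructed hand-maintained blacklist\n192.0.2.0/24\n"
# Constructed `pfctl -t badhosts -T show` output: the second entry was added
# live with `pfctl -t badhosts -T add 162.142.125.0/24` and is not in the file.
SAMPLE_TABLE_SHOW = "   192.0.2.0/24\n   162.142.125.0/24\n"


def load_cidrs(text):
    """Parse one address or CIDR per line; blank lines and # comments ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_whitelisted(ip, whitelist):
    # `ip in net` is False across address families, so mixed lists are safe.
    return any(ip in net for net in whitelist)


def extract_threats(authlog_text, whitelist, threshold=1):
    """Source addresses (as strings) seen at least `threshold` times in
    offending sshd messages, excluding anything covered by the whitelist."""
    counts = {}
    for line in authlog_text.splitlines():
        for pat in _PATTERNS:
            m = pat.search(line)
            if m:
                break
        else:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # a hostname or garbage where an address was expected
            continue
        if not is_whitelisted(ip, whitelist):
            counts[ip] = counts.get(ip, 0) + 1
    return {str(ip) for ip, n in counts.items() if n >= threshold}


def merge_badhosts(existing_text, new_ips):
    """Append new addresses to the badhosts file body, skipping any that an
    existing entry already covers. Returns (new file text, list appended)."""
    existing = load_cidrs(existing_text)
    out = existing_text.rstrip("\n").splitlines()
    added = []
    # sort by (version, address): IPv4 and IPv6 addresses cannot be compared directly
    for ip in sorted(new_ips, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s))):
        if not is_whitelisted(ipaddress.ip_address(ip), existing):
            out.append(ip)
            added.append(ip)
    return "\n".join(out) + "\n", added


def replace_would_flush(table_show_output, badhosts_text):
    """Live table entries (from `pfctl -t <table> -T show`) that
    `pfctl -T replace -f <file>` will drop because they are not in the file."""
    live = set(load_cidrs(table_show_output))
    in_file = set(load_cidrs(badhosts_text))
    return sorted(str(n) for n in live - in_file)


if __name__ == "__main__":
    wl = load_cidrs(SAMPLE_WHITELIST)
    threats = extract_threats(SAMPLE_AUTHLOG, wl)
    new_text, added = merge_badhosts(SAMPLE_BADHOSTS, threats)
    print("threats:", sorted(threats))
    print("appended to badhosts:", added)
    print("replace -f would flush:", replace_would_flush(SAMPLE_TABLE_SHOW, new_text))
```

Run it directly to see the three results. The `threshold` argument is the knob a practitioner usually wants (one failed password from an operator is not a brute force); the whitelisted operator is excluded regardless of count, and 192.0.2.55 is not appended because the existing /24 already covers it.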
Licensees are allowed only to customize the shebang, for proper execution in your environment, and `settings.ini`.

Setup (the script must run as root, since reading the authlog and calling pfctl require it):

* Edit `settings.ini` to map the file paths for your system.
* `chmod 750 authlog-threats.py`, so that no other account or process can modify the script and thereby inject commands into the shell calls it makes.
* `chmod 640 settings.ini`, for the same reason: the paths in it end up in shell commands.
* `mkdir /var/log/threats`, or whatever directory you choose to hold the script logs, matching `settings.ini`.

Then run the modes in order:

```sh
./authlog-threats.py backup
./authlog-threats.py test
./authlog-threats.py
./authlog-threats.py pf
```

Check `/var/log/messages` for confirmation.
Quadhelion Engineering (QHE) has been busy coalescing the known IP address blocks of the vulnerability scanning networks, groups, organisations and corporations in the world and is pleased to pass on this first list to you for pf uptake. The comprehensive pf.conf in this repository uses this list. The ethical reasoning behind this release is that a good admin can easily run their own vulnerability scans with CISA, SCAP, Nuclei, and Nmap; this way, nobody with a credit card can buy your insecurity.
This list covers the following:
* Akamai
* Amazon
* BinaryEdge
* Censys
* Criminal IP, AiSpera
* Internet Census Group
* Internet-Measurement
* Microsoft
* Onyphe
* Palo Alto Networks
* Recyber
* Shadowserver
* Shodan
* ZoomEye
The technical reason is obvious: performance. Quadhelion Engineering has observed on its own server that unwanted, uninformed, unpermitted, ill-timed vulnerability scanning accounts for 10k hits per week and has a noticeable effect on visitor performance. The other half of the technical reason is that this Software repository is based on OpenBSD, where vulnerabilities are extremely rare.

QHE has contacted every known vulnerability-scanning vendor and obtained the IP addresses directly from their representatives where possible. In cases where that was not possible, such as Internet Census, AiSpera Criminal IP, Shodan, and ZoomEye, great effort was taken to obtain IP information from every available source, including logs from other admins. Painstaking work was done to double-verify every single IP address and format the result as single-column CIDR. There are no known false positives in the list as of June 1.
During this laborious process two teams stood out for their great attitude, technical excellence, and openness: Shadowserver and Onyphe.
This IP list is not static and will change. It is up to you to keep it updated until I release the tools to automatically do so in the future!!
Quadhelion Engineering's server also captured an enormous amount of scanning from Google's "Safe Browsing" servers, often at double the rate of the vulnerability scanning and from multiple IP addresses concurrently. Google uses a rolling address pool and does not disclose its "Safe Browsing" servers, so accumulating this data was a challenge; much of it comes from QHE server logs over a one-month period and from paid DNS tools searching for 1e100.net.

After a month of blocking Google Safe Browsing and checking my website's "Google Status", no ill effects have occurred. You should periodically check your own website against Google's website database. My approach seems to have worked.

QHE has also observed that most of the malicious, uniform and traceable hacker traffic intent on exploiting vulnerabilities originated from newly created Digital Ocean (DO) virtual machines. The menace list therefore blocks the entire DO ASN pool. The DO menace list is broken down by city datacenter, so that if you consume or provide a service that relies on DO you can uncomment your datacenter.

Like the scanner list, the menace list is not static and will change. It is up to you to keep it updated until I release the tools to automatically do so in the future!
Crontab examples (use root's crontab, since reading the authlog and running pfctl require root; edit it with `crontab -e`):

```
# No output, no email, running at 1AM nightly
0 1 * * * /path/to/authlog-threats.py > /dev/null 2>&1
# Output appended to a log, running at 1AM nightly
0 1 * * * /path/to/authlog-threats.py >> /home/$USER/authlog-threats-output.log
# Backups every third day
45 0 1-28/3 * * /path/to/authlog-threats.py backup
```
Since this Software builds shell commands, it must be installed in a secure directory whose parent directory grants no permissions to "other" (world), so that no other account can replace the script or its settings, and it needs no network access.

Every Licensee is encouraged to implement the full range of guidelines in the accompanying Security Audit to ensure the security of the Software and the System it runs on.
Please follow these guidelines should you find a vulnerability not addressed in the audit.
This script has no networking and opens no sockets, uses only standard libraries, neither changes nor sets permissions, performs only one file operation per system file per mode, and does not open any system file in [full] "write" mode. It appends to a single system file only, and terminates on any error.

Although this script uses `subprocess.run(shell=True)`, the only possibility of shell injection is through the paths customized by the Licensee in `settings.ini`, or through unauthorized access to the filesystem the script resides on in order to modify the commands.
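Why that caveat matters and how to remove the dependence on file permissions, as an added example that is not the project's code: the same `pfctl ... replace -f` command built as a `shell=True` string versus an argv list, a tokeniser that shows what `/bin/sh` would make of a malicious path from `settings.ini`, and a path check. The malicious path, the function names and the `is_safe_path` character set are this example's assumptions.

```python
# Added example, not the project's code. The hostile path below is constructed.
import re
import shlex
import subprocess


def build_replace_argv(table, path):
    """argv form: the path is exactly one argument, never parsed by a shell."""
    return ["pfctl", "-t", table, "-T", "replace", "-f", path]


def build_replace_shell(table, path, quote=False):
    """shell=True form as a command string; quote=True applies shlex.quote."""
    if quote:
        path = shlex.quote(path)
    return f"pfctl -t {table} -T replace -f {path}"


def shell_words(command):
    """Tokenise the way /bin/sh would; a bare ';' comes back as its own token,
    which is the point at which a path has become a second command."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def is_safe_path(path):
    """Accept only absolute paths made of a conservative character set, with no
    parent-directory segments. Anything a shell could interpret is rejected."""
    return bool(re.fullmatch(r"/[A-Za-z0-9._/-]+", path)) and ".." not in path


def reload_table(table, path, run=subprocess.run):
    """Reload a pf table from file without shell parsing and with the path
    validated first. `run` is injectable so the call can be inspected without
    pfctl being present (assumption for this example)."""
    if not is_safe_path(path):
        raise ValueError(f"refusing unsafe path from settings.ini: {path!r}")
    return run(build_replace_argv(table, path), check=True)


if __name__ == "__main__":
    evil = "/etc/badhosts; id"  # constructed: what a tampered settings.ini could hold
    print("shell=True, unquoted:", shell_words(build_replace_shell("badhosts", evil)))
    print("shell=True, quoted:  ", shell_words(build_replace_shell("badhosts", evil, quote=True)))
    print("argv form:           ", build_replace_argv("badhosts", evil))
    print("path check:", is_safe_path("/etc/badhosts"), is_safe_path(evil))
```

The unquoted string splits into `pfctl ... -f /etc/badhosts` followed by `;` and `id`, i.e. a second command run with the script's privileges; quoting or the argv form keeps the whole string as one filename that pfctl will simply fail to open. Validating the path as well means a tampered `settings.ini` produces a refusal instead of a command.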
Firewall icon created by Nikita Golubev