#!/usr/bin/sudo /bin/bash
## safety instructions: ##
## chown root:root ##
## chmod 0755 ##
#
## fwblock4time
# need root-rights, see below
# need at ( e.g. apt install at)
# need sudo (e.g. apt install sudo)
# need iptables
# need fwblock
# need fwunblock
## Using with mod_evasive:
# copy this script to "/opt/fastix/fwblock4time"
# do: "chown root:root /opt/fastix/fwblock4time"
# do: "chmod 700 /opt/fastix/fwblock4time"
# do: ln -s /opt/fastix/fwblock4time /usr/local/sbin/fwblock4time
# install sudo and/or at
# use "sudo visudo" to insert a row "www-data ALL=NOPASSWD: /usr/local/sbin/fwblock4time" into /etc/sudoers
# set 'DOSSystemCommand "sudo /usr/local/sbin/fwblock4time %s 10"' (to block the ip for 10 minutes) in /etc/apache2/mods-available/evasive.conf
## Args:
# First: String, The IP (If unset the skript will exit with error 1)
# Second: Integer minutes to unblock (If unset the default is 1 minute.
# Hint: show `man at` for formates)
# Hint: show /etc/apache2/mods-available/evasive.conf for the time (DOSBlockingPeriod)
## Settings:
fwblock='/usr/local/sbin/fwblock';
fwunblock='/usr/local/sbin/fwunblock';
DOSLogDir='/tmp'; # show in /etc/apache2/mods-available/evasive.conf
## RUN!
if [ ! -f /var/run/atd.pid ]; then
echo "Fatal: The at-demon is not running!" >&2;
fi
if [ -z "${1}" ]; then
echo "No IP given. This is a Error." >&2;
exit 1;
fi
ip=$(echo -n "${1}" | tr -cd '0123456789./');
bt=$(echo -n "${2}" | tr -cd '0123456789');
if [ 0 -eq $(($bt)) ]; then
bt='now +1minutes';
else
bt="now +${bt}minutes";
fi
echo "IP ${ip} will blocked temporary. Block end in '${bt}'" | logger -t 'fwblock4time';
if ${fwblock} ${ip}; then
cmd="${fwunblock} '${ip}'; rm '/var/log/apache2/dos-${ip}'";
ret=$(echo ${cmd} | at ${bt} 1>/dev/null 2>/dev/null; echo $?);
if [ 0 -ne ${ret} ]; then
echo -en "Sorry. Error ${ret} by putting the job to the atd. You have to delete the IP ${ip} manually.\nUse ${cmd} to do that.\n";
fi
else
echo "Sorry. calling '${fwblock}' exits with error ${?}";
fi