BAN-HACKERS is a Perl script which blocks access to your WWW server for potential hackers. It cooperates with the ModSecurity web application firewall: every IP address caught by the firewall is automatically added to the "iptables" netfilter and to a SQLite database.
This database also remembers when each IP was added, so after a specified time every IP address can be purged from the database and from "iptables".
You can also define a "whitelist": its elements are never added to the DB or to iptables.
Installation
Notice: I assume that your WWW server runs as the "apache" user and that you want to install my script in the /usr/local/apache2/bin directory.
Install the DBD::SQLite module with the following command
cpan DBD::SQLite
Execute visudo and append the following line
apache ALL=(root) NOPASSWD:/sbin/iptables -I INPUT -p tcp --dport 80 -s * -j DROP
Append the following lines to /etc/crontab (the entries include a user field, so they belong in the system crontab, not in a per-user crontab edited with crontab -e)
MAILTO=root
# Every minute check the database for new ip# to ban
* * * * * root /usr/local/apache2/bin/ban-hackers.pl add
# Every hour purge expired entries
0 * * * * root /usr/local/apache2/bin/ban-hackers.pl purge
(ModSecurity version 1.9.*) In your mod_security config file find the line which contains the SecFilterDefaultAction directive and append the following string to its value
,exec:/usr/local/apache2/bin/ban-hackers.pl
(ModSecurity version 2.*) Append the following line to your mod_security config file
SecRule RESPONSE_STATUS "^418$" "exec:/usr/local/apache2/bin/ban-hackers.pl,msg:'Address has been blocked',severity:5,phase:5"
where 418 is the response status code used by the deny and redirect actions; it is set with the SecDefaultAction directive.
Configuration
By default, IP addresses which were added to the database 120 hours (5 days) ago or earlier are purged from the DB and from iptables, as long as the number of elements in the DB doesn't exceed 200.
If the number of elements in the DB exceeds 200, then IP addresses which were added 24 hours ago or earlier are purged.
If you want to disable the first rule, edit my script and assign the value 0 to the $standard_period variable. Purging when the number of elements exceeds the limit can be disabled by assigning the value 0 to the $max_elements variable.
If you want to change the limit itself, assign a value greater than 0.
The database is stored in the /usr/local/apache2/logs/hackers.sqlite file. If you
want to change it, edit my script and change the value of the $dbname variable.
If you want to define the whitelist, edit my script and modify the contents of the %whitelist hash. Every IP address which shouldn't be added to the DB (and iptables)
must be a key in the hash; the value can be anything.
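The purge policy and the whitelist check described above, as an added Perl example that is not the ban-hackers.pl script itself; the table layout (an ip column and an added column holding a Unix timestamp), the table name and the sample addresses are assumptions:

```perl
#!/usr/bin/perl
# Added example, not the ban-hackers.pl script: the purge policy from the
# Configuration section, run against an in-memory SQLite table filled with
# constructed sample rows. Table layout (ip, added as Unix timestamp) is assumed.
use strict;
use warnings;
use DBI;

# Settings with the documented defaults; 0 disables the respective rule.
my $standard_period = 120;   # hours: entries this old or older are purged
my $max_elements    = 200;   # above this many rows, entries 24 h old or older are purged
my %whitelist = ('127.0.0.1' => 1, '192.0.2.10' => 1);   # keys matter, values do not

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE hackers (ip TEXT PRIMARY KEY, added INTEGER NOT NULL)');

# What an "add" run does for one address: skip whitelisted IPs, otherwise record it.
sub add_ip {
    my ($dbh, $ip, $when) = @_;
    return 0 if exists $whitelist{$ip};
    # The real script also inserts an iptables DROP rule for $ip at this point.
    return $dbh->do('INSERT OR IGNORE INTO hackers (ip, added) VALUES (?, ?)', undef, $ip, $when);
}

# What a "purge" run does: pick the age limit, delete rows at or beyond it.
sub purge_expired {
    my ($dbh, $now) = @_;
    my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM hackers');
    my $hours;
    if    ($max_elements > 0 && $count > $max_elements) { $hours = 24 }
    elsif ($standard_period > 0)                        { $hours = $standard_period }
    return [] unless defined $hours;                    # both rules disabled
    my $cutoff  = $now - $hours * 3600;
    my $victims = $dbh->selectcol_arrayref('SELECT ip FROM hackers WHERE added <= ?', undef, $cutoff);
    # The real script also removes the iptables rule for each purged address here.
    $dbh->do('DELETE FROM hackers WHERE added <= ?', undef, $cutoff);
    return $victims;
}

# Constructed sample data: TEST-NET addresses with their age in hours.
my $now = time;
my %age = ('198.51.100.1' => 1, '198.51.100.2' => 30, '198.51.100.3' => 130, '192.0.2.10' => 200);
add_ip($dbh, $_, $now - $age{$_} * 3600) for sort keys %age;

my $purged = purge_expired($dbh, $now);
print "purged: @$purged\n";
my $left = $dbh->selectcol_arrayref('SELECT ip FROM hackers ORDER BY ip');
print "still banned: @$left\n";
```

Lower $max_elements to 2 and rerun to see the 24-hour rule take over once the table holds more rows than the limit.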