#!/usr/bin/env bash
#
# Hello, lovely FastNetMon customer! I'm really happy to see you here!
# Pavel Odintsov, author
#
#
# Instructions:
#
# Copy this script to /usr/local/bin/
# Edit /etc/fastnetmon.conf and set:
# notify_script_path = /usr/local/bin/notify_with_slack.sh
#
# Add your email address to email_notify.
#
# Add your Slack incoming webhook to slack_url. The webhook URL is a credential (anyone
# holding it can post to your channel): keep this file readable only by the user
# FastNetMon runs as (e.g. chmod 0700), and rotate the webhook in Slack if it leaks.
# slack_url="https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXXX/LXXXXXXXXX"
#
# Notes:
# hostname lookup requires the dig command.
# Debian: apt-get install dnsutils
# Redhat: yum install bind-utils
#
# For the ban and attack_details actions, the attack details are passed to this script on stdin
# if the option notify_script_pass_details is enabled in FastNetMon's configuration file.
#
# If you do not need these details, set the option notify_script_pass_details to "no".
#
# Do not remove the following stdin read if notify_script_pass_details is enabled:
# FastNetMon expects the script to consume that data and will crash otherwise.
#
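# FastNetMon hands the attack details to this script on stdin for the "ban" and
# "attack_details" actions when notify_script_pass_details is enabled. The read
# must always happen for those actions: FastNetMon blocks until the script has
# drained its stdin (see the header comment).
fastnetmon_output=""
if [ "$4" = "ban" ] || [ "$4" = "attack_details" ]; then
  fastnetmon_output=$(</dev/stdin)
fi

# This script will get following params:
# $1 client_ip_as_string
# $2 data_direction
# $3 pps_as_string
# $4 action (ban, unban or attack_details)

# Target hostname: reverse lookup of the client IP.
# The PTR record is set by whoever controls the reverse zone for that address,
# so the result is untrusted text: it is only ever used as data and is
# JSON-escaped before it goes into the Slack payload. Without dig installed
# (see the header) the lookup is skipped and the hostname stays empty.
hostname=""
if [ -n "$1" ] && command -v dig >/dev/null 2>&1; then
  hostname=$(dig -x "$1" +short)
fi

# Email:
email_notify="root,please_fix_this_email@domain.ru"

# Slack:
# slack_url is a credential: anyone holding the incoming-webhook URL can post
# to the channel. Keep this file readable only by the user FastNetMon runs as.
slack_url=""
slack_title="FastNetMon Alert!"
# slack_text holds real newlines; they become JSON "\n" escapes when the payload
# is built, together with any quotes, backslashes or control characters that the
# hostname or the attack details (packet dumps) may contain.
slack_text="IP: ${1}
Hostname: ${hostname}
Attack: ${2}
PPS: ${3}
Action: ${4}

${fastnetmon_output}"
slack_action=${4}

#######################################
# JSON-escape a string for use inside a double-quoted JSON string value.
# Arguments: $1 - raw text (may contain quotes, backslashes, newlines)
# Outputs:   the escaped text on stdout, without a trailing newline
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\}          # backslash first, so the escapes added below stay intact
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  # JSON does not allow any other raw control character inside a string; drop them.
  printf '%s' "$s" | tr -d '\000-\010\013\014\016-\037'
}

#######################################
# Build the Slack incoming-webhook payload (one attachment).
# Arguments: $1 - attachment title, $2 - attachment text, $3 - attachment color
# Outputs:   the JSON document on stdout
#######################################
slack_payload_json() {
  printf '{"attachments": [ { "title": "%s", "text": "%s", "color": "%s" } ] }\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

#######################################
# Post the alert to Slack. Does nothing unless slack_url is set and
# slack_action is one of ban / attack_details / unban.
# Globals:   slack_url, slack_action, slack_title, slack_text (read)
# Returns:   0 when there is nothing to send, otherwise curl's exit status
#######################################
slackalert() {
  local slack_color
  [ -n "$slack_url" ] || return 0
  case "$slack_action" in
    ban)            slack_color="danger" ;;
    attack_details) slack_color="warning" ;;
    unban)          slack_color="good" ;;
    *)              return 0 ;;
  esac

  local slack_payload
  slack_payload=$(slack_payload_json "$slack_title" "$slack_text" "$slack_color")

  # The webhook URL is handed to curl through a config file on stdin instead of
  # argv, so it is not visible in `ps` output while curl runs. The payload is
  # not secret and may stay on the command line.
  curl --connect-timeout 30 --max-time 60 -s -S -X POST \
    -H 'Content-type: application/json' \
    --data "${slack_payload}" \
    --config - <<EOF
url = "${slack_url}"
EOF
}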
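# Dispatch on the action FastNetMon passed in $4. Every handled action exits
# explicitly; an unknown action falls through and the script ends with status 0.
case "$4" in
  unban)
    # Slack Alert:
    slackalert

    # Unban actions if used. If you enable the ban rules below, delete the
    # same rules here so they do not accumulate in the chain, e.g.:
    # iptables -D INPUT -s "$1" -j DROP
    # iptables -D INPUT -d "$1" -j DROP
    exit 0
    ;;

  ban)
    # Email Alert: the attack details read from stdin are the mail body.
    # printf rather than echo, so a body starting with "-n"/"-e" or containing
    # backslashes is sent as-is instead of being reinterpreted by echo.
    printf '%s\n' "${fastnetmon_output}" \
      | mail -s "FastNetMon Alert: IP $1 blocked because of $2 attack with power $3 pps" "$email_notify"

    # Slack Alert:
    slackalert

    # You can add ban code here!
    # iptables -A INPUT -s "$1" -j DROP
    # iptables -A INPUT -d "$1" -j DROP
    exit 0
    ;;

  attack_details)
    # Email Alert:
    printf '%s\n' "${fastnetmon_output}" \
      | mail -s "FastNetMon Analysis: IP $1 blocked because of $2 attack with power $3 pps" "$email_notify"

    # Slack Alert:
    slackalert
    exit 0
    ;;
esac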