Compare commits
6 Commits
d44385daf4
...
1faae9e401
Author | SHA1 | Date | |
---|---|---|---|
Pavel Odintsov | 1faae9e401 | ||
Pavel Odintsov | 964f1f1e3f | ||
Pavel Odintsov | 495ecda9e4 | ||
Pavel Odintsov | 48f8504a22 | ||
Pavel Odintsov | b0f7fdb064 | ||
Pavel Odintsov | 7102f666b0 |
|
@ -53,7 +53,7 @@ if action == "unban":
|
|||
|
||||
sys.exit(0)
|
||||
|
||||
elif action == "ban" or action == "attack_details":
|
||||
elif action == "ban":
|
||||
|
||||
r = axapi_action(mitigator_base_url+ddos_dst_zone_path, method='GET', signature=signature)
|
||||
try:
|
||||
|
|
|
@ -61,7 +61,7 @@ $conn = new Device($cfg);
|
|||
switch($ACTION_ATTACK){
|
||||
case 'ban':
|
||||
try{
|
||||
$desc = 'FastNetMon Guard: IP '. $IP_ATTACK .' unblocked because '. $DIRECTION_ATTACK .' attack with power '. $POWER_ATTACK .' pps | at '.$fecha_now;
|
||||
$desc = 'FastNetMon Community: IP '. $IP_ATTACK .' unblocked because '. $DIRECTION_ATTACK .' attack with power '. $POWER_ATTACK .' pps | at '.$fecha_now;
|
||||
$conn->connect(); //Try conect or catch NetconfException (Wrong username, Timeout, Device not found, etc)
|
||||
$locked = $conn->lock_config(); //Equivalent of "configure exclusive" on Juniper CLI
|
||||
if($locked){
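Review bot: The rewritten `$desc` in the `case 'ban':` branch, `$desc = 'FastNetMon Community: IP '. $IP_ATTACK .' unblocked because '. $DIRECTION_ATTACK ...`, still says "unblocked" although this is the ban path; the unban branch in the next hunk uses "remove from blacklist", so this one should read `' blocked because '`. Since `$desc` appears to be the text pushed into the device configuration (its use is below the hunk), a misleading annotation will confuse whoever later audits the blackhole entries on the router. The enclosing `switch($ACTION_ATTACK)` body continues outside the hunk.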
|
||||
|
@ -83,7 +83,7 @@ switch($ACTION_ATTACK){
|
|||
break;
|
||||
case 'unban':
|
||||
try{
|
||||
$desc = 'FastNetMon Guard: IP '. $IP_ATTACK .' remove from blacklist.';
|
||||
$desc = 'FastNetMon Community: IP '. $IP_ATTACK .' remove from blacklist.';
|
||||
$conn->connect(); //Try conect or catch NetconfException (Wrong username, Timeout, Device not found, etc)
|
||||
$locked = $conn->lock_config(); //Equivalent of "configure exclusive" on Juniper CLI
|
||||
if($locked){
|
||||
|
|
|
@ -65,7 +65,7 @@ $API = new RouterosAPI();
|
|||
if ( $API->connect( $cfg[ ip_mikrotik ], $cfg[ api_user ], $cfg[ api_pass ] ) ) {
|
||||
//add Blocking by route blackhole
|
||||
if ( $ACTION_ATTACK == "ban" ) {
|
||||
$comment_rule = 'FastNetMon Guard: IP ' . $IP_ATTACK . ' blocked because ' . $DIRECTION_ATTACK . ' attack with power ' . $POWER_ATTACK . ' pps | at '.$fecha_now;
|
||||
$comment_rule = 'FastNetMon Community: IP ' . $IP_ATTACK . ' blocked because ' . $DIRECTION_ATTACK . ' attack with power ' . $POWER_ATTACK . ' pps | at '.$fecha_now;
|
||||
$API->write( '/ip/route/add', false );
|
||||
$API->write( '=dst-address=' . $IP_ATTACK, false );
|
||||
$API->write( '=type=blackhole', false );
|
||||
|
@ -79,7 +79,7 @@ if ( $API->connect( $cfg[ ip_mikrotik ], $cfg[ api_user ], $cfg[ api_pass ] ) )
|
|||
}
|
||||
if ( $ACTION_ATTACK == "unban" ) {
|
||||
// remove the blackhole rule
|
||||
$comment_rule = 'FastNetMon Guard: IP ' . $IP_ATTACK . ' remove from blacklist ';
|
||||
$comment_rule = 'FastNetMon Community: IP ' . $IP_ATTACK . ' remove from blacklist ';
|
||||
$API->write( '/ip/route/print', false );
|
||||
$API->write( '?dst-address=' . $IP_ATTACK . "/32" );
|
||||
$ID_ARRAY = $API->read();
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
email_notify="please_fix_this_email@domain.com"
|
||||
|
||||
# For ban and attack_details actions we will receive attack details to stdin
|
||||
# For ban action we will receive attack details to stdin
|
||||
# Please do not remove "cat" command because
|
||||
# FastNetMon will crash in this case as it expects read of data from script side
|
||||
#
|
||||
|
@ -19,7 +19,7 @@ email_notify="please_fix_this_email@domain.com"
|
|||
if [ "$4" = "ban" ]; then
|
||||
# This action receives multiple statistics about attack's performance and attack's sample to stdin
|
||||
|
||||
cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" $email_notify;
|
||||
cat | mail -s "FastNetMon Community: IP $1 blocked because $2 attack with power $3 pps" $email_notify;
|
||||
|
||||
# Please add actions to run when we ban host
|
||||
exit 0
|
||||
|
|
|
@ -53,7 +53,7 @@ def mail(subject, body):
|
|||
|
||||
|
||||
if action == "unban":
|
||||
subject = "Fastnetmon Guard: IP %(client_ip_as_string)s unblocked because %(data_direction)s attack with power %(pps_as_string)d pps" % {
|
||||
subject = "FastNetMon Community: IP %(client_ip_as_string)s unblocked because %(data_direction)s attack with power %(pps_as_string)d pps" % {
|
||||
'client_ip_as_string': client_ip_as_string,
|
||||
'data_direction': data_direction,
|
||||
'pps_as_string' : pps_as_string,
|
||||
|
@ -63,7 +63,7 @@ if action == "unban":
|
|||
mail(subject, "unban")
|
||||
sys.exit(0)
|
||||
elif action == "ban":
|
||||
subject = "Fastnetmon Guard: IP %(client_ip_as_string)s blocked because %(data_direction)s attack with power %(pps_as_string)d pps" % {
|
||||
subject = "FastNetMon Community: IP %(client_ip_as_string)s blocked because %(data_direction)s attack with power %(pps_as_string)d pps" % {
|
||||
'client_ip_as_string': client_ip_as_string,
|
||||
'data_direction': data_direction,
|
||||
'pps_as_string' : pps_as_string,
|
||||
|
@ -73,18 +73,6 @@ elif action == "ban":
|
|||
body = "".join(sys.stdin.readlines())
|
||||
mail(subject, body)
|
||||
|
||||
sys.exit(0)
|
||||
elif action == "attack_details":
|
||||
subject = "Fastnetmon Guard: IP %(client_ip_as_string)s blocked because %(data_direction)s attack with power %(pps_as_string)d pps" % {
|
||||
'client_ip_as_string': client_ip_as_string,
|
||||
'data_direction': data_direction,
|
||||
'pps_as_string' : pps_as_string,
|
||||
'action' : action
|
||||
}
|
||||
body = "".join(sys.stdin.readlines())
|
||||
|
||||
|
||||
mail(subject, body)
|
||||
sys.exit(0)
|
||||
else:
|
||||
sys.exit(0)
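Review bot: With the `elif action == "attack_details":` branch removed, an unrecognised action now reaches the final `else: sys.exit(0)` silently, so a FastNetMon instance still configured to send `attack_details` would produce neither a mail nor any diagnostic. A one-line message before exiting, `sys.stderr.write("unknown action: %s\n" % action)`, makes the misconfiguration visible in the daemon log; whether to also return a non-zero status depends on how FastNetMon treats script exit codes. Separately, `body = "".join(sys.stdin.readlines())` is equivalent to `body = sys.stdin.read()`. The if/elif chain begins before this hunk.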
|
||||
|
|
|
@ -31,10 +31,6 @@ if [ "$fastnetmon_action" = "ban" ]; then
|
|||
# Read data from stdin
|
||||
cat > /dev/null
|
||||
color="14425373"
|
||||
elif [ "$fastnetmon_action" = "attack_details" ]; then
|
||||
# Read data from stdin
|
||||
cat > /dev/null
|
||||
color="16765184"
|
||||
elif [ "$fastnetmon_action" = "unban" ]; then
|
||||
color="3857437"
|
||||
else
|
||||
|
|
|
@ -21,12 +21,12 @@
|
|||
# Redhat: yum install bind-utils
|
||||
|
||||
#
|
||||
# For ban and attack_details actions we will receive attack details to stdin
|
||||
# For ban action we will receive attack details to stdin
|
||||
# Please do not remove the following command because
|
||||
# FastNetMon will crash in this case (it expect read of data from script side).
|
||||
#
|
||||
|
||||
if [ "$4" = "ban" ] || [ "$4" = "attack_details" ]; then
|
||||
if [ "$4" = "ban" ]; then
|
||||
fastnetmon_output=$(</dev/stdin)
|
||||
fi
|
||||
|
||||
|
@ -51,8 +51,6 @@ slack_action=${4}
|
|||
function slackalert () {
|
||||
if [ ! -z $slack_url ] && [ "$slack_action" = "ban" ]; then
|
||||
local slack_color="danger"
|
||||
elif [ ! -z $slack_url ] && [ "$slack_action" = "attack_details" ]; then
|
||||
local slack_color="warning"
|
||||
elif [ ! -z $slack_url ] && [ "$slack_action" = "unban" ]; then
|
||||
local slack_color="good"
|
||||
else
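Review bot: `$slack_url` is unquoted in the tests on `if [ ! -z $slack_url ] && [ "$slack_action" = "ban" ]; then` and the matching `elif ... "unban"` line; with an empty value the test degenerates to `[ ! -z ]`, which happens to evaluate false, but a value containing whitespace makes `[` fail with a syntax error. Use `[ -n "$slack_url" ]` on both lines. The `slackalert` function continues past the `else` outside the hunk.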
|
||||
|
@ -79,11 +77,3 @@ if [ "$4" = "ban" ]; then
|
|||
# iptables -A INPUT -d $1 -j DROP
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$4" = "attack_details" ]; then
|
||||
# Email Alert:
|
||||
echo "${fastnetmon_output}" | mail -s "FastNetMon Analysis: IP $1 blocked because of $2 attack with power $3 pps" $email_notify;
|
||||
# Slack Alert:
|
||||
slackalert
|
||||
exit 0
|
||||
fi
|
||||
|
|