Shell script to block IP addresses


2

Is it possible to write a shell script that checks connections on an Apache server, automatically blocks suspicious IP addresses with a large number of connections, and automatically sends an e-mail to the system administrator? Please help.

I have also heard of fail2ban. Would it be practical to use fail2ban or a shell script, given that the shell script has to be run at regular time intervals? Any comments?

0

fail2ban will do exactly what you have described.

It checks for connections which try to connect too often. You can do some configurations with fail2ban to check different situations and ban an IP address for a specific time or forever. And of course it can send you a mail report.

I'm using it with logcheck, which gives me a more readable output of the fail2ban messages.


3

As I was reading the first paragraph, I was thinking about fail2ban.

The biggest issue here is detecting a bad user. If you do that manually, skip fail2ban and use sudo ufw deny from 1.2.3.4. That will be a permanent block but there you go.

fail2ban works best when your system (any service, including a dynamic website) sends things to the logs (syslog or service specific). fail2ban then has a stack of things to look for and then what to do if it finds things.

For example, I'm currently employing a fail2ban plugin for WordPress that sends events to syslog. fail2ban detects three incorrect tries and then blocks the IP for five minutes. It's genius stuff that has pretty much entirely blocked brute-force attacks. I mention that plugin as it's a good example of a simple custom-written ruleset. It's easy to see how it works and adapt it for your own needs.

Email notification is pretty simple but you can go further and email nmap scans back. Thinking about it, it might be worth running the IP through a whois, extracting the abuse email and automatically sending an abuse report when you ban a user (explaining why).
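
A log-counting check of the kind the question asks about, as an added example that is not part of any answer in this thread: it counts requests per client in Apache access-log lines and prints, for review, the `ufw deny from` command quoted above for each client over a threshold. The function names, threshold, allowlist, log path, mail address and sample log lines are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Dry run: it prints ufw commands
# for review and never changes firewall rules itself.

# Assumption: addresses that must never be blocked (space-separated).
ALLOWLIST="${ALLOWLIST:-127.0.0.1 ::1}"

# Read access-log lines on stdin; print "COUNT IP" for every client with at
# least $1 requests. In Apache's common/combined format the client is field 1.
noisy_ips() {
    awk -v t="${1:-100}" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # Count only fields made of IP-address characters, so no other log
        # content can end up inside a firewall command.
        $1 ~ /^[0-9A-Fa-f:.]+$/ && !($1 in skip) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t + 0) print hits[ip], ip }
    ' | sort -rn
}

# One reviewable command per offender, in the form of the manual block.
block_commands() {
    noisy_ips "${1:-100}" | while read -r count ip; do
        printf 'ufw deny from %s  # %s requests\n' "$ip" "$count"
    done
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_log() {
    i=0
    while [ "$i" -lt 5 ]; do
        echo '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /login HTTP/1.1" 401 512'
        echo '127.0.0.1 - - [10/Oct/2024:13:55:36 +0000] "GET /server-status HTTP/1.1" 200 900'
        i=$((i + 1))
    done
    echo '198.51.100.4 - - [10/Oct/2024:13:55:40 +0000] "GET / HTTP/1.1" 200 1043'
}

# From cron (log path and mail address are assumptions):
#   tail -n 5000 /var/log/apache2/access.log | block_commands 100 \
#       | mail -s "Apache: noisy clients" admin@example.com
if [ "${1:-}" = "--demo" ]; then
    sample_log | block_commands 3    # ufw deny from 203.0.113.7  # 5 requests
fi
```

Running the script with `--demo` shows the result on the constructed log; the allowlisted 127.0.0.1 is skipped even though it has as many requests as the flagged client.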


0

You can also use AIPA (https://aipa.elineo.eu) to block IPs listed on blacklists such as abuseipdb.com, blocklist.de or myip.ms.