hjkhhrteuiluiliuuiluiluiluilrtrt
bnmbertsdfsdfluiluiluiluiluiluiltdfg
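#!/bin/bash
#
# Nagios-side helper that samples inbound HTTP/HTTPS connections, counts them
# per remote address and, when a non-CDN address reaches the threshold,
# blocks it through the first firewall found (CSF, then Imunify360, then ufw).
#
# Files (all under /usr/lib64/nagios/plugins/bc):
#   bc_network_connection_details.txt  one remote address per connection, rebuilt each run
#   cloudflare_networks.txt            cached exclusion list, refreshed daily
# Lock: /tmp/<script name>.lock; a lock older than 60 minutes is treated as stale.
#
# No `set -e` / `pipefail` here on purpose: most pipelines end in grep, which
# returns 1 on "nothing matched", and that is a normal outcome for this script.
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

bc_dir=/usr/lib64/nagios/plugins/bc
network_connection_details=$bc_dir/bc_network_connection_details.txt
cloudflare_networks=$bc_dir/cloudflare_networks.txt
cloudflare_networks_url=ims.bobcares.com/nagios/cloudflare_networks.txt
# Set to 0 to collect counts only and never touch the firewall.
enable_ip_block=1
# Connections from one address needed before it becomes a blocking candidate
# (compared with >=, so exactly 100 already qualifies).
block_threshold=100
# PTR fragments that exempt an address from blocking (matched case-insensitively).
# NOTE(review): a PTR record is set by whoever controls the address's reverse
# zone, so this exemption is spoofable - a PTR containing "cdn" or "amazon" is
# enough to never be blocked. Treat it as a courtesy for known crawlers/CDNs,
# not as a security control; forward-confirming the PTR would make it harder
# to abuse.
cdn_rdns_pattern='akamaitechnologies|cloudfront\.net|cdn|sucuri\.net|uptimerobot\.com|googlebot\.com|search\.msn\.com|aws|amazon|amazonaws\.com'

# Print the IPv4 address of every local interface, one per line.
find_local_ip() {
  ip addr | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2 }'
}

# Delete every line of the connection file that is exactly $1.
# Whole-line, escaped semantics: "10.0.0.1" no longer also removes
# "10.0.0.10" or "110.0.0.1", and a "/" (CIDR) no longer aborts the sed
# script. Values that do not look like an address/CIDR are ignored rather
# than interpolated into sed, because one caller feeds in a downloaded list.
remove_exact_line() {
  local addr=$1 pattern
  [ -n "$addr" ] || return 0
  case $addr in
    *[!0-9A-Fa-f.:/]*) return 0 ;;
  esac
  pattern=$(printf '%s' "$addr" | sed 's|[./]|\\&|g')
  sed -i "/^${pattern}\$/d" -- "$network_connection_details"
}

# Refresh the cached Cloudflare network list. The download goes to a temp
# file and replaces the cache only on success: `wget -O cache` truncates the
# cache before transferring, so a failed fetch used to leave an empty
# exclusion list and every Cloudflare edge became a blocking candidate.
# NOTE(review): the URL carries no scheme, so this is plain HTTP with no
# integrity check; a network attacker can shrink or pad the exclusion list.
# Move it to HTTPS (ideally with a pinned checksum) if the host supports it.
get_cloudflare_ips() {
  local tmp
  tmp=$(mktemp "${cloudflare_networks}.XXXXXX") || return 1
  if wget -O "$tmp" "$cloudflare_networks_url" && [ -s "$tmp" ]; then
    # mktemp creates 0600; keep the cache world-readable as wget -O did.
    chmod 0644 "$tmp" && mv -f -- "$tmp" "$cloudflare_networks"
  else
    rm -f -- "$tmp"
    return 1
  fi
}

# Print the cached Cloudflare list, refreshing it when missing or older than
# a day. A failed refresh keeps whatever copy is already on disk.
print_cloudflare_ips() {
  local now changed
  if [ -f "$cloudflare_networks" ]; then
    now=$(date +%s)
    changed=$(stat -c %Z "$cloudflare_networks")
    if [ $(( now - changed )) -gt 86400 ]; then
      get_cloudflare_ips
    fi
  else
    get_cloudflare_ips
  fi
  if [ -f "$cloudflare_networks" ]; then
    cat -- "$cloudflare_networks"
  fi
}

# Remote addresses that appear block_threshold times or more in the
# connection file, RFC 1918 ranges excluded. Output is ordered by ascending
# connection count, so the last lines are the busiest addresses.
gen_high_connection_ip_list() {
  sort -- "$network_connection_details" | uniq -c | sort -n \
    | awk -v t="$block_threshold" '$1 >= t { print $2 }' \
    | grep -E -v "^10\.|^172\.1[6-9]|^172\.2[0-9]|^172\.3[0-1]|^192\.168"
}

# Same list, one line per address: "<ip> <ptr names...>" (names empty when
# there is no PTR).
gen_high_connection_ip_rdns_list() {
  local ip ptr
  for ip in $(gen_high_connection_ip_list); do
    # Bounded lookup: a dead resolver must not stall the plugin per address.
    ptr=$(dig +short +time=2 +tries=1 -x "$ip" | tr '\n' ' ')
    printf '%s %s\n' "$ip" "$ptr"
  done
}

# High-connection addresses whose PTR does not match cdn_rdns_pattern.
# Both the trigger count and the block list are derived from this one
# function, so the two can no longer disagree.
gen_non_cdn_high_connection_ip_list() {
  gen_high_connection_ip_rdns_list | grep -E -i -v "$cdn_rdns_pattern"
}

# Block $1 with whichever firewall is installed, in the original precedence:
# CSF if present, else Imunify360, else ufw. The caller has already checked
# that CSF is not administratively disabled.
block_ip() {
  local ip=$1
  if [ -x /usr/sbin/csf ]; then
    # Already in csf.deny: leave it alone.
    if ! grep -qwF -- "$ip" /etc/csf/csf.deny; then
      csf -d "$ip" "blocked due to more than 100 connections"
      remove_exact_line "$ip"
    fi
  elif [ -x /usr/bin/imunify360-agent ]; then
    imunify360-agent blacklist ip add "$ip"
    remove_exact_line "$ip"
  elif [ -x /sbin/ufw ]; then
    ufw deny from "$ip"
    remove_exact_line "$ip"
  fi
}

# One sampling pass: rebuild the connection file, strip local and Cloudflare
# addresses, then block up to three offending addresses.
collect_data() {
  local addr candidates measured_value detected_ip_list ip

  # IPv4 sockets on :80/:443 -> remote address only; unspecified/loopback dropped.
  netstat -alpn | grep -v tcp6 \
    | awk '($4 ~ 443) || ($4 ~ 80) {print $4","$5}' \
    | grep -E ":80,|:443," | cut -d "," -f 2 | sed '/^\s*$/d' \
    | grep -v 0.0.0.0 | grep -v 127.0.0.1 | cut -d ":" -f 1 | sort -n \
    > "$network_connection_details"
  # IPv6 (and v4-mapped) sockets: strip the trailing port, drop unspecified.
  netstat -W -alpn | grep tcp6 \
    | awk '($4 ~ 443) || ($4 ~ 80) {print $4","$5}' \
    | grep -E ":80,|:443," | cut -d "," -f 2 | sed 's/\:[0-9]*$//g' \
    | sed '/:$/d' | sort -n | grep -v ':::' \
    >> "$network_connection_details"

  # Our own addresses and Cloudflare edges are never candidates.
  # (The previous loops read `for x in in $(...)`, so the literal word "in"
  # was also handed to sed as a delete pattern on every run.)
  # NOTE(review): entries are matched as whole lines. If cloudflare_networks.txt
  # holds CIDR ranges, addresses inside those ranges are NOT excluded - the old
  # unescaped sed pattern could not do that either (its "/" aborted the script).
  # A CIDR-aware match needs a helper such as grepcidr/ipcalc.
  for addr in $(find_local_ip) $(print_cloudflare_ips); do
    remove_exact_line "$addr"
  done

  [ "$enable_ip_block" -eq 1 ] || return 0
  [ -f "$network_connection_details" ] || return 0

  candidates=$(gen_non_cdn_high_connection_ip_list)
  measured_value=$(printf '%s\n' "$candidates" | grep -c .)
  # At most three addresses are blocked per run (as before), now drawn from the
  # same filtered list as measured_value: the old block list re-implemented the
  # filter without googlebot.com/search.msn.com, so a busy Googlebot could be
  # exempt from the count yet still end up blocked.
  detected_ip_list=$(printf '%s\n' "$candidates" | awk 'NF { print $1 }' | tail -3)
  [ "$measured_value" -ge 1 ] || return 0

  # CSF present but administratively disabled: do nothing at all, as before
  # (no fallback to the other backends).
  if [ -x /usr/sbin/csf ] && csf -v | grep -q "csf and lfd have been disabled"; then
    return 0
  fi
  for ip in $detected_ip_list; do
    block_ip "$ip"
  done
}

lock_file=/tmp/$(basename -- "$0").lock
# Atomic create (O_EXCL via noclobber) closes the check-then-touch race and
# refuses to write through a pre-planted symlink in /tmp.
# NOTE(review): any local user can still pre-create the lock to suppress this
# check for up to an hour; a root-owned lock directory (e.g. under /run) would
# close that.
if ( set -o noclobber; : > "$lock_file" ) 2>/dev/null; then
  trap 'rm -vf -- "$lock_file"' EXIT
  collect_data
else
  # Another run holds the lock, or a previous one died without cleaning up:
  # drop it once it is older than an hour so the next invocation can proceed.
  find "$lock_file" -maxdepth 1 -type f -cmin +60 -exec rm -vf {} \;
fi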