deployment-web/roles/deploy-web/files/blacklist.sh

#!/bin/bash
MAIL=/tmp/mail
SERVER_LOG=/var/log/nginx
HOST=($(cat /etc/sentinel/virtualhost))
BLACKLIST=/etc/sentinel/blacklist
chain_count=$(iptables -L BLACKLIST | wc -l)
if [ ${chain_count} -eq 0 ]; then
	iptables -N BLACKLIST
	iptables -A INPUT -p tcp -m tcp --dport 80 -j BLACKLIST
	iptables -A INPUT -p tcp -m tcp --dport 443 -j BLACKLIST

fi
if [ ! -f ${BLACKLIST} ]; then
	touch ${BLACKLIST}
fi
if [ ${chain_count} -gt 2 ]; then
	chain_count=$(echo ${chain_count}-2 |bc)
	iptables_ip=($(iptables -nvL BLACKLIST | tail -n ${chain_count}  | awk '{print $8}'))
	for i in $(cat ${BLACKLIST})
	do
		block_ip=1
		for j in ${iptables_ip[@]}
		do
			if [ "${i}" == "${j}" ]; then
				block_ip=0
			fi
		done
		if [ ${block_ip} -eq 1 ]; then
			iptables -A BLACKLIST -s ${i} -j DROP
		fi
	done
else
	for i in $(cat ${BLACKLIST})
	do
		iptables -A BLACKLIST -s ${i} -j DROP
	done
fi

for i in ${HOST[@]}
do
	log_access=${SERVER_LOG}/${i}_access.log
	tail -n 50 $log_access | awk -F "|" '{ if($2 == "404") print $1}' > /tmp/404_$i
	tail -n 50 $log_access | awk -F "|" '{ if($2 == "400") print $1}' > /tmp/400_$i
	cat /tmp/404_$i | sort | uniq -c | awk '{ if($1 >= 5) print $2}' > /tmp/blacklist_404
	cat /tmp/400_$i |sort | uniq -c |awk '{ if($1 >= 5) print $2}' > /tmp/blacklist_400
	count=$(cat /tmp/blacklist_404 /tmp/blacklist_400 |grep -f ${BLACKLIST} -v |sort |uniq |wc -l)
	if [ ${count} -ne 0 ]; then
		echo "Nouvelle IP blacklisté" > ${MAIL}
		list_ip=($(cat /tmp/blacklist_400 /tmp/blacklist_404 |grep -f ${BLACKLIST} -v  |sort |uniq))
		for i in ${list_ip[@]}
		do
			echo ${i} >> ${MAIL}
			curl http://ipinfo.io/${i} >> ${MAIL}
			echo "" >> ${MAIL}
			echo ${i} >> ${BLACKLIST}
		done
		echo "IP dejà blacklisté : " >> ${MAIL}
		cat ${BLACKLIST} >> ${MAIL}
		cat ${MAIL} |mail -s "Blacklist IP ${i}" valczebackup@gmail.com
	fi
done