Post by head_dunce » Wed Feb 12, 2020 10:59 am

Had a problem with Proxies/VPNs from someone/something hitting my site acting as regular users. Came up with a simple script to block them using Perl to do a whois lookup and then an API call to CloudFlare to block the IP. Just sharing in case someone else sees this too. You can play around with the sleep or select line below it depending on how fast you want things noticed and blocked. This is a quick and dirty script that could be improved upon, but works well for now.

Code:

#!/usr/bin/perl
use strict;
use warnings;

my $cftoken = 'YOURTOKEN';
my $cfuser = 'YOUREMAIL';

# Line count of the log at startup; only lines added after this are checked
my $linesinloglast = `wc -l < /var/log/httpd/access_log`; # USE YOUR APACHE LOG LOCATION
chomp($linesinloglast);

while(1){
        my $newlines = 0;
        my $linesinlog = `wc -l < /var/log/httpd/access_log`; # USE YOUR APACHE LOG LOCATION
        chomp($linesinlog); # strip the newline so it cannot split the tail command below
        if($linesinloglast < $linesinlog){
                $newlines = $linesinlog - $linesinloglast;
        } elsif ($linesinloglast > $linesinlog){
                # Log was rotated or truncated: read everything in the new file
                $newlines =  $linesinlog;
        }
        my $logfile = `tail -n $newlines /var/log/httpd/access_log`;
        # First field of each access log line is the client address
        my @ips = $logfile =~ /^(\S+)/gm;

        # Deduplicate, keeping only values made of IP-address characters:
        # $ip is interpolated into shell commands below, so anything else is dropped
        my %dedupehash   = map { $_ => 1 } grep { /\A[0-9A-Fa-f:.]+\z/ } @ips;
        @ips = keys %dedupehash;

        my $ipcount = scalar(@ips);

        my $totalbanned = 0;

        foreach my $ip (@ips){
                my $whois = `timeout 5 whois $ip`;
                $whois = lc($whois);

                # Flag the IP if the whois text names one of these providers
                my $blockflag = 0;
                if (index($whois, 'highwinds') != -1) { $blockflag = 1; print "\nHIGHWINDS\n";}
                if (index($whois, 'strongvpn') != -1) { $blockflag = 1; print "\nSTRONGVPN\n";}
                if (index($whois, 'stackpath') != -1) { $blockflag = 1; print "\nSTACKPATH\n";}
                if (index($whois, 'ipvanish') != -1) { $blockflag = 1; print "\nIPVANISH \n"; }
                if (index($whois, 'strongtechnology') != -1) { $blockflag = 1; print "\nSTRONGTECHNOLOGY\n"; }
                if (index($whois, 'strong technology') != -1) { $blockflag = 1; print "\nSTRONGTECHNOLOGY\n"; }
                if (index($whois, 'm247') != -1) { $blockflag = 1; print "\nM247\n"; }
                if (index($whois, 'bandcon') != -1) { $blockflag = 1; print "\nBANDCON\n"; }
                if (index($whois, 'netprotect') != -1) { $blockflag = 1; print "\nNETPROTECT\n"; }

                if ( $blockflag == 1) {
                        print "IP: $ip\n";
                        # Create a CloudFlare access rule that blocks this IP
                        my $cfaction = "curl -s -o /dev/null -X POST -H 'X-Auth-Email: $cfuser' -H 'X-Auth-Key: $cftoken' -H 'Content-Type: application/json' -d '{ \"mode\": \"block\", \"configuration\": { \"target\": \"ip\", \"value\": \"$ip\" } }' https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules";
                        #print $cfaction."\n\n";
                        system($cfaction);
                }
        }
        $linesinloglast = $linesinlog;
        #sleep 1;
        select(undef, undef, undef, 0.05); # pause 50 ms between polls
}

Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020
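
The log-to-whois-to-block decision from the script above, pulled into functions and run offline, as an added example that is not part of the original post: only first fields that parse as an IP address are accepted from the log, and the request body is built with JSON::PP instead of string interpolation. The function names, the sample log lines and the whois text are constructed for illustration; the keyword list is the one from the post.

```perl
# Added example (not from the original post); sample data below is constructed.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);
use JSON::PP;

# Keywords from the script in the post, matched against lowercased whois text.
my @keywords = ('highwinds', 'strongvpn', 'stackpath', 'ipvanish',
                'strongtechnology', 'strong technology', 'm247', 'bandcon', 'netprotect');

# Unique first fields of the log lines that parse as an IPv4 or IPv6 address.
sub client_ips {
    my %seen = map  { $_ => 1 }
               grep { defined inet_pton(AF_INET, $_) || defined inet_pton(AF_INET6, $_) }
               $_[0] =~ /^(\S+)/gm;
    return sort keys %seen;
}

# First keyword found in the whois text, or undef if none matches.
sub match_provider {
    my $lc = lc $_[0];
    for my $kw (@keywords) {
        return $kw if index($lc, $kw) != -1;
    }
    return undef;
}

# JSON body for the access-rule request used in the post.
sub block_payload {
    my ($ip) = @_;
    return JSON::PP->new->canonical->encode(
        { mode => 'block', configuration => { target => 'ip', value => $ip } });
}

# Constructed sample data: documentation address ranges, invented whois text.
my $log = <<'END';
203.0.113.7 - - [12/Feb/2020:10:59:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [12/Feb/2020:10:59:03 +0000] "GET / HTTP/1.1" 200 512
proxy.example.net - - [12/Feb/2020:10:59:04 +0000] "GET / HTTP/1.1" 200 512
END
my %whois = ('203.0.113.7'   => "OrgName: Example M247 Hosting\n",
             '198.51.100.23' => "OrgName: Example Residential ISP\n");

for my $ip (client_ips($log)) {    # the hostname line is skipped, not looked up
    my $hit = match_provider($whois{$ip});
    my $verdict = defined $hit ? "matched '$hit' -> " . block_payload($ip)
                               : 'no match, not blocked';
    print "$ip: $verdict\n";
}
```

In a live loop, run whois and curl with the list form of `open` or `system` so the address is passed as an argument and never parsed by a shell.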


Post by IP_CAM » Wed Feb 12, 2020 2:00 pm

What's the cftoken Value? :D
It must be 15 Years, since I was playing around with Perl ?

Please don't send me OC Forum Personal Messages, just contact: jti@jacob.ch
---
OC 1.5.6.5 LIGHT Test Site: http://www.bigmax.ch/shop/
OC 1.5.6.5 V-PRO Test Site: http://www.jacob.ch/shop/
My Github OC Site: https://github.com/IP-CAM
2'400+ FREE OC Extensions from the World's largest Github OC Repository Archive Site.


Post by head_dunce » Wed Feb 12, 2020 8:09 pm

IP_CAM wrote (Wed Feb 12, 2020 2:00 pm):
> What's the cftoken Value? :D
> It must be 15 Years, since I was playing around with Perl ?

The CloudFlare token for their API
I can't see writing this type of thing in PHP :laugh:

Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020

