Score:0

Help to complete a script (fake google IPs, maybe fail2ban)

mx flag

I monitored the Google IPs that accessed my server for a few years and identified these masks: 66.249.64.0/19, 66.102.0.0/20, 64.233.160.0/19, 34.64.0.0/10, 216.58.192.0/19, 74.125.0.0/16

Then I created this script in php which I include in all my websites.

include_once('function_global/cidr_match_function.php');

// Log the visitor's address when it falls outside every range listed above
if (cidr_match($_SERVER['REMOTE_ADDR'], '66.249.64.0/19') === false
    && cidr_match($_SERVER['REMOTE_ADDR'], '66.102.0.0/20') === false
    && cidr_match($_SERVER['REMOTE_ADDR'], '64.233.160.0/19') === false
    && cidr_match($_SERVER['REMOTE_ADDR'], '34.64.0.0/10') === false
    && cidr_match($_SERVER['REMOTE_ADDR'], '216.58.192.0/19') === false
    && cidr_match($_SERVER['REMOTE_ADDR'], '74.125.0.0/16') === false) {
    // Compare whole lines: a substring search would treat 1.2.3.4 as already listed when 1.2.3.45 is
    $fake_google_ip_list = file('function_global/ip_add_fwd.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: array();
    if (!in_array($_SERVER['REMOTE_ADDR'], $fake_google_ip_list, true)) {
        file_put_contents('function_global/ip_add_fwd.txt', $_SERVER['REMOTE_ADDR'].PHP_EOL, FILE_APPEND | LOCK_EX);
    }
}

The result is this file containing a list of IPs that pretend to be Google and access my server with scam intentions.

Then I, more or less once a day, run this console command which adds all these IPs to ufw:

while IFS= read -r line; do sudo ufw insert 1 deny from "$line" to any; done < /var/www/html/function_global/ip_add_fwd.txt

and upload a new blank file to the server.

I would like to automate this last part and maybe use fail2ban instead of filling ufw with more and more IPs, which may never come back.

And I think I need a .sh script, or something similar, but I have no idea how to write it... (I am a php programmer and I only use ubuntu as a web server limited to what is necessary for the functioning of my sites).

The script should be:

  • callable with a crontab
  • add the ip list to ufw, or rather to fail2ban
  • empty the ip_add_fwd.txt file
  • maybe send me an email with the IPs list, just to know what it has done and be able to verify if it works correctly (the crontab outputs also arrive via email, so maybe an output would be enough?)

Can anyone help me write it or at least give me some hints to get started? I have no idea where to start, I tried to put pieces of some other files together, but it didn't go very well ... :(

jpbrain avatar
ca flag
Hello. Which web server software are you running?
alebal avatar
mx flag
apache web server
Score:1
ca flag

You can try this approach.

For Apache, there is a guide to configuring a web server "jail" in the fail2ban configuration: fail2ban with Apache

Here you can configure temporary bans for IPs, and there is also a client, fail2ban-client, that you could call directly from your PHP script (need to check permissions) to ban IPs manually.

I think this will work better than the cron approach, but if you still want to go via shell:

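#!/bin/bash
# Assuming one IP per line
input="/var/www/html/function_global/ip_add_fwd.txt"
while IFS= read -r line
do
    # Skip blank lines so ufw is never called with an empty address
    [ -n "$line" ] || continue
    sudo ufw deny from "$line" to any
done < "$input"

# This line will empty the file (": >" truncates it without leaving a blank line)
: > "$input"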

Script with fail2ban:

#!/bin/bash
# Assuming one IP per line
input="/var/www/html/function_global/ip_add_fwd.txt"
while IFS= read -r line
do
    # Skip blank lines so fail2ban-client is never called with an empty address
    [ -n "$line" ] || continue
    #sudo ufw deny from "$line" to any
    sudo fail2ban-client set apache-badbots banip "$line"
done < "$input"

# This line will empty the file
: > "$input"

# Added by JP - will list all banned IPs for apache-badbots
sudo fail2ban-client get apache-badbots banip --with-time
alebal avatar
mx flag
Hi, I like the fail2ban solution, it's faster, lighter, wonderful, but it's hard to find something about it... I practically found only this https://stackoverflow.com/questions/36101796/fail2ban-add-manually-ip-from-php-script-using-exec-or-shell-exec, and they stop at the configuration file. For me the problem is that there are a lot of files in /etc/fail2ban, what's the correct one? Which .conf file does fail2ban-client want? If I can figure out which .conf file to use, I was thinking about a symlink, in a dir I can access via PHP... would that be possible?
alebal avatar
mx flag
Can you help me understand which file to use and if it's possible to use a symlink?
jpbrain avatar
ca flag
Hello. I do not understand your idea of a symlink. Can you explain what you mean?
alebal avatar
mx flag
Looks like PHP can't access the configuration file dir of fail2ban... (in /etc) maybe it can with a symlink?
jpbrain avatar
ca flag
In both cases you need to be root. So, one approach will be to use cron to execute the shell script, and in the shell script use fail2ban or ufw. Calling from PHP as root requires security checks. Maybe it is not a good idea.
alebal avatar
mx flag
Exec via php shouldn't need root to use fail2ban-client, right? The problem appears to be the configuration file that fail2ban needs to read, and it is located in /etc directory which www-data cannot access. In the last comment they even say to copy it to an accessible directory, but I don't know how good it is to copy a configuration file, also because I didn't understand what this file is. Unfortunately, the discussion seems to be over, but it seemed that it was just a short distance away ...
jpbrain avatar
ca flag
Fail2ban needs root to take actions over the firewall ufw too. So the symlink approach is not an option. The two steps I describe above work. PHP writes the file with IPs. Cron executes the shell script as root every 10 minutes or something like that and cleans the file.
alebal avatar
mx flag
So... I made some little changes to work with fail2ban in the cron way... #!bin/bash #assuming one IP per line input="/var/www/html/function_global/ip_add_fwd.txt" while IFS= read -r line do #sudo ufw deny from $line to any; sudo fail2ban-client set apache-badbots banip $line; done < "$input" #This line will empty the file echo "">"$input"
alebal avatar
mx flag
But when I try this: sudo /var/www/html/function_global/google_ip_list_ban_cron sudo: unable to execute /var/www/html/function_global/google_ip_list_ban_cron: No such file or directory... What doesn't it understand? Where is ip_add_fwd.txt? I saved the new file in the same dir... https://ibb.co/chVmwCn
jpbrain avatar
ca flag
Sorry, it is a typo. Please correct it to "#!/bin/bash" and try again. Also, the file needs to be run from root's cron.
alebal avatar
mx flag
Thanks, looks like it works... I created this crontab entry 5 0 * * * root /var/www/html/function_global/google_ip_list_ban_cron in sudo nano /etc/crontab, should the crontab work?
jpbrain avatar
ca flag
Yes. It should work.
alebal avatar
mx flag
All right, but today I would have liked to receive an email with the IPs that he added to fail2ban, but nothing came. The results of the crontabs arrive by mail, is it possible to add an output with the processed ip?
jpbrain avatar
ca flag
Two things to look at: Is there a MAIL directive in the crontab file? Is any output being generated?
alebal avatar
mx flag
Yes, the mail is at the top of the crontab file. Today it sent me a mail, and the mail says: 0 1 1 1 1 1 1 1 1 1 1 ... It should be the result of fail2ban, but it would be nice to have the blocked IPs...
jpbrain avatar
ca flag
Maybe it is better to send a fail2ban status at the end of the script.
alebal avatar
mx flag
how ??? no idea how to do it...
jpbrain avatar
ca flag
Can you post your actual script? If you are using "fail2ban-client" there is an option that lists banned IPs for a jail.
alebal avatar
mx flag
added to your first post... but it's very similar to yours...
alebal avatar
mx flag
Can we just print in the mail ip_add_fwd.txt file content?
jpbrain avatar
ca flag
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/129411/discussion-between-jpbrain-and-alebal).
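
One possible version of the cron script discussed in the answer and comments above, added here as an example and not written by either participant: it validates each line before handing it to fail2ban, truncates the list in place, and prints one line per address so that cron's mail shows what was processed. The names `ban_ip`, `is_ipv4` and `process_ip_list` are chosen for this example; the jail name and file path are the ones used in the thread.

```bash
#!/bin/bash
# Added example: ban logged addresses via fail2ban and report them on stdout,
# which cron mails to its configured recipient. Helper names are hypothetical.
JAIL="apache-badbots"    # jail name used in the thread

# Hypothetical wrapper so the ban action can be swapped out for a dry run.
ban_ip() { fail2ban-client set "$JAIL" banip "$1"; }

# Accept only dotted-quad IPv4 with octets 0-255 and no leading zeros.
# The file lives under the web root, so treat its content as untrusted.
is_ipv4() (
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    IFS=.
    set -- $1                       # split on dots (body runs in a subshell)
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

process_ip_list() {
    input=$1
    [ -s "$input" ] || return 0     # nothing logged since the last run
    work=$(mktemp) || return 1
    # Snapshot, then truncate in place so owner and mode stay as PHP needs.
    # An address appended between the two steps is lost, but PHP logs it
    # again on that client's next request because the list is now empty.
    cp "$input" "$work" && : > "$input"
    sort -u "$work" | while IFS= read -r line; do
        if is_ipv4 "$line"; then
            if ban_ip "$line" >/dev/null; then
                echo "banned: $line"
            else
                echo "ban failed: $line"
            fi
        elif [ -n "$line" ]; then
            echo "skipped (not an IPv4 address): $line"
        fi
    done
    rm -f "$work"
}

# Path from the thread; pass another file as the first argument to test.
process_ip_list "${1:-/var/www/html/function_global/ip_add_fwd.txt}"
```

Run from root's crontab as in the thread, the `banned:` and `skipped` lines become the body of the cron mail in place of fail2ban-client's own output.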