
What I'm trying to do is use netstat -an | grep ESTABLISHED to check all IP addresses in my system from a whois search and ban any belonging to China.

So I'm wondering how I could achieve this? Possibly by piping the strings from one command into another? But how could I do this?

(Trying to ban China without adding SSH security; I'm looking to achieve this in either Bash or Python.)

Code I have so far:

    #!/bin/bash
    # Keep only established connections; column 5 of netstat output is the foreign address (ip:port)
    netstat -an | grep ESTABLISHED > log.txt
    # Strip the trailing ":port" from the foreign address and de-duplicate the IPs
    ips=$(awk '{ sub(/:[0-9]+$/, "", $5); print $5 }' log.txt | sort -u)
    for ip in $ips; do
      whois "$ip"
    done

I am struggling to automate the process that checks if the country is China and bans the IP.

oxr463
pythoner

2 Answers


Here is an example written in Bash:


    #!/bin/bash
    # shellcheck disable=SC2155
    # Automatically ban IP from country
    # Copyright (C) 2019 Lucas Ramage <ramage.lucas@protonmail.com>
    # SPDX-License-Identifier: MIT
    set -euo pipefail
    IFS=$'\n\t'

    # netstat output:
    # Proto Recv-Q Send-Q Local Address Foreign Address State

    get_ip_addr() {
      # Awk takes the 5th column, Foreign Address, and strips the trailing ":port"
      # (this also works for IPv6 addresses, where splitting on ":" would not)
      echo "${1}" | awk '{ sub(/:[0-9]+$/, "", $5); print $5 }'
    }

    # whois output:
    # OrgName:        Internet Assigned Numbers Authority
    # OrgId:          IANA
    # Address:        12025 Waterfront Drive
    # Address:        Suite 300
    # City:           Los Angeles
    # StateProv:      CA
    # PostalCode:     90292
    # Country:        US <-- We want this one
    # RegDate:
    # Updated:        2012-08-31
    # Ref:            https://rdap.arin.net/registry/entity/IANA

    get_country() {
      # Prints the first country line, upper-cased: ARIN writes "Country:",
      # RIPE/APNIC write "country:". Returns nothing if Country not set.
      whois "${1}" | awk 'tolower($1) == "country:" && !seen { print toupper($2); seen = 1 }'
    }

    check_country() {
      # Implements a whitelist, instead of a blacklist
      # (an array, because IFS above no longer splits on spaces)
      local COUNTRIES=("US")

      # Iterate through whitelist
      for country in "${COUNTRIES[@]}"; do
        # Check entry to see if it's in the whitelist
        if [ "${country}" == "${1}" ]; then
          echo 1 # true
          return
        fi
      done
      echo 0 # false; printing nothing here is what caused "[: : integer expression expected"
    }

    block_ip() {
      # Remove the `echo` in order to apply command; must have proper privileges, i.e. sudo
      # IPv6 addresses have to go through ip6tables, not iptables
      case "${1}" in
        *:*) echo sudo ip6tables -A INPUT -s "${1}" -j "${2}" ;;
        *)   echo sudo iptables -A INPUT -s "${1}" -j "${2}" ;;
      esac
    }

    main() {

      # Established Connections (grep exits 1 when there are none; don't abort under set -e)
      local ESTCON=$(netstat -an | grep ESTABLISHED || true)

      for entry in $ESTCON; do
        local ip=$(get_ip_addr "${entry}")
        local country=$(get_country "${ip}")
        local is_allowed=$(check_country "${country}")
        local policy='DROP' # or REJECT

        if [ "${is_allowed}" != "1" ]; then
          block_ip "${ip}" "${policy}"
        fi
      done
    }

    main

I'd personally run shellcheck on it, and test it further.

Also, you might want to look into fail2ban or something like that.

oxr463
  • When I run @Lucas Ramage's example I receive this error: ./.deletechina: line 51: [: : integer expression expected – pythoner Jun 14 '19 at 23:09
  • This is a rough draft, it'll need some work to get it to run. For example, that's why I am echoing out the `iptables` command. – oxr463 Jun 15 '19 at 23:09
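The netstat-to-whois-to-iptables chain from the question, run against constructed sample output so the whole thing can be tried offline. This is an added example, not code from the question or from either answer: the netstat and whois text is made up, `block_cmd` only prints the firewall command, and `demo` picks a constructed whois record by address instead of querying a registry. It covers the cases that bite in practice: IPv6 foreign addresses (only the trailing port is stripped, and ip6tables is chosen), loopback and RFC 1918 peers (never looked up or blocked), registries that print `country:` in lower case or more than once, and an empty country, which is what produced the "integer expression expected" error in the comments above; `decide` always prints ALLOW or DROP, so no test ever compares an empty string. Keep in mind that the whois country is the allocation's registered country, not where the peer actually is.

```shell
#!/bin/bash
# Added example (not from the question or either answer). The netstat and whois
# text below is constructed so the whole chain runs offline; nothing here calls
# netstat, whois or iptables for real.
set -eu

# Constructed netstat -an output (Linux layout: column 5 is the foreign address).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
tcp        0      0 127.0.0.1:631           127.0.0.1:40022         ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:3321        TIME_WAIT
tcp6       0      0 2001:db8::10:22         2001:db8:1::5:60001     ESTABLISHED
tcp        0      0 192.0.2.10:22           10.0.0.5:49152          ESTABLISHED'

# Constructed whois records: ARIN style (capitalised key, two country lines)
# and APNIC/RIPE style (lower-case key and value).
SAMPLE_WHOIS_ARIN='NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example Org
Country:        US
Country:        CA'
SAMPLE_WHOIS_APNIC='inetnum:        2001:db8:1::/48
netname:        EXAMPLE-NET
country:        cn'

# stdin: netstat text. stdout: unique foreign IPs of ESTABLISHED connections.
# Only the trailing ":port" is removed, so IPv6 addresses survive intact, and
# loopback, link-local and private (RFC 1918 / ULA) peers are skipped.
foreign_ips() {
  awk '$NF == "ESTABLISHED" {
         ip = $5; sub(/:[0-9]+$/, "", ip)
         if (ip ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:|f[cd][0-9a-f][0-9a-f]:)/) next
         print ip
       }' | sort -u
}

# stdin: whois text. stdout: the first country code, upper-cased, or nothing.
whois_country() {
  awk 'tolower($1) == "country:" && !seen { print toupper($2); seen = 1 }'
}

# $1: country code (may be empty). Always prints ALLOW or DROP, so the caller
# never runs "[ ... -eq 1 ]" against an empty string.
decide() {
  local allowed="US CA"   # whitelist, as in the answer above
  local c
  for c in $allowed; do
    if [ "$c" = "${1:-}" ]; then echo ALLOW; return; fi
  done
  echo DROP
}

# $1: address, $2: target. Prints the firewall command instead of running it;
# IPv6 addresses need ip6tables, iptables rejects them.
block_cmd() {
  case "$1" in
    *:*) echo "ip6tables -A INPUT -s $1 -j $2" ;;
    *)   echo "iptables -A INPUT -s $1 -j $2" ;;
  esac
}

# Runs the chain over the constructed data. The case statement stands in for
# "whois $ip" by picking the matching constructed record.
demo() {
  printf '%s\n' "$SAMPLE_NETSTAT" | foreign_ips | while read -r ip; do
    case "$ip" in
      198.51.100.7) country=$(printf '%s\n' "$SAMPLE_WHOIS_ARIN" | whois_country) ;;
      *)            country=$(printf '%s\n' "$SAMPLE_WHOIS_APNIC" | whois_country) ;;
    esac
    verdict=$(decide "$country")
    printf '%-16s %-3s %s\n' "$ip" "${country:-??}" "$verdict"
    if [ "$verdict" = DROP ]; then block_cmd "$ip" DROP; fi
  done
}

demo
```

Running it prints one line per foreign peer (address, country, verdict) and the ip6tables command for the APNIC-registered IPv6 peer; the 127.0.0.1 and 10.0.0.5 peers never reach the whois step, and the TIME_WAIT connection is ignored. To use it against a live host, replace the `case` in `demo` with a real `whois "$ip" | whois_country` call and drop the `echo` in `block_cmd` once the verdicts look right.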

Thanks for asking.

Your quest is a product scope. People are making a living from it. See here.

The problem involves a few unrelated practices.

  1. Geolocate connection.

  2. Maintain lists of black-list and white-list sources.

  3. Implement list update policies.

  4. Implement logging and notification.

Tasks 1 and 2 are served as web services (research Google). Many commercial DRM solutions also implement your request and maintain the functionality.

I suggest researching the cost/effort of the quest before getting into technical design.

Dudi Boy