ban/unban scripts for ipf firewall

System administrators are forever running across unauthorized access attempts and other reasons to ban or block IP addresses, whether on web servers, daemons or anything else. I’ve long used some homemade scripts to make this quick and figured I would include them here.

Here’s the ‘ban’ script, which takes an IP address to ban via ipf (e.g. “ban 1.2.3.4”). An address ending in .0 is treated as a whole /24; anything else is blocked as a single host, and the rule is both loaded into the running ruleset and appended to the config file so it survives a reload:

#!/bin/bash
# ban: block one IPv4 address (or a whole /24 if it ends in .0) in the
# running ipf ruleset, and persist the rule in the ipf config so it is
# still there after a reload.

CIDR=32
CONF=ipf.conf

# Strip letters, colons and whitespace from the argument. This is IPv4
# only: colons and hex digits are deleted, so an IPv6 address would be
# mangled rather than blocked.
IP=$(echo "$1" | /bin/tr -d '[:alpha:]:[:space:]')

if [ -z "$IP" ]; then
    echo "usage: $0 <ip-address>" >&2
    exit 1
fi

# Escape the dots so grep (and, in unban, perl) match them literally.
ESC_IP=$(echo "$IP" | /bin/sed 's/\./\\./g')

# Look for a rule for exactly this address. Matching on "from $ESC_IP/"
# rather than the bare address keeps 1.2.3.4 from being reported as
# already blocked when only 1.2.3.45 is.
if /bin/grep -q "from $ESC_IP/" /etc/ipf/$CONF; then
    echo "$IP is already blocked"
    exit 0
fi

# An address ending in .0 is treated as the whole network.
REGEX="\.0$"

if [[ $IP =~ $REGEX ]]; then
    CIDR=24
fi

CMD="block in quick from $IP/$CIDR to any"

# Add the rule to the active ruleset ...
echo "$CMD" | /usr/sbin/ipf -f -

# ... and to the saved config so it survives a reload.
/bin/echo "$CMD" >>/etc/ipf/$CONF

One thing to check before relying on this: rules loaded with ipf -f are appended to the active list, and ipf stops at the first matching quick rule, so if a broad pass in quick rule earlier in ipf.conf already covers the address the new block rule never gets a look. Make sure no such pass rule precedes the block rules that ban appends. And here’s an unban script which reverses the ban:

#!/bin/bash
# unban: remove the rule that ban added, from the running ruleset and
# from the saved config, and keep a log of what was removed.

CIDR=32
CONF=ipf.conf

IP=$(echo "$1" | /bin/tr -d '[:alpha:]:[:space:]')

if [ -z "$IP" ]; then
    echo "usage: $0 <ip-address>" >&2
    exit 1
fi

ESC_IP=$(echo "$IP" | /bin/sed 's/\./\\./g')

# Same exact-address check as in ban.
if ! /bin/grep -q "from $ESC_IP/" /etc/ipf/$CONF; then
    echo "$IP is not blocked"
    exit 0
fi

REGEX="\.0$"

if [[ $IP =~ $REGEX ]]; then
    CIDR=24
fi

# Must be spelled exactly as ban wrote it, or ipf -r will not find it.
CMD="block in quick from $IP/$CIDR to any"

# -r removes the matching rule from the active ruleset.
echo "$CMD" | /usr/sbin/ipf -r -f -

# Log the removal with a timestamp.
/bin/echo "$(date '+%Y-%m-%d %H:%M:%S') $CMD" >>/etc/ipf/unban_log

# Delete the persisted rule line. $ESC_IP keeps the dots literal and the
# anchors stop a rule for a longer address from being removed by mistake.
perl -ni -e "print unless /^block in quick from $ESC_IP\/$CIDR to any\$/" /etc/ipf/$CONF

These files (and the init.d startup script) are at https://github.com/heybige/ipf-ban-unban
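The address handling shared by the two scripts, as an added example that is not part of the original post or the GitHub repository: the same tr sanitizing, the .0-means-/24 convention and the "already blocked" check, factored into functions that can be dry-run against a constructed rule file instead of a live ipf. It goes a step further than the scripts in two places: it rejects anything that is not a dotted quad with octets 0-255 (the tr filter alone passes characters such as ';' straight through into ipf.conf, and silently mangles IPv6 addresses), and it anchors the existing-rule check on "from <ip>/" so 1.2.3.4 is not mistaken for 1.2.3.45. Function names and the sample rules are mine.

```shell
#!/bin/bash
# Added example (not from the original post or the GitHub repo): the
# address handling of ban/unban factored into functions that can be
# dry-run against a constructed rule file, with stricter validation.

# Sanitize as the scripts do (drop letters, colons, whitespace), then
# insist on a dotted quad with octets 0-255. The tr filter alone lets
# characters such as ';' through into ipf.conf, so they are rejected here.
# Prints the cleaned address; non-zero status if it is not a valid IPv4.
clean_ip() {
    local ip o
    ip=$(printf '%s' "$1" | tr -d '[:alpha:]:[:space:]')
    case "$ip" in
        *[!0-9.]*) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Build the rule ban would write: /32 for a host, /24 if the address
# ends in .0 (the post's convention for "block the whole network").
rule_for() {
    local ip cidr=32
    ip=$(clean_ip "$1") || return 1
    case "$ip" in *.0) cidr=24 ;; esac
    printf 'block in quick from %s/%s to any\n' "$ip" "$cidr"
}

# Exact-address check. Anchoring on "from <ip>/" keeps 1.2.3.4 from
# matching a rule for 1.2.3.45, which a bare grep of the address does.
# $1 = address, $2 = rule file
rule_exists() {
    local esc
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -q "^block in quick from $esc/" "$2"
}

# Dry run against a constructed ruleset (not a real /etc/ipf/ipf.conf);
# nothing here touches a live ipf.
conf=$(mktemp)
printf '%s\n' 'pass in quick on lo0 all' \
              'block in quick from 1.2.3.45/32 to any' > "$conf"
for candidate in 1.2.3.4 1.2.3.45 10.0.5.0 '1.2.3.4;rm' 2001:db8::1; do
    if rule_exists "$candidate" "$conf"; then
        echo "$candidate is already blocked"
    elif rule=$(rule_for "$candidate"); then
        echo "would add: $rule"
    else
        echo "rejected: $candidate"
    fi
done
rm -f "$conf"
```

In the ban script the equivalent of rule_for would feed `ipf -f -`, and rule_exists would replace the grep against /etc/ipf/ipf.conf; the dry run above prints one line per candidate so the /24 rule, the exact-match check and the rejections can be seen without root.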

OSX – run a script during boot

I’ve been running OSX for a while, and one of my favorite things about it is having Unix underneath that gorgeous GUI. However, OSX does so many things differently from “standard” Unix (Linux, Solaris, BSD, etc.) that I often find myself struggling to work out the OSX way of doing something I already know how to do everywhere else.

Here’s one circumstance – I’m running a headless Mac Mini server in a large DHCP network, and if I have to reboot the server for any reason, there’s no guarantee that I will get the same IP address again (especially if the server was powered down for any appreciable amount of time). Now I could crawl under the desk and switch the DVI adaptor to the Mac (after putting on the DVI-HDMI adaptor) but that just sucks.

It would be better if the server just emailed me the new IP address when it was booted so I know where to SSH/VNC to.

Unfortunately, the boot process for OSX is its own thing: launchd, LaunchDaemons, plists and all sorts of crap, with no rc.* scripts in sight. [Actually, Solaris (since 10) uses something similar called SMF, the service management facility, which I also hate, but at least it still honors rc.* scripts as well.]

Anyway, I was almost resigned to writing a new plist when I ran across a very handy bit of information: OSX uses Vixie cron, which supports a few special schedule strings, including ‘@reboot’, which runs the job once when cron starts up after boot. One line in the crontab (crontab -e) is all it takes:

@reboot /path/to/ipnotify.sh

Ultra simple, and works great! Now the server emails me its IP address after it has completed the boot process, saving me having to crawl around under the desk. One thing to allow for: @reboot fires as soon as cron starts, which can be before the DHCP lease is in place, so the script should keep checking for an address for a little while rather than mailing an empty one.
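The notification script itself, as an added example (not the ipnotify.sh from the original post). It assumes macOS, where /usr/sbin/ipconfig getifaddr prints an interface's IPv4 address, and a working mail(1); the interface name en0, the recipient address and the retry settings are placeholders. It handles the timing problem above: @reboot can run before the DHCP lease exists, so it polls for an address instead of mailing an empty one, and the query is a parameter so the polling logic can be exercised without a real interface.

```shell
#!/bin/bash
# ipnotify.sh: mail this machine's IPv4 address once it has one after boot.
# Added example, not the script from the original post. Assumes macOS
# (/usr/sbin/ipconfig getifaddr) and a working mail(1). Interface,
# recipient and retry settings are placeholders; adjust to taste.

IFACE=${IFACE:-en0}
TO=${TO:-admin@example.com}
TRIES=${TRIES:-30}        # how many times to look for a lease
INTERVAL=${INTERVAL:-2}   # seconds between looks

# Print the interface's IPv4 address, or nothing if it has none yet.
current_ip() {
    /usr/sbin/ipconfig getifaddr "$1" 2>/dev/null
}

# @reboot can fire before DHCP has handed out a lease, so poll for one
# instead of mailing whatever is there at that instant.
# $1 = interface, $2 = attempts, $3 = query function (defaults to
# current_ip; overridable so the polling can be tested without a real
# interface). Prints the address, or fails after $2 empty answers.
wait_for_ip() {
    local iface="$1" tries="$2" query="${3:-current_ip}" ip i=0
    while [ "$i" -lt "$tries" ]; do
        ip=$("$query" "$iface")
        if [ -n "$ip" ]; then
            printf '%s\n' "$ip"
            return 0
        fi
        i=$((i + 1))
        sleep "$INTERVAL"
    done
    return 1
}

# One-line body for the notification.
# $1 = hostname, $2 = address, $3 = interface
message_for() {
    printf '%s is up: ssh/vnc to %s on %s\n' "$1" "$2" "$3"
}

# Send it; mail(1) takes the body on stdin.
notify() {
    message_for "$(hostname)" "$1" "$IFACE" |
        mail -s "$(hostname) booted with address $1" "$TO"
}

# Only do the real work where the macOS ipconfig exists, so the functions
# above can also be loaded elsewhere without side effects.
if [ -x /usr/sbin/ipconfig ]; then
    if ip=$(wait_for_ip "$IFACE" "$TRIES"); then
        notify "$ip"
    else
        logger -t ipnotify "no address on $IFACE after $TRIES tries"
        exit 1
    fi
fi
```

With the defaults it waits up to about a minute for a lease, mails once, and logs a failure via syslog instead of sending an empty address; the crontab line from the post points at this file, and the job runs as the user whose crontab holds it, so that user needs to be able to send mail.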

Startup Weekend

MindWorksDev is at Startup Weekend this weekend. Please keep an eye out for me (badge: HeyBigE / MindWorksDev) and say hello!

This is my inaugural post

MindWorksDev is going to post about all the different tools and techniques available out there.