logblock 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2bcf5fb5f81e733c5dc8c501ede3c95bf16bd4f91a8b0f91906921236238fa0d
+  data.tar.gz: 0bfa914c4b5ff89a7639732cf8139b131a26725ae375d09d91a9374e11413618
+SHA512:
+  metadata.gz: 711a2a59ae90c254ecee597f19ba70ef232d1d6ae38fa52438923b5020bb6590de10665f0a084a0f7f5d66df3eb60e5df0e1e822b697e004c331eb5440d9f338
+  data.tar.gz: 310b9fb1cea2467851930835fdea7138e36ac7034191bbc1e51b2904d0e2bd7d30a1f8bf4d0aec53bc0d65ab800a298c46355af8b47e01ffc1f4d006e8b7656f

data/bin/logblock

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'ip'
+require 'log_entries'
+
+DEFAULT_OUTPUT_FILE = 'blocklist.txt'
+DEFAULT_LOG_FILE    = '/var/log/nginx/access.log'
+FLAGS = { log_file:    ["-l", "--log-file=LOG_FILE",       "Path to access log"],
+          output_file: ["-o", "--output-file=OUTPUT_FILE", "Path for blocklist"] }
+
+options = {}
+pad = ->(s) { "\n#{s}\n\n" }
+
+OptionParser.new { |opts|
+  opts.banner = pad.("Usage: #{$0} [options]")
+
+  opts.on("-h", "--help", "Show basic usage / options") do
+    puts "#{opts}\n"
+    exit
+  end
+
+  FLAGS.each { |key, arr| opts.on(*arr) { |v| options[key] = v } }
+
+}.parse!
+
+log_file    = options[:log_file]    || DEFAULT_LOG_FILE
+output_file = options[:output_file] || DEFAULT_OUTPUT_FILE
+
+if File.file?(log_file)
+  LogEntries.new(log_file, output_file).create_blocklist
+  puts pad.("blocklist successfully written: #{output_file}")
+else
+  msg =  "nginx access log doesn't exist: #{log_file}\n\n"
+  msg << "please run the following for usage: #{$0} -h"
+  puts pad.(msg)
+end

data/lib/ip.rb

@@ -0,0 +1,40 @@
+class IP
+  # -----------------------------------------------------------------------------
+  # https://www.cloudflare.com/ips-v4
+  EXPECTED_CIDRS = %w(
+    103.21.244.0/22  103.22.200.0/22 103.31.4.0/22   131.0.72.0/22    197.234.240.0/22
+    173.245.48.0/20  188.114.96.0/20 190.93.240.0/20 108.162.192.0/18 141.101.64.0/18
+    198.41.128.0/17  162.158.0.0/15  172.64.0.0/13   104.16.0.0/12
+  )
+  BITS_IN_IP, BITS_IN_SEGMENT = 32, 8
+  attr_reader :bits
+
+  # accepts plain IP address, or CIDR notation
+  def initialize(cidr_str)
+    @ip, bits = cidr_str.split('/')
+    @bits = bits.to_i if bits
+  end
+
+  def to_s; @ip; end
+
+  # 192.168.0.1 -> 11000000101010000000000000000001
+  def to_binary
+    n_to_b = ->(n) { n.to_s(2).rjust(BITS_IN_SEGMENT, '0') }
+    @binary_ip ||= @ip.split('.').map { |segment| n_to_b.(segment.to_i) }.join
+  end
+
+  def sketch?
+    @sketch ||= IP.expected_cidrs.none? { |cidr| cidr.includes?(self) }
+  end
+
+  # IP.new('192.168.0.1/24').includes?(IP.new('192.168.0.1'))
+  def includes?(ip_addr)
+    len = self.bits
+    ip_slice = ->(ip) { ip.to_binary[0,len] }
+    ip_slice.(self) == ip_slice.(ip_addr)
+  end
+
+  def self.expected_cidrs
+    @cf_ips ||= EXPECTED_CIDRS.map { |cidr| IP.new(cidr) }
+  end
+end

data/lib/log_entries.rb

@@ -0,0 +1,62 @@
+require 'log_entry'
+
+class LogEntries
+  # number of permissable redirects
+  REDIRECT_MAX = 5
+  # span of time to check redirects
+  REDIRECT_WINDOW = 5
+
+  attr_reader :entries
+  def initialize(log_file, output_file)
+    @log_file, @output_file = log_file, output_file
+    @entries = {}
+  end
+
+  def add(log_entry)
+    @entries[log_entry.ip.to_s] ||= []
+    @entries[log_entry.ip.to_s] << log_entry
+  end
+
+  def sketch?(ip)
+    return false unless entries[ip.to_s]
+    redirects = entries[ip.to_s].select{ |entry| entry.redirect? }
+
+    ip.sketch? &&
+      redirects.count > REDIRECT_MAX &&
+      exceeds_window(redirects.map(&:time))
+  end
+
+  def sketch_ips
+    File.open(@log_file, 'r').each_line do |line|
+      if(entry = LogEntry.parse(line))
+        self.add(LogEntry.new(entry))
+      end
+    end
+
+    sketchy = []
+    self.entries.values.map(&:first).each do |entry|
+      sketchy << entry.ip.to_s if self.sketch?(entry.ip)
+    end
+    sketchy
+  end
+
+  def exceeds_window(time_arr)
+    return false if time_arr.count < REDIRECT_MAX
+    return true  if (time_arr[REDIRECT_MAX - 1] - time_arr.first) < REDIRECT_WINDOW
+    exceeds_window(time_arr[1..-1])
+  end
+
+  def create_blocklist
+    new_blocks  = sketch_ips
+    curr_blocks = []
+
+    if(File.file?(@output_file))
+      curr_blocks += File.read(@output_file).split("\n")
+    end
+
+    results = (curr_blocks + new_blocks).uniq.
+                reject(&:empty?).
+                sort_by { |ip| IP.new(ip).to_binary }
+    File.write(@output_file, results.join("\n"))
+  end
+end

data/lib/log_entry.rb

@@ -0,0 +1,32 @@
+require 'time'
+require 'ip'
+
+class LogEntry
+  TIME_FORMAT = '%d/%b/%Y:%H:%M:%S'
+  attr_reader :ip, :resp_code, :time
+
+  def initialize(attrs)
+    @ip, @resp_code, @time = attrs[:ip], attrs[:resp_code], attrs[:time]
+  end
+
+  # Format here is definitely for nginx logs, but easily adaptable
+  #   192.168.0.128 - - [25/Jan/2019:06:57:32 +0000] "GET / HTTP/1.1" 200 708 "-" "Awsome Browser"
+  def self.parse(line)
+    ip_r   = '(\d+\.\d+\.\d+\.\d+)'
+    date_r = '\[(.*?)\]'
+    str_r  = '"(.*?)"'
+    num_r  = '(\d+)'
+    regex  = /#{ip_r} - - #{date_r} #{str_r} #{num_r} #{num_r} #{str_r} #{str_r}/
+
+    if(line =~ regex)
+      ip, time, req, resp_code, bytes, _, agent = IP.new($1), $2, $3, $4, $5, $6, $7
+      time = Time.strptime(time, TIME_FORMAT)
+
+      { ip: ip, resp_code: resp_code, time: time }
+    end
+  end
+
+  def redirect?
+    @resp_code == '301'
+  end
+end

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: logblock
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Christopher Kuttruff
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-02-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 12.3.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 12.3.2
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.11.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.11.3
+description: 
+email: 
+executables:
+- logblock
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/logblock
+- lib/ip.rb
+- lib/log_entries.rb
+- lib/log_entry.rb
+homepage: https://gitlab.com/slackz/log-block
+licenses:
+- BSD-3-Clause
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.1
+signing_key: 
+specification_version: 4
+summary: simple ruby tool for identify sketchy nginx requests
+test_files: []