Some fixes
This commit is contained in:
parent
f032c5da38
commit
f95073d196
3 changed files with 54 additions and 26 deletions
|
|
@ -1,11 +1,11 @@
|
||||||
exports.MAIN = {
|
exports.MAIN = {
|
||||||
LOG_FILE: 'D:\\test\\ufw.log',
|
LOG_FILE: '/var/log/ufw.log',
|
||||||
CACHE_FILE: 'D:\\test\\ufw-abuseipdb-reporter.cache',
|
CACHE_FILE: '/tmp/ufw-abuseipdb-reporter.cache',
|
||||||
|
|
||||||
ABUSEIPDB_API_KEY: '',
|
ABUSEIPDB_API_KEY: '',
|
||||||
GITHUB_REPO: 'https://github.com/sefinek/UFW-AbuseIPDB-Reporter',
|
GITHUB_REPO: 'https://github.com/sefinek/UFW-AbuseIPDB-Reporter',
|
||||||
|
|
||||||
REPORT_INTERVAL: 43200,
|
REPORT_INTERVAL: 12 * 60 * 60 * 1000, // 12h
|
||||||
};
|
};
|
||||||
|
|
||||||
exports.REPORT_COMMENT = (timestamp, srcIp, dstIp, proto, spt, dpt, ttl, len, tos) => {
|
exports.REPORT_COMMENT = (timestamp, srcIp, dstIp, proto, spt, dpt, ttl, len, tos) => {
|
||||||
|
|
@ -17,4 +17,33 @@ TOS: ${tos || 'N/A'}
|
||||||
|
|
||||||
This report (for ${srcIp}) was generated by:
|
This report (for ${srcIp}) was generated by:
|
||||||
https://github.com/sefinek/UFW-AbuseIPDB-Reporter`; // Please do not remove the URL to the repository of this script. I would be really grateful. 💙
|
https://github.com/sefinek/UFW-AbuseIPDB-Reporter`; // Please do not remove the URL to the repository of this script. I would be really grateful. 💙
|
||||||
|
};
|
||||||
|
|
||||||
|
// See: https://www.abuseipdb.com/categories
|
||||||
|
exports.DETERMINE_CATEGORIES = (proto, dpt) => {
|
||||||
|
const categories = {
|
||||||
|
TCP: {
|
||||||
|
22: '14,22,18', // Port Scan | SSH | Brute-Force
|
||||||
|
80: '14,21', // Port Scan | Web App Attack
|
||||||
|
443: '14,21', // Port Scan | Web App Attack
|
||||||
|
8080: '14,21', // Port Scan | Web App Attack
|
||||||
|
25: '14,11', // Port Scan | Email Spam
|
||||||
|
21: '14,5,18', // Port Scan | FTP Brute-Force | Brute-Force
|
||||||
|
53: '14,1,2', // Port Scan | DNS Compromise | DNS Poisoning
|
||||||
|
23: '14,15,18', // Port Scan | Hacking | Brute-Force
|
||||||
|
3389: '14,15,18', // Port Scan | Hacking | Brute-Force
|
||||||
|
3306: '14,16', // Port Scan | SQL Injection
|
||||||
|
6666: '14,8', // Port Scan | Fraud VoIP
|
||||||
|
6667: '14,8', // Port Scan | Fraud VoIP
|
||||||
|
6668: '14,8', // Port Scan | Fraud VoIP
|
||||||
|
6669: '14,8', // Port Scan | Fraud VoIP
|
||||||
|
9999: '14,6', // Port Scan | Ping of Death
|
||||||
|
},
|
||||||
|
UDP: {
|
||||||
|
53: '14,1,2', // Port Scan | DNS Compromise | DNS Poisoning
|
||||||
|
123: '14,17', // Port Scan | Spoofing
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
return categories[proto]?.[dpt] || '14'; // Port Scan
|
||||||
};
|
};
|
||||||
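Review bot: Several entries in the new DETERMINE_CATEGORIES table assert attack types that a single `[UFW BLOCK]` line cannot support: a dropped packet to 3306 is not evidence of SQL Injection (16), one to 53 is not DNS Compromise/Poisoning (1,2), 6666-6669 are IRC rather than VoIP ports, and 9999 does not indicate Ping of Death (6), so submitted reports will over-claim against the category definitions the comment links to. Restricting the table to Port Scan (14) plus Brute-Force (18) for the authentication services (22, 21, 23, 3389) and leaving the rest on the `'14'` fallback keeps every reported category traceable to what the log line shows, e.g. `3306: '14', // Port Scan`. In the first hunk `CACHE_FILE` now defaults to a predictable name under the shared `/tmp`; since the process has to read `/var/log/ufw.log` it likely runs privileged, so a cache under `/var/cache/` or `/var/lib/` with restricted permissions avoids a pre-created file or symlink from another local user. The unit of `REPORT_INTERVAL` also changed from seconds to milliseconds while the cache still stores seconds, which is worth stating on the line: `REPORT_INTERVAL: 12 * 60 * 60 * 1000, // milliseconds (12h)`.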
39
index.js
39
index.js
|
|
@ -1,7 +1,7 @@
|
||||||
const fs = require('node:fs');
|
const fs = require('node:fs');
|
||||||
const chokidar = require('chokidar');
|
const chokidar = require('chokidar');
|
||||||
const isLocalIP = require('./utils/isLocalIP.js');
|
const isLocalIP = require('./utils/isLocalIP.js');
|
||||||
const { loadReportedIps, saveReportedIps, isIpReportedRecently, markIpAsReported } = require('./utils/cache.js');
|
const { reportedIps, loadReportedIps, saveReportedIps, isIpReportedRecently, markIpAsReported } = require('./utils/cache.js');
|
||||||
const log = require('./utils/log.js');
|
const log = require('./utils/log.js');
|
||||||
const axios = require('./services/axios.js');
|
const axios = require('./services/axios.js');
|
||||||
const config = require('./config.js');
|
const config = require('./config.js');
|
||||||
|
|
@ -15,7 +15,7 @@ const reportToAbuseIpDb = async (ip, categories, comment) => {
|
||||||
headers: { 'Key': ABUSEIPDB_API_KEY },
|
headers: { 'Key': ABUSEIPDB_API_KEY },
|
||||||
});
|
});
|
||||||
|
|
||||||
log(0, `Successfully reported IP ${ip} (score: ${data.data.abuseConfidenceScore})`);
|
log(0, `Successfully reported IP ${ip} (abuse: ${data.data.abuseConfidenceScore}%)`);
|
||||||
return true;
|
return true;
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
log(2, `${err.message}\n${JSON.stringify(err.response.data)}`);
|
log(2, `${err.message}\n${JSON.stringify(err.response.data)}`);
|
||||||
|
|
@ -23,22 +23,6 @@ const reportToAbuseIpDb = async (ip, categories, comment) => {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
const determineCategories = (proto, dpt) => {
|
|
||||||
const categories = {
|
|
||||||
TCP: {
|
|
||||||
22: '14,22,18', 80: '14,21', 443: '14,21', 8080: '14,21',
|
|
||||||
25: '14,11', 21: '14,5,18', 53: '14,1,2', 23: '14,15,18',
|
|
||||||
3389: '14,15,18', 3306: '14,16', 6666: '14,8',
|
|
||||||
6667: '14,8', 6668: '14,8', 6669: '14,8', 9999: '14,6',
|
|
||||||
},
|
|
||||||
UDP: {
|
|
||||||
53: '14,1,2', 123: '14,17',
|
|
||||||
},
|
|
||||||
};
|
|
||||||
|
|
||||||
return categories[proto]?.[dpt] || '14';
|
|
||||||
};
|
|
||||||
|
|
||||||
const processLogLine = async line => {
|
const processLogLine = async line => {
|
||||||
if (!line.includes('[UFW BLOCK]')) return log(1, `Ignoring line: ${line}`);
|
if (!line.includes('[UFW BLOCK]')) return log(1, `Ignoring line: ${line}`);
|
||||||
|
|
||||||
|
|
@ -66,11 +50,26 @@ const processLogLine = async line => {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isIpReportedRecently(srcIp)) {
|
if (isIpReportedRecently(srcIp)) {
|
||||||
log(0, `IP ${srcIp} reported recently`);
|
const lastReportedTime = reportedIps.get(srcIp);
|
||||||
|
const elapsedTime = Math.floor(Date.now() / 1000 - lastReportedTime);
|
||||||
|
|
||||||
|
const days = Math.floor(elapsedTime / 86400);
|
||||||
|
const hours = Math.floor((elapsedTime % 86400) / 3600);
|
||||||
|
const minutes = Math.floor((elapsedTime % 3600) / 60);
|
||||||
|
const seconds = elapsedTime % 60;
|
||||||
|
|
||||||
|
const timeAgo = [
|
||||||
|
days && `${days}d`,
|
||||||
|
hours && `${hours}h`,
|
||||||
|
minutes && `${minutes}m`,
|
||||||
|
(seconds || !days && !hours && !minutes) && `${seconds}s`,
|
||||||
|
].filter(Boolean).join(' ');
|
||||||
|
|
||||||
|
log(0, `IP ${srcIp} was last reported on ${new Date(lastReportedTime * 1000).toLocaleString()} (${timeAgo} ago)`);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
const categories = determineCategories(proto, dpt);
|
const categories = config.DETERMINE_CATEGORIES(proto, dpt);
|
||||||
const comment = config.REPORT_COMMENT(match.timestamp, srcIp, match.dstIp, proto, match.spt, dpt, match.ttl, match.len, match.tos);
|
const comment = config.REPORT_COMMENT(match.timestamp, srcIp, match.dstIp, proto, match.spt, dpt, match.ttl, match.len, match.tos);
|
||||||
|
|
||||||
log(0, `Reporting IP ${srcIp} (${proto} ${dpt}) with categories ${categories}`);
|
log(0, `Reporting IP ${srcIp} (${proto} ${dpt}) with categories ${categories}`);
|
||||||
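Review bot: The new recently-reported branch reads the cache module's internal `reportedIps` Map directly and hard-codes its seconds convention (`Date.now() / 1000 - lastReportedTime`, `lastReportedTime * 1000`), so index.js now depends on how cache.js stores timestamps rather than on its exported functions. Exporting an accessor such as `getLastReportedTime(ip)` and dropping `reportedIps` from the `require` in the first hunk would keep the unit in one place, and the `timeAgo` assembly could become a small `formatElapsed(seconds)` helper with a one-line doc comment. Separately, the `@ -15,7` hunk's catch still dereferences `err.response.data`; a request that never received a response (timeout, DNS failure) turns into a TypeError thrown from inside the catch, so `err.response?.data` is the safer form. processLogLine's body starts and ends outside this hunk.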
|
|
|
||||||
|
|
@ -21,10 +21,10 @@ const loadReportedIps = () => {
|
||||||
const saveReportedIps = () => fs.writeFileSync(CACHE_FILE, Array.from(reportedIps).map(([ip, time]) => `${ip} ${time}`).join('\n'), 'utf8');
|
const saveReportedIps = () => fs.writeFileSync(CACHE_FILE, Array.from(reportedIps).map(([ip, time]) => `${ip} ${time}`).join('\n'), 'utf8');
|
||||||
|
|
||||||
const isIpReportedRecently = ip => {
|
const isIpReportedRecently = ip => {
|
||||||
const now = Math.floor(Date.now() / 1000);
|
const reportedTime = reportedIps.get(ip);
|
||||||
return reportedIps.has(ip) && (now - reportedIps.get(ip) < REPORT_INTERVAL);
|
return reportedTime && (Date.now() / 1000 - reportedTime < REPORT_INTERVAL / 1000);
|
||||||
};
|
};
|
||||||
|
|
||||||
const markIpAsReported = ip => reportedIps.set(ip, Math.floor(Date.now() / 1000));
|
const markIpAsReported = ip => reportedIps.set(ip, Math.floor(Date.now() / 1000));
|
||||||
|
|
||||||
module.exports = { loadReportedIps, saveReportedIps, isIpReportedRecently, markIpAsReported };
|
module.exports = { reportedIps, loadReportedIps, saveReportedIps, isIpReportedRecently, markIpAsReported };
|
||||||
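Review bot: The rewritten `isIpReportedRecently` no longer returns a boolean: when the IP is absent it yields `undefined`, and a stored time of `0` would short-circuit to `0` even though the comparison would hold. `return reportedTime !== undefined && Date.now() / 1000 - reportedTime < REPORT_INTERVAL / 1000;` keeps the contract of the old `has`-based version. Exporting the raw `reportedIps` Map also lets any caller mutate the cache without going through `markIpAsReported`; an accessor like `const getLastReportedTime = ip => reportedIps.get(ip);` exposes only the read. The `saveReportedIps` context line writes the cache with default permissions; `fs.writeFileSync(CACHE_FILE, ..., { encoding: 'utf8', mode: 0o600 })` would restrict the file to the reporting user.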