action script

README.md

@@ -18,3 +18,8 @@ This way attacker will be entertained for some time... :D
 ## Configure
 Read config.toml and adapt it to your preferences. Keep in mind that for docker
 use you want to keep log_file="CONSOLE".
+
+## Action Script
+You can configure action script by adding it to config.toml.
+When a new suspicious IP address is detected, the script will be executed. See
+action_script.sh for an example.

action_script.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Script to run when a new suspicious IP address is detected.
+
+# Example for Linux:
+#   iptables -I INPUT -s $1 -j DROP
+#
+# Example for OpenBSD:
+# Having a table in pf.conf:
+#   table <blacklist> persist file "/etc/blacklist"
+#   block drop in quick from <blacklist> to any
+# then add/delete dinamically:
+#   pfctl -t badhosts -T add $1
+#   pfctl -t badhosts -T delete $1
+
+# Example for "debugging":
+echo $1 > /tmp/foo
+
+

config.toml

@@ -17,3 +17,7 @@ delay = 1500
 
 [sqlite]
 location = "tarpit.db"
+
+[action]
+# path to action script, remember give it execution permission
+script = "./action_script.sh"

src/config.rs

@@ -5,7 +5,8 @@ struct ConfigToml {
     listen: Option<ConfigTomlListen>,
     log: Option<ConfigTomlLog>,
     tarpit: Option<ConfigTomlTarpit>,
-    sqlite: Option<ConfigTomlSqlite>
+    sqlite: Option<ConfigTomlSqlite>,
+    action: Option<ConfigTomlAction>,
 }
 
 #[derive(Serialize, Deserialize, Debug)]
@@ -30,6 +31,11 @@ struct ConfigTomlSqlite {
     location: Option<String>,
 }
 
+#[derive(Serialize, Deserialize, Debug)]
+struct ConfigTomlAction {
+    script: Option<String>,
+}
+
 #[derive(Serialize, Deserialize, Debug)]
 pub struct Config {
     pub bind_addr: String,
@@ -37,7 +43,8 @@ pub struct Config {
     pub log_file: String,
     pub log_level: String,
     pub delay: u64,
-    pub database_location: String
+    pub database_location: String,
+    pub action_script: String
 }
 
 impl Config {
@@ -65,7 +72,8 @@ impl Config {
                 listen: None,
                 log: None,
                 tarpit: None,
-                sqlite: None
+                sqlite: None,
+                action: None
             }
         });
 
@@ -95,13 +103,19 @@ impl Config {
             None => "./tarpit.db".to_owned()
         };
 
+        let action_script = match config_toml.action {
+            Some(ConfigTomlAction { script }) => script.unwrap_or("".to_owned()),
+            None => "".to_owned()
+        };
+
         Config {
             bind_addr,
             bind_port,
             log_file,
             log_level,
             delay,
-            database_location
+            database_location,
+            action_script
         }
     }
 }

src/main.rs

@@ -25,6 +25,7 @@ use log4rs::append::console::ConsoleAppender;
 use log4rs::config::{Appender, Config, Root};
 use log4rs::encode::pattern::PatternEncoder;
 use rusqlite::Connection;
+use std::process::Command;
 
 struct Server {
     socket: UdpSocket,
@@ -62,7 +63,14 @@ impl Server {
                         log::info!("Suspicious peer: {}", peer.ip());
                         match add_suspicious(&db_con, str_peer_ip.as_str()) {
                             Ok(_) => {
-                                // TODO: launch action script
+                                // launch action script
+                                let output = Command::new(config.action_script.to_owned())
+                                    .arg(str_peer_ip.as_str())
+                                    .output();
+                                match output {
+                                    Ok(_) => log::info!("Action script executed"),
+                                    Err(e) => log::info!("Error executing action script {}", e)
+                                }
                             },
                             Err(_) => return Err(io::Error::new(io::ErrorKind::Other, "Error adding suspicious peer to database")),
                         }