From 0faaae839f93e7ab2197d7a0f150233d78b90c34 Mon Sep 17 00:00:00 2001
From: serxoz
Date: Thu, 18 Apr 2024 13:43:01 +0200
Subject: [PATCH] action script

---
 README.md | 5 +++++
 action_script.sh | 18 ++++++++++++++++++
 config.toml | 4 ++++
 src/config.rs | 22 ++++++++++++++++++----
 src/main.rs | 10 +++++++++-
 5 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100755 action_script.sh

diff --git a/README.md b/README.md
index e00754b..7157fab 100644
--- a/README.md
+++ b/README.md
@@ -18,3 +18,8 @@ This way attacker will be entertained for some time... :D
 ## Configure
 Read config.toml and adapt it to your preferences. Keep in mind that for docker use you want to keep log_file="CONSOLE".
+
+## Action Script
+You can configure action script by adding it to config.toml.
+When a new suspicious IP address is detected, the script will be executed. See
+action_script.sh for an example.
diff --git a/action_script.sh b/action_script.sh
new file mode 100755
index 0000000..cc470f3
--- /dev/null
+++ b/action_script.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+# Script to run when a new suspicious IP address is detected.
+
+# Example for Linux:
+# iptables -I INPUT -s $1 -j DROP
+#
+# Example for OpenBSD:
+# Having a table in pf.conf:
+# table persist file "/etc/blacklist"
+# block drop in quick from to any
+# then add/delete dinamically:
+# pfctl -t badhosts -T add $1
+# pfctl -t badhosts -T delete $1
+
+# Example for "debugging":
+echo $1 > /tmp/foo
+
+
diff --git a/config.toml b/config.toml
index addfa15..69a5df5 100644
--- a/config.toml
+++ b/config.toml
@@ -17,3 +17,7 @@ delay = 1500
 [sqlite]
 location = "tarpit.db"
+
+[action]
+# path to action script, remember give it execution permission
+script = "./action_script.sh"
diff --git a/src/config.rs b/src/config.rs
index fa4a1e7..8910d60 100644
--- a/src/config.rs
+++ b/src/config.rs
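Review bot: `$1` is expanded unquoted on the only executable line of the new script, `echo $1 > /tmp/foo`; the argument is the peer address the caller passes, so it is a single token in practice, but this file is the template users will copy, and `echo "$1" >> /tmp/foo` (quoted, and appending instead of truncating so earlier detections are not overwritten) is the pattern worth showing. A fixed, predictable path under /tmp is writable by every local user, so the "debugging" example should be marked as unsuitable for a shared host or pointed at a directory the service owns. The pf.conf example lines `table persist file "/etc/blacklist"` and `block drop in quick from to any` appear to have lost the table name (presumably the bracketed name matching the `pfctl -t badhosts` lines, possibly stripped as markup), so as committed they are not valid pf syntax and should be restored. The comment `# then add/delete dinamically:` has a typo, `dynamically`.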
@@ -5,7 +5,8 @@ struct ConfigToml {
 listen: Option,
 log: Option,
 tarpit: Option,
- sqlite: Option
+ sqlite: Option,
+ action: Option,
 }
 #[derive(Serialize, Deserialize, Debug)]
@@ -30,6 +31,11 @@ struct ConfigTomlSqlite {
 location: Option,
 }
+#[derive(Serialize, Deserialize, Debug)]
+struct ConfigTomlAction {
+ script: Option,
+}
+
 #[derive(Serialize, Deserialize, Debug)]
 pub struct Config {
 pub bind_addr: String,
@@ -37,7 +43,8 @@ pub struct Config {
 pub log_file: String,
 pub log_level: String,
 pub delay: u64,
- pub database_location: String
+ pub database_location: String,
+ pub action_script: String
 }
 impl Config {
@@ -65,7 +72,8 @@ impl Config {
 listen: None,
 log: None,
 tarpit: None,
- sqlite: None
+ sqlite: None,
+ action: None
 }
 });
@@ -95,13 +103,19 @@ impl Config {
 None => "./tarpit.db".to_owned()
 };
+ let action_script = match config_toml.action {
+ Some(ConfigTomlAction { script }) => script.unwrap_or("".to_owned()),
+ None => "".to_owned()
+ };
+
 Config {
 bind_addr,
 bind_port,
 log_file,
 log_level,
 delay,
- database_location
+ database_location,
+ action_script
 }
 }
 }
diff --git a/src/main.rs b/src/main.rs
index c88b937..7890004 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -25,6 +25,7 @@ use log4rs::append::console::ConsoleAppender;
 use log4rs::config::{Appender, Config, Root};
 use log4rs::encode::pattern::PatternEncoder;
 use rusqlite::Connection;
+use std::process::Command;
 struct Server {
 socket: UdpSocket,
@@ -62,7 +63,14 @@ impl Server {
 log::info!("Suspicious peer: {}", peer.ip());
 match add_suspicious(&db_con, str_peer_ip.as_str()) {
 Ok(_) => {
- // TODO: launch action script
+ // launch action script
+ let output = Command::new(config.action_script.to_owned())
+ .arg(str_peer_ip.as_str())
+ .output();
+ match output {
+ Ok(_) => log::info!("Action script executed"),
+ Err(e) => log::info!("Error executing action script {}", e)
+ }
 },
 Err(_) => return Err(io::Error::new(io::ErrorKind::Other, "Error adding suspicious peer to database")),
 }
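Review bot: The fallback `script.unwrap_or("".to_owned())` / `None => "".to_owned()` in the last src/config.rs hunk turns "no [action] section" into an empty path, which the caller in src/main.rs then hands to `Command::new` on every detection; modelling the field as `pub action_script: Option<String>` (or at minimum having callers check `is_empty()` before spawning) keeps the absent case explicit instead of encoding it as a sentinel string. If the `String` stays, `script.unwrap_or_default()` avoids allocating the placeholder eagerly. Neither the new `ConfigTomlAction` struct nor the `action_script` field carries a doc comment; on the field, `/// Path of an executable run with the suspicious peer IP as its only argument; empty when no [action] section is configured.` would state the contract. The type parameters of `Option` are not visible in this rendering of the hunks, so the exact field types cannot be confirmed here.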
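Review bot: `Ok(_) => log::info!("Action script executed")` in the second src/main.rs hunk reports success whenever the process could be spawned, so a script that exits non-zero (a failed iptables/pfctl call, for instance) is logged as executed and its stderr is discarded; the result should be checked with `output.status.success()` and failures logged with the exit status and stderr at warn/error level rather than info. With the default from src/config.rs, `config.action_script` is `""` when no `[action]` section exists, so every detection attempts `Command::new("")` and logs an error, which an `is_empty()` guard avoids. `Command::new(config.action_script.to_owned())` clones for no reason; `Command::new(&config.action_script)` is enough since `new` takes `AsRef<OsStr>`. Note also that `.output()` waits for the script with no timeout, so a slow script stalls this handler; whether that matters depends on the enclosing `impl Server` method, which starts and ends outside the hunk. Passing the IP as a separate argument rather than through a shell is the right choice and should be kept.
```rust
Ok(_) => {
    // launch action script (skipped when no [action] section was configured)
    if config.action_script.is_empty() {
        log::debug!("No action script configured, skipping");
    } else {
        match Command::new(&config.action_script).arg(str_peer_ip.as_str()).output() {
            Ok(out) if out.status.success() => log::info!("Action script executed"),
            Ok(out) => log::warn!(
                "Action script exited with {}: {}",
                out.status,
                String::from_utf8_lossy(&out.stderr)
            ),
            Err(e) => log::error!("Error executing action script {}", e),
        }
    }
},
// … unchanged: Err(_) arm returning the database error …
```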