dev #1

Merged
serxoz merged 3 commits from dev into main 2024-04-18 13:47:12 +02:00
5 changed files with 54 additions and 5 deletions
Showing only changes of commit 0faaae839f - Show all commits

View File

@ -18,3 +18,8 @@ This way attacker will be entertained for some time... :D
## Configure
Read config.toml and adapt it to your preferences. Keep in mind that for docker
use you want to keep log_file="CONSOLE".
## Action Script
You can configure action script by adding it to config.toml.
When a new suspicious IP address is detected, the script will be executed. See
action_script.sh for an example.

18
action_script.sh Executable file
View File

@ -0,0 +1,18 @@
#!/bin/sh
# Script to run when a new suspicious IP address is detected.
# Example for Linux:
# iptables -I INPUT -s $1 -j DROP
#
# Example for OpenBSD:
# Having a table in pf.conf:
# table <blacklist> persist file "/etc/blacklist"
# block drop in quick from <blacklist> to any
# then add/delete dinamically:
# pfctl -t badhosts -T add $1
# pfctl -t badhosts -T delete $1
# Example for "debugging":
echo $1 > /tmp/foo

View File

@ -17,3 +17,7 @@ delay = 1500
[sqlite]
location = "tarpit.db"
[action]
# path to action script, remember give it execution permission
script = "./action_script.sh"

View File

@ -5,7 +5,8 @@ struct ConfigToml {
listen: Option<ConfigTomlListen>,
log: Option<ConfigTomlLog>,
tarpit: Option<ConfigTomlTarpit>,
sqlite: Option<ConfigTomlSqlite>
sqlite: Option<ConfigTomlSqlite>,
action: Option<ConfigTomlAction>,
}
#[derive(Serialize, Deserialize, Debug)]
@ -30,6 +31,11 @@ struct ConfigTomlSqlite {
location: Option<String>,
}
#[derive(Serialize, Deserialize, Debug)]
struct ConfigTomlAction {
script: Option<String>,
}
#[derive(Serialize, Deserialize, Debug)]
pub struct Config {
pub bind_addr: String,
@ -37,7 +43,8 @@ pub struct Config {
pub log_file: String,
pub log_level: String,
pub delay: u64,
pub database_location: String
pub database_location: String,
pub action_script: String
}
impl Config {
@ -65,7 +72,8 @@ impl Config {
listen: None,
log: None,
tarpit: None,
sqlite: None
sqlite: None,
action: None
}
});
@ -95,13 +103,19 @@ impl Config {
None => "./tarpit.db".to_owned()
};
let action_script = match config_toml.action {
Some(ConfigTomlAction { script }) => script.unwrap_or("".to_owned()),
None => "".to_owned()
};
Config {
bind_addr,
bind_port,
log_file,
log_level,
delay,
database_location
database_location,
action_script
}
}
}

View File

@ -25,6 +25,7 @@ use log4rs::append::console::ConsoleAppender;
use log4rs::config::{Appender, Config, Root};
use log4rs::encode::pattern::PatternEncoder;
use rusqlite::Connection;
use std::process::Command;
struct Server {
socket: UdpSocket,
@ -62,7 +63,14 @@ impl Server {
log::info!("Suspicious peer: {}", peer.ip());
match add_suspicious(&db_con, str_peer_ip.as_str()) {
Ok(_) => {
// TODO: launch action script
// launch action script
let output = Command::new(config.action_script.to_owned())
.arg(str_peer_ip.as_str())
.output();
match output {
Ok(_) => log::info!("Action script executed"),
Err(e) => log::info!("Error executing action script {}", e)
}
},
Err(_) => return Err(io::Error::new(io::ErrorKind::Other, "Error adding suspicious peer to database")),
}