#!/bin/bash # HAProxy IP blocking management script # Usage: ./manage-blocked-ips.sh [block|unblock|list|clear] [IP_ADDRESS] SOCKET="/tmp/haproxy-cli" MAP_FILE="/etc/haproxy/blocked_ips.map" # Ensure map file exists if [ ! -f "$MAP_FILE" ]; then touch "$MAP_FILE" echo "# Blocked IPs - Format: IP_ADDRESS" > "$MAP_FILE" fi case "$1" in block) if [ -z "$2" ]; then echo "Usage: $0 block IP_ADDRESS" exit 1 fi # Add IP to map file grep -q "^$2" "$MAP_FILE" || echo "$2" >> "$MAP_FILE" # Add to runtime map echo "add map /etc/haproxy/blocked_ips.map $2 1" | socat stdio "$SOCKET" echo "Blocked IP: $2" ;; unblock) if [ -z "$2" ]; then echo "Usage: $0 unblock IP_ADDRESS" exit 1 fi # Remove from map file sed -i "/^$2$/d" "$MAP_FILE" # Remove from runtime map echo "del map /etc/haproxy/blocked_ips.map $2" | socat stdio "$SOCKET" echo "Unblocked IP: $2" ;; list) echo "Currently blocked IPs:" echo "show map /etc/haproxy/blocked_ips.map" | socat stdio "$SOCKET" | awk '{print $1}' ;; clear) echo "Clearing all blocked IPs..." echo "clear map /etc/haproxy/blocked_ips.map" | socat stdio "$SOCKET" echo "# Blocked IPs - Format: IP_ADDRESS" > "$MAP_FILE" echo "All IPs unblocked" ;; stats) echo "=== HAProxy 3.0.11 Threat Intelligence Dashboard ===" echo "show table web" | socat stdio "$SOCKET" | awk 'NR<=21' echo "" echo "=== Top Threat Scores ===" echo "show table web" | socat stdio "$SOCKET" | awk ' NR>1 { ip = $1 auth_fail = 0 authz_fail = 0 scanner = 0 repeat_off = 0 manual_bl = 0 if ($0 ~ /gpc\(0\)=([0-9]+)/) { match($0, /gpc\(0\)=([0-9]+)/, arr); auth_fail = arr[1] } if ($0 ~ /gpc\(1\)=([0-9]+)/) { match($0, /gpc\(1\)=([0-9]+)/, arr); authz_fail = arr[1] } if ($0 ~ /gpc\(3\)=([0-9]+)/) { match($0, /gpc\(3\)=([0-9]+)/, arr); scanner = arr[1] } if ($0 ~ /gpc\(12\)=([0-9]+)/) { match($0, /gpc\(12\)=([0-9]+)/, arr); repeat_off = arr[1] } if ($0 ~ /gpc\(13\)=([0-9]+)/) { match($0, /gpc\(13\)=([0-9]+)/, arr); manual_bl = arr[1] } threat_score = auth_fail*10 + authz_fail*8 + scanner*12 + repeat_off*25 + manual_bl*100 if (threat_score > 0) { printf "%-15s Score:%-3d (Auth:%d Authz:%d Scanner:%d Repeat:%d Manual:%d)\n", ip, threat_score, auth_fail, authz_fail, scanner, repeat_off, manual_bl } }' | sort -k2 -nr | head -10 ;; blacklist) if [ -z "$2" ]; then echo "Usage: $0 blacklist IP_ADDRESS" exit 1 fi # Add to manual blacklist using GPC(13) echo "set table web key $2 data.gpc(13) 1" | socat stdio "$SOCKET" echo "Manually blacklisted IP: $2 (GPC(13) = 1)" ;; unblacklist) if [ -z "$2" ]; then echo "Usage: $0 unblacklist IP_ADDRESS" exit 1 fi # Clear manual blacklist flag echo "set table web key $2 data.gpc(13) 0" | socat stdio "$SOCKET" echo "Removed manual blacklist for IP: $2" ;; auto-blacklist) if [ -z "$2" ]; then echo "Usage: $0 auto-blacklist IP_ADDRESS" exit 1 fi # Add to auto-blacklist using GPC(14) echo "set table web key $2 data.gpc(14) 1" | socat stdio "$SOCKET" echo "Auto-blacklisted IP: $2 (GPC(14) = 1)" ;; threat-score) if [ -z "$2" ]; then echo "Usage: $0 threat-score IP_ADDRESS" exit 1 fi # Show detailed threat breakdown for specific IP echo "Threat analysis for $2:" echo "show table web key $2" | socat stdio "$SOCKET" ;; *) echo "Usage: $0 {block|unblock|list|clear|blacklist|unblacklist|auto-blacklist|threat-score|stats} [IP_ADDRESS]" echo "" echo "HAProxy 3.0.11 Enhanced Security Commands:" echo " block IP - Block IP via map file (immediate)" echo " unblock IP - Unblock IP from map file" echo " blacklist IP - Manual blacklist via GPC(13) array" echo " unblacklist IP - Remove manual blacklist flag" echo " auto-blacklist IP - Auto-blacklist via GPC(14) array" echo " threat-score IP - Show detailed threat analysis for IP" echo " list - List all blocked IPs (map file)" echo " clear - Clear all blocked IPs (map file)" echo " stats - Show threat intelligence dashboard" echo "" echo "Array-Based GPC Threat Matrix:" echo " gpc(0): Authentication failures (401s) × 10" echo " gpc(1): Authorization failures (403s) × 8" echo " gpc(3): Scanner/Bot detection × 12" echo " gpc(12): Repeat offender flag × 25" echo " gpc(13): Manual blacklist flag × 100" echo " gpc(14): Auto-blacklist candidate × 50" exit 1 ;; esac