jknapp
8636b69ee1
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m48s
- Remove semicolons from variable initialization in AWK scripts - Each variable now on separate line to prevent syntax errors - Fixes "syntax error at or near ," in monitor-attacks.sh and manage-blocked-ips.sh - Scripts now properly parse HAProxy 3.0.11 threat intelligence data 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
144 lines
5.2 KiB
Bash
Executable File
144 lines
5.2 KiB
Bash
Executable File
#!/bin/bash
|
||
|
||
# HAProxy IP blocking management script
|
||
# Usage: ./manage-blocked-ips.sh [block|unblock|list|clear] [IP_ADDRESS]
|
||
|
||
SOCKET="/tmp/haproxy-cli"
|
||
MAP_FILE="/etc/haproxy/blocked_ips.map"
|
||
|
||
# Ensure map file exists
|
||
if [ ! -f "$MAP_FILE" ]; then
|
||
touch "$MAP_FILE"
|
||
echo "# Blocked IPs - Format: IP_ADDRESS" > "$MAP_FILE"
|
||
fi
|
||
|
||
case "$1" in
|
||
block)
|
||
if [ -z "$2" ]; then
|
||
echo "Usage: $0 block IP_ADDRESS"
|
||
exit 1
|
||
fi
|
||
# Add IP to map file
|
||
grep -q "^$2" "$MAP_FILE" || echo "$2" >> "$MAP_FILE"
|
||
# Add to runtime map
|
||
echo "add map /etc/haproxy/blocked_ips.map $2 1" | socat stdio "$SOCKET"
|
||
echo "Blocked IP: $2"
|
||
;;
|
||
|
||
unblock)
|
||
if [ -z "$2" ]; then
|
||
echo "Usage: $0 unblock IP_ADDRESS"
|
||
exit 1
|
||
fi
|
||
# Remove from map file
|
||
sed -i "/^$2$/d" "$MAP_FILE"
|
||
# Remove from runtime map
|
||
echo "del map /etc/haproxy/blocked_ips.map $2" | socat stdio "$SOCKET"
|
||
echo "Unblocked IP: $2"
|
||
;;
|
||
|
||
list)
|
||
echo "Currently blocked IPs:"
|
||
echo "show map /etc/haproxy/blocked_ips.map" | socat stdio "$SOCKET" | awk '{print $1}'
|
||
;;
|
||
|
||
clear)
|
||
echo "Clearing all blocked IPs..."
|
||
echo "clear map /etc/haproxy/blocked_ips.map" | socat stdio "$SOCKET"
|
||
echo "# Blocked IPs - Format: IP_ADDRESS" > "$MAP_FILE"
|
||
echo "All IPs unblocked"
|
||
;;
|
||
|
||
stats)
|
||
echo "=== HAProxy 3.0.11 Threat Intelligence Dashboard ==="
|
||
echo "show table web" | socat stdio "$SOCKET" | awk 'NR<=21'
|
||
echo ""
|
||
echo "=== Top Threat Scores ==="
|
||
echo "show table web" | socat stdio "$SOCKET" | awk '
|
||
NR>1 {
|
||
ip = $1
|
||
auth_fail = 0
|
||
authz_fail = 0
|
||
scanner = 0
|
||
repeat_off = 0
|
||
manual_bl = 0
|
||
|
||
if ($0 ~ /gpc\(0\)=([0-9]+)/) { match($0, /gpc\(0\)=([0-9]+)/, arr); auth_fail = arr[1] }
|
||
if ($0 ~ /gpc\(1\)=([0-9]+)/) { match($0, /gpc\(1\)=([0-9]+)/, arr); authz_fail = arr[1] }
|
||
if ($0 ~ /gpc\(3\)=([0-9]+)/) { match($0, /gpc\(3\)=([0-9]+)/, arr); scanner = arr[1] }
|
||
if ($0 ~ /gpc\(12\)=([0-9]+)/) { match($0, /gpc\(12\)=([0-9]+)/, arr); repeat_off = arr[1] }
|
||
if ($0 ~ /gpc\(13\)=([0-9]+)/) { match($0, /gpc\(13\)=([0-9]+)/, arr); manual_bl = arr[1] }
|
||
|
||
threat_score = auth_fail*10 + authz_fail*8 + scanner*12 + repeat_off*25 + manual_bl*100
|
||
|
||
if (threat_score > 0) {
|
||
printf "%-15s Score:%-3d (Auth:%d Authz:%d Scanner:%d Repeat:%d Manual:%d)\n",
|
||
ip, threat_score, auth_fail, authz_fail, scanner, repeat_off, manual_bl
|
||
}
|
||
}' | sort -k2 -nr | head -10
|
||
;;
|
||
|
||
blacklist)
|
||
if [ -z "$2" ]; then
|
||
echo "Usage: $0 blacklist IP_ADDRESS"
|
||
exit 1
|
||
fi
|
||
# Add to manual blacklist using GPC(13)
|
||
echo "set table web key $2 data.gpc(13) 1" | socat stdio "$SOCKET"
|
||
echo "Manually blacklisted IP: $2 (GPC(13) = 1)"
|
||
;;
|
||
|
||
unblacklist)
|
||
if [ -z "$2" ]; then
|
||
echo "Usage: $0 unblacklist IP_ADDRESS"
|
||
exit 1
|
||
fi
|
||
# Clear manual blacklist flag
|
||
echo "set table web key $2 data.gpc(13) 0" | socat stdio "$SOCKET"
|
||
echo "Removed manual blacklist for IP: $2"
|
||
;;
|
||
|
||
auto-blacklist)
|
||
if [ -z "$2" ]; then
|
||
echo "Usage: $0 auto-blacklist IP_ADDRESS"
|
||
exit 1
|
||
fi
|
||
# Add to auto-blacklist using GPC(14)
|
||
echo "set table web key $2 data.gpc(14) 1" | socat stdio "$SOCKET"
|
||
echo "Auto-blacklisted IP: $2 (GPC(14) = 1)"
|
||
;;
|
||
|
||
threat-score)
|
||
if [ -z "$2" ]; then
|
||
echo "Usage: $0 threat-score IP_ADDRESS"
|
||
exit 1
|
||
fi
|
||
# Show detailed threat breakdown for specific IP
|
||
echo "Threat analysis for $2:"
|
||
echo "show table web key $2" | socat stdio "$SOCKET"
|
||
;;
|
||
|
||
*)
|
||
echo "Usage: $0 {block|unblock|list|clear|blacklist|unblacklist|auto-blacklist|threat-score|stats} [IP_ADDRESS]"
|
||
echo ""
|
||
echo "HAProxy 3.0.11 Enhanced Security Commands:"
|
||
echo " block IP - Block IP via map file (immediate)"
|
||
echo " unblock IP - Unblock IP from map file"
|
||
echo " blacklist IP - Manual blacklist via GPC(13) array"
|
||
echo " unblacklist IP - Remove manual blacklist flag"
|
||
echo " auto-blacklist IP - Auto-blacklist via GPC(14) array"
|
||
echo " threat-score IP - Show detailed threat analysis for IP"
|
||
echo " list - List all blocked IPs (map file)"
|
||
echo " clear - Clear all blocked IPs (map file)"
|
||
echo " stats - Show threat intelligence dashboard"
|
||
echo ""
|
||
echo "Array-Based GPC Threat Matrix:"
|
||
echo " gpc(0): Authentication failures (401s) × 10"
|
||
echo " gpc(1): Authorization failures (403s) × 8"
|
||
echo " gpc(3): Scanner/Bot detection × 12"
|
||
echo " gpc(12): Repeat offender flag × 25"
|
||
echo " gpc(13): Manual blacklist flag × 100"
|
||
echo " gpc(14): Auto-blacklist candidate × 50"
|
||
exit 1
|
||
;;
|
||
esac |