-
Notifications
You must be signed in to change notification settings - Fork 8
/
03_basic_firewall.py
85 lines (67 loc) · 2.48 KB
/
03_basic_firewall.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
import os
import sys
import time
from collections import defaultdict
from scapy.all import sniff, IP, TCP
THRESHOLD = 40
print(f"THRESHOLD: {THRESHOLD}")
# Read IPs from a file
def read_ip_file(filename):
with open(filename, "r") as file:
ips = [line.strip() for line in file]
return set(ips)
# Check for Nimda worm signature
def is_nimda_worm(packet):
if packet.haslayer(TCP) and packet[TCP].dport == 80:
payload = packet[TCP].payload
return "GET /scripts/root.exe" in str(payload)
return False
# Log events to a file
def log_event(message):
log_folder = "logs"
os.makedirs(log_folder, exist_ok=True)
timestamp = time.strftime("%Y-%m-%d_%H-%M-%S", time.localtime())
log_file = os.path.join(log_folder, f"log_{timestamp}.txt")
with open(log_file, "a") as file:
file.write(f"{message}\n")
def packet_callback(packet):
src_ip = packet[IP].src
# Check if IP is in the whitelist
if src_ip in whitelist_ips:
return
# Check if IP is in the blacklist
if src_ip in blacklist_ips:
os.system(f"iptables -A INPUT -s {src_ip} -j DROP")
log_event(f"Blocking blacklisted IP: {src_ip}")
return
# Check for Nimda worm signature
if is_nimda_worm(packet):
print(f"Blocking Nimda source IP: {src_ip}")
os.system(f"iptables -A INPUT -s {src_ip} -j DROP")
log_event(f"Blocking Nimda source IP: {src_ip}")
return
packet_count[src_ip] += 1
current_time = time.time()
time_interval = current_time - start_time[0]
if time_interval >= 1:
for ip, count in packet_count.items():
packet_rate = count / time_interval
if packet_rate > THRESHOLD and ip not in blocked_ips:
print(f"Blocking IP: {ip}, packet rate: {packet_rate}")
os.system(f"iptables -A INPUT -s {ip} -j DROP")
log_event(f"Blocking IP: {ip}, packet rate: {packet_rate}")
blocked_ips.add(ip)
packet_count.clear()
start_time[0] = current_time
if __name__ == "__main__":
if os.geteuid() != 0:
print("This script requires root privileges.")
sys.exit(1)
# Import whitelist and blacklist IPs
whitelist_ips = read_ip_file("whitelist.txt")
blacklist_ips = read_ip_file("blacklist.txt")
packet_count = defaultdict(int)
start_time = [time.time()]
blocked_ips = set()
print("Monitoring network traffic...")
sniff(filter="ip", prn=packet_callback)