IP-Flame is a public Hack/Spam/DoS Attempt IP Wall-of-Shame generator for IP addresses from Apache2 Logs. I got this idea from constantly having to blacklist IP addresses that try to add spam to an old wiki that I used to host on C programming. Why would C programmers want knock-off Louis Vuitton purses from .CN anyways? I don't know. I actually took the wiki down because of the amount of spam that was slamming it and because CloudFlare.com only allows you to block an entire country with an expensive subscription. I thought that if there was a simple, pretty way to just check the logs and have a lot of detailed output, I would be a bit happier about the spam. My own Wall-Of-Flame can be found here: WeakNet Labs' IP Flames
The main script can be run with ./ip-flame.sh after the configuration file config-ip-flame.txt is updated. The script generates a static HTML report that includes dynamically generated links to Shodan, SpamCop, ARIN, APNIC, InfoByIp, and Sophos for each offending IP address found. The script does NOT make any request to these sites; it only generates the links for your convenience.
Technically, this could be used as a simple incident response tool for web-application breaches or disclosures of web-accessible data. IDS functionality is also in development, for sending the report from the cron job to an MMS address.
Linux: bash, sed, awk, egrep
Web Server: log file and hosting of report, Apache2
trevelyn@80211:~/repository/ip-flame$ ./ip-flame.sh
[ + ] WWW log location: /path/to/log/apache2/access.log
[ + ] Using web-host path: /path/to/wwwroot/example.com/flamed-ips.html
[ + ] Generated IP white list: 192.168.1.100|192.168.1.101
[ + ] Matching offending lines: /wiki/c
[ + ] HTML file generation completed and stored in /path/to/wwwroot/example.com/flamed-ips.html
trevelyn@80211:~/repository/ip-flame$
The file config-ip-flame.txt is the configuration file.
# IP-FLAME Configuration File
# #
# use fwd slashes at the end of path names!
# ~Douglas - [email protected]
web-path=/path/to/wwwroot/example.com/
offending-lines=/wiki/c
web-log=/path/to/apache2/access.log
temp-path=/tmp/
- Web Path is to where you would like to host your report
- Offending Lines are lines, or requests that resemble hacking attempts (SQLi, XSS, Spam)
- Web Log is the path to your Apache2 log file
- Tmp Path is the temporary working path for file generation
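The filtering these settings describe, as an added example (not IP-Flame's own code): it counts requests per client IP whose request path contains the offending-lines value and skips whitelisted IPs. It assumes the Apache common/combined log format; `flame_count`, `sample_log` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IP-Flame's own code.
# Assumption: Apache common/combined log format, where whitespace-separated
# field 1 is the client IP and field 7 is the request path.

# flame_count LOG PATTERN WHITELIST   (hypothetical helper)
#   PATTERN   literal text to find in the request path (the offending-lines value)
#   WHITELIST IPs separated by "|", as in the "Generated IP white list" output
# Prints "hits ip" lines, most active client first.
flame_count() {
    awk -v pat="$2" -v wl="$3" '
        BEGIN {
            n = split(wl, a, "|")
            for (i = 1; i <= n; i++) skip[a[i]] = 1   # exact IP match, no regex
        }
        # index() is a literal substring test, and only the request path ($7)
        # is checked, so a Referer or User-Agent that contains the pattern
        # does not flag the client.
        !($1 in skip) && index($7, pat) > 0 { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation IP ranges), not real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wiki/c/index.php?action=edit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wiki/c/index.php?action=submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:01:02 +0000] "GET /wiki/c/Main_Page HTTP/1.1" 200 2048 "-" "curl/8.0"
192.168.1.100 - - [10/Oct/2023:14:02:00 +0000] "GET /wiki/c/Main_Page HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Oct/2023:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/wiki/c" "Mozilla/5.0"
EOF
}

tmp=$(mktemp) && sample_log > "$tmp"
flame_count "$tmp" "/wiki/c" "192.168.1.100|192.168.1.101"
rm -f "$tmp"
```

Comparing whitelist entries as exact strings keeps an entry such as 10.0.0.1 from also exempting 10.0.0.12, which an unanchored regular-expression match would do.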
To run the application, simply use ./ip-flame.sh. To install IP-Flame, simply copy the executable into one of your $PATH directories to make it readily available, e.g.:
trevelyn@80211:~/repository/ip-flame$ cp ip-flame.sh /usr/local/bin
trevelyn@80211:~/repository/ip-flame$ ip-flame.sh
- Mobile responsive design
- Finish coding MMS/IDS function
- Write cron job to generate the report automatically
- Add a total (IPs) to the top of the HTML report