BASH - crtl-snort2c-fail2ban.sh
#!/bin/bash
# Connection settings -- adjust these before running the script.
# The addresses and key path below are placeholders. Of these, only
# IP_PFSENSE_SOURCE_01, SSH_KEY and SNORT_TABLE are read by the functions in
# this file; IP_PFSENSE_SOURCE_02, IP_FAIL2BAN and IP_PFSENSE_DEST are defined
# but not referenced anywhere below.
IP_PFSENSE_SOURCE_01=1.2.3.4      # pfSense host targeted by -w and -u
IP_PFSENSE_SOURCE_02=1.2.3.5
IP_FAIL2BAN=1.2.3.6
IP_PFSENSE_DEST=1.2.3.7
SSH_KEY=/path/to/your/ssh/key     # SSH private key used for every remote call
SNORT_TABLE=snort2c               # pf table on pfSense that holds Snort's blocks
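#######################################
# List the entries of a pf table on a remote pfSense host.
# Arguments: $1 pfSense host (host or user@host)
#            $2 SSH private key path
#            $3 pf table name (e.g. snort2c)
# Outputs:   table entries on stdout, one per line; the progress message goes
#            to stderr so that $(...) captures only the data (the original
#            printed it on stdout, where it was merged into the IP list)
# Returns:   1 when the table name is not a bare identifier, else ssh's status
#######################################
fetch_pfsense_banned_ips() {
  local pfsense_host=$1
  local ssh_key=$2
  local snort_table=$3
  # The table name is spliced into a remote shell command line; accept only a
  # bare identifier so it cannot carry shell metacharacters.
  if [[ ! "$snort_table" =~ ^[A-Za-z0-9_.-]+$ ]]; then
    printf 'Refusing to query table with unexpected name: %s\n' "$snort_table" >&2
    return 1
  fi
  printf 'Fetching banned IPs from pfSense Snort2c table at %s...\n' "$pfsense_host" >&2
  # ssh diagnostics are no longer discarded, so a failed connection is visible.
  ssh -i "$ssh_key" "$pfsense_host" "pfctl -t $snort_table -T show"
}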
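#######################################
# Ask a remote Fail2Ban instance for its currently banned addresses.
# Arguments: $1 Fail2Ban host (host or user@host)
#            $2 SSH private key path
# Outputs:   the raw output of `fail2ban-client banned` on stdout; the progress
#            message goes to stderr so that $(...) captures only the data
# Returns:   ssh's exit status
# NOTE(review): merge_banned_ip treats this output as one address per line;
# confirm that the installed fail2ban-client prints that shape, as some
# versions emit a structured (list/dict style) summary that needs parsing.
#######################################
fetch_fail2ban_banned_ips() {
  local fail2ban_host=$1
  local ssh_key=$2
  printf 'Fetching banned IPs from Fail2Ban at %s...\n' "$fail2ban_host" >&2
  # ssh diagnostics are no longer discarded, so a failed connection is visible.
  ssh -i "$ssh_key" "$fail2ban_host" "fail2ban-client banned"
}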
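#######################################
# Merge several newline-separated address lists into one sorted, de-duplicated
# list.
# Arguments: each positional parameter is one list (entries separated by
#            newlines; empty lists are allowed)
# Outputs:   the merged entries on stdout, one per line, with blank lines
#            removed, ordered octet by octet (1.9.0.1 sorts before 1.10.0.1;
#            the original `sort -n` only looked at the first octet)
# Returns:   the pipeline's exit status
#######################################
merge_banned_ips() {
  local -a sources=("$@")
  # Emit every list, drop empty/whitespace-only lines (an empty source
  # otherwise contributed a blank entry), sort numerically on each dotted-quad
  # field, then collapse exact duplicates. `uniq` rather than `sort -u` so that
  # "1.2.3.4" and "1.2.3.4/24" (equal on every key) are both kept.
  printf '%s\n' "${sources[@]}" \
    | sed '/^[[:space:]]*$/d' \
    | LC_ALL=C sort -t . -k1,1n -k2,2n -k3,3n -k4,4n \
    | uniq
}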
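#######################################
# Add a network to a pf table on a remote pfSense host.
# Arguments: $1 pfSense host (host or user@host)
#            $2 SSH private key path
#            $3 pf table name
#            $4 IPv4 network, dotted quad or CIDR (e.g. 192.168.0.0/24)
# Outputs:   progress message on stderr; pfctl's own output on stdout
# Returns:   1 when $3 or $4 has an unexpected shape, else ssh's status
# NOTE(review): `pfctl -T add` inserts the entry into the table, and this
# script elsewhere treats that table's contents as the *banned* addresses
# (fetch_pfsense_banned_ips reads it, unban_ip deletes from it). Adding a
# network here therefore bans it rather than exempting it -- confirm the
# intended effect before using this as a whitelist.
#######################################
whitelist_network() {
  local pfsense_host=$1
  local ssh_key=$2
  local snort_table=$3
  local network=$4
  # Both values are spliced into a remote command line: accept only a bare
  # identifier for the table and an IPv4 address/CIDR for the network.
  if [[ ! "$snort_table" =~ ^[A-Za-z0-9_.-]+$ ]]; then
    printf 'Refusing to use table with unexpected name: %s\n' "$snort_table" >&2
    return 1
  fi
  if [[ ! "$network" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$ ]]; then
    printf 'Refusing to add malformed network: %s\n' "$network" >&2
    return 1
  fi
  printf 'Whitelisting network %s in pfSense Snort2c table at %s...\n' "$network" "$pfsense_host" >&2
  # ssh diagnostics are no longer discarded, so a failed connection is visible.
  ssh -i "$ssh_key" "$pfsense_host" "pfctl -t $snort_table -T add $network"
}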
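#######################################
# Remove one address from a pf table on a remote pfSense host (lift its ban).
# Arguments: $1 pfSense host (host or user@host)
#            $2 SSH private key path
#            $3 pf table name
#            $4 IPv4 address (e.g. 192.168.1.100)
# Outputs:   progress message on stderr; pfctl's own output on stdout
# Returns:   1 when $3 or $4 has an unexpected shape, else ssh's status
#######################################
unban_ip() {
  local pfsense_host=$1
  local ssh_key=$2
  local snort_table=$3
  local ip=$4
  # Both values are spliced into a remote command line: accept only a bare
  # identifier for the table and a dotted-quad address.
  if [[ ! "$snort_table" =~ ^[A-Za-z0-9_.-]+$ ]]; then
    printf 'Refusing to use table with unexpected name: %s\n' "$snort_table" >&2
    return 1
  fi
  if [[ ! "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    printf 'Refusing to delete malformed address: %s\n' "$ip" >&2
    return 1
  fi
  printf 'Unbanning IP %s from pfSense Snort2c table at %s...\n' "$ip" "$pfsense_host" >&2
  # ssh diagnostics are no longer discarded, so a failed connection is visible.
  ssh -i "$ssh_key" "$pfsense_host" "pfctl -t $snort_table -T delete $ip"
}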
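#######################################
# Check that a string is an IPv4 address, optionally with a /0-/32 prefix.
# Arguments: $1 candidate string
# Outputs:   nothing
# Returns:   0 when valid, 1 otherwise
#######################################
validate_ip_or_cidr() {
  local input=$1
  local -a octets
  local octet addr
  # Shape check: four 1-3 digit groups, optional /N with N in 0..32.
  [[ "$input" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$ ]] || return 1
  # The regex alone accepted values such as 999.1.1.1; bound each octet to
  # 0-255. 10# forces decimal so "010" is not read as octal.
  addr=${input%%/*}
  IFS=. read -r -a octets <<< "$addr"
  for octet in "${octets[@]}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}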
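#######################################
# Check that a string is a plain IPv4 address (no prefix length).
# Arguments: $1 candidate string
# Outputs:   nothing
# Returns:   0 when valid, 1 otherwise
#######################################
validate_ip() {
  local ip=$1
  local -a octets
  local octet
  # Shape check: exactly four 1-3 digit groups.
  [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
  # The regex alone accepted values such as 999.1.1.1; bound each octet to
  # 0-255. 10# forces decimal so "010" is not read as octal.
  IFS=. read -r -a octets <<< "$ip"
  for octet in "${octets[@]}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}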
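#######################################
# Parse the command line and run the requested action.
# Arguments: the script's "$@"
#   -m host:ssh_key:table[,...]  merge the pf-table and Fail2Ban bans of each
#                                source and reinject the result
#   -w network[/prefix]          add a network to SNORT_TABLE on IP_PFSENSE_SOURCE_01
#   -u address                   delete an address from that table
# Globals:   reads IP_PFSENSE_SOURCE_01, SSH_KEY, SNORT_TABLE; getopts sets OPTIND
# Outputs:   usage text and validation errors on stderr
# Returns:   1 (after printing usage) when called with no options; exits 1 on
#            an unknown option or a malformed -w/-u value
#######################################
handle_options() {
  local opt
  local usage="Usage: $0 [-m host:ssh_key:table[,...]] [-w network[/prefix]] [-u address]"
  # Running the script without any flag previously did nothing silently.
  if (( $# == 0 )); then
    printf '%s\n' "$usage" >&2
    return 1
  fi
  while getopts "m:w:u:" opt; do
    case "$opt" in
      m)
        merge_banned_ip "$OPTARG"
        ;;
      w)
        # Only a syntactically valid IPv4 network reaches the remote pfctl call.
        if validate_ip_or_cidr "$OPTARG"; then
          whitelist_network "$IP_PFSENSE_SOURCE_01" "$SSH_KEY" "$SNORT_TABLE" "$OPTARG"
        else
          printf 'Invalid network CIDR format: %s\n' "$OPTARG" >&2
          exit 1
        fi
        ;;
      u)
        # Only a syntactically valid IPv4 address reaches the remote pfctl call.
        if validate_ip "$OPTARG"; then
          unban_ip "$IP_PFSENSE_SOURCE_01" "$SSH_KEY" "$SNORT_TABLE" "$OPTARG"
        else
          printf 'Invalid IP address format: %s\n' "$OPTARG" >&2
          exit 1
        fi
        ;;
      *)
        printf '%s\n' "$usage" >&2
        exit 1
        ;;
    esac
  done
}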
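#######################################
# Merge the banned lists of each configured source and reinject the result into
# that source's pf table.
# Arguments: $1 comma-separated list of sources, each "host:ssh_key:table"
# Globals:   none. IP_FAIL2BAN is defined at the top of the file but is not
#            used here: as in the original, the Fail2Ban query is sent to the
#            same host as the pf query.
# Outputs:   the merged list of each source on stdout; progress and skipped
#            entries on stderr
# Returns:   1 when a source entry is malformed, otherwise 0
# NOTE(review): if Fail2Ban actually runs on IP_FAIL2BAN rather than on the
# pfSense host, the fetch_fail2ban_banned_ips call below should target it.
#######################################
merge_banned_ip() {
  local sources=$1
  local -a entries to_add
  local entry pfsense_host ssh_key snort_table
  local pfsense_ips fail2ban_ips merged_ips ip
  IFS=',' read -r -a entries <<< "$sources"
  for entry in "${entries[@]}"; do
    IFS=':' read -r pfsense_host ssh_key snort_table <<< "$entry"
    if [[ -z "$pfsense_host" || -z "$ssh_key" || -z "$snort_table" ]]; then
      printf 'Malformed source (expected host:ssh_key:table): %s\n' "$entry" >&2
      return 1
    fi
    pfsense_ips=$(fetch_pfsense_banned_ips "$pfsense_host" "$ssh_key" "$snort_table")
    fail2ban_ips=$(fetch_fail2ban_banned_ips "$pfsense_host" "$ssh_key")
    merged_ips=$(merge_banned_ips "$pfsense_ips" "$fail2ban_ips")
    # Print the final merged list for this source.
    printf '%s\n' "$merged_ips"
    # Remote output is data, not trusted input: only entries that look like an
    # IPv4 address or CIDR are spliced into the pfctl command line; status
    # lines, error text or anything else is reported and skipped.
    to_add=()
    for ip in $merged_ips; do
      if validate_ip_or_cidr "$ip"; then
        to_add+=("$ip")
      else
        printf 'Skipping non-address entry: %s\n' "$ip" >&2
      fi
    done
    # One pfctl call per source instead of one SSH session per address.
    if (( ${#to_add[@]} > 0 )); then
      ssh -i "$ssh_key" "$pfsense_host" "pfctl -t $snort_table -T add ${to_add[*]}"
    fi
  done
}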
# Entry point: every action of this script is selected by its command-line
# flags, so all top-level work is delegated to the option parser.
handle_options "${@}"
