#!/bin/bash
# monitor_mariadb.sh - follow the MariaDB journal for failed logins and
# firewall abusive sources with iptables (see block_ip below).
#
# Needs: bash, journalctl, iptables, getent, awk, and sudo rights for
# journalctl and iptables.

# Append-only record of every analysed attempt and every block decision.
LOG_FILE="/var/log/mariadb_access_attempts.log"
# Per-attempt counters and thresholds, for tuning.
DEBUG_FILE="/var/log/mdb_brutedefence_debug.log"

# Usernames that get rate-limited instead of being blocked on the first
# failure. Everything else is blocked immediately.
WHITELIST=(
  "user_name_0"
  "user_name_1"
)
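#######################################
# Add a DROP rule for $1 to the INPUT chain unless an identical rule is
# already present (each repeated denial used to stack another duplicate).
# Arguments: $1 - IPv4 source address
#######################################
_drop_source() {
  local src="$1"
  if ! sudo iptables -C INPUT -s "$src" -j DROP 2>/dev/null; then
    sudo iptables -A INPUT -s "$src" -j DROP
  fi
}

#######################################
# Count attempt records for one IP newer than a cutoff.
# Records are "identifier - ip - user - epoch - Current Threshold: N", so
# splitting on " - " puts the IP in field 2 and the epoch in field 4 (only
# whitelisted usernames reach that record, so field positions are stable).
# The IP is compared exactly: grep "$ip" treated the dots as wildcards and
# counted 10.0.0.10 towards 10.0.0.1. The previous awk read field 4 of a
# whitespace split, which is the literal "-", so the count was always 0.
# "Blocked IP:" lines contain no " - " and are skipped, as is any record
# whose epoch field is not numeric.
# Globals:   LOG_FILE (read)
# Arguments: $1 - IPv4 address, $2 - epoch cutoff (exclusive)
# Outputs:   the count on stdout (0 when the log does not exist yet)
#######################################
_count_attempts() {
  local ip="$1" cutoff="$2"
  [[ -r "$LOG_FILE" ]] || { echo 0; return 0; }
  awk -F' - ' -v ip="$ip" -v cutoff="$cutoff" '
    $2 == ip && $4 ~ /^[0-9]+$/ && ($4 + 0) > cutoff { n++ }
    END { print n + 0 }
  ' "$LOG_FILE"
}

#######################################
# Record a failed MariaDB login and firewall its source when warranted:
# immediately for a username outside WHITELIST, otherwise once the 15-minute
# count exceeds a threshold derived from the last hour (half the
# per-15-minute average, never below 5).
# Globals:   WHITELIST (read), LOG_FILE (append), DEBUG_FILE (append)
# Arguments: $1 - source as MariaDB reported it: dotted-quad IPv4 or hostname
#            $2 - username that failed to authenticate (attacker-controlled)
# Outputs:   appends to LOG_FILE and DEBUG_FILE; may add an iptables rule
# Returns:   0 always
#######################################
block_ip() {
  local identifier="$1"
  local username="$2"
  local ip

  # A dotted-quad literal is used as-is; anything else is resolved to its
  # first IPv4 address. ahostsv4 (instead of hosts) means iptables is never
  # handed an IPv6 address or a multi-line result, both of which it rejects.
  if [[ "$identifier" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    ip="$identifier"
  else
    ip=$(getent ahostsv4 "$identifier" | awk 'NR == 1 { print $1 }')
  fi

  # Check for an unresolved source BEFORE the whitelist branch: previously
  # this check came after it, so a non-whitelisted user from an unresolvable
  # host reached iptables with an empty -s argument.
  if [[ -z "$ip" ]]; then
    echo "Unresolvable source: $identifier (user: $username), no action taken" >> "$DEBUG_FILE"
    return 0
  fi

  # Never firewall loopback: a failed local login (e.g. root@localhost with
  # a wrong password) would otherwise cut the host off from its own service.
  if [[ "$ip" == 127.* ]]; then
    echo "Skipped loopback source: $ip ($identifier) user: $username" >> "$DEBUG_FILE"
    return 0
  fi

  # Exact comparison against each whitelist entry; the substring test on the
  # space-joined array is unreliable for names containing spaces.
  local entry allowed=0
  for entry in "${WHITELIST[@]}"; do
    if [[ "$entry" == "$username" ]]; then
      allowed=1
      break
    fi
  done

  if [[ "$allowed" -eq 0 ]]; then
    _drop_source "$ip"
    echo "Blocked IP: $ip ($identifier) due to non-whitelisted username: $username" >> "$LOG_FILE"
    return 0
  fi

  local now recent hourly avg_per_quarter threshold
  now=$(date +%s)
  recent=$(_count_attempts "$ip" "$((now - 900))")
  hourly=$(_count_attempts "$ip" "$((now - 3600))")
  # Hourly total spread over four 15-minute windows, halved, floored at 5.
  avg_per_quarter=$((hourly / 4))
  threshold=$((avg_per_quarter / 2))
  if [[ "$threshold" -lt 5 ]]; then
    threshold=5
  fi

  echo "Debug: IP: $ip, RECENT_ATTEMPTS: $recent, AVG_ATTEMPTS_LAST_HOUR: $avg_per_quarter, BLOCKING_THRESHOLD: $threshold" >> "$DEBUG_FILE"

  # Record this attempt (it is counted by the NEXT call, as before). This
  # format is what _count_attempts parses; keep the two in sync.
  echo "$identifier - $ip - $username - $now - Current Threshold: $threshold" >> "$LOG_FILE"

  if [[ "$recent" -gt "$threshold" ]]; then
    _drop_source "$ip"
    echo "Blocked IP: $ip ($identifier) targeting user: $username after exceeding threshold of $threshold attempts within 15 minutes" >> "$LOG_FILE"
  fi
  return 0
}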
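# Follow the MariaDB journal and hand every failed login to block_ip.
#
# One regex extracts both fields. The user capture is greedy and the overall
# match is the longest possible, so the host capture is the final '@'host'
# pair of the line even when the (attacker-chosen) username itself contains
# quotes or '@'. The awk $(NF-3) this replaces picked the username by
# counting quotes from the end of the line, which a username containing a
# quote shifts onto the wrong field.
DENIAL_RE="Access denied for user '(.*)'@'([^']*)'"

# -n 0 starts at "now": journalctl -f otherwise replays the last 10 entries,
# which re-counted and re-blocked old denials on every restart of this script.
while IFS= read -r line; do
  [[ "$line" == *"[Warning] Access denied for user"* ]] || continue
  if [[ "$line" =~ $DENIAL_RE ]]; then
    # block_ip takes the source first, then the username
    block_ip "${BASH_REMATCH[2]}" "${BASH_REMATCH[1]}"
  else
    echo "Unparsed denial line: $line" >> "$DEBUG_FILE"
  fi
done < <(sudo journalctl -u mariadb -f -n 0)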