
@mayli
Last active November 6, 2019 02:53

usage

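ban.py — reads access-log lines on stdin and takes the client IP, request path and status code from whitespace-separated fields 1, 7 and 9: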

`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=web | python2 ./ban.py`

ratecounter.py — the optional argument is a label printed at the start of each report line:

`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=web | python2 ratecounter.py web`
`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=tracker | python2 ratecounter.py tracker`

Sample output

ratecounter.py:

02:14:09 web Avg,All: 0.0,1.9/s, T5: 36.157.x.x: 0.1/s, 220.184.x.x: 0.0/s, 124.78.x.x: 0.0/s, 117.30.x.x: 0.0/s, 113.118.x.x: 0.0/s
02:15:28 tracker Avg,All: 0.1,147.5/s, T5: 27.184.x.x: 1.7/s, 180.111.x.x: 1.7/s, 49.80.x.x: 1.6/s, 220.17.x.x: 1.3/s, 112.32.x.x: 1.2/s

ban.py:

ban ('164.68.107.152', '302', '/torrents.php') 16

#!/usr/bin/env python2
import sys
from collections import Counter
import requests
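import json

# Number of non-200 responses seen so far, keyed by (ip, status, url).
counter = Counter()

# The credentials are blank placeholders in this listing. Supply them at
# deploy time from the environment or a secret store rather than committing
# them. X-Auth-Key is the account's Global API Key, so a leaked value exposes
# far more than firewall rules; a narrowly scoped API token limits that.
headers = {
    'X-Auth-Email': '',
    'X-Auth-Key': '',
    'Content-Type': 'application/json',
}
rules_url = 'https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules'
threshold = 15        # a key is banned on its 16th non-200 response
request_timeout = 10  # seconds; a stalled API call must not freeze the log tail

# IPs for which a block rule was accepted; their later log lines are skipped.
banned = set()

for line in sys.stdin:
    s = line.split()
    if len(s) <= 8:
        continue
    # NOTE(review): field 1 is whatever the log format writes first. If that
    # value is derived from a client-supplied header (for example
    # X-Forwarded-For) rather than the connection address, a client can get
    # an unrelated address blocked — confirm against the ingress log format.
    ip, code, url = s[0], s[8], s[6]
    if ip in banned:
        continue
    # NOTE(review): every status other than 200 counts, including redirects
    # and 304 responses — confirm that is the intended policy.
    if code == "200":
        continue

    key = (ip, code, url)
    counter[key] += 1
    hits = counter[key]
    if hits <= threshold:
        continue

    print("ban %s %s" % (repr(key), hits))
    # Start counting again whatever the outcome, so a failing API is retried
    # after another batch of hits instead of on every following line.
    del counter[key]
    try:
        # The request path is attacker-controlled text. Serialising with
        # json.dumps keeps a quote or backslash in it from altering the rule
        # (mode, target) that is sent to the API.
        data = json.dumps({
            "mode": "block",
            "configuration": {"target": "ip", "value": ip},
            "notes": "Banned by Fail2Ban:%s-%sx%s" % (url, code, hits),
        })
        response = requests.post(rules_url, headers=headers, data=data,
                                 timeout=request_timeout)
        result = response.json()
    except (requests.RequestException, ValueError) as exc:
        # ValueError covers a log field json cannot encode and a reply that
        # is not JSON. Keep reading logs; one failed call must not stop the
        # banning of every other address.
        print("ban failed %s %s" % (repr(key), exc))
        continue

    print(result)
    # Only remember the IP once the API reports the rule as created;
    # otherwise its traffic would be ignored while it is still unblocked.
    if isinstance(result, dict) and result.get("success"):
        banned.add(ip)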
#!/usr/bin/env python2
import sys
import time
from collections import deque, Counter
import logging
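logging.basicConfig(level=logging.DEBUG, datefmt="%H:%M:%S", format='%(asctime)s %(name)s%(message)s')
# The optional first argument becomes the logger name and so the label in
# front of each report line.
# NOTE(review): without an argument getLogger("") is the root logger, whose
# name is "root", so the label reads "root" rather than being empty.
logger = logging.getLogger((sys.argv[1] + " ") if len(sys.argv) > 1 else "")

c = Counter()    # ip -> number of its entries currently held in q
q = deque()      # (ip, timestamp) pairs, oldest first
dur = 60         # sliding-window length in seconds
interval = 3     # minimum number of seconds between two reports
last_report = 0

for line in sys.stdin:
    fields = line.split()
    if not fields:
        # A blank line in the log stream has no first field; skip it
        # instead of dying with IndexError and ending the monitoring.
        continue
    now = time.time()
    ip = fields[0]

    # Evict entries older than the window and keep the per-IP counts in step.
    while q and now - q[0][1] > dur:
        lastip, _ = q.popleft()
        c.subtract((lastip,))
        if c[lastip] <= 0:
            del c[lastip]

    # Record the current request.
    q.append((ip, now))
    c.update((ip,))

    if now - last_report > interval:
        # Rates are taken over the age of the oldest queued entry, which is
        # at most `dur` seconds; a zero-length window is skipped to avoid
        # dividing by zero.
        window = now - q[0][1]
        if window > 0:
            rates = ["%s: %0.1f/s" % (addr, count / window)
                     for addr, count in c.most_common(5)]
            all_ = len(q) / window
            avg = all_ / len(c)
            logger.debug("Avg,All: %0.1f,%0.1f/s, T5: %s", avg, all_, ", ".join(rates))
        last_report = now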
import CloudFlare
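def main():
    """Delete the user-level access rules that ban.py created, past index 410.

    Fetches one page of up to 1000 user-level firewall access rules, prints
    how many were returned, and deletes those from index 410 onwards whose
    notes carry the "Banned by Fail2Ban:" prefix written by ban.py.
    """
    # Blank placeholders: keep the real e-mail and token out of the source
    # and supply them at run time.
    cf = CloudFlare.CloudFlare(email="", token="")
    # The zone lookup result is not used below.
    zone_info = cf.zones.get(params={'name': 'xxx.com'})
    # NOTE(review): only a single page is requested, so rules beyond the
    # first 1000 are never seen by this script.
    rules = cf.user.firewall.access_rules.rules.get(params={'per_page': 1000})
    print("rules: %s" % len(rules))
    for rule in rules[410:]:
        # Touch only rules created by ban.py. Deleting by position alone
        # would also remove unrelated block or allow rules that happen to
        # sit past the cut-off.
        notes = rule.get("notes") or ""
        if not notes.startswith("Banned by Fail2Ban:"):
            continue
        print("deleting %s" % (rule,))
        outcome = cf.user.firewall.access_rules.rules.delete(rule["id"])
        print("delete %s" % (outcome,))


if __name__ == '__main__':
    main()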