Add centralized IP reputation tracking system
Created a comprehensive IP reputation system that tracks IPs across all toolkit scripts with tags/attack types, scores, and detailed analytics. NEW FILES: - lib/ip-reputation.sh: Core reputation library with optimized database * Fast lookup using pipe-delimited file format * Attack type tagging system (bitmask: SQL, XSS, RCE, Bot, Scanner, etc.) * Reputation scoring (0-100) based on hits and attack severity * GeoIP country lookup integration * Automatic cleanup of old entries * Thread-safe with file locking - modules/security/ip-reputation-manager.sh: Interactive management tool * Query individual IPs with full details * View top malicious/active IPs * Database statistics and analytics * Manual IP flagging/whitelisting * Import IPs from logs * Export to readable reports * Live monitoring mode INTEGRATION: All security and analysis scripts now use the centralized reputation system: - modules/website/500-error-tracker.sh: * Tracks IPs generating 500 errors * Tags bots/scanners with BOT/SCANNER flags * Background processing for performance - modules/security/live-attack-monitor.sh: * Maps attack types to reputation flags * Tracks SSH bruteforce, SQL injection, XSS, DDoS, etc. * Real-time reputation updates - modules/website/website-error-analyzer.sh: * Tags filtered bots in error analysis * Builds IP reputation from website errors - launcher.sh: * Added IP Reputation Manager to Bot & Traffic Analysis menu * Menu option 4 in Security > Analysis > Bot & Traffic Analysis KEY FEATURES: ✓ Centralized IP tracking across ALL scripts ✓ Multi-tag system (IP can have multiple attack types) ✓ Reputation scores increase with more tags/attacks ✓ Country tracking via GeoIP ✓ Optimized for high-volume traffic (attacks with 1000s of IPs) ✓ Fast lookups even during DDoS ✓ Background processing doesn't slow down analysis ✓ Database cleanup/maintenance tools ✓ Export for reports and sharing BENEFITS: - Single source of truth for IP reputation - Scripts share intelligence (bot detected in one script = flagged for all) - Track IPs across time and multiple attack vectors - Identify repeat offenders with multiple attack types - Make blocking decisions based on comprehensive data - Performance optimized with file locking and background updates
This commit is contained in:
cschantz
Executable
+464
@@ -0,0 +1,464 @@
|
||||
#!/bin/bash
|
||||
|
||||
################################################################################
|
||||
# IP Reputation Manager
|
||||
################################################################################
|
||||
# Purpose: View, query, and manage the centralized IP reputation database
|
||||
# Features:
|
||||
# - Query individual IPs
|
||||
# - View top malicious IPs
|
||||
# - View top active IPs
|
||||
# - Export database
|
||||
# - Database statistics
|
||||
# - Cleanup old entries
|
||||
# - Manual IP flagging/whitelisting
|
||||
################################################################################
|
||||
|
||||
# Get script directory
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
|
||||
source "$SCRIPT_DIR/lib/common-functions.sh"
|
||||
source "$SCRIPT_DIR/lib/system-detect.sh"
|
||||
source "$SCRIPT_DIR/lib/ip-reputation.sh"
|
||||
|
||||
# Require root
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
print_error "This script must be run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Menu display
|
||||
show_menu() {
|
||||
clear
|
||||
print_banner "IP Reputation Manager"
|
||||
|
||||
# Show quick stats
|
||||
local total_ips=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
|
||||
local db_size=$(du -h "$IP_REP_DB" 2>/dev/null | awk '{print $1}' || echo "0B")
|
||||
|
||||
echo ""
|
||||
echo -e "${BLUE}${BOLD}Database Status:${NC} $total_ips IPs tracked | Size: $db_size"
|
||||
echo ""
|
||||
echo -e "${BOLD}Query & View:${NC}"
|
||||
echo ""
|
||||
echo -e " ${GREEN}1)${NC} Query IP Reputation - Look up specific IP"
|
||||
echo -e " ${GREEN}2)${NC} Top Malicious IPs - Highest reputation scores"
|
||||
echo -e " ${GREEN}3)${NC} Top Active IPs - Most hits/requests"
|
||||
echo -e " ${GREEN}4)${NC} Database Statistics - Overview of tracked IPs"
|
||||
echo -e " ${GREEN}5)${NC} Live Monitoring - Real-time reputation updates"
|
||||
echo ""
|
||||
echo -e "${BOLD}Database Management:${NC}"
|
||||
echo ""
|
||||
echo -e " ${BLUE}6)${NC} Export Database - Export to readable text file"
|
||||
echo -e " ${BLUE}7)${NC} Cleanup Old Entries - Remove IPs not seen in X days"
|
||||
echo -e " ${BLUE}8)${NC} Rebuild Index - Optimize database for speed"
|
||||
echo ""
|
||||
echo -e "${BOLD}Manual Actions:${NC}"
|
||||
echo ""
|
||||
echo -e " ${YELLOW}9)${NC} Flag IP as Malicious - Manually mark IP as threat"
|
||||
echo -e " ${YELLOW}10)${NC} Mark IP as Legitimate - Whitelist/reduce score"
|
||||
echo -e " ${YELLOW}11)${NC} Import IPs from Log - Batch import from file"
|
||||
echo ""
|
||||
echo -e " ${RED}0)${NC} Exit"
|
||||
echo ""
|
||||
echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
|
||||
echo -n "Select option: "
|
||||
}
|
||||
|
||||
# Query individual IP
|
||||
query_ip_interactive() {
|
||||
clear
|
||||
print_banner "Query IP Reputation"
|
||||
echo ""
|
||||
echo -n "Enter IP address to query: "
|
||||
read -r ip_address
|
||||
|
||||
if [ -z "$ip_address" ]; then
|
||||
print_error "No IP address provided"
|
||||
press_enter
|
||||
return
|
||||
fi
|
||||
|
||||
# Validate IP format (basic check)
|
||||
if ! [[ "$ip_address" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
|
||||
print_error "Invalid IP address format"
|
||||
press_enter
|
||||
return
|
||||
fi
|
||||
|
||||
echo ""
|
||||
query_ip_reputation "$ip_address"
|
||||
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# View top malicious IPs
|
||||
view_top_malicious() {
|
||||
clear
|
||||
print_banner "Top Malicious IPs"
|
||||
echo ""
|
||||
echo -n "How many top IPs to show? [20]: "
|
||||
read -r limit
|
||||
limit="${limit:-20}"
|
||||
|
||||
echo ""
|
||||
echo -e "${RED}${BOLD}Top $limit Most Malicious IPs (by Reputation Score)${NC}"
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
|
||||
"IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
|
||||
get_top_malicious_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
|
||||
local category=$(get_ip_reputation_category "$rep_score")
|
||||
local attacks=$(decode_attack_flags "$attack_flags")
|
||||
|
||||
# Color code by reputation
|
||||
local color="$NC"
|
||||
case "$category" in
|
||||
CRITICAL) color="$RED$BOLD" ;;
|
||||
HIGH) color="$RED" ;;
|
||||
MEDIUM) color="$YELLOW" ;;
|
||||
LOW) color="$CYAN" ;;
|
||||
esac
|
||||
|
||||
printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
|
||||
"$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
|
||||
done
|
||||
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# View top active IPs
|
||||
view_top_active() {
|
||||
clear
|
||||
print_banner "Top Active IPs"
|
||||
echo ""
|
||||
echo -n "How many top IPs to show? [20]: "
|
||||
read -r limit
|
||||
limit="${limit:-20}"
|
||||
|
||||
echo ""
|
||||
echo -e "${YELLOW}${BOLD}Top $limit Most Active IPs (by Hit Count)${NC}"
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
|
||||
"IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
|
||||
get_top_active_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
|
||||
local category=$(get_ip_reputation_category "$rep_score")
|
||||
local attacks=$(decode_attack_flags "$attack_flags")
|
||||
|
||||
# Color code by hit count
|
||||
local color="$NC"
|
||||
if [ $hit_count -gt 10000 ]; then
|
||||
color="$RED$BOLD"
|
||||
elif [ $hit_count -gt 1000 ]; then
|
||||
color="$YELLOW"
|
||||
fi
|
||||
|
||||
printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
|
||||
"$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
|
||||
done
|
||||
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Show statistics
|
||||
view_statistics() {
|
||||
clear
|
||||
print_banner "Database Statistics"
|
||||
echo ""
|
||||
show_ip_statistics
|
||||
echo ""
|
||||
|
||||
# Additional stats
|
||||
echo "Recent Activity (Last 24 hours):"
|
||||
local cutoff=$(($(date +%s) - 86400))
|
||||
local recent_count=$(awk -F'|' -v cut="$cutoff" '$7 >= cut' "$IP_REP_DB" 2>/dev/null | wc -l)
|
||||
echo " Active IPs: $recent_count"
|
||||
echo ""
|
||||
|
||||
# Top countries
|
||||
echo "Top Countries by IP Count:"
|
||||
awk -F'|' '{print $4}' "$IP_REP_DB" 2>/dev/null | grep -v '^$' | sort | uniq -c | sort -rn | head -5 | \
|
||||
while read count country; do
|
||||
printf " %-4s: %s IPs\n" "$country" "$count"
|
||||
done
|
||||
echo ""
|
||||
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Export database
|
||||
export_database_interactive() {
|
||||
clear
|
||||
print_banner "Export IP Reputation Database"
|
||||
echo ""
|
||||
echo -n "Enter output file path [/tmp/ip_reputation_export.txt]: "
|
||||
read -r output_path
|
||||
output_path="${output_path:-/tmp/ip_reputation_export.txt}"
|
||||
|
||||
echo ""
|
||||
echo "Exporting database to $output_path..."
|
||||
export_ip_reputation "$output_path"
|
||||
|
||||
echo ""
|
||||
print_success "Database exported successfully!"
|
||||
echo ""
|
||||
echo "View with: cat $output_path"
|
||||
echo "Or: less $output_path"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Cleanup old entries
|
||||
cleanup_database_interactive() {
|
||||
clear
|
||||
print_banner "Cleanup Old Entries"
|
||||
echo ""
|
||||
echo "Remove IPs that haven't been seen in how many days?"
|
||||
echo ""
|
||||
echo -n "Days [90]: "
|
||||
read -r days
|
||||
days="${days:-90}"
|
||||
|
||||
echo ""
|
||||
echo "This will remove IPs not seen in the last $days days."
|
||||
echo -n "Continue? (yes/no): "
|
||||
read -r confirm
|
||||
|
||||
if [ "$confirm" != "yes" ]; then
|
||||
echo "Cancelled"
|
||||
press_enter
|
||||
return
|
||||
fi
|
||||
|
||||
echo ""
|
||||
cleanup_old_ips "$days"
|
||||
echo ""
|
||||
print_success "Cleanup complete!"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Rebuild index
|
||||
rebuild_index_interactive() {
|
||||
clear
|
||||
print_banner "Rebuild Database Index"
|
||||
echo ""
|
||||
echo "Rebuilding index for optimized lookups..."
|
||||
rebuild_index
|
||||
echo ""
|
||||
print_success "Index rebuilt successfully!"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Flag IP as malicious
|
||||
flag_ip_interactive() {
|
||||
clear
|
||||
print_banner "Flag IP as Malicious"
|
||||
echo ""
|
||||
echo -n "Enter IP address: "
|
||||
read -r ip_address
|
||||
|
||||
if [ -z "$ip_address" ]; then
|
||||
print_error "No IP address provided"
|
||||
press_enter
|
||||
return
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "Attack Type:"
|
||||
echo " 1) SQL Injection"
|
||||
echo " 2) XSS"
|
||||
echo " 3) Path Traversal"
|
||||
echo " 4) RCE/Shell Upload"
|
||||
echo " 5) Brute Force"
|
||||
echo " 6) DDoS"
|
||||
echo " 7) Bot/Scanner"
|
||||
echo " 8) Exploit"
|
||||
echo ""
|
||||
echo -n "Select [1]: "
|
||||
read -r attack_choice
|
||||
attack_choice="${attack_choice:-1}"
|
||||
|
||||
case "$attack_choice" in
|
||||
1) attack_type="SQL_INJECTION" ;;
|
||||
2) attack_type="XSS" ;;
|
||||
3) attack_type="PATH_TRAVERSAL" ;;
|
||||
4) attack_type="RCE" ;;
|
||||
5) attack_type="BRUTEFORCE" ;;
|
||||
6) attack_type="DDOS" ;;
|
||||
7) attack_type="SCANNER" ;;
|
||||
8) attack_type="EXPLOIT" ;;
|
||||
*) attack_type="SUSPICIOUS" ;;
|
||||
esac
|
||||
|
||||
echo ""
|
||||
echo -n "Notes/Description: "
|
||||
read -r notes
|
||||
|
||||
echo ""
|
||||
echo "Flagging $ip_address for $attack_type..."
|
||||
flag_ip_attack "$ip_address" "$attack_type" 0 "$notes"
|
||||
|
||||
echo ""
|
||||
print_success "IP flagged successfully!"
|
||||
echo ""
|
||||
query_ip_reputation "$ip_address"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Mark IP as legitimate
|
||||
whitelist_ip_interactive() {
|
||||
clear
|
||||
print_banner "Mark IP as Legitimate"
|
||||
echo ""
|
||||
echo -n "Enter IP address: "
|
||||
read -r ip_address
|
||||
|
||||
if [ -z "$ip_address" ]; then
|
||||
print_error "No IP address provided"
|
||||
press_enter
|
||||
return
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo -n "Reason/Notes: "
|
||||
read -r notes
|
||||
|
||||
echo ""
|
||||
echo "Marking $ip_address as legitimate..."
|
||||
mark_ip_legitimate "$ip_address" "$notes"
|
||||
|
||||
echo ""
|
||||
print_success "IP marked as legitimate!"
|
||||
echo ""
|
||||
query_ip_reputation "$ip_address"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Import from log file
|
||||
import_log_interactive() {
|
||||
clear
|
||||
print_banner "Import IPs from Log File"
|
||||
echo ""
|
||||
echo -n "Enter log file path: "
|
||||
read -r log_path
|
||||
|
||||
if [ ! -f "$log_path" ]; then
|
||||
print_error "File not found: $log_path"
|
||||
press_enter
|
||||
return
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "Attack Type (will be applied to all IPs):"
|
||||
echo " 1) Suspicious (default)"
|
||||
echo " 2) SQL Injection"
|
||||
echo " 3) XSS"
|
||||
echo " 4) Bot/Scanner"
|
||||
echo " 5) DDoS"
|
||||
echo ""
|
||||
echo -n "Select [1]: "
|
||||
read -r attack_choice
|
||||
attack_choice="${attack_choice:-1}"
|
||||
|
||||
case "$attack_choice" in
|
||||
2) attack_type="SQL_INJECTION" ;;
|
||||
3) attack_type="XSS" ;;
|
||||
4) attack_type="SCANNER" ;;
|
||||
5) attack_type="DDOS" ;;
|
||||
*) attack_type="SUSPICIOUS" ;;
|
||||
esac
|
||||
|
||||
echo ""
|
||||
echo "Importing IPs from $log_path as $attack_type..."
|
||||
import_ips_from_log "$log_path" "$attack_type" 5
|
||||
|
||||
echo ""
|
||||
print_success "Import complete!"
|
||||
echo ""
|
||||
press_enter
|
||||
}
|
||||
|
||||
# Live monitoring (real-time updates)
|
||||
live_monitoring() {
|
||||
clear
|
||||
print_banner "Live IP Reputation Monitoring"
|
||||
echo ""
|
||||
echo "Watching database for changes... (Press Ctrl+C to exit)"
|
||||
echo ""
|
||||
|
||||
local last_count=0
|
||||
local last_update=0
|
||||
|
||||
while true; do
|
||||
local current_count=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
|
||||
local current_time=$(stat -c %Y "$IP_REP_DB" 2>/dev/null || echo 0)
|
||||
|
||||
if [ $current_count -ne $last_count ] || [ $current_time -ne $last_update ]; then
|
||||
clear
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
echo "LIVE IP REPUTATION MONITORING - $(date '+%H:%M:%S')"
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
echo ""
|
||||
show_ip_statistics
|
||||
echo ""
|
||||
echo "Recent Top 10 Updates:"
|
||||
get_top_malicious_ips 10 | head -10 | while IFS='|' read -r ip hit_count rep_score country attack_flags _ _ _ _; do
|
||||
local category=$(get_ip_reputation_category "$rep_score")
|
||||
local attacks=$(decode_attack_flags "$attack_flags")
|
||||
printf "%-15s | %5s hits | %3s/100 | %-8s | %s\n" "$ip" "$hit_count" "$rep_score" "$category" "${attacks:0:40}"
|
||||
done
|
||||
echo ""
|
||||
echo "Press Ctrl+C to exit | Refreshing every 2 seconds..."
|
||||
|
||||
last_count=$current_count
|
||||
last_update=$current_time
|
||||
fi
|
||||
|
||||
sleep 2
|
||||
done
|
||||
}
|
||||
|
||||
# Main loop
|
||||
main() {
|
||||
while true; do
|
||||
show_menu
|
||||
read -r choice
|
||||
|
||||
case $choice in
|
||||
1) query_ip_interactive ;;
|
||||
2) view_top_malicious ;;
|
||||
3) view_top_active ;;
|
||||
4) view_statistics ;;
|
||||
5) live_monitoring ;;
|
||||
6) export_database_interactive ;;
|
||||
7) cleanup_database_interactive ;;
|
||||
8) rebuild_index_interactive ;;
|
||||
9) flag_ip_interactive ;;
|
||||
10) whitelist_ip_interactive ;;
|
||||
11) import_log_interactive ;;
|
||||
0)
|
||||
clear
|
||||
echo "Exiting..."
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
print_error "Invalid option"
|
||||
sleep 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
# Run main
|
||||
main
|
||||
@@ -20,6 +20,7 @@
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
|
||||
source "$SCRIPT_DIR/lib/common-functions.sh"
|
||||
source "$SCRIPT_DIR/lib/system-detect.sh"
|
||||
source "$SCRIPT_DIR/lib/ip-reputation.sh"
|
||||
|
||||
# Require root
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
@@ -341,6 +342,21 @@ process_threat_event() {
|
||||
local threat_level=$(classify_threat_level "${IP_COUNTER[$ip]}")
|
||||
IP_THREAT_LEVEL[$ip]="$threat_level"
|
||||
|
||||
# Track in centralized IP reputation database
|
||||
# Map attack types to reputation flags
|
||||
local rep_attack_type="SUSPICIOUS"
|
||||
case "$attack_type" in
|
||||
SSH_BRUTEFORCE) rep_attack_type="BRUTEFORCE" ;;
|
||||
SQL_INJECTION) rep_attack_type="SQL_INJECTION" ;;
|
||||
XSS_ATTACK) rep_attack_type="XSS" ;;
|
||||
PATH_TRAVERSAL) rep_attack_type="PATH_TRAVERSAL" ;;
|
||||
EXPLOIT) rep_attack_type="EXPLOIT" ;;
|
||||
DDOS) rep_attack_type="DDOS" ;;
|
||||
BOT) rep_attack_type="BOT" ;;
|
||||
*) rep_attack_type="SCANNER" ;;
|
||||
esac
|
||||
flag_ip_attack "$ip" "$rep_attack_type" 0 "$attack_type: $details" >/dev/null 2>&1 &
|
||||
|
||||
# Log to feed
|
||||
log_event "$ip" "$attack_type" "$(get_threat_color "$threat_level")" "$details"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user