From 460a1cac056aac632c97716a7075e1062387032b Mon Sep 17 00:00:00 2001
From: Vladimir
Date: Sat, 23 Jan 2021 10:05:26 +0200
Subject: [PATCH] v.1.0.4

---
 README.md | 6 +++-
 antiscan.admin.inc | 45 ++++++++++++++++++------------
 antiscan.info | 2 +-
 antiscan.install | 14 +++++++++-
 antiscan.module | 52 ++++++++++++++++++++++++++++++++---
 config/antiscan.settings.json | 3 +-
 6 files changed, 97 insertions(+), 25 deletions(-)

diff --git a/README.md b/README.md
index 028f673..321d63c 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,9 @@ module (version 1.x-1.0.5 or newest) to automatically block anyone who tries to
 Usually it is a bad crawler looking for known potentially vulnerable paths, such as "wp-admin.php", "xmlrpc.php" and so on.
+**New in version version 1.x-1.0.4:** option "Report to AbuseIPDB" can be enabled for automatic reporting to AbuseIPDB about blocked scanners activity.
+(You need to install [AbuseIPDB report](https://backdropcms.org/project/abuseipdb_report) module to see and use this option.)
+
 Installation
 ------------
 Install this module using the official Backdrop CMS instructions at https://backdropcms.org/guide/modules
@@ -21,7 +24,8 @@ and may be used for:
 - add your patterns for paths to be restricted (some usefull patterns are already added out of the box);
 - set paths or portions of paths that will NOT be restricted to avoid self-blocking;
-- enable or disable logging for blocked access attempts (enabled by default);
+- enable automatic reporting to AbuseIPDB about blocked scanners activity ("AbuseIPDB report" module should be installed);
+- enable logging for blocked access attempts (enabled by default);
 - select the time after which the blocked IP will be unblocked automatically;
 - use "Test Mode" to test your patterns, your current IP will not be blocked, but you may see a message when you try to visit the restricted path.
diff --git a/antiscan.admin.inc b/antiscan.admin.inc
index 3db8e93..1495478 100644
--- a/antiscan.admin.inc
+++ b/antiscan.admin.inc
@@ -8,9 +8,8 @@
 * Define the form for manage blocking restricted paths
 *
 */
-function antiscan_form() {
+function antiscan_form($form, &$form_state) {
 $config = config('antiscan.settings');
- $form = array();
 $form['top'] = array(
 '#markup' => t('When a web crawler or even a person tries to visit a path that matches one of the patterns specified in the field below, their IP address will be blocked.')
@@ -25,8 +24,8 @@ function antiscan_form() {
 '#title' => t('Restricted path patterns'),
 '#required' => TRUE,
 '#description' => t('Enter paths or portions of paths to restrict, separating them with commas or new lines.')
- . '
' . t('Please note: the * character is a wildcard for end of pattern, so pattern like') . ' wp-* '
- . t('will match to any path containing "wp-admin", "wp-login", etc.'),
+ . '
' . t('Please note: the * character is a wildcard for end of pattern, so pattern like') . ' /wp-* '
+ . t('will match to any path containing "/wp-admin", "/wp-login.php", etc.'),
 );
@@ -54,6 +53,15 @@ function antiscan_form() {
 . '
' . t('Same format of rules as above.'),
 );
+ if (module_exists('abuseipdb_report')) {
+ $form['abuseipdb_report'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('Report to AbuseIPDB'),
+ '#default_value' => $config->get('abuseipdb_report'),
+ '#description' => t('Report to AbuseIPDB about blocked scanners activity.'),
+ );
+ }
+
 $form['log_enabled'] = array(
 '#type' => 'checkbox',
 '#title' => t('Enable logging'),
@@ -120,20 +128,23 @@ function antiscan_form_validate($form, &$form_state) {
 * Implements hook_submit().
 */
 function antiscan_form_submit($form, &$form_state) {
- $config = config('antiscan.settings');
- $path_patterns = trim($form_state['values']['path_patterns']);
- $path_noblock = trim($form_state['values']['path_noblock']);
- $log_enabled = (int) $form_state['values']['log_enabled'];
- $unblock = (int) $form_state['values']['unblock'];
- $unblock_after = (int) $form_state['values']['unblock_after'];
- $test_mode = (int) $form_state['values']['test_mode'];
+ $config = config('antiscan.settings');
+ $path_patterns = trim($form_state['values']['path_patterns']);
+ $path_noblock = trim($form_state['values']['path_noblock']);
+ $log_enabled = (int) $form_state['values']['log_enabled'];
+ $unblock = (int) $form_state['values']['unblock'];
+ $unblock_after = (int) $form_state['values']['unblock_after'];
+ $test_mode = (int) $form_state['values']['test_mode'];
- $config->set('path_patterns', strtolower($path_patterns));
- $config->set('path_noblock', strtolower($path_noblock));
- $config->set('log_enabled', $log_enabled);
- $config->set('unblock', $unblock);
- $config->set('unblock_after', $unblock_after);
- $config->set('test_mode', $test_mode);
+ $config->set('path_patterns', strtolower($path_patterns));
+ $config->set('path_noblock', strtolower($path_noblock));
+ if (isset($form_state['values']['abuseipdb_report'])) {
+ $config->set('abuseipdb_report', $form_state['values']['abuseipdb_report']);
+ }
+ $config->set('log_enabled', $log_enabled);
+ $config->set('unblock', $unblock);
+ $config->set('unblock_after', $unblock_after);
+ $config->set('test_mode', $test_mode);
 $config->save();
 backdrop_set_message(t('The configuration options have been saved.'));
diff --git a/antiscan.info b/antiscan.info
index 6a16895..7205b16 100644
--- a/antiscan.info
+++ b/antiscan.info
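Review bot: The new `abuseipdb_report` setting is written as the raw checkbox value while every neighbouring flag in the same block is cast with `(int)`, so the stored type depends on what the form returns; `$config->set('abuseipdb_report', (int) $form_state['values']['abuseipdb_report']);` keeps it consistent with `log_enabled` and `test_mode`. The `isset()` guard is correct because the checkbox is only added when the abuseipdb_report module is enabled, but it also means a previously saved `1` survives after that module is disabled; that is harmless only as long as the cron-side reporter keeps re-checking `module_exists()`, which is worth stating in a comment here. The closing brace of antiscan_form_submit() lies outside the hunk.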
@@ -8,4 +8,4 @@ dependencies[] = ip_blocking (>=1.0.5)
 configure = admin/config/people/antiscan
-version = 1.0.3
+version = 1.0.4
diff --git a/antiscan.install b/antiscan.install
index 9708840..635a83c 100644
--- a/antiscan.install
+++ b/antiscan.install
@@ -29,4 +29,16 @@ function antiscan_requirements($phase) {
 }
 return $requirements;
-}
\ No newline at end of file
+}
+
+/**
+ * Add and initialize new variable.
+ * Set first starting time for reports.
+ */
+function antiscan_update_1000() {
+ $config = config('antiscan.settings');
+ $config->set('abuseipdb_report', 0);
+ $config->save();
+
+ state_set('antiscan_abuseipdb_report_last_date', time());
+}
diff --git a/antiscan.module b/antiscan.module
index aaaecc8..c9da527 100644
--- a/antiscan.module
+++ b/antiscan.module
@@ -153,14 +153,19 @@ function antiscan_is_denied($ip) {
 * Implementation of hook_cron().
 */
 function antiscan_cron() {
- $config = config('antiscan.settings');
- $unblock = $config->get('unblock');
- $unblock_after = $config->get('unblock_after');
- $time_expired = time() - $unblock_after;
+ $config = config('antiscan.settings');
+ $abuseipdb_report = $config->get('abuseipdb_report');
+ $unblock = $config->get('unblock');
+ $unblock_after = $config->get('unblock_after');
+ $time_expired = time() - $unblock_after;
 if ($unblock) {
 antiscan_unblock($time_expired);
 }
+
+ if ($abuseipdb_report) {
+ antiscan_abuseipdb_report();
+ }
 }
 /**
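Review bot: `antiscan_update_1000()` seeds `antiscan_abuseipdb_report_last_date` with the current time so that sites upgrading to 1.0.4 do not report their whole backlog of already-blocked IPs on the first cron run, but nothing in this patch does the same for fresh installs, where `state_get(..., 0)` in antiscan_abuseipdb_report() selects every row the module has ever blocked; unless hook_install (not shown) sets the same key, upgraded and new sites behave differently. Either set the key from hook_install as well, or state in the docblock that an unset key deliberately means "report everything currently blocked", e.g. `* Seeds the report watermark so only IPs blocked after this update are reported.`. The antiscan_requirements() body that the hunk's first context lines belong to starts outside the hunk.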
@@ -179,6 +184,45 @@ function antiscan_unblock($time_expired) {
 }
 }
+/**
+ * Report blocked IP to AbuseIPDB.
+ */
+function antiscan_abuseipdb_report() {
+
+ if (module_exists('abuseipdb_report')) {
+ $config = config('antiscan.settings');
+ $abuseipdb_report = $config->get('abuseipdb_report');
+
+ if ($abuseipdb_report) {
+ $last_report_date = state_get('antiscan_abuseipdb_report_last_date', 0);
+
+ $result = db_select('blocked_ips', 'bi')
+ ->fields('bi', array(
+ 'ip', 'reason',
+ )
+ )
+ ->condition('uid', MODULE_UID, '=')
+ ->condition('time', $last_report_date, '>')
+ ->execute()
+ ->fetchAll();
+
+ if ($result) {
+ // Most relevant categories: Brute-Force, Bad Web Bot, Web App Attack
+ $categories = array(18, 19, 21);
+
+ foreach ($result as $record => $value) {
+ $ip = $value->ip;
+ $request = $value->reason;
+ abuseipdb_report_ip($ip, $request, '"Antiscan" module', $categories);
+ sleep(1);
+ }
+
+ state_set('antiscan_abuseipdb_report_last_date', time());
+ }
+ }
+ }
+}
+
 /**
 * Utility function
 * @param string $raw_string
diff --git a/config/antiscan.settings.json b/config/antiscan.settings.json
index d8d1c58..8e69dcb 100644
--- a/config/antiscan.settings.json
+++ b/config/antiscan.settings.json
@@ -5,6 +5,7 @@
 "log_enabled": 1,
 "test_mode": 0,
 "unblock": 1,
- "unblock_after": 604800
+ "unblock_after": 604800,
+ "abuseipdb_report": 0
 }
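Review bot: The watermark written by `state_set('antiscan_abuseipdb_report_last_date', time())` is taken after the loop, which with `sleep(1)` per row can be many seconds after the `db_select()` ran, so an IP blocked in that interval has a `time` above `$last_report_date` but below the new marker and is never reported; and if the run dies part-way (PHP time limit, or an error inside `abuseipdb_report_ip()`), the marker is not advanced and the same rows are reported again on the next cron. Capture `$now = time();` before building the query, add `->condition('time', $now, '<=')`, and pass `$now` to `state_set()` so each run covers a closed window exactly once. The per-row `sleep(1)` also means cron takes at least one second per newly blocked IP; a `->range(0, N)` cap on the query would bound that, and the uncapped `fetchAll()` is the reason it matters. Separately, `$value->reason` — apparently the request that triggered the block, going by the `$request` name — is forwarded verbatim as the report comment; since that text originates from the client, truncating it and stripping control characters before handing it to a third-party API would be prudent, and a comment on the `abuseipdb_report_ip()` call should say what `reason` contains.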