
Commit 94ca25f

committed
Add script to get ips block
1 parent 08528c4 commit 94ca25f

7 files changed

Lines changed: 95 additions & 32 deletions


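--- a/.github/workflows/update-waf-firewall.yml
+++ b/.github/workflows/update-waf-firewall.yml
@@ -16,8 +16,9 @@ env:
 SCOPE: REGIONAL
 IPSET_NAME_STAGING: ipset-block-ohm-staging
 IPSET_NAME_PROD: ipset-block-ohm-production
-FILE_STAGING: firewall/ip-blacklist-staging.txt
-FILE_PROD: firewall/ip-blacklist-production.txt
+# --- Archivos actualizados a .yaml ---
+FILE_STAGING: firewall/ip-blacklist-staging.yaml
+FILE_PROD: firewall/ip-blacklist-production.yaml
 
 jobs:
 update-waf-ipset:
@@ -27,54 +28,51 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 
-# Configure AWS credentials from secrets (access keys)
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ env.AWS_REGION }}
 
-- name: Install jq
-run: sudo apt-get update && sudo apt-get install -y jq
+- name: Install jq and yq
+run: |
+sudo apt-get update && sudo apt-get install -y jq
+sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
+sudo chmod +x /usr/bin/yq
 
 - name: Resolve target env, IP set and file
 id: target
 run: |
-ENV_IN="${{ inputs.environment }}"
-if [[ "$ENV_IN" == "main" ]]; then
+# This logic remains the same, but will now point to .yaml files
+if [[ "${{ github.ref_name }}" == "main" ]]; then
 echo "IPSET_NAME=${IPSET_NAME_PROD}" >> $GITHUB_OUTPUT
 echo "IP_FILE=${FILE_PROD}" >> $GITHUB_OUTPUT
 else
 echo "IPSET_NAME=${IPSET_NAME_STAGING}" >> $GITHUB_OUTPUT
 echo "IP_FILE=${FILE_STAGING}" >> $GITHUB_OUTPUT
 fi
 
-- name: Build IP list
+- name: Build IP list from YAML
 id: iplist
 shell: bash
 run: |
 TMP=$(mktemp)
-if [[ -n "${{ inputs.ips }}" ]]; then
-# Convert space/newline-separated input to one-per-line
-echo "${{ inputs.ips }}" | tr ' ' '\n' | sed '/^\s*$/d' > "$TMP"
-else
-FILE="${{ steps.target.outputs.IP_FILE }}"
-if [[ ! -f "$FILE" ]]; then
-echo "File $FILE not found" >&2
-exit 1
-fi
-# Remove comments and blank lines
-sed '/^\s*#/d;/^\s*$/d' "$FILE" > "$TMP"
+FILE="${{ steps.target.outputs.IP_FILE }}"
+if [[ ! -f "$FILE" ]]; then
+echo "File $FILE not found" >&2
+exit 1
 fi
+# --- Cambio principal: Usar yq para leer el YAML ---
+# Extrae cada IP de la lista 'block_ips' y la pone en una nueva línea
+yq '.block_ips[]' "$FILE" > "$TMP"
 
-# Basic validation for IPv4/IPv6 with optional CIDR
+# La validación y el resto del script no necesitan cambios
 INVALID=$(grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^([0-9a-fA-F:]+)(/[0-9]{1,3})?$' "$TMP" || true)
 if [[ -n "$INVALID" ]]; then
 echo "Invalid entries:"; echo "$INVALID"; exit 1
 fi
 
-# Unique and sorted list
 sort -u "$TMP" > "${TMP}.uniq"
 LIST=$(paste -sd' ' "${TMP}.uniq")
 echo "addresses=$LIST" >> $GITHUB_OUTPUT
@@ -105,4 +103,4 @@ jobs:
 
 - name: Summary
 run: |
-echo "Updated IP set: ${{ steps.target.outputs.IPSET_NAME }}"
+echo "Updated IP set: ${{ steps.target.outputs.IPSET_NAME }}"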
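Review bot: The `Install jq and yq` step at new lines 41-42 fetches `yq_linux_amd64` from the `latest` release URL and drops it into `/usr/bin` without pinning a version or verifying a checksum, so the tool that decides which addresses land in the production WAF IP set can change under this workflow from one run to the next, and a bad or replaced release would alter the block list with no signal. Pin a release tag in the download URL and compare the download against the checksum published with that release before the `chmod +x`, e.g. download to a temp path, `echo "<EXPECTED_SHA256>  $TMP_YQ" | sha256sum -c -` with the expected value copied from the release page, then move it into place; a pinned setup action would do the same. Separately, the `Resolve target env` step now branches on `github.ref_name` and the `inputs.ips` path in `Build IP list` is gone, but the `on:` trigger block that presumably declares `inputs.environment` and `inputs.ips` is outside this hunk; if those inputs are still declared, a manual dispatch will silently ignore them and a one-line comment on the `if` stating that the branch alone selects the target would help the next reader.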

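--- a/firewall/README.md
+++ b/firewall/README.md
@@ -0,0 +1,4 @@
+## Blocking High-Probability Bot IPs Based on Traffic Patterns
+
+We’re blocking IPs with a high probability of being bots. Analysis shows these IPs generated excessive traffic on the site, following clear bot-like patterns.
+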

firewall/ip-blacklist-production.txt

Lines changed: 0 additions & 2 deletions
This file was deleted.
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
block_ips:
2+
## Test Rub21 ips
3+
200.60.4.59/32
4+
200.37.252.67/32
5+
200.10.69.30/32
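Review bot: The new file declares `block_ips:` but the entries at lines 3-5 carry no `- ` sequence markers, so as written `block_ips` is not a YAML list; depending on indentation, which the rendered view does not show, the three addresses either fold into one plain-scalar string or the document fails to parse, and the workflow's `yq '.block_ips[]' "$FILE"` step will not emit one address per line as the validation and `sort -u` that follow expect. firewall/ip-blacklist-staging.yaml has the same shape. Write each entry as its own item, `- 200.60.4.59/32`, indented under `block_ips:`, and since the `## Test Rub21 ips` comment is the only provenance these entries carry, a short comment per address or group naming the reason and date it was added would make later removal reviewable.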

firewall/ip-blacklist-staging.txt

Lines changed: 0 additions & 8 deletions
This file was deleted.

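--- a/firewall/ip-blacklist-staging.yaml
+++ b/firewall/ip-blacklist-staging.yaml
@@ -0,0 +1,5 @@
+block_ips:
+## Test Rub21 ips
+200.60.4.59/32
+200.37.252.67/32
+200.10.69.30/32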

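--- a/firewall/queries/boots.sql
+++ b/firewall/queries/boots.sql
@@ -0,0 +1,61 @@
+/* This query is used to create the external table for the alb logs. */
+
+CREATE EXTERNAL TABLE IF NOT EXISTS alb_logs (
+type STRING,
+time STRING,
+elb STRING,
+client_ip STRING,
+client_port INT,
+target_ip STRING,
+target_port INT,
+request_processing_time DOUBLE,
+target_processing_time DOUBLE,
+response_processing_time DOUBLE,
+elb_status_code INT,
+target_status_code STRING,
+received_bytes BIGINT,
+sent_bytes BIGINT,
+request_verb STRING,
+request_url STRING,
+request_proto STRING,
+user_agent STRING,
+ssl_cipher STRING,
+ssl_protocol STRING,
+target_group_arn STRING,
+trace_id STRING,
+domain_name STRING,
+chosen_cert_arn STRING,
+matched_rule_priority STRING,
+request_creation_time STRING,
+actions_executed STRING,
+redirect_url STRING,
+error_reason STRING,
+target_port_list STRING,
+target_status_code_list STRING,
+classification STRING,
+classification_reason STRING
+)
+ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'
+WITH SERDEPROPERTIES (
+'serialization.format' = '1',
+'input.regex' = '([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*):([0-9]*) ([^ ]*)[:-]([0-9]*) ([-.0-9]*) ([-.0-9]*) ([-.0-9]*) (|[-0-9]*) (-|[-0-9]*) ([-0-9]*) ([-0-9]*) \"([^ ]*) ([^ ]*) (- |[^ ]*)\" \"([^\"]*)\" ([A-Z0-9-_]+) ([A-Za-z0-9.-]*) ([^ ]*) \"([^\"]*)\" \"([^\"]*)\" \"([^\"]*)\" ([-.0-9]*) ([^ ]*) \"([^\"]*)\" \"([^\"]*)\" \"([^ ]*)\" \"([^\s]+?)\" \"([^\s]+)\" \"([^ ]*)\" \"([^ ]*)\"'
+)
+LOCATION 's3://openhistoricalmap-elb-logs/alb_production/AWSLogs/618380242247/elasticloadbalancing/us-east-1/';
+
+/* This query is used to find the bots in the alb logs. */
+SELECT
+user_agent,
+client_ip,
+COUNT(*) AS request_count
+FROM
+alb_logs
+WHERE
+from_iso8601_timestamp(time) >= (now() - interval '48' hour)
+AND
+(LOWER(user_agent) LIKE '%bot%' OR LOWER(user_agent) LIKE '%spider%' OR LOWER(user_agent) LIKE '%crawler%')
+GROUP BY
+user_agent,
+client_ip
+ORDER BY
+request_count DESC
+LIMIT 50;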
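Review bot: The filter at lines 53-55 selects rows only by user-agent substrings (`bot`, `spider`, `crawler`), so the result is a list of self-identifying crawlers rather than the traffic-pattern outliers the README describes, and the top rows will usually be well-known search-engine crawlers whose blocking has consequences of its own, while a client that sends a browser-like or empty user agent never appears. Grouping by `user_agent, client_ip` also splits one address across every user agent it sends, so a client rotating user agents ranks lower than a well-behaved one. Consider `GROUP BY client_ip` with `COUNT(DISTINCT user_agent) AS user_agent_count` in the select list, and a `HAVING COUNT(*) >= :min_requests` threshold (value tuned to observed traffic) so volume rather than a substring drives the output; the header comment should also state that the SELECT relies on Presto/Athena-style functions (`from_iso8601_timestamp`, `now()`, `interval '48' hour`) and that `LIMIT 50` is an arbitrary cut, since neither is obvious next to the Hive-style DDL above it.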
