This is a simple script which I find useful for finding blacklisted IPs (spammers etc.) among those connected to a server, using a third-party API (yasb.intuxication.org), so that they can be permanently banned on the server firewall.
Log into the server as root via a terminal / SSH (I use PuTTY under Linux), and run the following standard network command to produce a file of the IPs connected to the server (a snapshot):
netstat -ntu | grep -v "::" | grep ":" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > ip-check.txt
This will produce a file ip-check.txt, which contains lines of the format: number of connections, followed by the IP address,
e.g.
2 127.0.0.1
1 213.199.179.141
1 199.59.148.82
1 174.133.195.84
(Your list on a web server will be much longer than this example and is likely to have many more connections per IP.)
The next step is to create a file called check-spam-ips.php, in the same folder where ip-check.txt was just created, containing the following PHP code:
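<?php
// Collect libxml parse errors so libxml_get_errors() below has something to report.
libxml_use_internal_errors(true);

// Each line of ip-check.txt is "<connection count> <ip>" (uniq -c pads with spaces).
$data = file('ip-check.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($data === false) {
    exit("Could not read ip-check.txt\n");
}

foreach ($data as $line) {
    $parts = preg_split('/\s+/', trim($line));
    if (count($parts) < 2) {
        continue; // not a "count ip" line
    }
    list($count, $ip) = $parts;

    // Only send well-formed IP addresses to the API.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        continue;
    }

    $url = "http://yasb.intuxication.org/api/check.xml?ip=" . urlencode($ip);
    $info = file_get_contents($url);
    if ($info === false) {
        echo "Lookup failed for " . $ip . "\n";
        continue;
    }

    $orgxml = simplexml_load_string($info);
    if ($orgxml === false) {
        echo "Failed loading XML\n";
        foreach (libxml_get_errors() as $error) {
            echo $error->message . "\n";
        }
        exit;
    }

    // The API answers with a <spam> element holding "true" or "false".
    $spam = (string) $orgxml->spam;
    if ($spam == 'true') {
        echo $ip . " " . $spam . "\n";
    }
}
?>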
Then run the script as follows:
php check-spam-ips.php
This will print to the screen a list of the IPs connected to the server that were found to have been previously blacklisted.
You can then use your server's portal software or iptables to ban these blacklisted IPs, or investigate further.
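For the iptables route, here is an added example (not part of the original script) that turns the "IP true" lines printed by check-spam-ips.php into iptables DROP commands, skipping malformed, loopback and private addresses so the server cannot ban itself or its own LAN. The function names and the sample addresses (documentation ranges) are constructed for illustration, and the commands are only printed, not applied.

```shell
#!/bin/sh
# Added example: convert "IP true" report lines into iptables DROP commands.
# Dry run only: the commands are printed for review, nothing is applied.

# Succeeds only for a well-formed dotted-quad IPv4 address (no leading zeros).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^(0|[1-9][0-9]?[0-9]?)$/ || $i + 0 > 255) exit 1 }'
}

# Succeeds for addresses that must never be banned: loopback, RFC 1918
# private ranges, link-local and 0.0.0.0/8.
is_protected() {
    case "$1" in
        127.*|10.*|192.168.*|169.254.*|0.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read "IP true" lines on stdin; write one de-duplicated rule per bannable IP.
ban_rules() {
    while read -r ip flag rest; do
        [ "$flag" = "true" ] || continue
        is_ipv4 "$ip" || continue
        is_protected "$ip" && continue
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done | sort -u
}

# Constructed sample of the PHP script's output (documentation addresses).
sample_report() {
    cat <<'EOF'
203.0.113.7 true
198.51.100.23 true
203.0.113.7 true
127.0.0.1 true
192.168.1.5 true
999.1.1.1 true
not-an-ip true
EOF
}

sample_report | ban_rules
```

In real use, pipe the PHP script's output into ban_rules, review the printed commands, and only then run them as root.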
I hope this is of use to anyone.