This is a simple script that I find useful for finding blacklisted IPs (spammers etc.) connected to a server, using a third-party API (yasb.intuxication.org), so you can permanently ban them on the server firewall.

Log into the server as root via terminal / sshd (I use putty under Linux), and run the following standard network command to produce a file of the IPs currently connected to the server (a snapshot):

netstat -ntu | grep -v "::" | grep ":" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > ip-check.txt

This will produce a file, ip-check.txt, containing lines of the format: number of connections, then IP address

e.g.

2 127.0.0.1
1 213.199.179.141
1 199.59.148.82
1 174.133.195.84

(Your list on a web server will be much longer than this example and is likely to have many more connections per IP.)

The next step is to create a file called check-spam-ips.php in the same folder where ip-check.txt was just created, containing the following PHP code:

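<?php
// Read the netstat snapshot: one "count ip" pair per line.
$data = file('ip-check.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($data === false) {
    echo "Could not read ip-check.txt\n";
    exit(1);
}

// Collect XML parse errors so libxml_get_errors() has something to report.
libxml_use_internal_errors(true);

foreach ($data as $line) {
    // uniq -c pads the count with spaces, so split on any run of whitespace.
    $parts = preg_split('/\s+/', trim($line));
    if (count($parts) < 2) {
        continue;
    }
    $ip = $parts[1];

    // Only valid IPv4 addresses are allowed into the request URL.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        continue;
    }

    $url = "http://yasb.intuxication.org/api/check.xml?ip=" . urlencode($ip);

    $info = file_get_contents($url);
    if ($info === false) {
        echo "Request failed for " . $ip . "\n";
        continue;
    }

    $orgxml = simplexml_load_string($info);
    if ($orgxml === false) {
        echo "Failed loading XML\n";
        foreach (libxml_get_errors() as $error) {
            echo trim($error->message) . "\n";
        }
        exit(1);
    }

    // Compare the <spam> element as a string, not as a SimpleXMLElement.
    $spam = (string) $orgxml->spam;
    if ($spam === 'true') {
        echo $ip . " " . $spam . "\n";
    }
}
?>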

Then run the script as follows:

php check-spam-ips.php

This prints to the screen a list of the IPs connected to the server that have previously been blacklisted.

You can then use your server's portal software or iptables to ban these blacklisted IPs, or investigate further.
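As an added example (not part of the original script), this shell function turns the "ip true" lines printed by check-spam-ips.php into iptables DROP commands, validating each address and refusing to ban loopback, private or allow-listed IPs such as the 127.0.0.1 entry in the sample list above. The ALLOWLIST variable and the function names are assumptions made for this example, and the sample input is constructed.

```sh
#!/bin/sh
# Added example (not the author's code). Reads "ip flag" lines as printed by
# check-spam-ips.php and prints one iptables DROP command per banned address.
# ALLOWLIST is a hypothetical variable: space-separated IPs never to ban.

# Succeeds only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Succeeds for loopback, RFC 1918 and allow-listed addresses.
is_protected() {
    case $1 in
        0.*|127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    for a in ${ALLOWLIST:-}; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# stdin: "ip flag" lines. stdout: de-duplicated commands. stderr: skip notes.
gen_ban_rules() {
    while read -r ip flag rest; do
        [ "$flag" = "true" ] || continue
        if ! is_ipv4 "$ip"; then
            echo "skipped, not IPv4: $ip" >&2
        elif is_protected "$ip"; then
            echo "skipped, protected: $ip" >&2
        else
            echo "iptables -I INPUT -s $ip -j DROP"
        fi
    done | sort -u
}

# Constructed sample input (documentation-range addresses), not real results.
printf '%s\n' '203.0.113.7 true' '127.0.0.1 true' '999.1.1.1 true' \
    '203.0.113.7 true' | gen_ban_rules
```

The function only prints commands, so the list can be reviewed before it is run as root; skipped entries go to stderr and never reach the command list.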

I hope this is of use to anyone.