How do I block a host by ASN for apache - Example

From Brian Nelson Ramblings
Jump to: navigation, search

How do I block a host by ASN for apache - Example

Do you have issues with bots attempting to cause issues with your site? This is can disrupt your business and cause all types of performance issue.

Working to solve this we found it best to block entire ASN's for known bad ranges.

During my investigation I found a list of known bad ASN

https://raw.githubusercontent.com/brianhama/bad-asn-list/master/bad-asn-list.csv

I took this list by downloading, and then parsing out the ASN numbers.

Get the contents of the bad ASN list

First create a directory to download this list to.

mkdir /blockasn

Down the above csv file:

curl https://raw.githubusercontent.com/brianhama/bad-asn-list/master/bad-asn-list.csv > /blockasn/badasnlist.list

Parsing the ASN number

cat /blockasn/badasnlist.list | awk -F',' '{print $1}' | cut -d'"' -f2

You can use this with the following to download the ips for that ASN NUMBER, just replace ASN NUMBER

wget --content-disposition "https://www.enjen.net/asn-blocklist/index.php?asn=ASASN NUMBER&type=htaccess&api=1"

This will save the contents to file:

Example:

AS9925_htaccess.txt

Then you can copy this over to apache configuration directory:

cp AS9925_htaccess.txt /etc/httpd/conf.d/AS9925.conf

Then just restart apache and it will be blocked

sudo systemctl restart httpd.service

At this point you have blocked all the ips in that ASN

Making a Script that you can apply to a cron to auto update the list

#!/bin/bash
#Block bad ASN
#https://briansnelson.com/How_do_I_block_a_host_by_ASN_for_apache_-_Example
###########################
#Download List to use
curl https://raw.githubusercontent.com/brianhama/bad-asn-list/master/bad-asn-list.csv > /blockasn/badasnlist.list

#Get all the ASN lists download to your blockasn directory
for x in $(cat /blockasn/badasnlist.list | awk -F',' '{print $1}' | cut -d'"' -f2| grep -v ASN); do
  wget --content-disposition "https://www.enjen.net/asn-blocklist/index.php?asn=AS$x&type=htaccess&api=1"
done;
#Lets add them to apache
echo '<Directory />' > /etc/httpd/conf.d/blockASN.conf; 
echo 'Order Deny,Allow' >> /etc/httpd/conf.d/blockASN.conf; 
cat /blockasn/AS*.txt | grep -v Order >> /etc/httpd/conf.d/blockASN.conf; 
echo '</Directory>' >> /etc/httpd/conf.d/blockASN.conf;
sudo systemctl restart httpd.service

Save the script to /blockasn/cron.script then add it to a cron

echo '0 0 * * 6 /blockasn/cron.script >/dev/null 2>&1' >> /var/spool/cron/root
chmod +x cron.script

Now with everything setup you can easily block bad ASN from causing issues on your network, you can also add ASN that are not part of that list that you find over time, by adding an echo statement to update the badasnlist.list file before it goes into the add to apache

#!/bin/bash
#Block bad ASN
#https://briansnelson.com/How_do_I_block_a_host_by_ASN_for_apache_-_Example
###########################
#Download List to use
curl https://raw.githubusercontent.com/brianhama/bad-asn-list/master/bad-asn-list.csv > /blockasn/badasnlist.list
#Add non listed ASN numbers to auto block list
echo '32934' >> /blockasn/badasnlist.list
#Get all the ASN lists download to your blockasn directory
for x in $(cat /blockasn/badasnlist.list | awk -F',' '{print $1}' | cut -d'"' -f2| grep -v ASN); do
  wget --content-disposition "https://www.enjen.net/asn-blocklist/index.php?asn=AS$x&type=htaccess&api=1"
done;
#Lets add them to apache
echo '<Directory />' > /etc/httpd/conf.d/blockASN.conf; 
echo 'Order Deny,Allow' >> /etc/httpd/conf.d/blockASN.conf; 
cat /blockasn/AS*.txt | grep -v Order >> /etc/httpd/conf.d/blockASN.conf; 
echo '</Directory>' >> /etc/httpd/conf.d/blockASN.conf;
sudo systemctl restart httpd.service

Use with caution, as come copy and paste will mixup the quotes in the above script