This was an experiment made in the earlier days of Repsheet. There are much better ways to deal with this and this experiment has outlived its usefulness. The repo will live on for historical purposes.
This is the backend infrastructure for Repsheet. It provides automatic processing of the current state of actors and allows for automatic blacklisting of repeat offenders. It is designed to be run under cron.
You need the hiredis,
libcurl, and
libjson/json-c libraries installed
for compilation and linking. You also need the standard autotools
packages. This includes autoconf
, automake
, and libtool
.
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ repsheet --version
Repsheet Backend Version 2.0.0
usage: repsheet [-srauv] [-h] [-p] [-e] [-t] [-o]
--score -s score actors
--report -r report top 10 offenders
--analyze -a analyze and act on offenders
--publish -u publish blacklist to upstream providers
--host -h <redis host>
--port -p <redis port>
--expiry -e <redis expiry> blacklist expire time
--modsecurity_threshold -t <blacklist threshold>
--ofdp_threshold -o <ofdp threshold> score and blacklist actors against wafsec.com
--version -v print version and help
If you pass no arugments to the repsheet binary, it will default to simply scoring the actors in a sorted set inside of Redis under the offenders key.
$ repsheet
No options specified, performing score operation
The score -s / --score
operation can be run on its own, but is also
run during the report and analyze operations.
Using the -r / --report
option will print a report of the top ten
unblacklisted actors.
$ repsheet -r
Top 10 Suspsects (not yet blacklisted)
1.1.1.1 20444 offenses
1.1.1.215 996 offenses
1.1.1.210 991 offenses
1.1.1.55 986 offenses
1.1.1.218 969 offenses
1.1.1.156 964 offenses
1.1.1.49 954 offenses
1.1.1.200 948 offenses
1.1.1.85 945 offenses
1.1.1.21 943 offenses
1.1.1.45 934 offenses
And the -a / --analyze
option will analyze the offenders list and
blacklist any offenders that have an offense count higher than the
ModSecurity threshold -t / --modsecurity_threshold
(default 200),
the OFDP threshold -o / --ofdp_threshold
(default 50), or have been previously
blacklisted and have returned after their blacklist has expired.
$ repsheet --analyze --modsecurity_threshold 75 --ofdp_threshold 20
Actor 1.1.1.1 has been blacklisted: The actor has exceeded the ModSecurity blacklist threshold. [Score: 181]