@WpComet
Created January 3, 2026 05:20
Sentinel Scout: Smart IP Threat Analyzer for CSF.
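#!/bin/bash
# ==============================================================================
# Script Name : sentinel_scout.sh
# Description : Analyzes web logs for high-traffic IPs and provides threat scores
# Author : [Your Name/Handle]
# License : MIT
# Requirements : curl, csf (ConfigServer Security & Firewall), GNU grep (-P)
#
# Reads the tail of every access log matched by LOG_FILES, counts requests per
# source address, looks the busiest addresses up against ip-api.com and prints
# a threat score plus a *suggested* `csf -d` command. Nothing is blocked
# automatically: the operator reviews the output and runs the command by hand.
#
# Notes for the operator:
#   - The GeoIP lookup goes over plain HTTP, so treat its answer as advisory.
#   - Log fields and API strings are untrusted input; addresses are validated
#     before they reach curl, and API text is reduced to a safe character set
#     before it is embedded in the printed csf command.
#   - The suggested /24 block for hosting providers can hit unrelated tenants
#     of the same provider; narrow it if that matters for your site.
# ==============================================================================
set -u

# --- CONFIGURATION ---
MY_IP="YOUR_SERVER_IP" # Change to your server's public IP
THRESHOLD=2000 # Flag IPs with more than this many requests
TOP_LIMIT=5 # Max number of IPs to analyze (also caps API lookups per run)
LOG_FILES="/usr/local/apache/domlogs/*/*" # Path to your access logs (a glob)
WHITELIST_CONF="/etc/csf/csf.allow"
TAIL_LINES=5000 # Lines examined from the end of each log file
CURL_TIMEOUT=10 # Seconds to wait for one GeoIP lookup

# Dotted-quad IPv4 pattern; used both to validate log fields and to decide
# whether a /24 range can be derived from an address.
readonly IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'

#######################################
# Check that a log field looks like an IPv4 or IPv6 address.
# Arguments: $1 - candidate string taken from the log
# Returns:   0 if it is a plausible address, 1 otherwise
#######################################
is_ip() {
  local candidate=$1
  [[ "$candidate" =~ $IPV4_RE ]] && return 0
  # Loose IPv6 check: hex digits and colons only, and at least one colon.
  [[ "$candidate" =~ ^[0-9A-Fa-f:]+$ && "$candidate" == *:* ]]
}

#######################################
# Extract a JSON string value from a flat, compact document ({"k":"v",...}).
# Assumes the unnested, whitespace-free form returned by ip-api.com.
# Arguments: $1 - JSON text, $2 - field name
# Outputs:   the value on stdout (nothing if absent)
#######################################
json_str() {
  local json=$1 key=$2
  grep -oP "(?<=\"${key}\":\")[^\"]*" <<<"$json"
}

#######################################
# Extract a JSON non-string scalar (true/false/number) from a flat document.
# Arguments: $1 - JSON text, $2 - field name
# Outputs:   the raw token on stdout (nothing if absent or if it is a string)
#######################################
json_raw() {
  local json=$1 key=$2
  grep -oP "(?<=\"${key}\":)[^,}\"]*" <<<"$json"
}

#######################################
# Reduce API-supplied text to letters, digits, space, dot, underscore and dash
# so that quotes or shell metacharacters in an ISP/country name cannot break
# the quoting of the csf command that is printed for the operator.
# Arguments: $1 - text
# Outputs:   sanitized text, or "unknown" when nothing survives
#######################################
sanitize() {
  local text=${1//[^[:alnum:] ._-]/}
  printf '%s\n' "${text:-unknown}"
}

#######################################
# Check whether an address appears as a whole token in the CSF allow file.
# The address is regex-escaped and anchored on both sides so that 1.2.3.4 does
# not match 1.2.3.40 or 11.2.3.4. CIDR entries covering the address are not
# recognised (the original check did not handle them either).
# Globals:   WHITELIST_CONF (read)
# Arguments: $1 - IP address
# Returns:   0 if listed, non-zero otherwise (including unreadable file)
#######################################
is_whitelisted() {
  local ip=$1 escaped
  escaped=${ip//./\\.}
  grep -qE -- "(^|[^0-9A-Fa-f:.])${escaped}([^0-9A-Fa-f:.]|$)" "$WHITELIST_CONF" 2>/dev/null
}

#######################################
# Print the analysis for one address and the suggested csf command.
# Arguments: $1 - IP, $2 - request count, $3 - country, $4 - isp,
#            $5 - proxy flag (true/false), $6 - hosting flag (true/false)
# Outputs:   human-readable report on stdout
#######################################
report_ip() {
  local ip=$1 reqs=$2 country=$3 isp=$4 is_proxy=$5 is_hosting=$6
  local score=0 reason="" rec="IGNORE" target comment safe_isp safe_country

  # Scoring & Reasoning Logic
  if [[ "$is_hosting" == "true" ]]; then
    score=$((score + 70))
    reason="Data Center/Hosting provider ($isp). High probability of automated bot activity."
  else
    score=$((score + 10))
    reason="Residential or Business ISP ($isp). Likely a legitimate user."
  fi
  if [[ "$is_proxy" == "true" ]]; then
    score=$((score + 25))
    reason="$reason Flagged as Proxy/VPN."
  fi

  # Verdict
  (( score >= 60 )) && rec="BLOCK"

  printf 'IP: %s (%s hits)\n' "$ip" "$reqs"
  printf ' - ISP: %s (%s)\n' "$isp" "$country"
  printf ' - Threat Score: %s/100\n' "$score"
  printf ' - Reason: %s\n' "$reason"
  printf ' - Recommendation: %s\n' "$rec"

  if [[ "$rec" == "BLOCK" ]]; then
    safe_isp=$(sanitize "$isp")
    safe_country=$(sanitize "$country")
    # A /24 is only meaningful for IPv4; IPv6 hosts get a single-address block.
    if [[ "$is_hosting" == "true" && "$ip" =~ $IPV4_RE ]]; then
      target="${ip%.*}.0/24"
      comment="Sentinel: Aggressive $safe_isp bot in $safe_country"
    else
      target=$ip
      comment="Sentinel: High threat score from $safe_country"
    fi
    printf ' - CSF CMD: csf -d %s "%s"\n' "$target" "$comment"
  fi
}

#######################################
# Entry point: safety checks, top-talker extraction, per-IP lookup and report.
# Globals:   MY_IP, THRESHOLD, TOP_LIMIT, LOG_FILES, TAIL_LINES, CURL_TIMEOUT
# Returns:   exits 1 when not root or curl is missing
#######################################
main() {
  # --- SAFETY CHECKS ---
  if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root (to check CSF files)." >&2
    exit 1
  fi
  if ! command -v curl >/dev/null 2>&1; then
    echo "curl is required but was not found in PATH." >&2
    exit 1
  fi
  if [[ "$MY_IP" == "YOUR_SERVER_IP" ]]; then
    echo "Warning: MY_IP is still the placeholder; the server's own traffic will not be excluded." >&2
  fi

  echo "--- [ SENTINEL SCOUT: $(date) ] ---"

  # 1. Identify "Top Talkers"
  # tail -q suppresses the "==> file <==" headers that appear when several
  # logs are read; without it "==>" is counted as a source address. awk drops
  # blank separator lines. The exact-match grep excludes only MY_IP itself,
  # not every address that merely contains it as a substring.
  local talkers
  # shellcheck disable=SC2086 — LOG_FILES is a glob by design
  talkers=$(tail -q -n "$TAIL_LINES" $LOG_FILES 2>/dev/null \
    | awk 'NF {print $1}' \
    | grep -vFx -- "$MY_IP" \
    | sort | uniq -c | sort -nr)

  echo "Analyzing top traffic sources (Threshold: $THRESHOLD requests)..."
  echo "------------------------------------------------"

  local count=0 reqs ip geo status message country isp is_proxy is_hosting
  while read -r reqs ip; do
    # An empty here-string still yields one empty line; also guard against a
    # non-numeric count so the arithmetic tests below cannot error out.
    [[ -n "$reqs" && -n "$ip" ]] || continue
    [[ "$reqs" =~ ^[0-9]+$ ]] || continue
    (( count >= TOP_LIMIT )) && break
    (( reqs < THRESHOLD )) && break

    # Only well-formed addresses go into the API URL and the printed command.
    if ! is_ip "$ip"; then
      printf '[%s] - %s hits: Skipping (not a valid IP address; check log format)\n' "$ip" "$reqs"
      continue
    fi

    # Check CSF Whitelist
    if is_whitelisted "$ip"; then
      printf '[%s] - %s hits: Skipping (Already Whitelisted in CSF)\n' "$ip" "$reqs"
      continue
    fi

    # API Data Collection (every lookup counts toward TOP_LIMIT)
    geo=$(curl -s --max-time "$CURL_TIMEOUT" \
      "http://ip-api.com/json/${ip}?fields=status,message,country,isp,hosting,proxy,query")
    count=$((count + 1))

    status=$(json_str "$geo" status)
    if [[ "$status" != "success" ]]; then
      message=$(json_str "$geo" message)
      printf '[%s] - %s hits: GeoIP lookup failed (%s); cannot score\n' \
        "$ip" "$reqs" "${message:-no response}"
      echo "------------------------------------------------"
      continue
    fi
    country=$(json_str "$geo" country)
    isp=$(json_str "$geo" isp)
    is_proxy=$(json_raw "$geo" proxy)
    is_hosting=$(json_raw "$geo" hosting)

    report_ip "$ip" "$reqs" "$country" "$isp" "$is_proxy" "$is_hosting"
    echo "------------------------------------------------"
  done <<< "$talkers"
}

main "$@"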