CLI utility to analyze traefik access.log file and ban bad ip addresses in iptables - Analyzes the access.log filepath specified by user

Traefik Log Blocker

A fast IP blocker program that analyzes Traefik access logs and automatically blocks IPs from specific ISPs using Linux kernel features. Designed for Debian 12 bookworm.

Overview

This tool analyzes Traefik JSON access logs to identify and block traffic from suspicious ISPs, particularly targeting Chinese cloud providers and other potentially malicious sources. It uses efficient kernel-level blocking mechanisms through iptables and ipset.

Features

  • Fast Log Analysis: Parses Traefik JSON access logs with configurable log file paths
  • ISP Detection: Performs whois lookups to identify ISPs and organizations
  • Smart Blocking Strategy: Uses ipset for bulk blocking (>10 IPs) or individual iptables rules for smaller numbers
  • Safety First: Only blocks traffic from predefined suspicious ISP patterns
  • Multiple Modes: Analyze, dry-run, or execute blocking rules
  • Rate Limiting: Built-in whois query rate limiting to avoid being blocked

Requirements

System Dependencies

  • Python 3.x
  • iptables (for firewall rules)
  • ipset (for efficient IP set management)
  • whois utility (for ISP lookups)
  • Root privileges (required for --ban-ips mode)

Target Platform

  • Debian 12 bookworm

Installation

  1. Clone or download the traefik_log_blocker script
  2. Make it executable:
    chmod +x traefik_log_blocker
    
  3. Ensure system dependencies are installed:
    sudo apt update
    sudo apt install iptables ipset whois
    

Usage

The tool supports three main operation modes:

Analyze Mode

Display summary of suspicious IPs and their ISPs:

./traefik_log_blocker --access-log=/path/to/access.log --analyze

Dry Run Mode

Display blocking rules without executing them:

./traefik_log_blocker --access-log=/path/to/access.log --dry-run

Ban IPs Mode

Execute blocking rules (requires root privileges):

sudo ./traefik_log_blocker --access-log=/path/to/access.log --ban-ips

Configuration

Environment Variables

  • TRAEFIK_LOG_PATH: Path to Traefik access log file
    • Default: /home/booboy/repos/traefik/logs/access.log

Command Line Options

usage: traefik_log_blocker [-h] [--access-log ACCESS_LOG]
                           (--dry-run | --analyze | --ban-ips)

options:
  -h, --help            show this help message and exit
  --access-log ACCESS_LOG
                        Path to Traefik access log file (default: from
                        TRAEFIK_LOG_PATH env var or
                        /home/booboy/repos/traefik/logs/access.log)
  --dry-run             Display blocking rules to stdout but do not execute
                        them
  --analyze             Display summary of suspicious IPs and their ISPs to
                        stdout
  --ban-ips             Execute blocking rules for suspicious IPs found in
                        analysis

Log Format

Expected Traefik JSON access log format:

{
  "ClientAddr": "156.59.198.136:48006",
  "ClientHost": "156.59.198.136",
  "ClientPort": "48006",
  "DownstreamStatus": 200,
  "RequestHost": "git.mcdevitt.tech",
  "RequestMethod": "GET",
  "RequestPath": "/path",
  "time": "2025-08-08T13:27:55Z"
}

Blocked ISPs

The tool automatically blocks traffic from these ISP patterns:

  • Huawei (huawei, huawei-cloud)
  • Alibaba Cloud (alibaba)
  • Tencent Cloud (tencent)
  • Baidu Cloud (baidu)
  • China Telecom (chinanet, china telecom)
  • China Unicom (china unicom)
  • China Mobile (china mobile)

Blocking Strategy

  • Bulk Blocking: When more than 10 suspicious IPs are found, uses ipset for efficient management
  • Individual Rules: For 10 or fewer IPs, creates individual iptables DROP rules
  • Safety: Only blocks IPs from predefined suspicious ISP patterns
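The following is an added example (not the project's own code) that ties the Log Format section to the Blocking Strategy above: it parses Traefik JSON log lines into a per-ClientHost count, applies the listed ISP patterns, and emits the commands a dry run would print, switching to ipset once more than 10 IPs qualify. The whois lookup is replaced by a constructed IP-to-organisation dictionary, the set name traefik_blocklist is assumed, and the sample log lines use RFC 5737 documentation addresses.

```python
import json
from collections import Counter

# Added example, not the project's code: the ISP substrings the README lists.
SUSPICIOUS_ISP_PATTERNS = ("huawei", "huawei-cloud", "alibaba", "tencent", "baidu",
                           "chinanet", "china telecom", "china unicom", "china mobile")
IPSET_THRESHOLD = 10  # more than 10 IPs -> one ipset, otherwise per-IP iptables rules

def parse_client_hosts(log_lines):
    """Count ClientHost per Traefik JSON log line; skip non-JSON or incomplete lines."""
    hosts = Counter()
    for line in log_lines:
        try:
            host = json.loads(line).get("ClientHost")
        except (json.JSONDecodeError, AttributeError):
            continue  # the README's "Invalid JSON log entries" case
        if isinstance(host, str) and host:
            hosts[host] += 1
    return hosts

def is_suspicious(org_name):
    """Case-insensitive substring match against the blocked ISP patterns."""
    name = org_name.lower()
    return any(pattern in name for pattern in SUSPICIOUS_ISP_PATTERNS)

def suspicious_ips(log_lines, whois_org):
    """whois_org maps IP -> organisation string, a stand-in for the tool's whois lookups."""
    return sorted(ip for ip in parse_client_hosts(log_lines) if is_suspicious(whois_org.get(ip, "")))

def blocking_rules(ips, threshold=IPSET_THRESHOLD, ipset_name="traefik_blocklist"):
    """Commands a dry run would print (set name is assumed, not the project's)."""
    ips = sorted(set(ips))
    if len(ips) > threshold:
        rules = [f"ipset -exist create {ipset_name} hash:ip"]
        rules += [f"ipset -exist add {ipset_name} {ip}" for ip in ips]
        return rules + [f"iptables -I INPUT -m set --match-set {ipset_name} src -j DROP"]
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

# Constructed sample input (RFC 5737 documentation addresses), not the project's test log.
SAMPLE_LOG = [
    '{"ClientAddr": "203.0.113.7:48006", "ClientHost": "203.0.113.7", "DownstreamStatus": 200}',
    '{"ClientAddr": "203.0.113.7:48010", "ClientHost": "203.0.113.7", "DownstreamStatus": 404}',
    '{"ClientHost": "198.51.100.9", "DownstreamStatus": 200}',
    "not a json line",
]
WHOIS_ORG = {"203.0.113.7": "Alibaba Cloud LLC", "198.51.100.9": "Example Hosting"}

if __name__ == "__main__":
    for rule in blocking_rules(suspicious_ips(SAMPLE_LOG, WHOIS_ORG)):
        print(rule)
```

Note that rules inserted with iptables -I and entries added to an ipset live only in the running kernel; they are gone after a reboot unless saved with iptables-save and ipset save.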

Examples

Set custom log path and analyze:

export TRAEFIK_LOG_PATH="/var/log/traefik/access.log"
./traefik_log_blocker --analyze

Quick dry-run check:

./traefik_log_blocker --access-log=./test_access.log --dry-run

Execute blocking (requires root):

sudo ./traefik_log_blocker --access-log=/var/log/traefik/access.log --ban-ips

Security Notes

  • Always test with --dry-run before executing --ban-ips
  • Review the list of suspicious ISPs to ensure they align with your security policy
  • Monitor logs regularly for new patterns or legitimate traffic being blocked
  • The tool implements rate limiting for whois queries to avoid service blocks

Error Handling

The tool includes comprehensive error handling for:

  • Missing log files
  • Invalid JSON log entries
  • Network lookup timeouts
  • Firewall rule execution failures
  • Permission issues

Development

The tool is designed to handle:

  • Log file rotation and continuous monitoring
  • Proper error handling for network lookups
  • Rate limiting for whois queries
  • Performance optimization using kernel-level blocking