Incident Response Automation (IRA)

Author: iwmvictor
Website: iwmvictor.vercel.app
Email: iwmvik@gmail.com
Repository: GitHub

Introduction

Incident Response Automation (IRA) is a small tool that helps security teams automate the containment of a compromised system during an active security incident. Using host firewall rules (iptables or nftables), the script blocks all traffic to and from the affected machine's IP address so that an attacker cannot use it to spread further.

This script is ideal for:

  • Security professionals handling active threats.
  • System administrators managing corporate networks.
  • Cybersecurity researchers testing response techniques.

How It Works

  1. Identifies the target IP address of the compromised system.
  2. Blocks all incoming and outgoing traffic for that IP using either iptables or nftables.
  3. Logs the action for auditing and future incident analysis.
  4. Allows removal of isolation when the threat is mitigated.
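The four steps above, written out as a runnable Python module. This is an added example, not the project's isolate.py: it assumes an iptables backend that inserts DROP rules into the INPUT and OUTPUT chains, an nftables backend built around a table named "ira" with an address set named "isolated" (names chosen here, not by the project), and a placeholder log path. Commands are only executed when dry_run=False, so the module can be imported and exercised without root; it also refuses loopback, unspecified and multicast addresses, which is the cheapest guard against the "blocking the wrong IP" failure the README warns about.

```python
"""Reference IRA workflow: identify, block, log, remove (added example,
not the project's isolate.py). Table/set names and the log path are
assumptions made here; nothing runs unless dry_run=False.
"""
import ipaddress
import json
import subprocess
from datetime import datetime, timezone

DEFAULT_LOG = "/var/log/ira.log"  # placeholder path, not from the project


def validate_target(ip_str: str) -> str:
    """Step 1: normalise the target and reject addresses that are not a host.

    Isolating 127.0.0.1, 0.0.0.0 or a multicast group would cut the
    responder's own box off instead of the compromised machine.
    """
    ip = ipaddress.ip_address(ip_str.strip())
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"refusing to isolate non-host address {ip}")
    return str(ip)


def nft_setup_commands(v6: bool = False) -> list:
    """Scaffolding for the nftables backend: a table, an address set, and
    input/output chains that drop anything matching the set. 'nft add' is
    a no-op for an existing table/chain/set, but the two 'add rule' lines
    append a duplicate rule each time, so run this once at deployment."""
    fam, addr_t = ("ip6", "ipv6_addr") if v6 else ("ip", "ipv4_addr")
    return [
        ["nft", "add", "table", fam, "ira"],
        ["nft", "add", "set", fam, "ira", "isolated", f"{{ type {addr_t} ; }}"],
        ["nft", "add", "chain", fam, "ira", "input",
         "{ type filter hook input priority -10 ; policy accept ; }"],
        ["nft", "add", "chain", fam, "ira", "output",
         "{ type filter hook output priority -10 ; policy accept ; }"],
        ["nft", "add", "rule", fam, "ira", "input", fam, "saddr", "@isolated", "drop"],
        ["nft", "add", "rule", fam, "ira", "output", fam, "daddr", "@isolated", "drop"],
    ]


def build_commands(action: str, ip: str, backend: str) -> list:
    """Steps 2 and 4: commands that block (isolate) or unblock (remove) one host."""
    if action not in ("isolate", "remove"):
        raise ValueError(f"unknown action {action!r}")
    v6 = ipaddress.ip_address(ip).version == 6
    if backend == "iptables":
        tool = "ip6tables" if v6 else "iptables"
        flag = "-I" if action == "isolate" else "-D"  # insert at top / delete exact rule
        return [
            [tool, flag, "INPUT", "-s", ip, "-j", "DROP"],
            [tool, flag, "OUTPUT", "-d", ip, "-j", "DROP"],
        ]
    if backend == "nftables":
        fam = "ip6" if v6 else "ip"
        verb = "add" if action == "isolate" else "delete"
        return [["nft", verb, "element", fam, "ira", "isolated", f"{{ {ip} }}"]]
    raise ValueError(f"unsupported backend {backend!r}")


def apply(action: str, target: str, backend: str = "iptables",
          dry_run: bool = True, log_path: str = "") -> dict:
    """Run the workflow end to end and return the audit record (step 3)."""
    ip = validate_target(target)
    v6 = ipaddress.ip_address(ip).version == 6
    cmds = build_commands(action, ip, backend)
    if backend == "nftables" and action == "isolate":
        cmds = nft_setup_commands(v6) + cmds
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)  # needs root; raises on failure
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action, "target": ip, "backend": backend,
        "dry_run": dry_run, "commands": [" ".join(c) for c in cmds],
    }
    if log_path:
        with open(log_path, "a") as fh:  # append-only JSON lines, one per action
            fh.write(json.dumps(record) + "\n")
    return record


def rule_present(iptables_s_output: str, ip: str) -> bool:
    """Post-check: does 'iptables -S' output show both DROP rules for ip?"""
    pfx = 128 if ipaddress.ip_address(ip).version == 6 else 32
    wanted = {f"-A INPUT -s {ip}/{pfx} -j DROP", f"-A OUTPUT -d {ip}/{pfx} -j DROP"}
    return wanted <= {line.strip() for line in iptables_s_output.splitlines()}


# Constructed sample of 'iptables -S' output after a successful isolation.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.1.100/32 -j DROP
-A OUTPUT -d 192.168.1.100/32 -j DROP
"""

if __name__ == "__main__":
    print(json.dumps(apply("isolate", "192.168.1.100", dry_run=True), indent=2))
```

The nftables side keeps per-host state in a set rather than in individual rules, so removing isolation is a single `delete element` with no rule-handle lookup, and the same two drop rules serve every isolated host. `rule_present` is the programmatic form of the README's "verify with iptables -L" advice: feed it the output of `iptables -S` and it confirms both directions are actually blocked before you report the host as contained.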

Features

✅ Automated system isolation with firewall rules
✅ Supports both iptables and nftables
✅ Logging for auditing and forensic analysis
✅ Easy to integrate with incident response workflows
✅ Simple command-line usage


Requirements

  • Linux-based OS (Debian, Ubuntu, CentOS, etc.)
  • Python 3.x
  • Root privileges to modify firewall rules
  • iptables or nftables installed

Installation & Setup

  1. Clone the repository:
    git clone https://github.com/iwmvictor/ira.git
  2. Navigate to the project directory:
    cd ira
  3. Ensure execution permissions:
    chmod +x isolate.py isolate.sh

Usage

Python Version

To isolate a system by its IP address:

sudo python3 isolate.py isolate <IP_ADDRESS>

Example:

sudo python3 isolate.py isolate 192.168.1.100

To remove isolation:

sudo python3 isolate.py remove <IP_ADDRESS>

Example:

sudo python3 isolate.py remove 192.168.1.100

Bash Version

To isolate a system:

sudo ./isolate.sh isolate <IP_ADDRESS>

To remove isolation:

sudo ./isolate.sh remove <IP_ADDRESS>

Customization

  • Modify the script to use UFW or firewalld if your system manages its firewall through one of those frontends; rules written directly with iptables or nftables on such a system may be overwritten when the frontend reloads its configuration.
  • Add email notifications or Slack alerts upon isolation.
  • Extend logging capabilities to integrate with SIEM solutions.

Security Considerations

⚠️ Use with caution: Blocking the wrong IP could disrupt services.
⚠️ Test before deployment: Always test in a controlled environment before using in production.
⚠️ Keep logs secured: Attackers may attempt to tamper with log files.


Troubleshooting

  • Permission Denied: Run the script with sudo.
  • iptables/nftables not found: Install using:
    sudo apt install iptables  # Debian/Ubuntu
    sudo yum install iptables  # CentOS/RHEL
  • Firewall rules not applying: Verify with:
    sudo iptables -L -v -n    # iptables
    sudo nft list ruleset     # nftables
  • No logging output: Ensure the script has write permissions to log files.

Contributing

Contributions are welcome! Feel free to open issues, suggest improvements, or submit pull requests.


License

This project is licensed under the MIT License. See the LICENSE file for details.