paramah/ossec-blacklist
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

source the config file instead of reading line by line

Browse Source
This commit is contained in:
Paweł Krawczyk 2016-01-18 18:17:58 +00:00
parent a93e2b606d
commit f408072a81
1 changed files with 29 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
blacklist.sh
View File

@ -9,33 +9,39 @@
config_file="/etc/ip-blacklist.conf" config_file="/etc/ip-blacklist.conf"
if [ -f "${config_file}" ]; then if [ -f "${config_file}" ]; then
exec <"${config_file}" source ${config_file}
read line
while [ "$line" ]; do
if ! echo "$line" | egrep -q '(^#|^$)'; then
urls="${urls} $line"
fi
read line
done
else else
# if no config file is available, load default set of blacklists # if no config file is available, load default set of blacklists
# URLs for further blocklists are appended using the classical
# shell syntax: "$URLS new_url"
# Emerging Threats lists offensive IPs such as botnet command servers # Emerging Threats lists offensive IPs such as botnet command servers
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" URLS="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
# URLs for further blocklists are appeneded below using the typical
# shell syntax: "$urls new_url"
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders # Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt" URLS="$URLS https://www.blocklist.de/downloads/export-ips_all.txt"
# badips.com, from score 2 up # badips.com, from score 2 up
urls="$urls http://www.badips.com/get/list/ssh/2" URLS="$URLS http://www.badips.com/get/list/ssh/2"
# iblocklist.com is also supported # iblocklist.com is also supported
# urls="$urls http://list.iblocklist.com/?list=srzondksmjuwsvmgdbhi&fileformat=p2p&archiveformat=gz&username=USERNAMEx$&pin=PIN" # URLS="$URLS http://list.iblocklist.com/?list=srzondksmjuwsvmgdbhi&fileformat=p2p&archiveformat=gz&username=USERNAMEx$&pin=PIN"
# by default all incoming/forwarding traffic is blocked
# if this parameter is specified, only the specified ports will be blocked
PORTS="22/tcp"
# iptables logging limit
LIMIT="10/minute"
fi fi
function link_set {
if [ "$3" = "log" ]; then
iptables -A "$1" -m set --match-set "$2" src,dst -m limit --limit "$LIMIT" -j LOG --log-prefix "BLOCK $2 "
fi
iptables -A "$1" -m set --match-set "$2" src -j DROP
iptables -A "$1" -m set --match-set "$2" dst -j DROP
}
# This is how it will look like on the server # This is how it will look like on the server
@ -51,18 +57,19 @@ fi
# 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set www.badips.com dst # 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set www.badips.com dst
blocklist_chain_name=blocklists blocklist_chain_name=blocklists
# check for dependencies - ipset and curl
if [ -z "$(which ipset 2>/dev/null)" ]; then if [ -z "$(which ipset 2>/dev/null)" ]; then
echo "Cannot find ipset" echo "Cannot find ipset"
echo "Run \"apt-get install ipset\" or \"yum install ipset\"" echo "Run \"apt-get install ipset\" or \"yum install ipset\""
exit 1 exit 1
fi fi
if [ -z "$(which curl 2>/dev/null)" ]; then if [ -z "$(which curl 2>/dev/null)" ]; then
echo "Cannot find curl" echo "Cannot find curl"
echo "Run \"apt-get install curl\" or \"yum install curl\"" echo "Run \"apt-get install curl\" or \"yum install curl\""
exit 1 exit 1
fi fi
# check if we are on OpenWRT
if [ "$(which uci 2>/dev/null)" ]; then if [ "$(which uci 2>/dev/null)" ]; then
# we're on OpenWRT # we're on OpenWRT
wan_iface=$(uci get network.wan.ifname) wan_iface=$(uci get network.wan.ifname)
@ -94,14 +101,15 @@ fi
iptables -F ${blocklist_chain_name} iptables -F ${blocklist_chain_name}
# create the "manual" blacklist set # create the "manual" blacklist set
# this can be populated manually using ipset command:
# ipset add manual-blacklist a.b.c.d
set_name="manual-blacklist" set_name="manual-blacklist"
if ! ipset list | grep -q "Name: ${set_name}"; then if ! ipset list | grep -q "Name: ${set_name}"; then
ipset create "${set_name}" hash:net ipset create "${set_name}" hash:net
fi fi
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} " link_set("${blocklist_chain_name}", "${blocklist_chain_name}", "$3")
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
# now process the dynamic blacklists # download and process the dynamic blacklists
for url in $urls; do for url in $urls; do
# initialize temp files # initialize temp files
unsorted_blocklist=$(mktemp) unsorted_blocklist=$(mktemp)
@ -167,13 +175,8 @@ for url in $urls; do
# actually execute the set update # actually execute the set update
ipset -! -q restore < "${new_set_file}" ipset -! -q restore < "${new_set_file}"
if [ "$1" = "log" ]; then link_set("${blocklist_chain_name}", "${blocklist_chain_name}", "$3")
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src -m limit --limit 10/minute -j LOG --log-prefix "BLOCK src ${set_name} "
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK dst ${set_name} "
fi
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src -j DROP
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" dst -j DROP
# clean up temp files # clean up temp files
rm "${unsorted_blocklist}" "${sorted_blocklist}" "${new_set_file}" "${headers}" rm "${unsorted_blocklist}" "${sorted_blocklist}" "${new_set_file}" "${headers}"