Go to file

Pawel Krawczyk 660d661551 merged with blacklist.sh		2015-01-07 10:57:16 +00:00
blacklist.sh	install into proper chains	2015-01-07 10:57:00 +00:00
ipset-drop.sh	add OSSEC active response script	2015-01-07 10:29:52 +00:00
LICENSE	Initial commit	2014-10-01 12:13:57 +01:00
README.md	update docs	2015-01-07 10:51:47 +00:00

README.md

blacklist-scripts

This is a collection of shell scripts that are intended to block Linux systems and OpenWRT routers from known sources of malicious traffic. These scripts use iptables with highly efficient ipset module to check incoming traffic against blacklists populated from publicly available sources.

Emerging Threats provides similar rules that essentially run iptables for each blacklisted IP which is extremely inefficient in case of large blacklists. Using ipset means using just one iptables rule to perform a very efficient lookup in hash structure created by ipset.

Block lists

Emerging Threats - list of other known threats (botnet C&C, compromised servers etc) compiled from various sources, including Spamhaus DROP, Shadoserver and DShield Top Attackers
www.blocklist.de - list of known password bruteforcers supplied by a network of fail2ban users
iBlocklist - various free and subscription based lists
Bogons - IP subnets that should never appear on public Internet; this includes RFC 1918 networks, be careful with deploying this in private networks

By default the script will only load Emerging Threats and Blocklist.de collections. Others may be added by simply appending to the urls variable in the beginning of the script:

urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"

The script ignores empty lines or comments and will only extract anything that looks like an IP address (a.b.c.d) or CIDR subnet (a.b.c.d/nn). Each blacklist is loaded into a separate ipset collection so that logging unambigously identifies which blacklist blocked a packet.

OpenWRT

The script automatically detects OpenWRT environment (looking for uci) and will try to obtain the WAN interface name. The filtering will be then limited to WAN interface only.

Requirements:

opkg install ipset curl

Installation:

cp blacklist.sh /etc/firewall.user
echo "01 01 * * * sh /etc/firewall.user" >>/etc/crontabs/root

Manual run:

sh /etc/firewall.user

Linux

Requirements:

On Debian, Ubuntu and other apt systems: apt-get install ipset curl
On RedHat, Fedora, CentOS and other RPM systems: yum install ipset curl

Installation:

cp blacklist.sh /etc/cron.daily/blacklist

Manual run:

sh /etc/cron.daily/blacklist