paramah/ossec-blacklist
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
ca1ed35f92
ossec-blacklist/blacklist.sh
Pawel Krawczyk 5a325d5f2b less verbose
2014-11-13 11:33:00 +00:00

58 lines
2.1 KiB
Bash
Raw Blame History

#!/bin/sh
# IP blacklisting script for Linux servers
# Pawel Krawczyk https://keybase.io/kravietz
#
# This script should be installed as /etc/cron.daily/blacklist
# Emerging Threats lists offensive IPs such as botnet command servers
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
blocklist_chain_name=blocklists
if [ -z "$(which ipset)" ]; then
echo "Cannot find ipset"
echo "Run \"apt-get install ipset\" or \"yum install ipset\""
exit 1
fi
if [ -z "$(which curl)" ]; then
echo "Cannot find curl"
echo "Run \"apt-get install curl\" or \"yum install curl\""
exit 1
fi
# create main blocklists chain
if ! iptables -L | grep -q "Chain ${blocklist_chain_name}"; then iptables -N ${blocklist_chain_name}; fi
# inject references to blocklist in the beginning of input and forward chains
if ! iptables -L INPUT|grep -q ${blocklist_chain_name}; then
iptables -I INPUT 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
if ! iptables -L FORWARD|grep -q ${blocklist_chain_name}; then
iptables -I FORWARD 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
iptables -F ${blocklist_chain_name}
for url in $urls; do
tmp=$(mktemp)
tmp2=$(mktemp)
set_name=$(basename $url)
curl -s --compressed -k "$url" >"$tmp"
sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
ipset -! create ${set_name} hash:net
while read line; do
ipset -! add ${set_name} "$line"
done <"$tmp2"
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
# echo ${set_name} $(ipset list ${set_name} | wc -l)
rm "$tmp" "$tmp2"
done
Reference in New Issue View Git Blame Copy Permalink