Go to file
2015-01-07 10:57:00 +00:00
blacklist.sh install into proper chains 2015-01-07 10:57:00 +00:00
firewall.user chmod +x 2015-01-07 10:30:05 +00:00
ipset-drop.sh add OSSEC active response script 2015-01-07 10:29:52 +00:00
LICENSE Initial commit 2014-10-01 12:13:57 +01:00
README.md update docs 2015-01-07 10:51:47 +00:00

blacklist-scripts

This is a collection of shell scripts that are intended to block Linux systems and OpenWRT routers from known sources of malicious traffic. These scripts use iptables with highly efficient ipset module to check incoming traffic against blacklists populated from publicly available sources.

Emerging Threats provides similar rules that essentially run iptables for each blacklisted IP which is extremely inefficient in case of large blacklists. Using ipset means using just one iptables rule to perform a very efficient lookup in hash structure created by ipset.

Block lists

By default the script will only load Emerging Threats and Blocklist.de collections. Others may be added by simply appending to the urls variable in the beginning of the script:

urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"

The script ignores empty lines or comments and will only extract anything that looks like an IP address (a.b.c.d) or CIDR subnet (a.b.c.d/nn). Each blacklist is loaded into a separate ipset collection so that logging unambigously identifies which blacklist blocked a packet.

OpenWRT

The script automatically detects OpenWRT environment (looking for uci) and will try to obtain the WAN interface name. The filtering will be then limited to WAN interface only.

Requirements:

  • opkg install ipset curl

Installation:

cp blacklist.sh /etc/firewall.user
echo "01 01 * * * sh /etc/firewall.user" >>/etc/crontabs/root

Manual run:

sh /etc/firewall.user

Linux

Requirements:

  • On Debian, Ubuntu and other apt systems: apt-get install ipset curl
  • On RedHat, Fedora, CentOS and other RPM systems: yum install ipset curl

Installation:

cp blacklist.sh /etc/cron.daily/blacklist

Manual run:

sh /etc/cron.daily/blacklist