diff --git a/conf/blocklist/blocklist b/conf/blocklist/blocklist new file mode 100644 index 00000000..87c715bf --- /dev/null +++ b/conf/blocklist/blocklist @@ -0,0 +1,46 @@ +#!/bin/bash +IP_TMP=/tmp/ip.tmp +IP_BLACKLIST=/etc/ip-blacklist.conf +IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp +IP_BLACKLIST_CUSTOM=/etc/ip-blacklist-custom.conf # optional +list="chinese nigerian russian lacnic exploited-servers" +BLACKLISTS=( +"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs +"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes +"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies +"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List +"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP) +"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List +"http://www.openbl.org/lists/base.txt" # OpenBL.org 30 day List +"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List +"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers +) +for i in "${BLACKLISTS[@]}" +do + curl "$i" > $IP_TMP + grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP +done + +# This part may not work for everyone, it seems wizcraft doesn't allow all VPS wget access, but I am looking into it +for i in `echo $list`; do + # Download + wget --quiet http://www.wizcrafts.net/$i-iptables-blocklist.html + # Grep all but ip blocks + cat $i-iptables-blocklist.html | grep -v \< | grep -v \: | grep -v \; | grep -v \# | grep [0-9] > $i.txt + # Consolidate + cat $i.txt >> $IP_BLACKLIST_TMP +done + +sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST +rm $IP_BLACKLIST_TMP +wc -l $IP_BLACKLIST + +ipset flush blacklist +egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip +do + ipset add blacklist $ip +done + +# save IPtable rules +iptables-save > /etc/iptables/rules.v4 +ip6tables-save > /etc/iptables/rules.v6 \ No newline at end of file diff --git a/conf/blocklist/sync-fail2ban b/conf/blocklist/sync-fail2ban deleted file mode 100644 index 2ae7be3f..00000000 --- a/conf/blocklist/sync-fail2ban +++ /dev/null @@ -1,86 +0,0 @@ -#!/bin/bash - -## Update fail2ban iptables with globally known attackers. -## Actually, runs 100% independently now, without needing fail2ban installed. -## -## /etc/cron.daily/sync-fail2ban -## -## Author: Marcos Kobylecki -## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/ - - -## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES. -#PROGRAM=/etc/init.d/fail2ban -#[ -x $PROGRAM ] || exit 0 - -datadir=/etc/fail2ban -[[ -d "$datadir" ]] || datadir=/tmp - -## Get default settings of fail2ban (optional?) -[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban - -umask 000 -blacklistf=$datadir/blacklist.blocklist.de.txt - -mv -vf $blacklistf $blacklistf.last - -badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt" - - - iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does. - -# Grab list(s) at https://www.blocklist.de/en/export.html . Block. -echo "Adding new blocks:" - time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \ - |sort -u \ - |tee $blacklistf \ - |grep -v '^#\|:' \ - |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done - - - -# Which listings had been removed since last time? Unblock. -echo "Removing old blocks:" -if [[ -r $blacklistf.diff ]]; then - # comm is brittle, cannot use sort -rn - time comm -23 $blacklistf.last $blacklistf \ - |tee $blacklistf.delisted \ - |grep -v '^#\|:' \ - |while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done - -fi - - -# prepare for next time. - diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff - -# save IPtable rules -iptables-save > /etc/iptables/rules.v4 -ip6tables-save > /etc/iptables/rules.v6 - - -# Saves a copy of current iptables rules, should you like to check them later. -(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log & - - -exit - -# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found -# So weed out IPv6, try |grep -v ':' - -## http://ix.io/fpC - - -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionunban = iptables -D fail2ban- -s -j \ No newline at end of file diff --git a/setup/blocklist.sh b/setup/blocklist.sh index 4bfef8e6..add7a64a 100644 --- a/setup/blocklist.sh +++ b/setup/blocklist.sh @@ -7,9 +7,13 @@ source setup/functions.sh # load our functions source /etc/mailinabox.conf # load global vars -cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban -chmod a+x /etc/cron.daily/sync-fail2ban -time /etc/cron.daily/sync-fail2ban echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections -apt_install iptables-persistent +apt_install -y ipset +ipset create blacklist hash:net +iptables -I INPUT -m set --match-set blacklist src -j DROP +cp conf/blocklist/blocklist /etc/cron.daily/blocklist +chmod a+x /etc/cron.daily/blacklist +time /etc/cron.daily/blacklist +apt_install -y iptables-persistent +echo "Blacklist has been installed. It will run daily automatically." \ No newline at end of file