From 39644bd29e95505f71b461f40a9f8c7468d5a4a2 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 09:32:16 -0400
Subject: [PATCH] Now using ipset, added more lists, resarched and looked around for how to script it better. Now all will be able to wget from wizcraft (blocked my VPS, but not local machine so I suspect IP blocks are blocked from them), however there seems to be a lot of overlap of the addresses so I don't think it will be an issue. Averages around ~47,000 IP addresses as opposed to the original couple thousand just from blocklist.de. Does not require Fail2Ban to work just iptables, and of course iptables-persistent to keep changes.
---
 conf/blocklist/blocklist | 46 +++++++++++++++++++
 conf/blocklist/sync-fail2ban | 86 ------------------------------------
 setup/blocklist.sh | 12 +++--
 3 files changed, 54 insertions(+), 90 deletions(-)
 create mode 100644 conf/blocklist/blocklist
 delete mode 100644 conf/blocklist/sync-fail2ban
diff --git a/conf/blocklist/blocklist b/conf/blocklist/blocklist
new file mode 100644
index 00000000..87c715bf
--- /dev/null
+++ b/conf/blocklist/blocklist
@@ -0,0 +1,46 @@
+#!/bin/bash
+IP_TMP=/tmp/ip.tmp
+IP_BLACKLIST=/etc/ip-blacklist.conf
+IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
+IP_BLACKLIST_CUSTOM=/etc/ip-blacklist-custom.conf # optional
+list="chinese nigerian russian lacnic exploited-servers"
+BLACKLISTS=(
+"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
+"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
+"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
+"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
+"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
+"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
+"http://www.openbl.org/lists/base.txt" # OpenBL.org 30 day List
+"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
+"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
+)
+for i in "${BLACKLISTS[@]}"
+do
+ curl "$i" > $IP_TMP
+ grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP
+done
+
+# This part may not work for everyone, it seems wizcraft doesn't allow all VPS wget access, but I am looking into it
+for i in `echo $list`; do
+ # Download
+ wget --quiet http://www.wizcrafts.net/$i-iptables-blocklist.html
+ # Grep all but ip blocks
+ cat $i-iptables-blocklist.html | grep -v \< | grep -v \: | grep -v \; | grep -v \# | grep [0-9] > $i.txt
+ # Consolidate
+ cat $i.txt >> $IP_BLACKLIST_TMP
+done
+
+sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST
+rm $IP_BLACKLIST_TMP
+wc -l $IP_BLACKLIST
+
+ipset flush blacklist
+egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip
+do
+ ipset add blacklist $ip
+done
+
+# save IPtable rules
+iptables-save > /etc/iptables/rules.v4
+ip6tables-save > /etc/iptables/rules.v6
\ No newline at end of file
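Review bot: `ipset flush blacklist` near the end of the hunk runs before anything has confirmed that a download succeeded, so a run in which every `curl`/`wget` fails (or the regex matches nothing) empties the live DROP set and the `iptables-save` that follows persists that state — the daily job fails open. Loading the new entries into a scratch set and `ipset swap`-ing it in only when `$IP_BLACKLIST` is non-empty keeps the previous list on a bad run, and feeding `ipset restore` one batch instead of forking `ipset add` per entry (~47,000 of them, per the commit message) makes the job far cheaper. Every feed and the wizcrafts pages are fetched over plain http, and anything matching `(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?` (or, for wizcrafts, any remaining line containing a digit) goes into the set unchecked, so a tampered or malformed feed can block arbitrarily large prefixes; use the https endpoints where the providers offer them and reject very short prefixes before loading. The fixed names `/tmp/ip.tmp` and `/tmp/ip-blacklist.tmp` are written by root on every run, and the latter is appended with `>>` but never truncated first, so an aborted run leaks stale entries into the next one; `mktemp` with a `trap` cleanup is the usual replacement, and the `$i-iptables-blocklist.html`/`$i.txt` files `wget` leaves in the working directory should be removed as well. `IP_BLACKLIST_CUSTOM` is defined but never read.
```shell
# … unchanged: feed download loops, sort | uniq into $IP_BLACKLIST …

# Load the new list into a scratch set and swap it in, so a run that
# downloads nothing keeps the previous list instead of emptying the DROP set.
if [ ! -s "$IP_BLACKLIST" ]; then
  echo "blocklist: no entries downloaded, keeping current set" >&2
  exit 1
fi
ipset -exist create blacklist_new hash:net
ipset flush blacklist_new
# drop comments/blank lines and any prefix shorter than /8 before loading
egrep -v "^#|^$" "$IP_BLACKLIST" \
  | awk -F/ '$2 == "" || $2 + 0 >= 8' \
  | sed 's/^/add blacklist_new /' \
  | ipset -exist restore || exit 1
ipset swap blacklist_new blacklist
ipset destroy blacklist_new

# … unchanged: iptables-save / ip6tables-save …
```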
diff --git a/conf/blocklist/sync-fail2ban b/conf/blocklist/sync-fail2ban
deleted file mode 100644
index 2ae7be3f..00000000
--- a/conf/blocklist/sync-fail2ban
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-
-## Update fail2ban iptables with globally known attackers.
-## Actually, runs 100% independently now, without needing fail2ban installed.
-##
-## /etc/cron.daily/sync-fail2ban
-##
-## Author: Marcos Kobylecki
-## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/
-
-
-## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES.
-#PROGRAM=/etc/init.d/fail2ban
-#[ -x $PROGRAM ] || exit 0
-
-datadir=/etc/fail2ban
-[[ -d "$datadir" ]] || datadir=/tmp
-
-## Get default settings of fail2ban (optional?)
-[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
-
-umask 000
-blacklistf=$datadir/blacklist.blocklist.de.txt
-
-mv -vf $blacklistf $blacklistf.last
-
-badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt"
-
-
- iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does.
-
-# Grab list(s) at https://www.blocklist.de/en/export.html . Block.
-echo "Adding new blocks:"
- time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \
- |sort -u \
- |tee $blacklistf \
- |grep -v '^#\|:' \
- |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done
-
-
-
-# Which listings had been removed since last time? Unblock.
-echo "Removing old blocks:"
-if [[ -r $blacklistf.diff ]]; then
- # comm is brittle, cannot use sort -rn
- time comm -23 $blacklistf.last $blacklistf \
- |tee $blacklistf.delisted \
- |grep -v '^#\|:' \
- |while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done
-
-fi
-
-
-# prepare for next time.
- diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff
-
-# save IPtable rules
-iptables-save > /etc/iptables/rules.v4
-ip6tables-save > /etc/iptables/rules.v6
-
-
-# Saves a copy of current iptables rules, should you like to check them later.
-(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log &
-
-
-exit
-
-# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found
-# So weed out IPv6, try |grep -v ':'
-
-## http://ix.io/fpC
-
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = iptables -D fail2ban- -s -j
\ No newline at end of file
diff --git a/setup/blocklist.sh b/setup/blocklist.sh
index 4bfef8e6..add7a64a 100644
--- a/setup/blocklist.sh
+++ b/setup/blocklist.sh
@@ -7,9 +7,13 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
-cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban
-chmod a+x /etc/cron.daily/sync-fail2ban
-time /etc/cron.daily/sync-fail2ban
 echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
 echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
-apt_install iptables-persistent
+apt_install -y ipset
+ipset create blacklist hash:net
+iptables -I INPUT -m set --match-set blacklist src -j DROP
+cp conf/blocklist/blocklist /etc/cron.daily/blocklist
+chmod a+x /etc/cron.daily/blacklist
+time /etc/cron.daily/blacklist
+apt_install -y iptables-persistent
+echo "Blacklist has been installed. It will run daily automatically."
\ No newline at end of file
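Review bot: The script is installed as `/etc/cron.daily/blocklist` by the `cp` line, but the `chmod a+x` and `time` lines that follow target `/etc/cron.daily/blacklist`, so the copy is never made executable (run-parts skips non-executable files) and the initial run fails on a missing path; the three lines should agree on one name, e.g. `chmod a+x /etc/cron.daily/blocklist` and `time /etc/cron.daily/blocklist`. `ipset create blacklist hash:net` and the `iptables -I INPUT …` line are unguarded, so re-running setup aborts on the already-existing set and stacks a duplicate DROP rule each time; `ipset -exist create blacklist hash:net` and `iptables -C INPUT -m set --match-set blacklist src -j DROP || iptables -I INPUT -m set --match-set blacklist src -j DROP` make them idempotent. The saved `rules.v4` now references the set, but nothing in this change persists or recreates the set before iptables-persistent restores rules at boot, so the restore will presumably fail until the daily job has run — worth confirming on a reboot and, if so, creating the set from a boot-time hook too. Whether `apt_install` (defined in setup/functions.sh, outside this hunk) accepts `-y` as an argument cannot be told from here.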