external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-21 03:02:09 +00:00
Code Issues Releases Wiki Activity

Now using ipset, added more lists, resarched and looked around for how to script it better. Now all will be able to wget from wizcraft (blocked my VPS, but not local machine so I suspect IP blocks are blocked from them), however there seems to be a lot of overlap of the addresses so I don't think it will be an issue. Averages around ~47,000 IP addresses as opposed to the original couple thousand just from blocklist.de. Does not require Fail2Ban to work just iptables, and of course iptables-persistent to keep changes.

Browse Source
This commit is contained in:
ChiefGyk 2016-06-29 09:32:16 -04:00
parent 6c808a5654
commit 39644bd29e
3 changed files with 54 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
conf/blocklist/blocklist Normal file
View File

@ -0,0 +1,46 @@
#!/bin/bash
IP_TMP=/tmp/ip.tmp
IP_BLACKLIST=/etc/ip-blacklist.conf
IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
IP_BLACKLIST_CUSTOM=/etc/ip-blacklist-custom.conf # optional
list="chinese nigerian russian lacnic exploited-servers"
BLACKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"http://www.openbl.org/lists/base.txt" # OpenBL.org 30 day List
"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
)
for i in "${BLACKLISTS[@]}"
do
curl "$i" > $IP_TMP
grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP
done
# This part may not work for everyone, it seems wizcraft doesn't allow all VPS wget access, but I am looking into it
for i in `echo $list`; do
# Download
wget --quiet http://www.wizcrafts.net/$i-iptables-blocklist.html
# Grep all but ip blocks
cat $i-iptables-blocklist.html | grep -v \< | grep -v \: | grep -v \; | grep -v \# | grep [0-9] > $i.txt
# Consolidate
cat $i.txt >> $IP_BLACKLIST_TMP
done
sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST
rm $IP_BLACKLIST_TMP
wc -l $IP_BLACKLIST
ipset flush blacklist
egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip
do
ipset add blacklist $ip
done
# save IPtable rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

86
conf/blocklist/sync-fail2ban
View File

@ -1,86 +0,0 @@
#!/bin/bash
## Update fail2ban iptables with globally known attackers.
## Actually, runs 100% independently now, without needing fail2ban installed.
##
## /etc/cron.daily/sync-fail2ban
##
## Author: Marcos Kobylecki <fail2ban.globalBlackList@askmarcos.com>
## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/
## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES.
#PROGRAM=/etc/init.d/fail2ban
#[ -x $PROGRAM ] || exit 0
datadir=/etc/fail2ban
[[ -d "$datadir" ]] || datadir=/tmp
## Get default settings of fail2ban (optional?)
[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
umask 000
blacklistf=$datadir/blacklist.blocklist.de.txt
mv -vf $blacklistf $blacklistf.last
badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt"
iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does.
# Grab list(s) at https://www.blocklist.de/en/export.html . Block.
echo "Adding new blocks:"
time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \
|sort -u \
|tee $blacklistf \
|grep -v '^#\|:' \
|while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done
# Which listings had been removed since last time? Unblock.
echo "Removing old blocks:"
if [[ -r $blacklistf.diff ]]; then
# comm is brittle, cannot use sort -rn
time comm -23 $blacklistf.last $blacklistf \
|tee $blacklistf.delisted \
|grep -v '^#\|:' \
|while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done
fi
# prepare for next time.
diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff
# save IPtable rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Saves a copy of current iptables rules, should you like to check them later.
(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log &
exit
# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found
# So weed out IPv6, try |grep -v ':'
## http://ix.io/fpC
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype># Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

12
setup/blocklist.sh
View File

@ -7,9 +7,13 @@
source setup/functions.sh # load our functions source setup/functions.sh # load our functions
source /etc/mailinabox.conf # load global vars source /etc/mailinabox.conf # load global vars
cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban
chmod a+x /etc/cron.daily/sync-fail2ban
time /etc/cron.daily/sync-fail2ban
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt_install iptables-persistent apt_install -y ipset
ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP
cp conf/blocklist/blocklist /etc/cron.daily/blocklist
chmod a+x /etc/cron.daily/blacklist
time /etc/cron.daily/blacklist
apt_install -y iptables-persistent
echo "Blacklist has been installed. It will run daily automatically."