Now using ipset, added more lists, researched and looked around for how to script it better. Now all will be able to wget from wizcraft (it blocked my VPS but not my local machine, so I suspect IP blocks are blocked by them); however there seems to be a lot of overlap between the addresses, so I don't think it will be an issue. Averages around ~47,000 IP addresses as opposed to the original couple thousand just from blocklist.de. Does not require Fail2Ban to work, just iptables, and of course iptables-persistent to keep changes.
This commit is contained in:
parent
6c808a5654
commit
39644bd29e
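--- a/conf/blocklist/blocklist
+++ b/conf/blocklist/blocklist
@@ -0,0 +1,46 @@
+#!/bin/bash
+IP_TMP=/tmp/ip.tmp
+IP_BLACKLIST=/etc/ip-blacklist.conf
+IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
+IP_BLACKLIST_CUSTOM=/etc/ip-blacklist-custom.conf # optional
+list="chinese nigerian russian lacnic exploited-servers"
+BLACKLISTS=(
+"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
+"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
+"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
+"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
+"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
+"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
+"http://www.openbl.org/lists/base.txt" # OpenBL.org 30 day List
+"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
+"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
+)
+for i in "${BLACKLISTS[@]}"
+do
+curl "$i" > $IP_TMP
+grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP
+done
+
+# This part may not work for everyone, it seems wizcraft doesn't allow all VPS wget access, but I am looking into it
+for i in `echo $list`; do
+# Download
+wget --quiet http://www.wizcrafts.net/$i-iptables-blocklist.html
+# Grep all but ip blocks
+cat $i-iptables-blocklist.html | grep -v \< | grep -v \: | grep -v \; | grep -v \# | grep [0-9] > $i.txt
+# Consolidate
+cat $i.txt >> $IP_BLACKLIST_TMP
+done
+
+sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST
+rm $IP_BLACKLIST_TMP
+wc -l $IP_BLACKLIST
+
+ipset flush blacklist
+egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip
+do
+ipset add blacklist $ip
+done
+
+# save IPtable rules
+iptables-save > /etc/iptables/rules.v4
+ip6tables-save > /etc/iptables/rules.v6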
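Review bot: Everything the feeds return is pushed straight into a DROP set with no sanity check, so a poisoned or mis-parsed list (all nine URLs plus the wizcrafts pages are fetched over plain http, and the wizcrafts loop keeps any line containing a digit once `<`, `:`, `;` and `#` lines are dropped) could blackhole the server's own address or add something like `0.0.0.0/0`, and because `ipset flush blacklist` runs before the entries are re-added one at a time, a failed download or a crash inside the loop would leave the firewall with an empty set. The fetch should at least fail loudly and time out, `curl -fsS --max-time 60 "$i" > "$IP_TMP"`, with scratch files from `mktemp` rather than fixed names under /tmp that a root cron job clobbers, and `$IP_BLACKLIST_TMP` should be truncated at the start since it is only ever appended to and removed near the end. The load should fill a scratch set and swap it in, rejecting entries that would block the host itself, as below; `ipset add -exist` also avoids the per-entry errors the current loop would hit when an address is listed both bare and as /32, which `sort | uniq` does not collapse.
```shell
# … unchanged: variables and list download loops …
sort "$IP_BLACKLIST_TMP" -n | uniq > "$IP_BLACKLIST"
rm "$IP_BLACKLIST_TMP"
wc -l "$IP_BLACKLIST"

# Fill a scratch set and swap it in, so a failed or empty download never leaves
# the live set flushed, and the reload is one atomic step instead of ~47k adds
# against an empty set.
ipset create blacklist_new hash:net -exist
ipset flush blacklist_new
egrep -v "^#|^$" "$IP_BLACKLIST" | while IFS= read -r ip
do
    # Drop entries that would blackhole the host itself: prefixes shorter than /8,
    # loopback and RFC1918 space. Feed contents are otherwise trusted as-is.
    case "$ip" in
        */[0-7]|0.*|10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) continue ;;
    esac
    ipset add -exist blacklist_new "$ip"
done
ipset swap blacklist_new blacklist
ipset destroy blacklist_new
# … unchanged: iptables-save / ip6tables-save …
```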
@ -1,86 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Update fail2ban iptables with globally known attackers.
|
||||
## Actually, runs 100% independently now, without needing fail2ban installed.
|
||||
##
|
||||
## /etc/cron.daily/sync-fail2ban
|
||||
##
|
||||
## Author: Marcos Kobylecki <fail2ban.globalBlackList@askmarcos.com>
|
||||
## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/
|
||||
|
||||
|
||||
## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES.
|
||||
#PROGRAM=/etc/init.d/fail2ban
|
||||
#[ -x $PROGRAM ] || exit 0
|
||||
|
||||
datadir=/etc/fail2ban
|
||||
[[ -d "$datadir" ]] || datadir=/tmp
|
||||
|
||||
## Get default settings of fail2ban (optional?)
|
||||
[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
|
||||
|
||||
umask 000
|
||||
blacklistf=$datadir/blacklist.blocklist.de.txt
|
||||
|
||||
mv -vf $blacklistf $blacklistf.last
|
||||
|
||||
badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt"
|
||||
|
||||
|
||||
iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does.
|
||||
|
||||
# Grab list(s) at https://www.blocklist.de/en/export.html . Block.
|
||||
echo "Adding new blocks:"
|
||||
time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \
|
||||
|sort -u \
|
||||
|tee $blacklistf \
|
||||
|grep -v '^#\|:' \
|
||||
|while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done
|
||||
|
||||
|
||||
|
||||
# Which listings had been removed since last time? Unblock.
|
||||
echo "Removing old blocks:"
|
||||
if [[ -r $blacklistf.diff ]]; then
|
||||
# comm is brittle, cannot use sort -rn
|
||||
time comm -23 $blacklistf.last $blacklistf \
|
||||
|tee $blacklistf.delisted \
|
||||
|grep -v '^#\|:' \
|
||||
|while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# prepare for next time.
|
||||
diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff
|
||||
|
||||
# save IPtable rules
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
ip6tables-save > /etc/iptables/rules.v6
|
||||
|
||||
|
||||
# Saves a copy of current iptables rules, should you like to check them later.
|
||||
(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log &
|
||||
|
||||
|
||||
exit
|
||||
|
||||
# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found
|
||||
# So weed out IPv6, try |grep -v ':'
|
||||
|
||||
## http://ix.io/fpC
|
||||
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: See jail.conf(5) man page
|
||||
# Values: CMD
|
||||
#
|
||||
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype># Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: See jail.conf(5) man page
|
||||
# Values: CMD
|
||||
#
|
||||
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
|
@ -7,9 +7,13 @@
|
||||
source setup/functions.sh # load our functions
|
||||
source /etc/mailinabox.conf # load global vars
|
||||
|
||||
cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban
|
||||
chmod a+x /etc/cron.daily/sync-fail2ban
|
||||
time /etc/cron.daily/sync-fail2ban
|
||||
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
|
||||
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
|
||||
apt_install iptables-persistent
|
||||
apt_install -y ipset
|
||||
ipset create blacklist hash:net
|
||||
iptables -I INPUT -m set --match-set blacklist src -j DROP
|
||||
cp conf/blocklist/blocklist /etc/cron.daily/blocklist
|
||||
chmod a+x /etc/cron.daily/blacklist
|
||||
time /etc/cron.daily/blacklist
|
||||
apt_install -y iptables-persistent
|
||||
echo "Blacklist has been installed. It will run daily automatically."
|
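Review bot: The cron script is copied to `/etc/cron.daily/blocklist`, but the next two lines operate on `/etc/cron.daily/blacklist`, so the installed file is never made executable (run-parts will skip it) and the initial `time` run targets a path that does not exist; both should read `chmod a+x /etc/cron.daily/blocklist` and `time /etc/cron.daily/blocklist`. `ipset create blacklist hash:net` and `iptables -I INPUT … -j DROP` are also not safe to re-run: a second setup pass fails on the already-existing set and stacks a duplicate DROP rule, so create with `-exist` and guard the insert with `iptables -C`. Nothing here saves the set itself: iptables-persistent reloads a rules.v4 that references `blacklist`, and if the set does not exist at boot that reload presumably fails and the host comes up without these rules until the daily job runs, so either dump the set with `ipset save` and restore it ahead of the rules, or document that gap. The enclosing setup script begins before this hunk, and whether the project's `apt_install` helper already passes `-y` (the earlier call does not) cannot be told from here.
```shell
# … unchanged: source lines, debconf selections …
apt_install -y ipset
ipset create blacklist hash:net -exist
# Insert the DROP rule only if it is not already present (setup may be re-run).
iptables -C INPUT -m set --match-set blacklist src -j DROP 2>/dev/null \
  || iptables -I INPUT -m set --match-set blacklist src -j DROP
cp conf/blocklist/blocklist /etc/cron.daily/blocklist
chmod a+x /etc/cron.daily/blocklist
time /etc/cron.daily/blocklist
# … unchanged: iptables-persistent install and final echo …
```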