From 10aef791d73487286aab89f41dc2fb55024fc5d2 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 17:49:54 -0400
Subject: [PATCH 1/7] dshield
---
 dshield | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 dshield
diff --git a/dshield b/dshield
new file mode 100644
index 00000000..d0fc8f7c
--- /dev/null
+++ b/dshield
@@ -0,0 +1,54 @@
+#!/bin/bash
+##
+## Add the top 20 IP blocks that have been reported by DShield
+##
+## /etc/cron.daily/dshield
+##
+## Author: Alon "ChiefGyk" Ganon
+## https://alonganon.info
+## alon@ganon.me
+
+datadir=/tmp
+
+## Get default settings of fail2ban (optional?)
+[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
+
+umask 000
+blacklistf=$datadir/dshield.txt
+
+mv -vf $blacklistf $blacklistf.last
+
+badlisturls="http://feeds.dshield.org/block.txt"
+
+# Create the chain if it doesn't exist. Harmless if it does.
+ iptables -vN dshield
+
+# Grab list(s) at http://feeds.dshield.org/block.txt . Block.
+echo "Adding new blocks:"
+ curl -s http://feeds.dshield.org/block.txt \
|sort -u \
|tee $blacklistf \
|grep -v '^#\|:' \
|while read IP; do iptables -I dshield 1 -s $IP -j DROP; done
+
+
+
+# Which listings had been removed since last time? Unblock.
+echo "Removing old blocks:"
+if [[ -r $blacklistf.diff ]]; then
+ # comm is brittle, cannot use sort -rn
+ time comm -23 $blacklistf.last $blacklistf \
|tee $blacklistf.delisted \
|grep -v '^#\|:' \
|while read IP; do iptables -w -D dshield -s $IP -j DROP || iptables -wv -D dshield -s $IP -j LOGDROP; done
+
+fi
+
+
+# prepare for next time.
+ diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff
+
+# save IPtable rules
+iptables-save > /etc/iptables.up.rules
+
+exit
\ No newline at end of file
From 06f4a1d55cbcda28e3405729129cc76316077489 Mon Sep 17 00:00:00 2001
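Review bot: The `dshield` chain is created with `iptables -vN dshield` but nothing in this file links it from INPUT or FORWARD, so the DROP rules inserted into it are never consulted; add `iptables -C INPUT -j dshield 2>/dev/null || iptables -I INPUT 1 -j dshield` after the `-N`. The `while read IP` loop hands the whole feed line to `-s $IP` unquoted, and the later rewrite's `awk '{print $1"/"$3}'` shows the rows carry several fields, so iptables receives extra arguments instead of one `start/prefix` value. Building root-run firewall rules from an unauthenticated `http://` fetch written through fixed-name files in `/tmp` under `umask 000` lets an on-path attacker or any local user pick which ranges the host drops; use `mktemp` and leave the umask alone. The `LOGDROP` target in the delist branch is never defined in this file, so that fallback `-D` cannot succeed.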
From: ChiefGyk
Date: Wed, 29 Jun 2016 17:54:21 -0400
Subject: [PATCH 2/7] changing IPtable settings
---
 dshield | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dshield b/dshield
index d0fc8f7c..43b07ba1 100644
--- a/dshield
+++ b/dshield
@@ -29,7 +29,7 @@ echo "Adding new blocks:"
 |sort -u \
 |tee $blacklistf \
 |grep -v '^#\|:' \
- |while read IP; do iptables -I dshield 1 -s $IP -j DROP; done
+ |while read IP; do iptables -A dshield -p tcp -s $IP -j DROP; done
From 4286eff0bde38201625adaa66babce7d706dafa5 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 17:55:36 -0400
Subject: [PATCH 3/7] changing IPtable settings
---
 dshield | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 dshield
diff --git a/dshield b/dshield
old mode 100644
new mode 100755
From fe8acc8e4447061ada7148ab1ad40aa3aa823343 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 18:13:18 -0400
Subject: [PATCH 4/7] trying to get the blacklist and dshield merged
---
 conf/dshield | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 dshield | 54 ------------------------------------------
 install.sh | 3 +++
 3 files changed, 70 insertions(+), 54 deletions(-)
 create mode 100644 conf/dshield
 delete mode 100755 dshield
diff --git a/conf/dshield b/conf/dshield
new file mode 100644
index 00000000..a96d3fd5
--- /dev/null
+++ b/conf/dshield
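Review bot: Restricting the rule to `-p tcp` means UDP, ICMP and everything else from the listed ranges now passes, which is a narrower block than a source-address blocklist normally intends; unless TCP-only is deliberate, keep `-A dshield -s $IP -j DROP` without the protocol match. The delist branch elsewhere in this file (visible in patch 1) still removes with `-D dshield -s $IP -j DROP` and no `-p tcp`, so it will no longer match the rules this line creates and old ranges will never be unblocked. `$IP` is still unquoted and still holds the entire feed line rather than a single address. The pipeline this line belongs to starts before the hunk.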
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Written by Onder Vincent Koc
+# @url: https://github.com/koconder/dshield_automatic_iptables
+# @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist
+#
+# Dshield Automatic Import to iptables
+# Import Dshield Blocklist in a basic shell script which will run silently via cron
+# and also use a seprate chain file to support other iptables rules without flushing
+# i.e. fail2ban and ddosdeflate
+
+# path to iptables
+IPTABLES="/sbin/iptables";
+
+# list of known spammers
+URL="http://feeds.dshield.org/block.txt";
+
+# save local copy here
+FILE="/tmp/dshield_block.text";
+
+# iptables custom chain
+CHAIN="dshield";
+
+# check to see if the chain already exists
+$IPTABLES -L $CHAIN -n
+
+# check to see if the chain already exists
+if [ $? -eq 0 ]; then
+
+ # flush the old rules
+ $IPTABLES -F $CHAIN
+
+ echo "Flushed old rules. Applying updated dsheild list...."
+
+else
+
+ # create a new chain set
+ $IPTABLES -N $CHAIN
+
+ # tie chain to input rules so it runs
+ $IPTABLES -A INPUT -j $CHAIN
+
+ # don't allow this traffic through
+ $IPTABLES -A FORWARD -j $CHAIN
+
+ echo "Chain not detected. Creating new chain and adding dsheild list...."
+
+fi;
+
+# get a copy of the spam list
+wget -qc $URL -O $FILE
+
+blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n)
+for IP in $blocklist
+do
+ # add the ip address log rule to the chain
+ $IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dsheild BLOCK]" -m limit --limit 3/min --limit-burst 10
+
+ # add the ip address to the chain
+ $IPTABLES -A $CHAIN -p 0 -s $IP -j DROP
+
+ echo $IP
+done
+
+echo "Done!"
+
+# remove the spam list
+unlink $FILE
diff --git a/dshield b/dshield
deleted file mode 100755
index 43b07ba1..00000000
--- a/dshield
+++ /dev/null
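Review bot: The chain is flushed with `$IPTABLES -F $CHAIN` before the feed is fetched, so a failed or empty `wget` leaves the host with an empty dshield chain until the next cron run; move the `wget` line above the chain check and follow it with `[ -s "$FILE" ] || exit 1` so the previous rules survive a bad download. `FILE` is a fixed name in world-writable `/tmp` and `wget -c` will, as far as I can tell, continue an existing file of that name, so a local user who pre-creates `/tmp/dshield_block.text` can seed ranges into a root-run firewall; use `FILE=$(mktemp)` and drop `-c`. The feed is pulled over plain `http://` with no integrity check, which lets an on-path attacker choose what this host drops. `$IPTABLES -A INPUT -j $CHAIN` appends the jump after whatever INPUT rules already exist, so an earlier ACCEPT would shadow the blocklist; `-I INPUT 1` is the usual placement, though the surrounding ruleset is not visible here.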
@@ -1,54 +0,0 @@
-#!/bin/bash
-##
-## Add the top 20 IP blocks that have been reported by DShield
-##
-## /etc/cron.daily/dshield
-##
-## Author: Alon "ChiefGyk" Ganon
-## https://alonganon.info
-## alon@ganon.me
-
-datadir=/tmp
-
-## Get default settings of fail2ban (optional?)
-[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
-
-umask 000
-blacklistf=$datadir/dshield.txt
-
-mv -vf $blacklistf $blacklistf.last
-
-badlisturls="http://feeds.dshield.org/block.txt"
-
-# Create the chain if it doesn't exist. Harmless if it does.
- iptables -vN dshield
-
-# Grab list(s) at http://feeds.dshield.org/block.txt . Block.
-echo "Adding new blocks:"
- curl -s http://feeds.dshield.org/block.txt \
|sort -u \
|tee $blacklistf \
|grep -v '^#\|:' \
|while read IP; do iptables -A dshield -p tcp -s $IP -j DROP; done
-
-
-
-# Which listings had been removed since last time? Unblock.
-echo "Removing old blocks:"
-if [[ -r $blacklistf.diff ]]; then
- # comm is brittle, cannot use sort -rn
- time comm -23 $blacklistf.last $blacklistf \
|tee $blacklistf.delisted \
|grep -v '^#\|:' \
|while read IP; do iptables -w -D dshield -s $IP -j DROP || iptables -wv -D dshield -s $IP -j LOGDROP; done
-
-fi
-
-
-# prepare for next time.
- diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff
-
-# save IPtable rules
-iptables-save > /etc/iptables.up.rules
-
-exit
\ No newline at end of file
diff --git a/install.sh b/install.sh
index 0c0d9d08..ad272cbf 100755
--- a/install.sh
+++ b/install.sh
@@ -21,6 +21,9 @@ cp conf/blacklist /etc/cron.daily/blacklist
 chmod a+x /etc/cron.daily/blacklist
 time /etc/cron.daily/blacklist
 source conf/dialog.sh
+#cp conf/dshield /etc/cron.daily/dshield
+#chmod +x /etc/cron.daily/dshield
+#time /etc/cron.daily/blacklist
 iptables-save > /etc/iptables.up.rules
 sed -i -e "\$apre-up ipset restore < /etc/ipset.up.rules" /etc/network/interfaces
 sed -i -e "\$apre-up iptables-restore < /etc/iptables.up.rules" /etc/network/interfaces
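Review bot: The three added lines in `install.sh` are commented out, so this hunk installs nothing and only leaves dead code behind; either drop them or enable them. If they are meant to be enabled, the third is wrong as written: `#time /etc/cron.daily/blacklist` would re-run the blacklist job rather than the file just copied, and should read `time /etc/cron.daily/dshield` to match the two lines above it. Commented-out code in an installer tends to get switched on later without review, so if it must stay, a one-line comment saying why it is disabled would help.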
From b9a9b46707ec5707e28644fb4eea7642985c9129 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 18:23:46 -0400
Subject: [PATCH 5/7] merging dshield and blacklist cron together
---
 conf/blacklist | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/conf/blacklist b/conf/blacklist
index b34f3fe8..0a3b88b0 100644
--- a/conf/blacklist
+++ b/conf/blacklist
@@ -1,5 +1,9 @@
 # I found this script somewhere a long time ago and modified it
 #!/bin/bash
+IPTABLES=/sbin/iptables
+URL=http://feeds.dshield.org/block.txt
+FILE=/tmp/dshield_block.text
+CHAIN=dshield
 IP_TMP=/tmp/ip.tmp
 IP_BLACKLIST=/etc/ip-blacklist.conf
 IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
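Review bot: `FILE=/tmp/dshield_block.text` is a fixed, predictable path in a world-writable directory that this root-run cron script later writes and then reads back to build firewall rules, so a local user can pre-create it; prefer `FILE=$(mktemp /tmp/dshield_block.XXXXXX)` and remove it on exit. `URL=http://feeds.dshield.org/block.txt` fetches the blocklist in the clear with no integrity check, so the ranges this host drops are whatever an on-path party says they are; if the feed is served over TLS, use `https://` here. Unrelated but visible in the context: `#!/bin/bash` sits on line 2 under a comment, so it is not an interpreter line at all and the script runs under whatever shell cron happens to invoke it with.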
@@ -42,5 +46,63 @@ do
 ipset add blacklist $ip
 done
+# Written by Onder Vincent Koc
+# @url: https://github.com/koconder/dshield_automatic_iptables
+# @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist
+#
+# Dshield Automatic Import to iptables
+# Import Dshield Blocklist in a basic shell script which will run silently via cron
+# and also use a seprate chain file to support other iptables rules without flushing
+# i.e. fail2ban and ddosdeflate
+
+
+
+# check to see if the chain already exists
+$IPTABLES -L $CHAIN -n
+
+# check to see if the chain already exists
+if [ $? -eq 0 ]; then
+
+ # flush the old rules
+ $IPTABLES -F $CHAIN
+
+ echo "Flushed old rules. Applying updated dshield list...."
+
+else
+
+ # create a new chain set
+ $IPTABLES -N $CHAIN
+
+ # tie chain to input rules so it runs
+ $IPTABLES -A INPUT -j $CHAIN
+
+ # don't allow this traffic through
+ $IPTABLES -A FORWARD -j $CHAIN
+
+ echo "Chain not detected. Creating new chain and adding dshield list...."
+
+fi;
+
+# get a copy of the spam list
+wget -qc $URL -O $FILE
+
+blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n)
+for IP in $blocklist
+do
+ # add the ip address log rule to the chain
+ $IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10
+
+ # add the ip address to the chain
+ $IPTABLES -A $CHAIN -p 0 -s $IP -j DROP
+
+ echo $IP
+done
+
+echo "Done!"
+
+# remove the spam list
+unlink $FILE
+
+# Persistence
 ipset save > /etc/ipset.up.rules
 iptables-save > /etc/iptables.up.rules
\ No newline at end of file
From 66a542d66660c0b00197f3055dc283c9842b4dab Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 18:27:01 -0400
Subject: [PATCH 6/7] dialog fix
---
 conf/dialog.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/conf/dialog.sh b/conf/dialog.sh
index 02f83569..983679fb 100755
--- a/conf/dialog.sh
+++ b/conf/dialog.sh
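Review bot: The merged block flushes the dshield chain before `wget` runs, so a failed or empty download leaves the host with no dshield rules until the next daily run, and `wget -c` onto the fixed `/tmp/dshield_block.text` will, as far as I can tell, resume whatever already sits there; fetch into a fresh `mktemp` file first, verify it is non-empty, and only then flush and repopulate. `$IPTABLES -L $CHAIN -n` also prints the whole chain to stdout on every cron run, which ends up in cron mail; redirect it with `>/dev/null 2>&1`. `$IPTABLES -A INPUT -j $CHAIN` lands after any existing INPUT rules, so an earlier blanket ACCEPT would mean the blocklist is never reached — `-I INPUT 1` is the usual placement, though the rest of the ruleset is not visible here. The rewrite below keeps the per-range LOG/DROP pair and the persistence lines as they are.
```shell
# … unchanged: dshield variables and ipset blacklist above …

# Fetch first: a failed or empty download must not leave the chain empty.
FILE=$(mktemp /tmp/dshield_block.XXXXXX) || exit 1
trap 'rm -f -- "$FILE"' EXIT
wget -q "$URL" -O "$FILE" || { echo "dshield: download failed, keeping old rules" >&2; exit 1; }
[ -s "$FILE" ] || { echo "dshield: empty feed, keeping old rules" >&2; exit 1; }

if $IPTABLES -L "$CHAIN" -n >/dev/null 2>&1; then
  $IPTABLES -F "$CHAIN"
else
  $IPTABLES -N "$CHAIN"
  $IPTABLES -I INPUT 1 -j "$CHAIN"
  $IPTABLES -I FORWARD 1 -j "$CHAIN"
fi

awk '/^[0-9]/ {print $1"/"$3}' "$FILE" | sort -n | while read -r IP; do
  # … unchanged: LOG rule with -m limit, then DROP …
done
# … unchanged: persistence (ipset save / iptables-save) …
```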
@@ -51,5 +51,6 @@ case $CHOICE in
 time /etc/cron.weekly/sinokorea
 apt-get install -y iptables-persistent
 ;;
- 4) break;;
+ 4) echo "doing nothing"
+ ;;
 esac
\ No newline at end of file
From 86a504713e7a341d6a9d2db543db895f9d2ce608 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 18:36:55 -0400
Subject: [PATCH 7/7] added dshield
---
 README.md | 2 ++
 conf/dshield | 67 ----------------------------------------------------
 2 files changed, 2 insertions(+), 67 deletions(-)
 delete mode 100644 conf/dshield
diff --git a/README.md b/README.md
index 178545ad..34966d5b 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ Tested on Ubuntu 14.04LTS for my own servers, so please test on your own systems
 I have also added the capability to block all Chinese and/or Korean IP Addresses as a good number of spam and malicious activity are linked to them. Towards the end after ipset has added thousands of IP addresses, a dialog will appear giving the option to choose if you want to block China, Korea, both, or neither. Simply select the option you desire and it will take care of the rest. The Korean and/or Chinese addresses will only update weekly, as it blocks entire IP blocks off assigned to the country/countries you have chosen. I may add more countries down the line if need be. + +The latest addition in 2.2 is it looks up Dshields top 20 blocks of IP addresses that are malicious, and blocks them daily. It has been merged into the /etc/cron.daily/blacklist created prior. The Dshield script was originally found at https://github.com/koconder/dshield_automatic_iptables + Simply run this once, and that's it. sudo ./install.sh alon@ganon.me
diff --git a/conf/dshield b/conf/dshield
deleted file mode 100644
index a96d3fd5..00000000
--- a/conf/dshield
+++ /dev/null
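Review bot: `echo "doing nothing"` is a placeholder that prints during the install; the idiomatic no-op for a `case` arm is `4) : ;;` (or simply `4) ;;`). Since `$CHOICE` presumably comes from a dialog prompt that can return an empty value on cancel or Escape, the `case` should also carry a `*)` arm so an unexpected value does not silently behave like "do nothing"; something like `*) echo "unknown choice: $CHOICE" >&2 ;;`. The `case` statement this arm belongs to starts before the hunk.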
@@ -1,67 +0,0 @@
-#!/bin/bash
-# Written by Onder Vincent Koc
-# @url: https://github.com/koconder/dshield_automatic_iptables
-# @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist
-#
-# Dshield Automatic Import to iptables
-# Import Dshield Blocklist in a basic shell script which will run silently via cron
-# and also use a seprate chain file to support other iptables rules without flushing
-# i.e. fail2ban and ddosdeflate
-
-# path to iptables
-IPTABLES="/sbin/iptables";
-
-# list of known spammers
-URL="http://feeds.dshield.org/block.txt";
-
-# save local copy here
-FILE="/tmp/dshield_block.text";
-
-# iptables custom chain
-CHAIN="dshield";
-
-# check to see if the chain already exists
-$IPTABLES -L $CHAIN -n
-
-# check to see if the chain already exists
-if [ $? -eq 0 ]; then
-
- # flush the old rules
- $IPTABLES -F $CHAIN
-
- echo "Flushed old rules. Applying updated dsheild list...."
-
-else
-
- # create a new chain set
- $IPTABLES -N $CHAIN
-
- # tie chain to input rules so it runs
- $IPTABLES -A INPUT -j $CHAIN
-
- # don't allow this traffic through
- $IPTABLES -A FORWARD -j $CHAIN
-
- echo "Chain not detected. Creating new chain and adding dsheild list...."
-
-fi;
-
-# get a copy of the spam list
-wget -qc $URL -O $FILE
-
-blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n)
-for IP in $blocklist
-do
- # add the ip address log rule to the chain
- $IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dsheild BLOCK]" -m limit --limit 3/min --limit-burst 10
-
- # add the ip address to the chain
- $IPTABLES -A $CHAIN -p 0 -s $IP -j DROP
-
- echo $IP
-done
-
-echo "Done!"
-
-# remove the spam list
-unlink $FILE