
Added DShield to automatically block the top 20 malicious IP blocks each day. It is merged into the blacklist script, which will run in cron.daily, so ipset blocks the majority of the addresses from the lists and iptables applies the blocks.

This commit is contained in:
ChiefGyk 2016-06-29 18:33:09 -04:00
parent 61780b8ae7
commit 9b3a158b72
2 changed files with 63 additions and 1 deletions


@ -1,4 +1,9 @@
#!/bin/bash #!/bin/bash
IPTABLES=/sbin/iptables
URL=http://feeds.dshield.org/block.txt
FILE=/tmp/dshield_block.text
CHAIN=dshield
IP_TMP=/tmp/ip.tmp IP_TMP=/tmp/ip.tmp
IP_BLACKLIST=/etc/ip-blacklist.conf IP_BLACKLIST=/etc/ip-blacklist.conf
IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
@ -40,6 +45,63 @@ do
ipset add blacklist $ip ipset add blacklist $ip
done done
# Written by Onder Vincent Koc
# @url: https://github.com/koconder/dshield_automatic_iptables
# @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist
#
# Dshield Automatic Import to iptables
# Import Dshield Blocklist in a basic shell script which will run silently via cron
# and also use a seprate chain file to support other iptables rules without flushing
# i.e. fail2ban and ddosdeflate
# check to see if the chain already exists
$IPTABLES -L $CHAIN -n
# check to see if the chain already exists
if [ $? -eq 0 ]; then
# flush the old rules
$IPTABLES -F $CHAIN
echo "Flushed old rules. Applying updated dshield list...."
else
# create a new chain set
$IPTABLES -N $CHAIN
# tie chain to input rules so it runs
$IPTABLES -A INPUT -j $CHAIN
# don't allow this traffic through
$IPTABLES -A FORWARD -j $CHAIN
echo "Chain not detected. Creating new chain and adding dshield list...."
fi;
# get a copy of the spam list
wget -qc $URL -O $FILE
blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n)
for IP in $blocklist
do
# add the ip address log rule to the chain
$IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10
# add the ip address to the chain
$IPTABLES -A $CHAIN -p 0 -s $IP -j DROP
echo $IP
done
echo "Done!"
# remove the spam list
unlink $FILE
# Persistence # Persistence
ipset save > /etc/ipset.up.rules ipset save > /etc/ipset.up.rules
iptables-save > /etc/iptables.up.rules iptables-save > /etc/iptables.up.rules
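Review bot: The dshield chain is flushed (`$IPTABLES -F $CHAIN`) before the feed is fetched (`wget -qc $URL -O $FILE`), and neither the download nor the parsed result is checked, so a failed, empty or unreachable feed leaves the chain flushed and empty — every previously blocked range is let through until the next daily run; fetch and validate first, and only then touch the chain. `FILE=/tmp/dshield_block.text` is a fixed name in a world-writable directory that root overwrites with `wget -O`, and `-c` would resume onto a file that is already there rather than replace it, so the path should come from `mktemp` and `-c` should be dropped (the older `IP_TMP`/`IP_BLACKLIST_TMP` context lines have the same pattern). Each `$IP` token is passed straight to `iptables -s` without checking that it looks like an IPv4 prefix, so a malformed feed line becomes a malformed rule; a cheap `case` filter before the two `-A` calls avoids that. As a style point, `$IPTABLES -L $CHAIN -n` prints the whole chain listing to stdout (cron mail) on every run and the `$?` test afterwards is clearer as `if $IPTABLES -L "$CHAIN" -n >/dev/null 2>&1; then`.
```shell
# fetch and validate the list before touching the chain, so a failed
# download cannot leave the dshield chain flushed and empty
FILE=$(mktemp) || exit 1
trap 'rm -f -- "$FILE"' EXIT
if ! wget -q "$URL" -O "$FILE"; then
	echo "dshield: download of $URL failed, keeping existing rules" >&2
	exit 1
fi
blocklist=$(awk '/^[0-9]/ {print $1"/"$3}' "$FILE" | sort -n)
if [ -z "$blocklist" ]; then
	echo "dshield: empty blocklist, keeping existing rules" >&2
	exit 1
fi

if $IPTABLES -L "$CHAIN" -n >/dev/null 2>&1; then
	$IPTABLES -F "$CHAIN"
else
	# … unchanged: chain creation and INPUT/FORWARD hooks …
fi

for IP in $blocklist; do
	# skip anything that is not a plain IPv4 prefix before it reaches iptables
	case "$IP" in
		*[!0-9./]*|*/|/*) continue ;;
	esac
	$IPTABLES -A "$CHAIN" -p 0 -s "$IP" -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10
	$IPTABLES -A "$CHAIN" -p 0 -s "$IP" -j DROP
done
# … unchanged: persistence (ipset save / iptables-save) …
```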


@ -25,7 +25,7 @@ CHOICE=$(dialog --clear \
clear clear
case $CHOICE in case $CHOICE in
1) 1)
echo "Bombing China" echo "Ok Mr. Trump"
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
cp conf/blacklist/china /etc/cron.weekly/china cp conf/blacklist/china /etc/cron.weekly/china