From ed8881afc94ec5800a6f41e869468a247229af20 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 09:05:39 -0400
Subject: [PATCH] double checking lists
---
 README.md | 2 ++
 blacklist | 7 ++---
 install.sh | 3 ++
 sync-fail2ban | 86 ---------------------------------------------------
 4 files changed, 8 insertions(+), 90 deletions(-)
 delete mode 100644 sync-fail2ban
diff --git a/README.md b/README.md
index 6965b89b..b29e7fbe 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@ blocklist-installer
 This will install a cron to run daily and pull lists from https://blocklist.de to block malicious IP addresses. Adding around ~20,000 or more IP addresses per day, all voluntarily and freely contributed through people with Fail2Ban accounts. If setting up Fail2Ban I suggest you help contribute to blocklist.de. Script is pretty self explanatory it prepares IPTables persistence, and the cron tab. Simply run as root and it will do the work for you. + +2.0 has been rewritten with help from some research to use IPset and far more tables and lists resourced. Please do not run this more than once per day, per server. Tested on Ubuntu 14.04LTS alon@ganon.me https://alonganon.info
\ No newline at end of file
diff --git a/blacklist b/blacklist
index 5bda6f2b..7a102262 100644
--- a/blacklist
+++ b/blacklist
@@ -1,5 +1,4 @@
 #!/bin/bash
-# Found here
 IP_TMP=/tmp/ip.tmp
 IP_BLACKLIST=/etc/ip-blacklist.conf
 IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
@@ -10,7 +9,7 @@ BLACKLISTS=(
 "http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
 "http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
 "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
-"http://rules.emergingthreats.net/blockrules/rbn-ips.txt" # Emerging Threats - Russian Business Networks List
+#"http://rules.emergingthreats.net/blockrules/rbn-ips.txt" # Emerging Threats - Russian Business Networks List
 "http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
 "http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
 "http://www.openbl.org/lists/base.txt" # OpenBL.org 30 day List
@@ -25,9 +24,9 @@ done
 for i in `echo $list`; do
 # Download
 wget --quiet http://www.wizcrafts.net/$i-iptables-blocklist.html
- # Grep out all but ip blocks
+ # Grep all but ip blocks
 cat $i-iptables-blocklist.html | grep -v \< | grep -v \: | grep -v \; | grep -v \# | grep [0-9] > $i.txt
- # Consolidate blocks into master list
+ # Consolidate
 cat $i.txt >> $IP_BLACKLIST_TMP
 done
diff --git a/install.sh b/install.sh
index 29cae284..0dd88a63 100755
--- a/install.sh
+++ b/install.sh
@@ -1,6 +1,7 @@
 # Add Blocklist.de malicious IP Addresses to Daily Crontab
 # Also IPtables-persistent to save IP addresses upon reboot
 # Added by Alon "ChiefGyk" Ganon
+# alonganon.info
 # alon@ganon.me
 # Are we running as root?
@@ -16,7 +17,9 @@ echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-
 apt-get update
 apt-get install -y ipset
 ipset create blacklist hash:net
+iptables -I INPUT -m set --match-set blacklist src -j DROP
 cp blacklist /etc/cron.daily/blacklist
 chmod a+x /etc/cron.daily/blacklist
 time /etc/cron.daily/blacklist
 apt-get install -y iptables-persistent
+echo "Blacklist has been installed. It will run daily automatically."
diff --git a/sync-fail2ban b/sync-fail2ban
deleted file mode 100644
index 608a919a..00000000
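Review bot: The Emerging Threats RBN entry in BLACKLISTS is commented out with no note on why, so a later maintainer cannot tell whether the list is retired, the URL is dead, or it produced false positives (the commit message "double checking lists" does not say either); a reason on the line would settle it, e.g. `#"http://rules.emergingthreats.net/blockrules/rbn-ips.txt" # Emerging Threats - Russian Business Networks List (disabled: <reason>)`. If the list is being retired for good, deleting the line is clearer than leaving a commented-out entry inside the array. The BLACKLISTS array opens before this hunk. Separately, every remaining entry is a plain-http URL whose contents end up in the DROP set, so the sources are worth revisiting for https where the provider offers it.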
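Review bot: The reworded comment `# Grep all but ip blocks` now says the opposite of what the pipeline below it does — the chain of `grep -v` calls drops tag, colon, semicolon and `#` lines and keeps only lines containing a digit, so the old wording was the accurate one; something like `# Keep only the lines that look like IP blocks (drop tags and comments)` would be clearer than either. Likewise `# Consolidate` lost the part that said what is consolidated into what; `# Append this list to the master blacklist tmp file` keeps that. On the `cat ... | grep [0-9] > $i.txt` line, the unquoted `[0-9]` is a shell glob and would be replaced by a matching filename if one existed in the working directory, so `grep '[0-9]'` is the safe spelling. The `for i in` loop's `$list` is assigned before this hunk.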
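Review bot: This hunk shows install.sh has no shebang — old line 1 is the `# Add Blocklist.de ...` comment — while the index line marks the file mode 100755 and the README says to run it as root, so which interpreter actually runs it depends on the invoking shell's fallback when the kernel refuses the file. Adding `#!/bin/bash` as the first line, above the comment block this hunk extends, makes that explicit.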
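Review bot: The new `iptables -I INPUT -m set --match-set blacklist src -j DROP` line is not idempotent — every run of install.sh inserts another copy of the rule at the top of INPUT (and `ipset create blacklist hash:net` on the line above errors on a second run because the set already exists), which is presumably why the README asks not to run it more than once; check before inserting, e.g. `iptables -C INPUT -m set --match-set blacklist src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set blacklist src -j DROP`, and `ipset create -exist blacklist hash:net`. Nothing in the visible part of the file stops on failure either: no `set -e` appears in the header hunk and none of the apt-get/ipset/iptables lines carries an `|| exit`, so the script continues past a failed `ipset create` and the final `echo` reports success regardless. The rule and set are IPv4-only; whether the blacklist script also feeds an IPv6 set is not visible here, but the ip6tables side is left unprotected as written.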
--- a/sync-fail2ban
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-
-## Update fail2ban iptables with globally known attackers.
-## Actually, runs 100% independently now, without needing fail2ban installed.
-##
-## /etc/cron.daily/sync-fail2ban
-##
-## Author: Marcos Kobylecki
-## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/
-
-
-## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES.
-#PROGRAM=/etc/init.d/fail2ban
-#[ -x $PROGRAM ] || exit 0
-
-datadir=/etc/fail2ban
-[[ -d "$datadir" ]] || datadir=/tmp
-
-## Get default settings of fail2ban (optional?)
-[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
-
-umask 000
-blacklistf=$datadir/blacklist.blocklist.de.txt
-
-mv -vf $blacklistf $blacklistf.last
-
-badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt https://lists.blocklist.de/lists/all.txt"
-
-
- iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does.
-
-# Grab list(s) at https://www.blocklist.de/en/export.html . Block.
-echo "Adding new blocks:"
- time curl -s https://lists.blocklist.de/lists/all.txt \
- |sort -u \
- |tee $blacklistf \
- |grep -v '^#\|:' \
- |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done
-
-
-
-# Which listings had been removed since last time? Unblock.
-echo "Removing old blocks:"
-if [[ -r $blacklistf.diff ]]; then
- # comm is brittle, cannot use sort -rn
- time comm -23 $blacklistf.last $blacklistf \
- |tee $blacklistf.delisted \
- |grep -v '^#\|:' \
- |while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done
-
-fi
-
-
-# prepare for next time.
- diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff
-
-# save IPtable rules
-iptables-save > /etc/iptables/rules.v4
-ip6tables-save > /etc/iptables/rules.v6
-
-
-# Saves a copy of current iptables rules, should you like to check them later.
-(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log &
-
-
-exit
-
-# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found
-# So weed out IPv6, try |grep -v ':'
-
-## http://ix.io/fpC
-
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = iptables -D fail2ban- -s -j
\ No newline at end of file