From f054128a65fb38e7a0de6198602e3592b986de04 Mon Sep 17 00:00:00 2001
From: ChiefGyk <alon@ganon.me>
Date: Tue, 28 Jun 2016 16:12:16 -0400
Subject: [PATCH] added script

---
 install.sh    | 12 +++++++
 sync-fail2ban | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 install.sh
 create mode 100644 sync-fail2ban

diff --git a/install.sh b/install.sh
new file mode 100644
index 00000000..055d8dfb
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,12 @@
+# Add Blocklist.de malicious IP Addresses to Daily Crontab
+# Also IPtables-persistent to save IP addresses upon reboot
+# Added by Alon "ChiefGyk" Ganon
+cp sync-fail2ban /etc/cron.daily/sync-fail2ban
+chmod a+x /etc/cron.daily/sync-fail2ban
+time /etc/cron.daily/sync-fail2ban
+echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
+echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
+apt-get update
+apt-get install -y iptables-persistent
+iptables-save > /etc/iptables/rules.v4
+ip6tables-save > /etc/iptables/rules.v6
\ No newline at end of file
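Review bot: install.sh has no shebang and no `set -e`, yet every step depends on the previous one succeeding: `cp`/`chmod` into /etc/cron.daily and the `iptables-save` redirections need root, while only the two `debconf-set-selections` lines go through `sudo`, so run as an unprivileged user the copy fails silently and the script carries on to `apt-get`. I would open the file with `#!/usr/bin/env bash`, `set -euo pipefail` and `[[ $EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }`, and drop the `sudo` on the two debconf lines so the privilege model is one thing. The `time /etc/cron.daily/sync-fail2ban` run happens before `iptables-persistent` is installed; if that is intended so the autosave prompt captures the freshly built chain, a one-line comment saying so would stop the next reader from "fixing" the order.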
diff --git a/sync-fail2ban b/sync-fail2ban
new file mode 100644
index 00000000..2ae7be3f
--- /dev/null
+++ b/sync-fail2ban
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+##  Update fail2ban iptables with globally known attackers.
+##  Actually, runs 100% independently now, without needing fail2ban installed.
+##
+##  /etc/cron.daily/sync-fail2ban
+##
+## Author: Marcos Kobylecki <fail2ban.globalBlackList@askmarcos.com>
+## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/
+
+
+## Quit if fail2ban is missing.  Maybe this fake requirement can be skipped? YES.
+#PROGRAM=/etc/init.d/fail2ban
+#[ -x $PROGRAM ] || exit 0
+
+datadir=/etc/fail2ban
+[[ -d "$datadir" ]] || datadir=/tmp
+
+## Get default settings of fail2ban (optional?)
+[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
+
+umask 000
+blacklistf=$datadir/blacklist.blocklist.de.txt
+
+mv -vf  $blacklistf  $blacklistf.last
+
+badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt  http://lists.blocklist.de/lists/bruteforcelogin.txt"
+
+
+ iptables -vN fail2ban-ssh   # Create the chain if it doesn't exist. Harmless if it does.
+  
+# Grab list(s) at https://www.blocklist.de/en/export.html .  Block.
+echo "Adding new blocks:"
+ time  curl -s http://lists.blocklist.de/lists/ssh.txt  http://lists.blocklist.de/lists/bruteforcelogin.txt \
+  |sort -u \
+  |tee $blacklistf \
+  |grep -v '^#\|:' \
+  |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done 
+
+
+
+# Which listings had been removed since last time?  Unblock.
+echo "Removing old blocks:"
+if [[ -r  $blacklistf.diff ]]; then
+  #       comm  is brittle, cannot use sort -rn 
+ time  comm -23 $blacklistf.last  $blacklistf \
+   |tee $blacklistf.delisted \
+   |grep -v '^#\|:' \
+   |while read IP; do  iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done 
+
+fi
+
+
+# prepare for next time.
+	diff -wbay $blacklistf.last $blacklistf  > $blacklistf.diff 
+
+# save IPtable rules
+iptables-save > /etc/iptables/rules.v4
+ip6tables-save > /etc/iptables/rules.v6
+
+
+# Saves a copy of current iptables rules, should you like to check them later.
+(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log &
+
+
+exit 
+
+# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found
+# So weed out IPv6, try |grep -v ':' 
+
+## http://ix.io/fpC
+
+ 
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype># Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
\ No newline at end of file
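Review bot: The pipeline at the `curl` block passes every non-comment, colon-free line of a plain-HTTP download straight into `iptables -I fail2ban-ssh 1 -s $IP -j DROP`, with no check that the line is an IPv4 address at all, so a tampered or mis-served list (an HTML error page, or an entry such as `0.0.0.0/0`) becomes firewall rules; the same filter is reused in the delisting loop. Fetch over `https://` and replace `|grep -v '^#\|:' \` with a positive match such as `|grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \`, and use `while read -r IP; do iptables -I fail2ban-ssh 1 -s "$IP" -j DROP; done` so odd lines cannot split into extra arguments. `umask 000` combined with the `datadir=/tmp` fallback means root writes `blacklist.blocklist.de.txt` (and `.last`, `.diff`, `.delisted`) world-writable under a predictable name in a shared directory; keep the default umask and fail instead of falling back to /tmp, or use a dedicated `/var/lib` directory. `badlisturls` is defined but never used, and the `if [[ -r $blacklistf.diff ]]` guard gates the unblock step on a file that is only produced further down, which reads as an accident rather than a first-run check.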