#!/bin/bash IPTABLES=/sbin/iptables URL=http://feeds.dshield.org/block.txt FILE=/tmp/dshield_block.text CHAIN=dshield IP_TMP=/tmp/ip.tmp IP_BLACKLIST=/etc/ip-blacklist.conf IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp BLACKLISTS=( # Project Honey Pot Directory of Dictionary Attacker IPs "http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # TOR Exit Nodes this will block all access to Tor "http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # BruteForceBlocker "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # Spamhaus "http://www.spamhaus.org/drop/drop.lasso" # C.I. Army "http://cinsscore.com/list/ci-badguys.txt" # OpenBL.org "http://www.openbl.org/lists/base.txt" # Autoshun "http://www.autoshun.org/files/shunlist.csv" # Blocklist.de "http://lists.blocklist.de/lists/all.txt" # Malware Domain List "https://www.malwaredomainlist.com/hostslist/ip.txt" # ZeusTracker "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" # malc0de IP blacklist "http://malc0de.com/bl/IP_Blacklist.txt" ) for i in "${BLACKLISTS[@]}" do curl "$i" > $IP_TMP grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP done sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST rm $IP_BLACKLIST_TMP wc -l $IP_BLACKLIST ipset flush blacklist egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip do ipset add blacklist $ip done # Written by Onder Vincent Koc # @url: https://github.com/koconder/dshield_automatic_iptables # @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist # # Dshield Automatic Import to iptables # Import Dshield Blocklist in a basic shell script which will run silently via cron # and also use a seprate chain file to support other iptables rules without flushing # i.e. fail2ban and ddosdeflate # some modifications by Alon Ganon (alon@ganon.me) # check to see if the chain already exists $IPTABLES -L $CHAIN -n # check to see if the chain already exists if [ $? -eq 0 ]; then # flush the old rules $IPTABLES -F $CHAIN echo "Flushed old rules..." else # create a new chain set $IPTABLES -N $CHAIN # tie chain to input rules so it runs $IPTABLES -A INPUT -j $CHAIN # don't allow this traffic through $IPTABLES -A FORWARD -j $CHAIN echo "Chain not detected. Creating new chain and adding dshield list...." fi; # get a copy of the spam list wget -qc $URL -O $FILE blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n) for IP in $blocklist do # add the ip address log rule to the chain $IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10 # add the ip address to the chain $IPTABLES -A $CHAIN -p 0 -s $IP -j DROP echo $IP done echo "Done!" # remove the spam list unlink $FILE /etc/init.d/iptables-persistent save