#!/bin/bash ## Update fail2ban iptables with globally known attackers. ## Actually, runs 100% independently now, without needing fail2ban installed. ## ## /etc/cron.daily/sync-fail2ban ## ## Author: Marcos Kobylecki ## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/ ## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES. #PROGRAM=/etc/init.d/fail2ban #[ -x $PROGRAM ] || exit 0 datadir=/etc/fail2ban [[ -d "$datadir" ]] || datadir=/tmp ## Get default settings of fail2ban (optional?) [ -r /etc/default/fail2ban ] && . /etc/default/fail2ban umask 000 blacklistf=$datadir/blacklist.blocklist.de.txt mv -vf $blacklistf $blacklistf.last badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt" iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does. # Grab list(s) at https://www.blocklist.de/en/export.html . Block. echo "Adding new blocks:" time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \ |sort -u \ |tee $blacklistf \ |grep -v '^#\|:' \ |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done # Which listings had been removed since last time? Unblock. echo "Removing old blocks:" if [[ -r $blacklistf.diff ]]; then # comm is brittle, cannot use sort -rn time comm -23 $blacklistf.last $blacklistf \ |tee $blacklistf.delisted \ |grep -v '^#\|:' \ |while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done fi # prepare for next time. diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff # Saves a copy of current iptables rules, should you like to check them later. (set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log & exit # iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found # So weed out IPv6, try |grep -v ':' ## http://ix.io/fpC # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = iptables -D fail2ban- -s -j