# I found this script somewhere a long time ago and modified it #!/bin/bash IPTABLES=/sbin/iptables URL=http://feeds.dshield.org/block.txt FILE=/tmp/dshield_block.text CHAIN=dshield IP_TMP=/tmp/ip.tmp IP_BLACKLIST=/etc/ip-blacklist.conf IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp IP_BLACKLIST_CUSTOM=/etc/ip-blacklist-custom.conf # optional BLACKLISTS=( # Project Honey Pot Directory of Dictionary Attacker IPs "http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # TOR Exit Nodes "http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # BruteForceBlocker "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # Spamhaus "http://www.spamhaus.org/drop/drop.lasso" # C.I. Army "http://cinsscore.com/list/ci-badguys.txt" # OpenBL.org "http://www.openbl.org/lists/base.txt" # Autoshun "http://www.autoshun.org/files/shunlist.csv" # Blocklist.de "http://lists.blocklist.de/lists/all.txt" # Malware Domain List "https://www.malwaredomainlist.com/hostslist/ip.txt" # ZeusTracker "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" ) for i in "${BLACKLISTS[@]}" do curl "$i" > $IP_TMP grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP done sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST rm $IP_BLACKLIST_TMP wc -l $IP_BLACKLIST ipset flush blacklist egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip do ipset add blacklist $ip done # Written by Onder Vincent Koc # @url: https://github.com/koconder/dshield_automatic_iptables # @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist # # Dshield Automatic Import to iptables # Import Dshield Blocklist in a basic shell script which will run silently via cron # and also use a seprate chain file to support other iptables rules without flushing # i.e. fail2ban and ddosdeflate # check to see if the chain already exists $IPTABLES -L $CHAIN -n # check to see if the chain already exists if [ $? -eq 0 ]; then # flush the old rules $IPTABLES -F $CHAIN echo "Flushed old rules. Applying updated dshield list...." else # create a new chain set $IPTABLES -N $CHAIN # tie chain to input rules so it runs $IPTABLES -A INPUT -j $CHAIN # don't allow this traffic through $IPTABLES -A FORWARD -j $CHAIN echo "Chain not detected. Creating new chain and adding dshield list...." fi; # get a copy of the spam list wget -qc $URL -O $FILE blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n) for IP in $blocklist do # add the ip address log rule to the chain $IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10 # add the ip address to the chain $IPTABLES -A $CHAIN -p 0 -s $IP -j DROP echo $IP done echo "Done!" # remove the spam list unlink $FILE # Persistence ipset save > /etc/ipset.up.rules iptables-save > /etc/iptables.up.rules