Iptables – Blacklist IPs – linux.

[important]

Tested:

• Debian 7.8
• iptables v1.4.14

[/important]

Install IPset.

sudo apt-get install ipset

sudo ipset create blacklist hash:net

Create auto-update script of ips database.

Download script for Debian/Ubuntu:

sudo wget "terminal28.com/wp-content/uploads/2015/04/update-blacklist.sh" -O /usr/local/bin/update-blacklist.sh

Script for other linux systems.

sudo nano /usr/local/bin/update-blacklist.sh

#!/bin/bash
IP_BLACKLIST_DIR=/etc/ipset-blacklist
IPSET_BLACKLIST_NAME=blacklist # change it if it collides with a pre-existing ipset list
IPSET_TMP_BLACKLIST_NAME=${IPSET_BLACKLIST_NAME}-tmp
IP_BLACKLIST_RESTORE=${IP_BLACKLIST_DIR}/ip-blacklist.restore
IP_BLACKLIST=${IP_BLACKLIST_DIR}/ip-blacklist.list
IP_BLACKLIST_CUSTOM=${IP_BLACKLIST_DIR}/ip-blacklist-custom.list # optional, for your personal nemeses (no typo, plural)
HASHSIZE=65536 # the initial hash size for the set. Don't touch unless you know what you're doing.
MAXELEM=65536 # the maximal number of elements which can be stored in the set

# List of URLs for IP blacklists. Currently, only IPv4 is supported in this script, everything else will be filtered.
BLACKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
"https://www.maxmind.com/en/anonymous-proxy-fraudulent-ip-address-list" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"http://www.openbl.org/lists/base.txt"  # OpenBL.org 30 day List
"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
"http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt" # StopForumSpam
)

for command in ipset iptables egrep grep curl sort uniq wc
do
    if ! which $command > /dev/null; then
        echo "Error: please install $command"
        exit 1
    fi
done

if [ ! -d $IP_BLACKLIST_DIR ]; then
    echo "Error: please create $IP_BLACKLIST_DIR directory"
    exit 1
fi

if [ -f /etc/ip-blacklist.conf ]; then
    echo "Error: please remove /etc/ip-blacklist.conf"
    exit 1
fi

if [ -f /etc/ip-blacklist-custom.conf ]; then
    echo "Error: please move /etc/ip-blacklist-custom.conf to the $IP_BLACKLIST_DIR directory and rename it to $IP_BLACKLIST_CUSTOM"
    exit 1
fi

IP_BLACKLIST_TMP=$(mktemp)
for i in "${BLACKLISTS[@]}"
do
    IP_TMP=$(mktemp)
    HTTP_RC=`curl --connect-timeout 10 --max-time 10 -o $IP_TMP -s -w "%{http_code}" "$i"`
    if [ $HTTP_RC -eq 200 -o $HTTP_RC -eq 302 ]; then
        grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP
	echo -n "."
    else
        echo -e "\nWarning: curl returned HTTP response code $HTTP_RC for URL $i"
    fi
    rm $IP_TMP
done
echo
sort $IP_BLACKLIST_TMP -n | uniq | sed -e '/^127.0.0.0\|127.0.0.1\|0.0.0.0/d'  > $IP_BLACKLIST
rm $IP_BLACKLIST_TMP
echo "Number of blacklisted IP/networks found: `wc -l $IP_BLACKLIST | cut -d' ' -f1`"
echo "create $IPSET_TMP_BLACKLIST_NAME -exist hash:net family inet hashsize $HASHSIZE maxelem $MAXELEM" > $IP_BLACKLIST_RESTORE
echo "create $IPSET_BLACKLIST_NAME -exist hash:net family inet hashsize $HASHSIZE maxelem $MAXELEM" >> $IP_BLACKLIST_RESTORE

egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip
do
    echo "add $IPSET_TMP_BLACKLIST_NAME $ip" >> $IP_BLACKLIST_RESTORE
done

if [ -f $IP_BLACKLIST_CUSTOM ]; then
    egrep -v "^#|^$" $IP_BLACKLIST_CUSTOM | while IFS= read -r ip
    do
        echo "add $IPSET_TMP_BLACKLIST_NAME $ip" >> $IP_BLACKLIST_RESTORE
    done
    echo "Number of IP/networks in custom blacklist: `wc -l $IP_BLACKLIST_CUSTOM | cut -d' ' -f1`"
fi

echo "swap $IPSET_BLACKLIST_NAME $IPSET_TMP_BLACKLIST_NAME" >> $IP_BLACKLIST_RESTORE
echo "destroy $IPSET_TMP_BLACKLIST_NAME" >> $IP_BLACKLIST_RESTORE
ipset restore < $IP_BLACKLIST_RESTORE

Change permission.

sudo chmod +x /usr/local/bin/update-blacklist.sh

Configure Iptables.

Add ipset rule to iptables:

...
ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP
...

Configure cron.

sudo crontab -e

22 1 * * * /usr/local/bin/update-blacklist.sh

First run:

sudo /usr/local/bin/update-blacklist.sh

……….
Number of blacklisted IP/networks found: 44129

Source:

https://github.com/trick77/ipset-blacklist
[notice]
Support my work by donation. Thank You.

[/notice]

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International