Contents
Iptables – Blacklist IPs – linux.
Important!
Tested:
- Debian 7.8
- iptables v1.4.14
Install IPset.
sudo apt-get install ipset
sudo ipset create blacklist hash:net
Create auto-update script of ips database.
Download script for Debian/Ubuntu:
sudo wget "terminal28.com/wp-content/uploads/2015/04/update-blacklist.sh" -O /usr/local/bin/update-blacklist.sh
Script for other linux systems.
sudo nano /usr/local/bin/update-blacklist.sh
#!/bin/bash
IP_BLACKLIST_DIR=/etc/ipset-blacklist
IPSET_BLACKLIST_NAME=blacklist # change it if it collides with a pre-existing ipset list
IPSET_TMP_BLACKLIST_NAME=${IPSET_BLACKLIST_NAME}-tmp
IP_BLACKLIST_RESTORE=${IP_BLACKLIST_DIR}/ip-blacklist.restore
IP_BLACKLIST=${IP_BLACKLIST_DIR}/ip-blacklist.list
IP_BLACKLIST_CUSTOM=${IP_BLACKLIST_DIR}/ip-blacklist-custom.list # optional, for your personal nemeses (no typo, plural)
HASHSIZE=65536 # the initial hash size for the set. Don't touch unless you know what you're doing.
MAXELEM=65536 # the maximal number of elements which can be stored in the set
# List of URLs for IP blacklists. Currently, only IPv4 is supported in this script, everything else will be filtered.
BLACKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
"https://www.maxmind.com/en/anonymous-proxy-fraudulent-ip-address-list" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"http://www.openbl.org/lists/base.txt" # OpenBL.org 30 day List
"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
"http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt" # StopForumSpam
)
for command in ipset iptables egrep grep curl sort uniq wc
do
if ! which $command > /dev/null; then
echo "Error: please install $command"
exit 1
fi
done
if [ ! -d $IP_BLACKLIST_DIR ]; then
echo "Error: please create $IP_BLACKLIST_DIR directory"
exit 1
fi
if [ -f /etc/ip-blacklist.conf ]; then
echo "Error: please remove /etc/ip-blacklist.conf"
exit 1
fi
if [ -f /etc/ip-blacklist-custom.conf ]; then
echo "Error: please move /etc/ip-blacklist-custom.conf to the $IP_BLACKLIST_DIR directory and rename it to $IP_BLACKLIST_CUSTOM"
exit 1
fi
IP_BLACKLIST_TMP=$(mktemp)
for i in "${BLACKLISTS[@]}"
do
IP_TMP=$(mktemp)
HTTP_RC=`curl --connect-timeout 10 --max-time 10 -o $IP_TMP -s -w "%{http_code}" "$i"`
if [ $HTTP_RC -eq 200 -o $HTTP_RC -eq 302 ]; then
grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP
echo -n "."
else
echo -e "\nWarning: curl returned HTTP response code $HTTP_RC for URL $i"
fi
rm $IP_TMP
done
echo
sort $IP_BLACKLIST_TMP -n | uniq | sed -e '/^127.0.0.0\|127.0.0.1\|0.0.0.0/d' > $IP_BLACKLIST
rm $IP_BLACKLIST_TMP
echo "Number of blacklisted IP/networks found: `wc -l $IP_BLACKLIST | cut -d' ' -f1`"
echo "create $IPSET_TMP_BLACKLIST_NAME -exist hash:net family inet hashsize $HASHSIZE maxelem $MAXELEM" > $IP_BLACKLIST_RESTORE
echo "create $IPSET_BLACKLIST_NAME -exist hash:net family inet hashsize $HASHSIZE maxelem $MAXELEM" >> $IP_BLACKLIST_RESTORE
egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip
do
echo "add $IPSET_TMP_BLACKLIST_NAME $ip" >> $IP_BLACKLIST_RESTORE
done
if [ -f $IP_BLACKLIST_CUSTOM ]; then
egrep -v "^#|^$" $IP_BLACKLIST_CUSTOM | while IFS= read -r ip
do
echo "add $IPSET_TMP_BLACKLIST_NAME $ip" >> $IP_BLACKLIST_RESTORE
done
echo "Number of IP/networks in custom blacklist: `wc -l $IP_BLACKLIST_CUSTOM | cut -d' ' -f1`"
fi
echo "swap $IPSET_BLACKLIST_NAME $IPSET_TMP_BLACKLIST_NAME" >> $IP_BLACKLIST_RESTORE
echo "destroy $IPSET_TMP_BLACKLIST_NAME" >> $IP_BLACKLIST_RESTORE
ipset restore < $IP_BLACKLIST_RESTORE
Change permission.
sudo chmod +x /usr/local/bin/update-blacklist.sh
Configure Iptables.
Add ipset rule to iptables:
... ipset create blacklist hash:net iptables -I INPUT -m set --match-set blacklist src -j DROP ...
Configure cron.
sudo crontab -e
22 1 * * * /usr/local/bin/update-blacklist.sh
First run:
sudo /usr/local/bin/update-blacklist.sh
……….
Number of blacklisted IP/networks found: 44129
Source:
https://github.com/trick77/ipset-blacklist
Notice
Support my work by donation. Thank You.