Skip to content

Instantly share code, notes, and snippets.

@jult
Last active March 7, 2020 15:41
Show Gist options
  • Save jult/e2087274f27933ce8574cf6d34ec5cd1 to your computer and use it in GitHub Desktop.
Save jult/e2087274f27933ce8574cf6d34ec5cd1 to your computer and use it in GitHub Desktop.
iptables blocklist script (using ipset hash..)
#!/bin/bash
IP_TMP=/tmp/ip.tmp
IP_BLACKLIST=/etc/ip-blacklist.conf
IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
IP_BLACKLIST_CUSTOM=/etc/ip-blacklist-custom.conf # optional
list="chinese nigerian russian lacnic exploited-servers"
BLACKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
# "http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes, who would refuse those accessing your server?
# "http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"http://rules.emergingthreats.net/blockrules/rbn-ips.txt" # Emerging Threats - Russian Business Networks List
# "http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP) This one once mistakenly blocked my own ISP..
# "http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"http://www.openbl.org/lists/base.txt" # OpenBL.org 30 day List
#"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
)
for i in "${BLACKLISTS[@]}"
do
curl "$i" > $IP_TMP
grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLACKLIST_TMP
done
for i in `echo $list`; do
# Download
wget --quiet http://www.wizcrafts.net/$i-iptables-blocklist.html
# Grep out all but ip blocks
cat $i-iptables-blocklist.html | grep -v \< | grep -v \: | grep -v \; | grep -v \# | grep [0-9] > $i.txt
# Consolidate blocks into master list
cat $i.txt >> $IP_BLACKLIST_TMP
done
sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST
rm $IP_BLACKLIST_TMP
wc -l $IP_BLACKLIST
ipset flush blacklist
egrep -v "^#|^$" $IP_BLACKLIST | while IFS= read -r ip
do
ipset add blacklist $ip
done
@jult
Copy link
Author

jult commented Nov 9, 2016

# AutoShun list
# Details: https://www.autoshun.org
AUTOSHUN|86400|0|https://www.autoshun.org/download/?api_key= [get your own api key] &format=csv

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|0|http://www.dshield.org/block.txt

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# OpenBL.org 30 day List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.openbl.org
OPENBL|86400|0|https://www.openbl.org/lists/base_30days.txt

# GreenSnow Hack List
# Details: http://greensnow.co
GREENSNOW|86400|0|http://blocklist.greensnow.co/greensnow.txt

# bl.blocklist.de tail!
BLBLDE|30000|0|http://api.blocklist.de/getlast.php?time=30000

# Emerging Threats - Russian Business Networks List
# Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
RBN|86400|0|http://rules.emergingthreats.net/blockrules/rbn-ips.txt

@newspeer
Copy link

newspeer commented Jan 2, 2017

I think wizcrafts.net can't be used with wget anymore. Wget shows an 503 error code, but you can still access the website via browser.

Edit: Just a wild guess. I think the author has blocked some or most server-hoster ip-ranges to sell the iptable-lists.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment