JadedDragoon/badips-ipset.sh

## badips-ipset.sh
#!/bin/bash
# Script for blocking IPs which have been reported to www.badips.com
#   via ipsets.
#
# - THIS SCRIPT DOES NOT BLOCK ANYTHING -
# This script only updates ipsets with applicable data from
# badips.com. Actually blocking the ips in that ipset is left
# up to the user (so that you may do so however you prefer).
#
# Additionally, this script does not persist the ipsets through
# a restart. This is because most distros now provide a method of
# doing so and any attempt to do so in this script would create
# redundant/conflicting functionality.
#
# Exit Codes:
#   0 - success
#   1 - failure - no changes made
#   2 - failure - possible changes made, inconsistent state
#
#===============================================================================
# MIT License
#
# Copyright (c) 2020 Jeremy Cliff Armstrong
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#===============================================================================

# Location of ipset binary
bin=/sbin/ipset     # REQUIRED!

# This is how long ago at most an ip must have last been reported to
#   badips.com. Values follow the format ##a where '##' is some non-
#   zero positive number and 'a' is either h, d, w, m, or y for hours,
#   days, weeks, months, or years.
#
# NOTE: comment out for all results - not recommended
# NOTE2: this script should be executed more often than this value.
age=2w

# Block level (1-5):
#   0 - not so bad/false report
#   3 - confirmed bad
#   5 - quite aggressively bad
# (see www.badips.com)
level=3             # REQUIRED!

# Logged service or "any"
# (see www.badips.com/get/categories {JSON})
service=ssh         # REQUIRED!

# This is how long (in seconds) an ip will remain in the ipset after it
#   stops showing up in the configured badips query result. It should be
#   longer than the time between executions of this script (double, at
#   least) and long enough when combined with age above that occasional
#   offenders don't get removed from the ipset prematurely.
#
# IMPORTANT: this script should be executed more often than this setting.
# NOTE: IPs returned by badips.com which are already in the ipset will
#   have their timeouts reset to this value (if it is greater than the
#   existing timeout)
timeout=604800      # REQUIRED! - default is 7 days

# Name of ipset to use
ipset=badips        # REQUIRED!


##################
## BEGIN SCRIPT ##
##################

# required parameters
if [[ ! ${ipset} || ! ${timeout} || ! ${bin} || ! ${level} || ! ${service} ]]
then
    echo "$0: Required parameter is missing! Edit this file for further info." >&2
    exit 1
fi

### Test an IP address for validity:
# Usage:
#      valid_ip IP_ADDRESS
function valid_ip()
{
    local _tip=$1
    local _stat=1

    if [[ ${_tip} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        local _oifs=$IFS
        IFS='.'
        local _ipa=(${_tip})
        IFS=${_oifs}

        if [[
            (
                # Check that all sections are between (but not including) 0 and
                # 256.
                ${_ipa[0]} -lt 256 &&
                ${_ipa[1]} -lt 256 &&
                ${_ipa[2]} -lt 256 &&
                ${_ipa[3]} -lt 256 &&
                ${_ipa[0]} -gt 0
            ) && (
                # Check that ip address is not 10.x.x.x
                ${_ipa[0]} -ne 10
            ) && (
                # Check that ip address is not 192.168.x.x
                ${_ipa[0]} -ne 192 || ${_ipa[1]} -ne 168
            ) && (
                # Check that ip address is not 172.16.x.x - 172.31.x.x
                ${_ipa[0]} -ne 172 || (
                    ${_ipa[1]} -lt 16 || ${_ipa[1]} -gt 31
                )
            )
        ]]; then
            _stat=0
        fi
    fi

    return $_stat
}

### Query badips.com
# compile url
_url="https://www.badips.com/get/list/${service}/${level}"
if [ $age ]; then _url+="?age=${age}"; fi

# Get the bad IPs and store in an array
_badips=( $( wget -qO- "${_url}" ) ) || { echo "$0: Unable to download ip list from ${_url}." >&2; exit 1; }

### Setup our black list ###
# Create ipset if it does not exist
if ! ${bin} list ${ipset} -name 2>/dev/null >/dev/null
then
    ${bin} create ${ipset} hash:ip timeout ${timeout} -exist || { echo "$0: Unable to create ipset: ${ipset}" >&2; exit 2; }
fi

# Add all retrieved ips to $_ipset, updating the timeout on duplicates
for _ip in "${_badips[@]}"
do
    # validate first
    if ! valid_ip "${_ip}"
    then
        echo "Invalid IP Address (${_ip}) from BadIPs query. Report this to https://badips.com . Continuing..." >&2
        continue
    fi

    # add/update ipset
    $bin add ${ipset} "${_ip}" timeout ${timeout} -exist || { echo "$0: Unable to add ${_ip} to ${ipset}, exiting early." >&2; exit 2; }
done

exit 0
	#!/bin/bash
	# Script for blocking IPs which have been reported to www.badips.com
	# via ipsets.
	#
	# - THIS SCRIPT DOES NOT BLOCK ANYTHING -
	# This script only updates ipsets with applicable data from
	# badips.com. Actually blocking the ips in that ipset is left
	# up to the user (so that you may do so however you prefer).
	#
	# Additionally, this script does not persist the ipsets through
	# a restart. This is because most distros now provide a method of
	# doing so and any attempt to do so in this script would create
	# redundant/conflicting functionality.
	#
	# Exit Codes:
	# 0 - success
	# 1 - failure - no changes made
	# 2 - failure - possible changes made, inconsistent state
	#
	#===============================================================================
	# MIT License
	#
	# Copyright (c) 2020 Jeremy Cliff Armstrong
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in
	# all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	# SOFTWARE.
	#===============================================================================

	# Location of ipset binary
	bin=/sbin/ipset # REQUIRED!

	# This is how long ago at most an ip must have last been reported to
	# badips.com. Values follow the format ##a where '##' is some non-
	# zero positive number and 'a' is either h, d, w, m, or y for hours,
	# days, weeks, months, or years.
	#
	# NOTE: comment out for all results - not recommended
	# NOTE2: this script should be executed more often than this value.
	age=2w

	# Block level (1-5):
	# 0 - not so bad/false report
	# 3 - confirmed bad
	# 5 - quite aggressively bad
	# (see www.badips.com)
	level=3 # REQUIRED!

	# Logged service or "any"
	# (see www.badips.com/get/categories {JSON})
	service=ssh # REQUIRED!

	# This is how long (in seconds) an ip will remain in the ipset after it
	# stops showing up in the configured badips query result. It should be
	# longer than the time between executions of this script (double, at
	# least) and long enough when combined with age above that occasional
	# offenders don't get removed from the ipset prematurely.
	#
	# IMPORTANT: this script should be executed more often than this setting.
	# NOTE: IPs returned by badips.com which are already in the ipset will
	# have their timeouts reset to this value (if it is greater than the
	# existing timeout)
	timeout=604800 # REQUIRED! - default is 7 days

	# Name of ipset to use
	ipset=badips # REQUIRED!


	##################
	## BEGIN SCRIPT ##
	##################

	# required parameters
	if [[ ! ${ipset} \|\| ! ${timeout} \|\| ! ${bin} \|\| ! ${level} \|\| ! ${service} ]]
	then
	echo "$0: Required parameter is missing! Edit this file for further info." >&2
	exit 1
	fi

	### Test an IP address for validity:
	# Usage:
	# valid_ip IP_ADDRESS
	function valid_ip()
	{
	local _tip=$1
	local _stat=1

	if [[ ${_tip} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
	local _oifs=$IFS
	IFS='.'
	local _ipa=(${_tip})
	IFS=${_oifs}

	if [[
	(
	# Check that all sections are between (but not including) 0 and
	# 256.
	${_ipa[0]} -lt 256 &&
	${_ipa[1]} -lt 256 &&
	${_ipa[2]} -lt 256 &&
	${_ipa[3]} -lt 256 &&
	${_ipa[0]} -gt 0
	) && (
	# Check that ip address is not 10.x.x.x
	${_ipa[0]} -ne 10
	) && (
	# Check that ip address is not 192.168.x.x
	${_ipa[0]} -ne 192 \|\| ${_ipa[1]} -ne 168
	) && (
	# Check that ip address is not 172.16.x.x - 172.31.x.x
	${_ipa[0]} -ne 172 \|\| (
	${_ipa[1]} -lt 16 \|\| ${_ipa[1]} -gt 31
	)
	)
	]]; then
	_stat=0
	fi
	fi

	return $_stat
	}

	### Query badips.com
	# compile url
	_url="https://www.badips.com/get/list/${service}/${level}"
	if [ $age ]; then _url+="?age=${age}"; fi

	# Get the bad IPs and store in an array
	_badips=( $( wget -qO- "${_url}" ) ) \|\| { echo "$0: Unable to download ip list from ${_url}." >&2; exit 1; }

	### Setup our black list ###
	# Create ipset if it does not exist
	if ! ${bin} list ${ipset} -name 2>/dev/null >/dev/null
	then
	${bin} create ${ipset} hash:ip timeout ${timeout} -exist \|\| { echo "$0: Unable to create ipset: ${ipset}" >&2; exit 2; }
	fi

	# Add all retrieved ips to $_ipset, updating the timeout on duplicates
	for _ip in "${_badips[@]}"
	do
	# validate first
	if ! valid_ip "${_ip}"
	then
	echo "Invalid IP Address (${_ip}) from BadIPs query. Report this to https://badips.com . Continuing..." >&2
	continue
	fi

	# add/update ipset
	$bin add ${ipset} "${_ip}" timeout ${timeout} -exist \|\| { echo "$0: Unable to add ${_ip} to ${ipset}, exiting early." >&2; exit 2; }
	done

	exit 0