Skip to content

Instantly share code, notes, and snippets.

@ixs
Created November 27, 2015 14:02
Show Gist options
  • Save ixs/48d1cb36d156e8a93cab to your computer and use it in GitHub Desktop.
Save ixs/48d1cb36d156e8a93cab to your computer and use it in GitHub Desktop.
Download a public blocklist of SSH brute scanning hosts and drop their connection attempts via firewalld
#!/bin/sh
curl -s http://lists.blocklist.de/lists/ssh.txt > /tmp/ssh-ips.txt
if [ "$1" == "--force" ]; then
firewall-cmd --direct --remove-chain ipv4 filter AUTO_BLACKLIST
firewall-cmd --direct --add-chain ipv4 filter AUTO_BLACKLIST
fi
# Create Chains if not available already
(firewall-cmd --direct --query-chain ipv4 filter AUTO_BLACKLIST || \
firewall-cmd --direct --add-chain ipv4 filter AUTO_BLACKLIST
firewall-cmd --direct --query-rule ipv4 filter INPUT_direct 0 -m tcp -p tcp --dport 22 -j AUTO_BLACKLIST || \
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m tcp -p tcp --dport 22 -j AUTO_BLACKLIST
) > /dev/null
/usr/sbin/iptables -L AUTO_BLACKLIST -n | awk '/^DROP / { print $4 }' > /tmp/ip_ssh_blocked
i=0
for src in $(cat /tmp/ssh-ips.txt); do
# Deactivated for now, as it doubles execution time. Just grep the iptables dump from earlier.
# firewall-cmd --direct --query-rule ipv4 filter AUTO_BLACKLIST 10 -s $src -j DROP
grep -q "^$src\$" /tmp/ip_ssh_blocked
if [ $? -ne 0 ]; then
firewall-cmd --direct --add-rule ipv4 filter AUTO_BLACKLIST 10 -s $src -j DROP > /dev/null
i=$(($i + 1))
fi
done
echo $i hosts added
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment