-
-
Save jacanales/661eaa818c025f460ba339b181985e2b to your computer and use it in GitHub Desktop.
Block globally reported hack attempts using your local iptables firewall rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
## Update fail2ban iptables with globally known attackers. | |
## Actually, runs 100% independently now, without needing fail2ban installed. | |
## | |
## /etc/cron.daily/sync-fail2ban | |
## | |
## Author: Marcos Kobylecki <fail2ban.globalBlackList@askmarcos.com> | |
## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/ | |
## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES. | |
#PROGRAM=/etc/init.d/fail2ban | |
#[ -x $PROGRAM ] || exit 0 | |
datadir=/etc/fail2ban | |
[[ -d "$datadir" ]] || datadir=/tmp | |
## Get default settings of fail2ban (optional?) | |
[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban | |
umask 000 | |
blacklistf=$datadir/blacklist.blocklist.de.txt | |
mv -vf $blacklistf $blacklistf.last | |
badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt" | |
iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does. | |
# Grab list(s) at https://www.blocklist.de/en/export.html . Block. | |
echo "Adding new blocks:" | |
time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \ | |
|sort -u \ | |
|tee $blacklistf \ | |
|grep -v '^#\|:' \ | |
|while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done | |
# Which listings had been removed since last time? Unblock. | |
echo "Removing old blocks:" | |
if [[ -r $blacklistf.diff ]]; then | |
# comm is brittle, cannot use sort -rn | |
time comm -23 $blacklistf.last $blacklistf \ | |
|tee $blacklistf.delisted \ | |
|grep -v '^#\|:' \ | |
|while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done | |
fi | |
# prepare for next time. | |
diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff | |
# Saves a copy of current iptables rules, should you like to check them later. | |
(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log & | |
exit | |
# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found | |
# So weed out IPv6, try |grep -v ':' | |
## http://ix.io/fpC | |
# Option: actionban | |
# Notes.: command executed when banning an IP. Take care that the | |
# command is executed with Fail2Ban user rights. | |
# Tags: See jail.conf(5) man page | |
# Values: CMD | |
# | |
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype># Option: actionunban | |
# Notes.: command executed when unbanning an IP. Take care that the | |
# command is executed with Fail2Ban user rights. | |
# Tags: See jail.conf(5) man page | |
# Values: CMD | |
# | |
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment