@kuzmik
Last active December 22, 2017 16:17
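#!/bin/bash
# The fuckfaces ipset will hold any ip that appears to be portscanning or brute forcing ssh connections.
#
# Addresses are taken only from the "from <ip>" field that sshd writes, never
# from the rest of the line: the username in "Invalid user ..." and the text
# sshd quotes in "Bad protocol ..." come from the remote client, so an
# unanchored IP regex would let a client decide which address gets blocked.
set -euo pipefail

readonly BLOCK_SET=fuckfaces
readonly IPV4_RE='[0-9]{1,3}(\.[0-9]{1,3}){3}'
# Current log plus rotated (possibly gzipped) copies; zgrep reads both.
readonly AUTH_LOGS=(/var/log/auth.log*)
# sshd messages that mark a probe or a brute-force attempt.
readonly BAD_PATTERNS=(
  'Bad protocol'
  'Did not receive identification string from'
  'Invalid user'
)

#######################################
# Print the de-duplicated peer address of every auth log line containing $1.
# Globals:   AUTH_LOGS, IPV4_RE (read)
# Arguments: $1 - fixed string to look for
# Outputs:   one IPv4 address per line on stdout (nothing if no line matched)
#######################################
peer_ips_for() {
  local needle=$1
  # grep exits 1 when nothing matches; under pipefail that must not abort us.
  zgrep -F -- "$needle" "${AUTH_LOGS[@]}" \
    | grep -oE -- "from ${IPV4_RE}" \
    | awk '{ print $2 }' \
    | sort -u \
    || true
}

main() {
  local pattern ip
  # -exist: creating an existing set or re-adding a member is not an error,
  # so real failures are no longer hidden behind -q.
  ipset -exist create "$BLOCK_SET" hash:ip counters

  for pattern in "${BAD_PATTERNS[@]}"; do
    while IFS= read -r ip; do
      ipset -exist add "$BLOCK_SET" "$ip"
    done < <(peer_ips_for "$pattern")
  done

  # buuuut remove anyone from the list who has a pk that works, just in case.
  while IFS= read -r ip; do
    ipset -exist del "$BLOCK_SET" "$ip"
  done < <(peer_ips_for 'Accepted publickey')
}

main "$@"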
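#!/bin/bash
# cribbed and adapted from :
# https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
# http://www.ipdeny.com/ipblocks/
#
# Rebuilds the "tor" set and one hash:net set per country listed in ZONES.
# Every set is filled in a scratch set and then swapped in with `ipset swap`,
# so the live set is never half-empty while a feed is loading and ranges that
# disappeared upstream do not linger from an earlier run. A feed that comes
# back empty (download failed, error page, ...) leaves the live set untouched
# instead of silently leaving it unpopulated.
set -euo pipefail

readonly ZONE_DIR=/etc/zones
readonly ZONE_URL_BASE=http://www.ipdeny.com/ipblocks/data/countries
# sticking with 8.8.8.8 rather than putting my ip in this.
readonly TOR_EXIT_URL='https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=8.8.8.8'
# "cc:setname" pairs; the set names are what the iptables rules match on.
readonly ZONES=(
  cn:china
  ru:russia
  ua:ukraine
  kp:nkorea   # North Korea (adorable, NK has only 1 ip block)
)
# IPv4 address with optional /prefix. Anything else in a feed (comments,
# blank lines, an HTML error page) is dropped before it reaches ipset.
readonly CIDR_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Atomically replace the members of a hash:net set with the CIDRs on stdin.
# Globals:   CIDR_RE (read)
# Arguments: $1 - live set name (created if it does not exist yet)
# Outputs:   "added: N entries to SET" on stdout
# Returns:   0 on success; 1 (live set left as it was) if stdin held no
#            valid entries
#######################################
load_set() {
  local set_name=$1
  local scratch="${set_name}_new"
  local -a entries
  local cidr

  # The live set must exist even when the feed is unusable, because the
  # firewall rules reference it by name.
  ipset -exist create "$set_name" hash:net counters

  # grep exits 1 on no match; that case is handled by the size check below.
  mapfile -t entries < <(grep -E -- "$CIDR_RE" || true)
  if (( ${#entries[@]} == 0 )); then
    printf 'no entries for %s, keeping the current set\n' "$set_name" >&2
    return 1
  fi

  ipset -exist create "$scratch" hash:net counters
  ipset flush "$scratch"   # leftovers from an interrupted earlier run
  # One `ipset restore` instead of one fork per entry.
  for cidr in "${entries[@]}"; do
    printf 'add %s %s\n' "$scratch" "$cidr"
  done | ipset -exist restore
  ipset swap "$scratch" "$set_name"
  ipset destroy "$scratch"
  printf 'added: %d entries to %s\n' "${#entries[@]}" "$set_name"
}

#######################################
# Fetch one ipdeny country zone file into ZONE_DIR and load it.
# The previous copy is only replaced once the download has succeeded, so a
# failed fetch falls back to the last good zone file.
# Globals:   ZONE_DIR, ZONE_URL_BASE (read)
# Arguments: $1 - two-letter country code, $2 - set name
# Returns:   load_set's status; 1 if no zone file is available at all
#######################################
load_country() {
  local cc=$1 set_name=$2
  local zone="${ZONE_DIR}/${cc}.zone"
  local tmp
  tmp=$(mktemp "${zone}.XXXXXX") || die "mktemp failed for $zone"
  # NOTE(review): plain http and no checksum, so the feed is trusted as-is;
  # only the CIDR filter in load_set stands between the download and the set.
  if wget -q -O "$tmp" "${ZONE_URL_BASE}/${cc}.zone"; then
    mv -f -- "$tmp" "$zone"
  else
    rm -f -- "$tmp"
    printf 'download of %s failed, keeping %s\n' "$cc" "$zone" >&2
  fi
  if [[ ! -r "$zone" ]]; then
    printf 'no zone file for %s\n' "$cc" >&2
    return 1
  fi
  load_set "$set_name" < "$zone"
}

main() {
  local pair cc set_name
  mkdir -p -- "$ZONE_DIR"

  # Fuck off, tor
  # -f: an HTTP error response must not turn an error page into set members.
  curl -fsS "$TOR_EXIT_URL" | load_set tor \
    || printf 'tor set not refreshed\n' >&2

  for pair in "${ZONES[@]}"; do
    cc=${pair%%:*}
    set_name=${pair#*:}
    # One broken feed must not stop the remaining countries from loading.
    load_country "$cc" "$set_name" \
      || printf '%s set not refreshed\n' "$set_name" >&2
  done
}

main "$@"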
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m set --match-set china src -j DROP
-A INPUT -p tcp -m set --match-set nkorea src -j DROP
-A INPUT -p tcp -m set --match-set russia src -j DROP
-A INPUT -p tcp -m set --match-set ukraine src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m set --match-set tor src -j DROP
-A INPUT -p tcp -m set --match-set fuckfaces src -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6667 -m comment --comment irc -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6697 -m comment --comment ssl_irc -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Jul 11 16:32:01 2017