Skip to content

Instantly share code, notes, and snippets.

@kuzmik kuzmik/ban fuckers.sh
Last active Dec 22, 2017

Embed
What would you like to do?
#!/bin/bash
# The fuckfaces ipset will hold any ip that appears to be portscanning or brute forcing ssh connections.
ipset -q create fuckfaces hash:ip counters
zgrep "Bad protocol" /var/log/auth.* | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq | xargs -I{} ipset -q add fuckfaces {}
zgrep "Did not receive identification string from" /var/log/auth.* | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq | xargs -I{} ipset -q add fuckfaces {}
zgrep "Invalid user" /var/log/auth.* | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq | xargs -I{} ipset -q add fuckfaces {}
# buuuut remove anyone from the list who has a pk that works, just in case.
zgrep "Accepted publickey" /var/log/auth.log* | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq | xargs -I{} ipset -q del fuckfaces {}
#!/bin/bash
# cribbed and adapted from :
# https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
# http://www.ipdeny.com/ipblocks/
# Fuck off, tor
ipset -q create tor hash:net counters
# sticking with 8.8.8.8 rather than putting my ip in this.
curl -s https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=8.8.8.8 | sed '/^#/d' | while read IP
do
ipset -q add tor $IP
done
# China
ipset -q create china hash:net counters
rm -f /etc/zones/cn.zone
wget -q -P /etc/zones http://www.ipdeny.com/ipblocks/data/countries/cn.zone
for i in $(cat /etc/zones/cn.zone); do ipset -q -A china $i; done
echo "added:" `wc -l /etc/zones/cn.zone`
# Russia
ipset -q create russia hash:net counters
rm -f /etc/zones/ru.zone
wget -q -P /etc/zones http://www.ipdeny.com/ipblocks/data/countries/ru.zone
for i in $(cat /etc/zones/ru.zone); do ipset -q -A russia $i; done
echo "added:" `wc -l /etc/zones/ru.zone`
# Ukraine
ipset -q create ukraine hash:net counters
rm -rf /etc/zones/ua.zone
wget -q -P /etc/zones http://www.ipdeny.com/ipblocks/data/countries/ua.zone
for i in $(cat /etc/zones/ua.zone); do ipset -q -A ukraine $i; done
echo "added:" `wc -l /etc/zones/ua.zone`
# North Korea (adorable, NK has only 1 ip block)
ipset -q create nkorea hash:net counters
rm -f /etc/zones/kp.zone
wget -q -P /etc/zones http://www.ipdeny.com/ipblocks/data/countries/kp.zone
for i in $(cat /etc/zones/kp.zone); do ipset -q -A nkorea $i; done
echo "added:" `wc -l /etc/zones/kp.zone`
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m set --match-set china src -j DROP
-A INPUT -p tcp -m set --match-set nkorea src -j DROP
-A INPUT -p tcp -m set --match-set russia src -j DROP
-A INPUT -p tcp -m set --match-set ukraine src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m set --match-set tor src -j DROP
-A INPUT -p tcp -m set --match-set fuckfaces src -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6667 -m comment --comment irc -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6697 -m comment --comment ssl_irc -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.