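#!/bin/bash
# Maintain the "fuckfaces" ipset: any address that the sshd log shows
# port-scanning or brute-forcing is added to the set, then any address that
# has completed a public-key login is removed again (just in case).
#
# Needs enough privilege to modify ipsets (normally root). Only IPv4 is
# handled: the set is hash:ip in the default family and the extractor below
# matches dotted quads only.
#
# No `set -e`: zgrep exits non-zero when a pattern matches nothing, and that
# is a normal outcome here, not a failure.
set -u

readonly SET=fuckfaces
# One glob for every step; the original mixed /var/log/auth.* and
# /var/log/auth.log*, so the "remove known-good keys" pass could read a
# different file set than the "ban" passes.
declare -ra AUTH_LOGS=(/var/log/auth.log*)

# extract_ips: read sshd log lines on stdin, print each source address once.
# Only the address after the *last* " from " on a line is taken. The text
# earlier on the line (the client's protocol banner, the attempted user name)
# is chosen by the remote peer, so a dotted quad planted there must not be
# able to get an unrelated address put into the drop set.
extract_ips() {
  sed -nE 's/.* from ([0-9]{1,3}(\.[0-9]{1,3}){3}).*/\1/p' | sort -u
}

# ban_matching PATTERN: add the source address of every log line matching
# PATTERN to the set. -q hides "already added"; xargs -r (GNU) skips the
# ipset call entirely when nothing matched.
ban_matching() {
  zgrep -- "$1" "${AUTH_LOGS[@]}" | extract_ips | xargs -r -I{} ipset -q add "$SET" {}
}

main() {
  ipset -q create "$SET" hash:ip counters
  ban_matching 'Bad protocol'
  ban_matching 'Did not receive identification string from'
  ban_matching 'Invalid user'
  # buuuut remove anyone from the list who has a pk that works, just in case.
  zgrep -- 'Accepted publickey' "${AUTH_LOGS[@]}" | extract_ips \
    | xargs -r -I{} ipset -q del "$SET" {}
}

main "$@"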
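#!/bin/bash
# Build the country and Tor ipsets that the filter table's INPUT rules match
# on (tor, china, russia, ukraine, nkorea).
#
# cribbed and adapted from :
# https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
# http://www.ipdeny.com/ipblocks/
#
# Runs as root. Sets are created if missing and entries are added; entries
# are never removed, so a range that later disappears from a zone file stays
# in the set until it is flushed by hand.
set -u

readonly ZONE_DIR=/etc/zones
# NOTE(review): the zone lists are fetched over plain http, so what lands in
# the firewall is whatever the network path delivered. TODO: confirm an https
# URL is offered and switch to it.
readonly ZONE_BASE_URL=http://www.ipdeny.com/ipblocks/data/countries
# sticking with 8.8.8.8 rather than putting my ip in this.
readonly TOR_EXIT_URL='https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=8.8.8.8'

# add_entries SET: read one address or network per line from stdin and add
# each to SET. Blank lines and '#' comment lines are skipped; -q hides
# "already added" complaints.
add_entries() {
  local set_name=$1 entry
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    [[ -z "$entry" || "$entry" == "#"* ]] && continue
    ipset -q add "$set_name" "$entry"
  done
}

# load_zone CC SET: refresh $ZONE_DIR/CC.zone from ipdeny and load it into
# SET. The download goes to a temp file and replaces the old zone file only
# on success, so a failed fetch keeps the previous list instead of feeding an
# empty or partial file to ipset (the old code rm'ed the file first and never
# checked wget).
# Returns 1 if the fetch fails.
load_zone() {
  local cc=$1 set_name=$2
  local zone="$ZONE_DIR/$cc.zone" tmp
  ipset -q create "$set_name" hash:net counters
  tmp=$(mktemp "$ZONE_DIR/.$cc.zone.XXXXXX") || return 1
  if ! wget -q -O "$tmp" "$ZONE_BASE_URL/$cc.zone"; then
    printf 'warn: could not fetch %s.zone, keeping the previous list\n' "$cc" >&2
    rm -f -- "$tmp"
    return 1
  fi
  mv -f -- "$tmp" "$zone"
  add_entries "$set_name" < "$zone"
  printf 'added: %s %s\n' "$(wc -l < "$zone")" "$zone"
}

# load_tor: fill the tor set from the Tor project's bulk exit list.
# -f turns an HTTP error status into a curl failure, so an error page's HTML
# is not piped into ipset.
load_tor() {
  ipset -q create tor hash:net counters
  curl -fsS "$TOR_EXIT_URL" | add_entries tor
}

main() {
  mkdir -p "$ZONE_DIR"
  load_tor
  load_zone cn china
  load_zone ru russia
  load_zone ua ukraine
  # North Korea (adorable, NK has only 1 ip block)
  load_zone kp nkorea
}

main "$@"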
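# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
# security, raw, nat and mangle are left empty with their default ACCEPT
# policies; everything of interest is in *filter below.
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*filter
# Chain policies are ACCEPT; the host is only closed by the trailing
# "-A INPUT -j DROP", so a flush (iptables -F) leaves INPUT wide open.
# A DROP policy on INPUT/FORWARD would be the safer default.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# LOGDROP: log (rate-limited, so a flood cannot fill the log) and then drop.
# The chain used to be declared but empty; a -j LOGDROP into an empty chain
# just returns to INPUT, so the ssh rate limit below fell through to the
# ssh ACCEPT rule and never dropped anything.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables LOGDROP: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
# Country sets (filled by the zone script) are checked before the
# RELATED,ESTABLISHED accept, so even an already-open session from a listed
# range is cut off.
-A INPUT -p tcp -m set --match-set china src -j DROP
-A INPUT -p tcp -m set --match-set nkorea src -j DROP
-A INPUT -p tcp -m set --match-set russia src -j DROP
-A INPUT -p tcp -m set --match-set ukraine src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# tor and fuckfaces are checked after the ESTABLISHED accept: a connection
# that was already open when the address got listed keeps working until it
# closes; only new connections from it are dropped.
-A INPUT -p tcp -m set --match-set tor src -j DROP
-A INPUT -p tcp -m set --match-set fuckfaces src -j DROP
# NOTE: iptables-restore does not expand shell variables. Whatever renders
# this file must substitute the real value for $SSH_PORT first, otherwise
# the restore fails on these three rules.
# ssh rate limit: every NEW connection records its source; a 4th NEW
# connection from the same source within 60 s goes to LOGDROP.
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6667 -m comment --comment irc -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6697 -m comment --comment ssl_irc -j ACCEPT
# ICMP echo request only; other ICMP types reach the final DROP.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Jul 11 16:32:01 2017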