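#!/bin/bash
# Build the "fuckfaces" ipset from sshd log evidence.
#
# Any peer address that sshd logged with a bad/missing protocol banner or an
# unknown user name is added to the set (the INPUT chain drops TCP from it).
# As a safety net, every address that has ever authenticated with a public
# key is removed from the set afterwards.
#
# Inputs:   /var/log/auth.log* (rotated .gz files included; zgrep reads both)
# Effects:  creates (if missing) and updates the ipset "fuckfaces"
# Requires: root, ipset, zgrep
set -euo pipefail

readonly SET_NAME=fuckfaces
# The original mixed /var/log/auth.* and /var/log/auth.log*; one glob is used
# for every pass so the add side and the del side read the same files.
AUTH_LOGS=(/var/log/auth.log*)
readonly AUTH_LOGS
# Dotted quad in BRE syntax (shared by grep and sed). It does not check octet
# ranges; ipset rejects anything that is not a valid address anyway.
readonly IPV4_RE='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

#######################################
# Print, de-duplicated, the peer address of every auth-log line containing $1.
# sshd writes the peer as the last "from <ip>" on the line; taking the last
# occurrence rather than the first dotted quad keeps client-supplied text that
# appears earlier on the line (the banner, the user name) from deciding which
# address ends up in the set.
# Globals:   AUTH_LOGS, IPV4_RE (read)
# Arguments: $1 - fixed-string pattern selecting the log lines
# Outputs:   one address per line on stdout; nothing if there are no matches
#######################################
peer_ips_for() {
  # grep exits 1 when nothing matches, which is a normal outcome here, so
  # the pipeline is excused from pipefail/-e.
  zgrep -h -F -- "$1" "${AUTH_LOGS[@]}" 2>/dev/null \
    | sed -n "s/.* from \($IPV4_RE\).*/\1/p" \
    | sort -u || true
}

#######################################
# Run one ipset command per address read from stdin.
# Globals:   SET_NAME (read)
# Arguments: $1 - ipset command, "add" or "del"
# Inputs:    addresses, one per line, on stdin
#######################################
apply_to_set() {
  local cmd=$1 ip
  while IFS= read -r ip; do
    # -exist: adding a member twice / deleting a missing one is not an error
    # (the original's -q only hid the message, the exit status stayed 1).
    ipset -exist "$cmd" "$SET_NAME" "$ip"
  done
}

main() {
  ipset -exist create "$SET_NAME" hash:ip counters

  # The three sshd messages that characterise scanners and brute-forcers.
  local pattern
  for pattern in 'Bad protocol' \
                 'Did not receive identification string from' \
                 'Invalid user'; do
    peer_ips_for "$pattern" | apply_to_set add
  done

  # buuuut remove anyone from the list who has a pk that works, just in case.
  peer_ips_for 'Accepted publickey' | apply_to_set del
}

main "$@"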
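#!/bin/bash
# Populate the country and Tor-exit ipsets matched by the INPUT chain.
#
# cribbed and adapted from :
# https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
# http://www.ipdeny.com/ipblocks/
#
# Effects:  creates (if missing) and adds members to the ipsets tor, china,
#           russia, ukraine and nkorea; keeps a copy of each zone file in
#           /etc/zones. Members are only ever added: a network that drops out
#           of a feed stays in the set until the set is flushed or recreated.
# Requires: root, ipset, curl, wget
# Returns:  non-zero if any feed could not be fetched; the other sets are
#           still processed.
set -euo pipefail

readonly ZONE_DIR=/etc/zones
# NOTE(review): the zone files are fetched over plain HTTP, as in the
# original, and nothing checks their integrity; whatever is served here ends
# up as DROP rules. Use https:// if the mirror offers it.
readonly ZONE_BASE_URL=http://www.ipdeny.com/ipblocks/data/countries
# sticking with 8.8.8.8 rather than putting my ip in this.
readonly TOR_EXIT_URL='https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=8.8.8.8'

#######################################
# Add every non-empty, non-comment line of stdin as a member of an ipset.
# Arguments: $1 - ipset name
# Inputs:    one address or CIDR per line on stdin
#######################################
add_members() {
  local set_name=$1 entry
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    [[ -z "$entry" || "$entry" == \#* ]] && continue
    # -exist: re-adding a member is not an error (the original used -q, which
    # only hid the message while still returning non-zero).
    ipset -exist add "$set_name" "$entry"
  done
}

#######################################
# Fetch the Tor exit list and load it into the "tor" set.
# Globals:   TOR_EXIT_URL (read)
# Returns:   1 if the download fails; the set is left as it was
#######################################
load_tor() {
  local list
  ipset -exist create tor hash:net counters || return 1
  # -f turns an HTTP error into a curl failure instead of an HTML error page
  # that the loop would feed to ipset; capturing the list first makes the
  # failure visible (a failing producer inside a pipeline was silent before).
  if ! list=$(curl -fsS "$TOR_EXIT_URL"); then
    printf 'warn: could not fetch tor exit list, set "tor" unchanged\n' >&2
    return 1
  fi
  add_members tor <<<"$list"
}

#######################################
# Download one ipdeny country zone file and load it into an ipset.
# The file is fetched to a temporary name and only moved into place on
# success, so a failed download keeps the previous copy (the original deleted
# the old file before starting wget).
# Globals:   ZONE_DIR, ZONE_BASE_URL (read)
# Arguments: $1 - ipset name
#            $2 - ipdeny country code (cn, ru, ua, kp, ...)
# Outputs:   "added: <count> <zone file>" on stdout, as before
# Returns:   1 if the download fails; the set is left as it was
#######################################
load_country() {
  local set_name=$1 cc=$2
  local zone_file="$ZONE_DIR/$cc.zone" tmp

  ipset -exist create "$set_name" hash:net counters || return 1
  mkdir -p -- "$ZONE_DIR" || return 1
  tmp=$(mktemp "$zone_file.XXXXXX") || return 1
  if ! wget -q -O "$tmp" "$ZONE_BASE_URL/$cc.zone"; then
    printf 'warn: could not fetch %s.zone, set "%s" unchanged\n' "$cc" "$set_name" >&2
    rm -f -- "$tmp"
    return 1
  fi
  mv -f -- "$tmp" "$zone_file"

  add_members "$set_name" < "$zone_file"
  echo "added: $(wc -l < "$zone_file") $zone_file"
}

main() {
  local rc=0
  # Fuck off, tor
  load_tor || rc=1
  # China
  load_country china cn || rc=1
  # Russia
  load_country russia ru || rc=1
  # Ukraine
  load_country ukraine ua || rc=1
  # North Korea (adorable, NK has only 1 ip block)
  load_country nkorea kp || rc=1
  return "$rc"
}

main "$@"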
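# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
# Restore with: iptables-restore < <this file>   (IPv4 only; ip6tables is not
# covered by this dump).
# iptables-restore does NOT expand shell variables: $SSH_PORT in the filter
# table below is a placeholder that must be replaced with the numeric port
# (e.g. with envsubst or sed) before restoring, or the load fails.
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 11 16:32:01 2017
# Generated by iptables-save v1.4.21 on Tue Jul 11 16:32:01 2017
*filter
# Chain policies are ACCEPT; the trailing "-A INPUT -j DROP" and
# "-A FORWARD -j DROP" rules provide the real default-deny, so any traffic
# that should get in needs a rule above them.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# User chain: log, then drop. In the dump this chain was declared but had no
# rules; an empty user chain just returns to the caller, so the ssh
# rate-limit jump below fell through to the ssh ACCEPT rule. The two
# "-A LOGDROP" rules at the bottom give the chain its body.
:LOGDROP - [0:0]
# Loopback in; reject anything addressed to loopback on another interface.
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
# Country sets (filled by the ipset script). These match TCP only; ICMP echo
# from the same ranges is still answered by the icmp rule further down.
-A INPUT -p tcp -m set --match-set china src -j DROP
-A INPUT -p tcp -m set --match-set nkorea src -j DROP
-A INPUT -p tcp -m set --match-set russia src -j DROP
-A INPUT -p tcp -m set --match-set ukraine src -j DROP
# (-m state is the legacy spelling of -m conntrack --ctstate; kept as dumped.)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# tor and fuckfaces sit after the ESTABLISHED accept, so a connection that was
# already open when an address was added keeps running; only new connections
# from it are dropped. Move these two above the ESTABLISHED rule if adding an
# address should also cut its existing sessions.
-A INPUT -p tcp -m set --match-set tor src -j DROP
-A INPUT -p tcp -m set --match-set fuckfaces src -j DROP
# ssh rate limit: record every new connection per source address, and send
# the 4th (and later) within 60 s to LOGDROP; fewer than that reach ACCEPT.
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -m comment --comment ssh -j ACCEPT
# Public services.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6667 -m comment --comment irc -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6697 -m comment --comment ssl_irc -j ACCEPT
# Echo request from anywhere.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
# LOGDROP body: a rate-limited kernel log line, then drop.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables LOGDROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
# Completed on Tue Jul 11 16:32:01 2017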