mgaulton/badips-ipset.sh

## badips-ipset.sh
#!/bin/bash
# Script for blocking IPs which have been reported to www.badips.com
#   via ipsets.
#
# - THIS SCRIPT DOES NOT BLOCK ANYTHING -
# This script only updates ipsets with applicable data from
# badips.com. Actually blocking the ips in that ipset is left
# up to the user (so that you may do so however you prefer).
#
# Additionally, this script does not persist the ipsets through
# a restart. This is because most distros now provide a method of
# doing so and any attempt to do so in this script would create
# redundant/conflicting functionality.
#
# Exit Codes:
#   0 - success
#   1 - failure - no changes made
#   2 - failure - possible changes made, inconsistent state
#
#===============================================================================
# MIT License
#
# Copyright (c) 2017 Jeremy Cliff Armstrong
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#===============================================================================

# Location of ipset binary
bin=/sbin/ipset     # REQUIRED!

# This is how long ago at most an ip must have last been reported to
#   badips.com. Values follow the format ##a where '##' is some non-
#   zero positive number and 'a' is either h, d, w, m, or y for hours,
#   days, weeks, months, or years.
#
# NOTE: comment out for all results - not recommended
# NOTE2: this script should be executed more often than this value.
age=2w

# Blog level (1-5):
#   0 - not so bad/false report
#   3 - confirmed bad
#   5 - quite aggressively bad
# (see www.badips.com)
level=3     # REQUIRED!

# Logged service or "any"
# (see www.badips.com/get/categories {JSON})
service=ssh     # REQUIRED!

# This is how long (in seconds) an ip will remain in the ipset after it
#   stops showing up in the configured badips query result. It should be
#   longer than the time between executions of this script (double, at
#   least) and long enough when combined with age above that occasional
#   offenders don't get removed from the ipset prematurely.
#
# IMPORTANT: this script should be executed more often than this setting.
# NOTE: IPs returned by badips.com which are already in the ipset will
#   have their timeouts reset to this value (if it is greater than the
#   existing timeout)
timeout=604800      # REQUIRED! - default is 7 days

# Name of ipset to use
ipset=badips    # REQUIRED!


##################
## BEGIN SCRIPT ##
##################

# required parameters
if [ ! $ipset ] || [ ! $timeout ] || [ ! $bin ] || [ ! $level ] || [ ! $service ]
then
    echo "$0: Required parameter is missing! Edit this file for further info." >&2
    exit 1
fi


### Query badips.com
# compile url
_url="https://www.badips.com/get/list/${service}/$level"
if [ $age ]; then _url+="?age=$age"; fi

# Get the bad IPs and store in an array
_badips=( $( wget -qO- $_url ) ) || { echo "$0: Unable to download ip list from \'$_url\'." >&2; exit 1; }


### Setup our black list ###
# Create ipset if it does not exist
if ! $bin list $ipset -name 2>&1 >/dev/null
then
    $bin create $ipset hash:ip timeout $timeout -exist || { echo "$0: Unable to create ipset: $ipset" >&2; exit 2; }
fi

# Add all retrieved ips to $_ipset, updating the timeout on duplicates
for _ip in ${_badips[@]}
do
    $bin add $ipset $_ip timeout $timeout -exist || { echo "$0: Unable to add $_ip to $ipset, exiting early." >&2; exit 2; }
done

exit 0
	#!/bin/bash
	# Script for blocking IPs which have been reported to www.badips.com
	# via ipsets.
	#
	# - THIS SCRIPT DOES NOT BLOCK ANYTHING -
	# This script only updates ipsets with applicable data from
	# badips.com. Actually blocking the ips in that ipset is left
	# up to the user (so that you may do so however you prefer).
	#
	# Additionally, this script does not persist the ipsets through
	# a restart. This is because most distros now provide a method of
	# doing so and any attempt to do so in this script would create
	# redundant/conflicting functionality.
	#
	# Exit Codes:
	# 0 - success
	# 1 - failure - no changes made
	# 2 - failure - possible changes made, inconsistent state
	#
	#===============================================================================
	# MIT License
	#
	# Copyright (c) 2017 Jeremy Cliff Armstrong
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in
	# all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	# SOFTWARE.
	#===============================================================================

	# Location of ipset binary
	bin=/sbin/ipset # REQUIRED!

	# This is how long ago at most an ip must have last been reported to
	# badips.com. Values follow the format ##a where '##' is some non-
	# zero positive number and 'a' is either h, d, w, m, or y for hours,
	# days, weeks, months, or years.
	#
	# NOTE: comment out for all results - not recommended
	# NOTE2: this script should be executed more often than this value.
	age=2w

	# Blog level (1-5):
	# 0 - not so bad/false report
	# 3 - confirmed bad
	# 5 - quite aggressively bad
	# (see www.badips.com)
	level=3 # REQUIRED!

	# Logged service or "any"
	# (see www.badips.com/get/categories {JSON})
	service=ssh # REQUIRED!

	# This is how long (in seconds) an ip will remain in the ipset after it
	# stops showing up in the configured badips query result. It should be
	# longer than the time between executions of this script (double, at
	# least) and long enough when combined with age above that occasional
	# offenders don't get removed from the ipset prematurely.
	#
	# IMPORTANT: this script should be executed more often than this setting.
	# NOTE: IPs returned by badips.com which are already in the ipset will
	# have their timeouts reset to this value (if it is greater than the
	# existing timeout)
	timeout=604800 # REQUIRED! - default is 7 days

	# Name of ipset to use
	ipset=badips # REQUIRED!


	##################
	## BEGIN SCRIPT ##
	##################

	# required parameters
	if [ ! $ipset ] \|\| [ ! $timeout ] \|\| [ ! $bin ] \|\| [ ! $level ] \|\| [ ! $service ]
	then
	echo "$0: Required parameter is missing! Edit this file for further info." >&2
	exit 1
	fi


	### Query badips.com
	# compile url
	_url="https://www.badips.com/get/list/${service}/$level"
	if [ $age ]; then _url+="?age=$age"; fi

	# Get the bad IPs and store in an array
	_badips=( $( wget -qO- $_url ) ) \|\| { echo "$0: Unable to download ip list from \'$_url\'." >&2; exit 1; }


	### Setup our black list ###
	# Create ipset if it does not exist
	if ! $bin list $ipset -name 2>&1 >/dev/null
	then
	$bin create $ipset hash:ip timeout $timeout -exist \|\| { echo "$0: Unable to create ipset: $ipset" >&2; exit 2; }
	fi

	# Add all retrieved ips to $_ipset, updating the timeout on duplicates
	for _ip in ${_badips[@]}
	do
	$bin add $ipset $_ip timeout $timeout -exist \|\| { echo "$0: Unable to add $_ip to $ipset, exiting early." >&2; exit 2; }
	done

	exit 0