@mietzen
Forked from Aikhjarto/block_badips.sh
Last active April 8, 2021 18:28
Fetch a list of known brute force attackers from abuseipdb.com and apply/update iptables DROP rules
#!/bin/bash
# This is a replacement for Aikhjarto/block_badips.sh that uses https://www.abuseipdb.com/, since badips.com seems to be offline :(
# This script downloads a list of IPs known for brute force attacks.
# The fetched IPs get blocked with iptables rules carrying the special comment "BADIP". This script only
# modifies iptables rules with that comment, which makes it compatible with other firewall
# scripts such as SUSEFirewall.
# The iptables rules are updated every time this script is executed. Additionally, this script is
# quiet on stdout, which makes it well suited for being executed as a cronjob.
# TODO Block ipv6
IPTABLES_BIN=/usr/sbin/iptables
IPTABLES_SAVE_BIN=/usr/sbin/iptables-save
# Set your api key (quoted, otherwise the placeholder's angle brackets are parsed as shell redirections)
ABUSEIPDB_API_KEY="<YOUR-API-KEY>"
LOGGER_OPTS="-t add_badips"
# fetch IP list from abuseipdb.com
URL="https://api.abuseipdb.com/api/v2/blacklist"
### download
logger $LOGGER_OPTS "fetching list of bad IPs from $URL"
FILE_MIXED=$(mktemp)
FILE_V4=$(mktemp)
FILE_V6=$(mktemp)
# -f makes curl fail on HTTP errors (e.g. a rejected API key) instead of writing the error body into the list file
curl -sSf -G "$URL" -d confidenceMinimum=95 -d limit=9999999 -H "Key:$ABUSEIPDB_API_KEY" -H "Accept: text/plain" > "$FILE_MIXED"
CURL_STATUS=$?
# split the mixed list into IPv4 and IPv6 addresses (grep exits non-zero when a file has no match, which is not an error here)
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" "$FILE_MIXED" > "$FILE_V4"
grep -oE "\b(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b" "$FILE_MIXED" > "$FILE_V6"
# abort, leaving the existing BADIP rules untouched, if the download failed or produced no IPv4 addresses
if [ "$CURL_STATUS" -ne 0 ] || [ ! -s "$FILE_V4" ]; then
  logger $LOGGER_OPTS -s "ERROR: download of $URL failed"
  rm -f "$FILE_V4" "$FILE_V6" "$FILE_MIXED"
  exit 1
else
  logger $LOGGER_OPTS "got $(wc -l < "$FILE_MIXED") IPs"
fi
### remove old blocked entries
FILE_OLD_IPS=$(mktemp)
# export all rules with comment "BADIP" and turn each "-A" (append) into the matching "-D" (delete)
$IPTABLES_SAVE_BIN | grep -e "--comment BADIP" | sed 's/-A/-D/' > "$FILE_OLD_IPS"
logger $LOGGER_OPTS "removing $(wc -l < "$FILE_OLD_IPS") old entries"
# remove all IPs previously known as bad
# HINT: use a while loop here since a for loop would require changing the IFS due to spaces in $FILE_OLD_IPS
# $RULE is intentionally unquoted so the saved rule is split into separate iptables arguments
while read -r RULE; do
  $IPTABLES_BIN $RULE
done < "$FILE_OLD_IPS"
rm -f "$FILE_OLD_IPS"
### add new IPs
for IP in $(cat "$FILE_V4"); do
  $IPTABLES_BIN -I INPUT -s "$IP" -j DROP -m comment --comment "BADIP"
done
rm -f "$FILE_V4"
rm -f "$FILE_V6"
rm -f "$FILE_MIXED"
logger $LOGGER_OPTS "done applying IPs"
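The script above hands every address it extracts straight to iptables, and its IPv4 pattern accepts octets above 255. The following is an added example, not part of the gist, showing how to vet a fetched list before it touches the firewall: it assumes the text/plain blacklist response is one address per line (as the gist's grep implies), the sample response is constructed, and the ALLOWLIST values are hypothetical.

```shell
# Added example, not part of the gist: vet a fetched blocklist before any
# address reaches iptables. Sample input is constructed; one IP per line is
# what the gist's grep expects from the text/plain blacklist response.
# Addresses that must never be DROPped (uplink, monitoring host); hypothetical.
ALLOWLIST="203.0.113.10 2001:db8::1"
# Constructed response: two attackers, a duplicate, an out-of-range octet the
# gist's regex would accept, a private address, an allowlisted address and an
# IPv6 line the IPv4 path must skip (the gist only applies IPv4 rules).
SAMPLE='198.51.100.7
203.0.113.77
198.51.100.7
999.1.1.1
192.168.1.5
203.0.113.10
2001:db8::dead:beef'

# Exit 0 iff $1 is four dot-separated decimal fields, each 0..255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for n; do [ ${#n} -le 3 ] && [ "$n" -le 255 ] || return 1; done
    return 0
}

# Well-known private/loopback/link-local ranges: an entry here means the list
# is wrong, or the rule would cut the host off from its own network.
is_reserved_ipv4() {
    case $1 in
        0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read the raw list on stdin; print the IPv4 addresses safe to DROP, one per
# line and deduplicated. Exit 2 when nothing survives so the caller can keep
# its existing BADIP rules instead of flushing them on a bad or empty answer.
filter_blocklist() {
    _out=$(while read -r ip; do
        is_ipv4 "$ip" || continue
        is_reserved_ipv4 "$ip" && continue
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        printf '%s\n' "$ip"
    done | sort -u)
    [ -n "$_out" ] || return 2
    printf '%s\n' "$_out"
}

printf '%s\n' "$SAMPLE" | filter_blocklist
```

In the script, `filter_blocklist < "$FILE_MIXED" > "$FILE_V4"` would replace the IPv4 grep, and a non-zero exit is the signal to abort before the old rules are removed.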