This script offers another way to block incoming connections: like PeerGuardian, it manages multiple IP blacklists and creates iptables rules that lock the listed IPs out at the gateway.
Thanks again to burningpenguin for his preliminary work! For more information see footnote 1.
The IP blacklists from malc0de.com, openbl.org (the last-90-days blocklist) and zeustracker.abuse.ch are fetched, comments are removed, the IPs are sorted and deduplicated, and the result is stored in /etc/sysconfig/blacklist.
Before running the script, /etc/sysconfig/firewall.local must already be set up to process that file. See the howto Load IP-Blacklist from file for this.
When this is done, put the script at the place of your choice on the IPFire.
filename = blacklist.sh
#!/bin/bash
###########################################################################
# 2014-03-03 by burningpenguin: scriptblacklistip
#
# add blocked IPs to the firewall so they cannot be accessed from green/blue
###########################################################################
# 2014-03-03 initial version
#
###########################################################################
###########################################################################
# usage
# extend by adding this section per blacklist url
#
# #get list from ??service??
# printf "\n Get files: ??service???"
# wget -O - http:???url??? > /etc/sysconfig/blacklisttmp
# cat /etc/sysconfig/blacklisttmp >> /etc/sysconfig/blacklist
#
###########################################################################

# start with an empty combined list
cat /dev/null > /etc/sysconfig/blacklist

# get list from malc0de
# note: a failed download leaves an empty feed file, so the firewall is then
# reloaded with a shorter list; compare the line counts printed below
printf "\n Get files: malc0de"
wget -O - http://malc0de.com/bl/IP_Blacklist.txt > /etc/sysconfig/blacklistmalc0de
cat /etc/sysconfig/blacklistmalc0de >> /etc/sysconfig/blacklist
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

# get list from zeustracker
# --no-check-certificate disables TLS certificate verification for this fetch
printf "\n Get files: zeus"
wget -O - --no-check-certificate "https://zeustracker.abuse.ch/blocklist.php?download=badips" > /etc/sysconfig/blacklistzeus
cat /etc/sysconfig/blacklistzeus >> /etc/sysconfig/blacklist
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

# get list from openbl
printf "\n Get files: openbl"
wget -O - http://www.openbl.org/lists/base_90days.txt > /etc/sysconfig/blacklistopenbl
cat /etc/sysconfig/blacklistopenbl >> /etc/sysconfig/blacklist

###########################################################################
# script extension: categories with IP collections from www.blocklist.de
# 2014-12-11 by 5p9
###########################################################################
# blall   = all categories with IPs from the last 48h
# blssh   = ssh attacks from the last 48h
# blbf    = webserver bruteforce attacks from the last 48h
# blbadip = IPs with over 5000 attacks in the last 5 months
# blbots  = RFI, REG, BadBot and IRC attacks from the last 48h
# !!! HINT !!!
# if blall.txt is active then disable openbl and
# all other single categories blssh, blbf, blbadip and blbots !!!
###########################################################################

# get list from blocklist.de - all.txt, over 32000 IPs, very large!
#printf "\n Get files: blacklistede"
#wget -O - http://lists.blocklist.de/lists/all.txt > /etc/sysconfig/blacklistblall
#cat /etc/sysconfig/blacklistblall >> /etc/sysconfig/blacklist

# get list from blocklist.de - ssh.txt
#printf "\n Get files: blacklistede"
#wget -O - http://lists.blocklist.de/lists/ssh.txt > /etc/sysconfig/blacklistblssh
#cat /etc/sysconfig/blacklistblssh >> /etc/sysconfig/blacklist

# get list from blocklist.de - bruteforce webserver (bruteforcelogin.txt)
#printf "\n Get files: blacklistede"
#wget -O - http://lists.blocklist.de/lists/bruteforcelogin.txt > /etc/sysconfig/blacklistblbf
#cat /etc/sysconfig/blacklistblbf >> /etc/sysconfig/blacklist

# get list from blocklist.de - strongips.txt
#printf "\n Get files: blacklistede"
#wget -O - http://lists.blocklist.de/lists/strongips.txt > /etc/sysconfig/blacklistblbadip
#cat /etc/sysconfig/blacklistblbadip >> /etc/sysconfig/blacklist

# get list from blocklist.de - bots.txt
#printf "\n Get files: blacklistede"
#wget -O - http://lists.blocklist.de/lists/bots.txt > /etc/sysconfig/blacklistblbots
#cat /etc/sysconfig/blacklistblbots >> /etc/sysconfig/blacklist

# check amount of lines before sorting and cleanup
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

printf "\n Sort ips uniq"
sort -u /etc/sysconfig/blacklist > /etc/sysconfig/blacklisttmp

printf "\n Remove comments, ipv6 addresses etc."
# drop comment lines (starting with / or #), blank lines, CIDR ranges (/n)
# and anything containing a colon (IPv6); only plain IPv4 lines remain
egrep -v '(^[[:space:]]*/|^[[:space:]]*#|^[[:space:]]*$)|/[0-9]|:' /etc/sysconfig/blacklisttmp > /etc/sysconfig/blacklist

# check amount of lines after sorting and clean-up
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

# reload firewall - this might take some time
/etc/init.d/firewall reload
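The cleanup at the end of the script only drops comment lines, blank lines, CIDR ranges and anything containing a colon; every other line is passed on to firewall.local as it came from the feed. Two of the feeds are fetched over plain http and the third with certificate checking switched off, so the downloaded text should be treated as untrusted input. The following shell function is an added example, not part of the original script or of IPFire: it strips CRLF endings and trailing comments, then keeps only lines that are a plain dotted-quad IPv4 address with every octet in range, and deduplicates. The sample feed content is constructed for the example and mimics the mixture of comment styles and junk the feeds deliver.

```shell
#!/bin/sh
# Added example (not the page's blacklist.sh): strict normalisation of a
# downloaded IP blacklist before it is handed to firewall.local.

# Constructed sample feed: '#' and '//' comments, leading whitespace, a CRLF
# line, a trailing comment, a CIDR range, an IPv6 address, an out-of-range
# octet, a duplicate and a line with trailing junk.
SAMPLE_INPUT=$(printf '%s\n' \
    '# malc0de-style IP blacklist' \
    '// zeustracker-style comment line' \
    '  198.51.100.23' \
    '203.0.113.5' \
    '203.0.113.5' \
    '192.0.2.77  # trailing comment' \
    '10.0.0.0/8' \
    '2001:db8::1' \
    '256.1.1.1' \
    '203.0.113.5 DROP' \
    "198.51.100.200$(printf '\r')")

# clean_blacklist: reads a raw feed on stdin, writes one validated IPv4
# address per line to stdout, sorted and unique.
clean_blacklist() {
    tr -d '\r' |
    sed -e 's/#.*$//' -e 's|//.*$||' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F. '$0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i > 255 || length($i) > 3) ok = 0
        if (ok) print
    }' |
    LC_ALL=C sort -u
}

# count_lines: number of lines on stdin (0 for empty input).
count_lines() {
    wc -l | tr -d ' '
}

RAW_COUNT=$(printf '%s\n' "$SAMPLE_INPUT" | count_lines)
CLEANED=$(printf '%s\n' "$SAMPLE_INPUT" | clean_blacklist)
CLEANED_COUNT=$(printf '%s\n' "$CLEANED" | count_lines)

printf 'lines in feed: %s, valid unique IPv4 addresses: %s\n' \
    "$RAW_COUNT" "$CLEANED_COUNT"
printf '%s\n' "$CLEANED"
```

Comparing the two counts on every run, as the original script does with its wc -l calls, is the quickest way to notice a feed that came back empty or in an unexpected format.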
After transferring or creating the script, it must be made executable:
chmod +x blacklist.sh
To refresh the lists regularly, the script can be called from a cron job:
fcrontab -e
Specify the desired frequency for the cron job, here every day at 00:10:
# sys_info
10 00 * * * /mnt/harddisk/scripts/blacklist.sh
Since the blacklist contains many potentially dangerous addresses, there may also be a large number of false positives: dynamic IP addresses that were harmless at one point may be dangerous later, and vice versa.
The script loads nearly 10,000 IPs, so reloading firewall.local can take a long time and a call to iptables -L takes forever.
January 24 at 10:14 pm • Jon