The PeerGuardian Script

This script offers another way to block incoming connections. Like PeerGuardian, it manages multiple IP blacklists and, together with firewall.local, creates IPTables rules so that connections from those IPs are locked out at the gateway.

Thanks again to burningpenguin for his preliminary work! For more information see the IPFire Forum thread: [Feature Request] PeerGuardian CLI

The IP blacklists from malc0de.com, openbl.org (the last 90 days blocklist) and zeustracker.abuse.ch are fetched, stripped of comments, sorted, and stored in /etc/sysconfig/blacklist.

Edit IPTables

Before running the script, /etc/sysconfig/firewall.local must be set up so that the blacklist file is processed. See the how-to Load IP-Blacklist from file.

PeerGuardian Script

When that is done, place this script wherever you like on the IPFire system.

filename = blacklist.sh

#!/bin/bash -

###########################################################################
# 2014-03-03 by burningpenguin: scriptblacklistip
#
# add blocked IPs to the firewall to not be accessed from green/blue
###########################################################################
# 2014-03-03 initial version
#
#
###########################################################################
# forum: http://forum.ipfire.org/index.php?topic=10028.0
###########################################################################
# usage
#  extend by adding this section per blacklist url
#   #get list from ??service??
#   printf "\n Get files: ??service???"
#   wget -O - http:???url??? > /etc/sysconfig/blacklisttmp
#   cat /etc/sysconfig/blacklisttmp >> /etc/sysconfig/blacklist
#
#
###########################################################################
#empty temp file
cat /dev/null > /etc/sysconfig/blacklist

#get list from malc0de
printf "\n Get files: malc0de"
wget -O - http://malc0de.com/bl/IP_Blacklist.txt > /etc/sysconfig/blacklistmalc0de
cat /etc/sysconfig/blacklistmalc0de >> /etc/sysconfig/blacklist
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

#get list from zeustracker
#note: --no-check-certificate disables TLS certificate verification for this download
printf "\n Get files: zeus"
wget -O - --no-check-certificate https://zeustracker.abuse.ch/blocklist.php?download=badips > /etc/sysconfig/blacklistzeus
cat /etc/sysconfig/blacklistzeus >> /etc/sysconfig/blacklist
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

#get list from openbl
printf "\n Get files: openbl"
wget -O - http://www.openbl.org/lists/base_90days.txt > /etc/sysconfig/blacklistopenbl
cat /etc/sysconfig/blacklistopenbl >> /etc/sysconfig/blacklist

###########################################################################
# script extension: categories with IP collections from www.blocklist.de
# 2014-12-11 by 5p9
###########################################################################
# blall  = all categories with IPs from the last 48h
# blssh  = SSH attacks from the last 48h
# blbf   = webserver brute-force attacks from the last 48h
# blbadip= IPs with over 5000 attacks from the last 5 months
# blbots = RFI, REG and BadBot IRC attacks from the last 48h
# !!! HINT !!!
# if blall.txt is active then disable openbl and
# all the other single categories blssh, blbf, blbadip and blbots !!!
###########################################################################

#get list from blocklist.de - all.txt, over 32000 IPs! very large!
#printf "\n Get files: blocklist.de all"
#wget -O - http://lists.blocklist.de/lists/all.txt > /etc/sysconfig/blacklistblall
#cat /etc/sysconfig/blacklistblall >> /etc/sysconfig/blacklist

#get list from blocklist.de - ssh.txt
#printf "\n Get files: blocklist.de ssh"
#wget -O - http://lists.blocklist.de/lists/ssh.txt > /etc/sysconfig/blacklistblssh
#cat /etc/sysconfig/blacklistblssh >> /etc/sysconfig/blacklist

#get list from blocklist.de - bruteforcelogin.txt (webserver brute force)
#printf "\n Get files: blocklist.de bruteforcelogin"
#wget -O - http://lists.blocklist.de/lists/bruteforcelogin.txt > /etc/sysconfig/blacklistblbf
#cat /etc/sysconfig/blacklistblbf >> /etc/sysconfig/blacklist

#get list from blocklist.de - strongips.txt
#printf "\n Get files: blocklist.de strongips"
#wget -O - http://lists.blocklist.de/lists/strongips.txt > /etc/sysconfig/blacklistblbadip
#cat /etc/sysconfig/blacklistblbadip >> /etc/sysconfig/blacklist

#get list from blocklist.de - bots.txt
#printf "\n Get files: blocklist.de bots"
#wget -O - http://lists.blocklist.de/lists/bots.txt > /etc/sysconfig/blacklistblbots
#cat /etc/sysconfig/blacklistblbots >> /etc/sysconfig/blacklist

#check amount of lines before sorting and clean-up
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

printf "\n Sort IPs uniq"
sort -u /etc/sysconfig/blacklist > /etc/sysconfig/blacklisttmp

printf "\n Remove comments, IPv6 addresses etc."
#drop comment lines (starting with # or /), blank lines,
#CIDR ranges (x.x.x.x/NN) and IPv6 addresses (anything containing ':')
grep -Ev '^[[:space:]]*(#|/|$)|/[0-9]|:' /etc/sysconfig/blacklisttmp > /etc/sysconfig/blacklist

#check amount of lines after sorting and clean-up
printf "\n Amount of lines %s \n" "$(wc -l < /etc/sysconfig/blacklist)"

#reload firewall - this might take some time
/etc/init.d/firewall reload
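To see what the sort-and-clean step should keep and what it should discard, here is a small POSIX shell helper (an added example, not part of the original script or the forum post) that applies the same rules with stricter IPv4 validation: comment and blank lines, inline comments, CIDR ranges and IPv6 addresses are dropped, every octet must be 0..255, and the result is deduplicated in numeric order. The function names clean_blacklist, blacklist_count and make_sample are the example's own, and the list it cleans is constructed inline.

```shell
#!/bin/sh
# Added example: a stricter version of the script's sort/uniq/egrep clean-up step.

# clean_blacklist FILE
# Prints one valid IPv4 host address per line, numerically sorted, deduplicated.
# Dropped: comment lines (# or /), blank lines, inline "# ..." comments,
# CR line endings, CIDR ranges (a.b.c.d/NN), IPv6 (anything containing ':'),
# and addresses with an octet outside 0..255.
clean_blacklist() {
    tr -d '\r' < "$1" \
    | sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# blacklist_count FILE: number of addresses that survive the clean-up
blacklist_count() {
    clean_blacklist "$1" | wc -l | tr -d ' '
}

# make_sample: writes a constructed list (not a real feed) mixing the line
# shapes the real lists contain: comments, inline comments, duplicates,
# leading whitespace, an out-of-range octet, a CIDR range, IPv6 and a CRLF
# line. Prints the path of the temporary file.
make_sample() {
    f=$(mktemp)
    printf '%s\n' \
        '# constructed sample, not a real feed' \
        '1.2.3.4' \
        '10.0.0.1  # inline comment' \
        '  1.2.3.4' \
        '256.1.1.1' \
        '192.0.2.0/24' \
        '2001:db8::1' \
        '' \
        '// another comment style' \
        '9.9.9.9' > "$f"
    printf '203.0.113.7\r\n' >> "$f"   # CRLF line, as served by some hosts
    echo "$f"
}

# usage: clean the constructed sample and print the surviving addresses
sample=$(make_sample)
clean_blacklist "$sample"
rm -f "$sample"
```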

Make Script Executable

After transferring or creating the script, it must be made executable:

chmod +x blacklist.sh

Timing

To run the check regularly, the script can be called by a cron job:

fcrontab -e

Specify the desired frequency for the cron job, here daily at 00:10 AM.

# sys_info
10 00 * * *     /mnt/harddisk/scripts/blacklist.sh

The disadvantages

Since the blacklist contains many potentially dangerous addresses, there may be a large number of false positives: dynamic IP addresses that were not considered dangerous may suddenly be, and vice versa.

The script loads nearly 10,000 IPs, so reloading firewall.local can take a long time and a call to iptables -L takes forever.


Older Revisions • December 7 at 11:21 pm • Jon