A bash script to ban large numbers of IP addresses published in blacklists.
A Bash shell script which uses ipset and iptables to ban a large number of IP addresses published in IP blacklists. ipset uses a hashtable to store/fetch IP addresses and thus the IP lookup is a lot (!) faster than thousands of sequentially parsed iptables ban rules. ~~However, the limit of an ipset list is 2^16 entries.~~
The ipset command doesn't work under OpenVZ. It works fine on dedicated and fully virtualized servers like KVM though.
to generate the /etc/ipset-blacklist/ip-blacklist.restore
# Enable blacklists ipset restore < /etc/ipset-blacklist/ip-blacklist.restore iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
Make sure to run this snippet in a firewall script or just insert it to /etc/rc.local.
In order to auto-update the blacklist, copy the following code into /etc/cron.d/update-blacklist. Don't update the list too often or some blacklist providers will ban your IP address. Once a day should be OK though.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root 33 23 * * * root /usr/local/sbin/update-blacklist.sh /etc/ipset-blacklist/ipset-blacklist.conf
Using iptables, you can check how many packets got dropped using the blacklist:
[email protected]:~# iptables -L INPUT -v --line-numbers Chain INPUT (policy DROP 60 packets, 17733 bytes) num pkts bytes target prot opt in out source destination 1 15 1349 DROP all -- any any anywhere anywhere match-set blacklist src 2 0 0 fail2ban-vsftpd tcp -- any any anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data 3 912 69233 fail2ban-ssh-ddos tcp -- any any anywhere anywhere multiport dports ssh 4 912 69233 fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
Since iptable rules are parsed sequentally, the ipset-blacklist is most effective if it's the topmost rule in iptable's INPUT chain. However, restarting fail2ban usually leads to a situation, where fail2ban inserts its rules above our blacklist drop rule. To prevent this from happening we have to tell fail2ban to insert its rules at the 2nd position. Since the iptables-multiport action is the default ban-action we have to add a file to /etc/fail2ban/action.d:
tee << EOF /etc/fail2ban/action.d/iptables-multiport.local [Definition] actionstart = -N f2b- -A f2b- -j -I 2 -p -m multiport --dports -j f2b- EOF(Please keep in in mind this is entirely optional, it just makes dropping blacklisted IP addresses most effective)
Edit the BLACKLIST array in /etc/ipset-blacklist/ipset-blacklist.conf to add or remove blacklists, or use it to add your own blacklists. ``` BLACKLISTS=( "http://www.mysite.me/files/mycustomblacklist.txt" # Your personal blacklist "http://www.projecthoneypot.org/listofips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
) ``` If you for some reason want to ban all IP addresses from a certain country, have a look at IPverse.net's aggregated IP lists which you can simply add to the BLACKLISTS variable. For a ton of spam and malware related blacklists, check out this github repo: https://github.com/firehol/blocklist-ipsets
Set blacklist-tmp is full, maxelem 65536 reached
ipset v6.20.1: Error in line 2: Set cannot be created: set with the same name already exists
ipset v6.12: No command specified: unknown argument -fileYou're using an outdated version of ipset which is not supported.