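#!/bin/sh
# blacklist-ip.sh (C) Pawel Krawczyk 2006-2008
#
# Populate iptables (and ipset, when it is usable) with four IP blacklists:
#   1. Spamhaus DROP list
#   2. DShield block list
#   3. ThreatStop blacklist (published as DNS A records)
#   4. RBN (Russian Business Network) address list
#
# The script (re)creates a chain named "blacklists" and, unless DROP_RULE is
# changed below, a chain named "black_DROP" that logs and drops.  It does NOT
# hook "blacklists" into INPUT/FORWARD/OUTPUT - that is left to the caller's
# own ruleset (e.g. one generated by fwbuilder).  Note that the chains and
# sets are emptied before the feeds are downloaded, so there is a short window
# during each run in which nothing is blacklisted.
#
# Security notes for operators:
#   * Every address that ends up in the packet filter comes from a remote feed.
#     A feed fetched over plain http:// can be rewritten on the wire, and a
#     single injected "0.0.0.0/0" would blackhole the host.  Use https:// URLs
#     wherever the provider offers them (wget verifies certificates by
#     default), and keep the per-entry validation below - it is the only check
#     between the feed and the firewall.
#   * The ThreatStop list arrives over DNS and is unauthenticated unless the
#     resolver validates DNSSEC for that zone.
#   * Keep personal feed keys (e.g. a DShield key URL) out of this file.

SPAMHAUS_URL='http://www.spamhaus.org/drop/drop.lasso'

# DShield: replace with your personal key URL (see www.dshield.org) and keep
# that copy out of version control.  The public list works without a key.
DSHIELD_URL='http://feeds.dshield.org/block.txt'

# Target for matched packets.  Change it if you have your own drop+log chain,
# especially when using fwbuilder.org.
DROP_RULE='black_DROP'

# Rate limit applied to the LOG rule in black_DROP; empty disables limiting.
# Without a limit one blacklisted peer can flood the kernel log.
LOG_LIMIT='10/min'

# 'threatstop.local' if you have pointed your nameservers to 66.240.219.28 and
# 67.89.120.20, 'threatstop.com' if you have not.
# See https://www.threatstop.com/index.php?page=instructions for details.
THREATSTOP_DOMAIN='threatstop.com'
THREATSTOP_NAMES='basic basic1 basic2 basic3 basic4'

# Russian Business Network spam ring.
# Visit http://rbnexploit.blogspot.com/ for more information.
RBN_URL='http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt'

# Shortest prefix length accepted from any feed.  Anything broader (e.g. /0
# or /4) is far more likely to be feed corruption or tampering than a real
# listing and would take legitimate traffic down with it.
MIN_PREFIX=8

# Download limits so a stalled feed cannot hang a cron run indefinitely.
WGET_OPTS='-q -T 60 -t 2'

export PATH="$PATH:/usr/local/sbin:/sbin:/usr/sbin"

set -u

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# Temporary files are tracked here and removed on every exit path; the old
# version left them behind whenever a download failed part-way.
TMPFILES=''
cleanup() {
    [ -n "$TMPFILES" ] && rm -f -- $TMPFILES
}
trap cleanup EXIT
trap 'exit 1' INT TERM HUP

# newtmp - create a temp file, record it for cleanup and return it in $TMP.
newtmp() {
    TMP=$(mktemp) || { echo "$0: mktemp failed" >&2; exit 1; }
    TMPFILES="$TMPFILES $TMP"
}

# fetch URL FILE - download URL into FILE; succeeds only if data arrived.
fetch() {
    wget $WGET_OPTS -O "$2" "$1" || echo "$0: warning: could not fetch $1" >&2
    [ -s "$2" ]
}

# skip FEED ENTRY - report a feed line that failed validation.
skip() {
    echo "$0: $1: ignoring malformed entry '$2'" >&2
}

# One dotted-quad octet, 0-255, no leading zeros.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'

# valid_ip4 A.B.C.D - true if the argument is exactly one IPv4 address.
valid_ip4() {
    printf '%s\n' "$1" | grep -Eqx "$OCTET(\.$OCTET){3}"
}

# valid_cidr4 A.B.C.D/N - true if the address part is valid and the prefix
# length lies within MIN_PREFIX..32.
valid_cidr4() {
    vc_addr=${1%/*}
    vc_plen=${1##*/}
    [ "$vc_addr" != "$1" ] || return 1
    valid_ip4 "$vc_addr" || return 1
    case $vc_plen in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$vc_plen" -ge "$MIN_PREFIX" ] && [ "$vc_plen" -le 32 ]
}

# norm_ip4 A.B.C.D - print the address with leading zeros stripped from each
# octet (DShield has published zero-padded octets such as 218.050.001.000,
# which strict parsers reject or read as octal).  Prints nothing if the
# input is not four dot-separated numbers.
norm_ip4() {
    printf '%s\n' "$1" | awk -F. '/^[0-9]+(\.[0-9]+){3}$/ {
        printf "%d.%d.%d.%d\n", $1 + 0, $2 + 0, $3 + 0, $4 + 0 }'
}

# add_addr NAME ADDR - add a single IP or CIDR to ipset NAME, or to the
# iptables chain of the same name (both directions) when ipset is unusable.
add_addr() {
    if [ "$ipset" = "YES" ]; then
        ipset -A "$1" "$2"
    else
        iptables -I "$1" -s "$2" -j "$DROP_RULE"
        iptables -I "$1" -d "$2" -j "$DROP_RULE"
    fi
}

# add_range NAME FIRST LAST - same as add_addr for an inclusive address range.
add_range() {
    if [ "$ipset" = "YES" ]; then
        ipset -A "$1" "$2:$3"
    else
        iptables -I "$1" -m iprange --src-range "$2-$3" -j "$DROP_RULE"
        iptables -I "$1" -m iprange --dst-range "$2-$3" -j "$DROP_RULE"
    fi
}

# reset_set NAME TYPE - (re)create an empty ipset.  Errors are silenced
# because -F/-X are expected to fail on the first run and -N fails harmlessly
# when another rule still references the set.
reset_set() {
    ipset -F "$1" 2>/dev/null
    ipset -X "$1" 2>/dev/null
    ipset -N "$1" "$2" 2>/dev/null
}

# reset_chain NAME - (re)create an empty iptables chain.
reset_chain() {
    iptables -F "$1" 2>/dev/null
    iptables -X "$1" 2>/dev/null
    iptables -N "$1" 2>/dev/null
}

# ---------------------------------------------------------------------------
# Detect ipset and initialise chains and sets
# ---------------------------------------------------------------------------

# Non-destructive probe: the binary must exist and the kernel side must
# answer a listing.  (The previous check ran a bare "ipset -F", which flushes
# EVERY set on the machine, including ones this script does not own.)
ipset=NO
if command -v ipset >/dev/null 2>&1 && ipset -L >/dev/null 2>&1; then
    ipset=YES
fi

reset_chain blacklists

if [ "$ipset" = "YES" ]; then
    # Set types use the legacy ipset 4.x names the script was written for.
    # On ipset 6 nethash/iphash are aliases for hash:net/hash:ip, but
    # iptreemap was removed - check "ipset --help" on your release.
    reset_set spamhaus   nethash
    reset_set rbncidr    nethash
    reset_set rbnip      iphash
    reset_set dshield    iptreemap
    reset_set threatstop iphash

    # Link the sets to iptables, smallest first.
    for set in dshield rbncidr rbnip spamhaus threatstop; do
        iptables -A blacklists -m state --state NEW \
            -m set --set "$set" src,dst -j "$DROP_RULE"
    done
else
    # No ipset: one iptables chain per list.
    for table in spamhaus dshield threatstop rbncidr rbnip; do
        reset_chain "$table"
        iptables -A blacklists -m state --state NEW -j "$table"
    done
fi

# black_DROP is only built when it is actually the configured target.
if [ "$DROP_RULE" = "black_DROP" ]; then
    reset_chain black_DROP
    if [ -n "$LOG_LIMIT" ]; then
        iptables -A black_DROP -m limit --limit "$LOG_LIMIT" \
            -j LOG --log-prefix 'BLACKLISTED '
    else
        iptables -A black_DROP -j LOG --log-prefix 'BLACKLISTED '
    fi
    iptables -A black_DROP -j DROP
fi

# ---------------------------------------------------------------------------
# 1. Spamhaus DROP list
#    ; Spamhaus DROP List 8/2/07
#    122.8.0.0/15 ; SBL52788
# ---------------------------------------------------------------------------
newtmp; raw=$TMP
if fetch "$SPAMHAUS_URL" "$raw"; then
    tr -d '\r' <"$raw" | awk '{ print $1 }' | grep -Ev '^(;|#|$)' |
    while IFS= read -r entry; do
        if valid_cidr4 "$entry"; then
            add_addr spamhaus "$entry"
        else
            skip spamhaus "$entry"
        fi
    done
fi

# ---------------------------------------------------------------------------
# 2. DShield block list
#    # DShield.org Recommended Block List
#    Start        End            Netblock Attacks Name ... Country email
#    219.94.38.0  219.94.38.255  24       26042   TMNET ...
# ---------------------------------------------------------------------------
newtmp; raw=$TMP
if fetch "$DSHIELD_URL" "$raw"; then
    tr -d '\r' <"$raw" | grep -Ev '^(#|$|Start)' |
    while read -r first last rest; do
        first=$(norm_ip4 "$first")
        last=$(norm_ip4 "$last")
        if valid_ip4 "$first" && valid_ip4 "$last"; then
            add_range dshield "$first" "$last"
        else
            skip dshield "$first $last"
        fi
    done
fi

# ---------------------------------------------------------------------------
# 3. ThreatStop - the list is the set of A records of each name below.
#    ThreatStop's documented method resolves the name inside an iptables
#    rule, which is unreliable; query the records with dig instead.  +tcp
#    avoids truncated UDP answers, +short yields one rdata per line (CNAME
#    targets, if any, are dropped by the address check).
# ---------------------------------------------------------------------------
newtmp; names=$TMP
for name in $THREATSTOP_NAMES; do
    dig +tcp +short a "$name.$THREATSTOP_DOMAIN" >>"$names"
done
if [ -s "$names" ]; then
    sort -u "$names" |
    while IFS= read -r entry; do
        if valid_ip4 "$entry"; then
            add_addr threatstop "$entry"
        else
            skip threatstop "$entry"
        fi
    done
fi

# ---------------------------------------------------------------------------
# 4. RBN - mixes CIDR blocks and bare addresses, e.g. 58.65.232.0/21.
#    ipset needs them in different set types, so they are sorted into
#    rbncidr and rbnip; the iptables fallback mirrors the split.
# ---------------------------------------------------------------------------
newtmp; raw=$TMP
if fetch "$RBN_URL" "$raw"; then
    tr -d '\r' <"$raw" | awk '{ print $1 }' | grep -Ev '^(;|#|$)' |
    while IFS= read -r entry; do
        case $entry in
            */*)
                if valid_cidr4 "$entry"; then
                    add_addr rbncidr "$entry"
                else
                    skip rbn "$entry"
                fi
                ;;
            *)
                if valid_ip4 "$entry"; then
                    add_addr rbnip "$entry"
                else
                    skip rbn "$entry"
                fi
                ;;
        esac
    done
fi

exit 0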