mietzen · April 8, 2021 18:28
diff --git a/block_badips.sh b/block_badips.sh
 #!/bin/bash
 # This a replacement Aikhjarto/block_badips.sh, using https://www.abuseipdb.com/ since badips.com seems to be offline :(
 # This script downloads a list of IPs known for brute force attacking.
 # The fetched IPs get blocked with iptables with the special comment "BADIP". This script only
 # modifies iptables rules with that comment. This measure makes it well compatible with other firewall
 # scripts like the SUSEFirewall.
 # The iptables rules are updated every time this script is executed. Additionally this script is
 # quiet on stdout, which makes it well suited for being executed as a cronjob.

 # TODO Block ipv6

 IPTABLES_BIN=/usr/sbin/iptables
 IPTABLES_SAVE_BIN=/usr/sbin/iptables-save
 # Set your api key
 ABUSEIPDB_API_KEY=<YOUR-API-KEY>

 LOGGER_OPTS="-t add_badips"

 # fetch IP list from badips.com
 URL="https://api.abuseipdb.com/api/v2/blacklist"

 ### download
 logger $LOGGER_OPTS "fetching list of bad IPs from $URL"
 FILE_MIXED=`mktemp`
 FILE_V4=`mktemp`
 FILE_V6=`mktemp`

 curl -G $URL -d confidenceMinimum=95 -d limit=9999999 -H "Key:$ABUSEIPDB_API_KEY" -H "Accept: text/plain" > $FILE_MIXED
 cat FILE_MIXED | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" > FILE_V4
 cat FILE_MIXED | grep -oE "\b(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b" > FILE_V6

 if [ $? -ne 0 ]; then 
        logger $LOGGER_OPTS -s "ERROR: download of $URL failed"
        exit 1
 else
        logger $LOGGER_OPTS "got "`wc -l $FILE_MIXED | awk '{ print $1 }'` " IPs"
 fi
  
 ### remove old blocked entries
 FILE_OLD_IPS=`mktemp`
 # export all rules with comment "BADIP"
 $IPTABLES_SAVE_BIN  | grep -e "--comment BADIP" | sed 's/-A/-D/' > $FILE_OLD_IPS
 logger $LOGGER_OPTS "removing "`wc -l $FILE_OLD_IPS | awk '{ print $1 }'` " old entries"
 # remove all IPs previously known as bad
 # HINT: use a while loop here since a for loop would require changing the IFS due to spaces in $FILE_OLD_IPS
 while read RULE; do
        $IPTABLES_BIN $RULE
 done < $FILE_OLD_IPS
 rm $FILE_OLD_IPS

 ### add new IPs
 for IP in $(cat $FILE_V4); do
        $IPTABLES_BIN -I INPUT $RULE -s $IP -j DROP -m comment --comment "BADIP"
 done
 rm $FILE_V4
 rm $FILE_V6
 rm $FILE_MIXED
 logger $LOGGER_OPTS "done applying IPs"
	#!/bin/bash
	# This a replacement Aikhjarto/block_badips.sh, using https://www.abuseipdb.com/ since badips.com seems to be offline :(
	# This script downloads a list of IPs known for brute force attacking.
	# The fetched IPs get blocked with iptables with the special comment "BADIP". This script only
	# modifies iptables rules with that comment. This measure makes it well compatible with other firewall
	# scripts like the SUSEFirewall.
	# The iptables rules are updated every time this script is executed. Additionally this script is
	# quiet on stdout, which makes it well suited for being executed as a cronjob.

	# TODO Block ipv6

	IPTABLES_BIN=/usr/sbin/iptables
	IPTABLES_SAVE_BIN=/usr/sbin/iptables-save
	# Set your api key
	ABUSEIPDB_API_KEY=<YOUR-API-KEY>

	LOGGER_OPTS="-t add_badips"

	# fetch IP list from badips.com
	URL="https://api.abuseipdb.com/api/v2/blacklist"

	### download
	logger $LOGGER_OPTS "fetching list of bad IPs from $URL"
	FILE_MIXED=`mktemp`
	FILE_V4=`mktemp`
	FILE_V6=`mktemp`

	curl -G $URL -d confidenceMinimum=95 -d limit=9999999 -H "Key:$ABUSEIPDB_API_KEY" -H "Accept: text/plain" > $FILE_MIXED
	cat FILE_MIXED \| grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" > FILE_V4
	cat FILE_MIXED \| grep -oE "\b(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,7}:\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\|:((:[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))\b" > FILE_V6

	if [ $? -ne 0 ]; then
	logger $LOGGER_OPTS -s "ERROR: download of $URL failed"
	exit 1
	else
	logger $LOGGER_OPTS "got "`wc -l $FILE_MIXED \| awk '{ print $1 }'` " IPs"
	fi

	### remove old blocked entries
	FILE_OLD_IPS=`mktemp`
	# export all rules with comment "BADIP"
	$IPTABLES_SAVE_BIN \| grep -e "--comment BADIP" \| sed 's/-A/-D/' > $FILE_OLD_IPS
	logger $LOGGER_OPTS "removing "`wc -l $FILE_OLD_IPS \| awk '{ print $1 }'` " old entries"
	# remove all IPs previously known as bad
	# HINT: use a while loop here since a for loop would require changing the IFS due to spaces in $FILE_OLD_IPS
	while read RULE; do
	$IPTABLES_BIN $RULE
	done < $FILE_OLD_IPS
	rm $FILE_OLD_IPS

	### add new IPs
	for IP in $(cat $FILE_V4); do
	$IPTABLES_BIN -I INPUT $RULE -s $IP -j DROP -m comment --comment "BADIP"
	done
	rm $FILE_V4
	rm $FILE_V6
	rm $FILE_MIXED
	logger $LOGGER_OPTS "done applying IPs"