API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jan 11th, 2014
39
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.26 KB | None | 0 0
raw download clone embed print report
  1.  
  2.  
  3. #! /bin/bash
  4.  
  5. # /usr/local/sbin/block
  6. # BoneKracker
  7. # Rev. 11 October 2012
  8. # Tested with ipset 6.13
  9.  
  10. # Purpose: Load DShield.org Recommended Block List into an ipset in a running
  11. # firewall.  That list contains the networks from which the most malicious
  12. # traffic is being reported by DShield participants.
  13.  
  14. # Notes: Call this from crontab. Feed updated every 15 minutes.
  15. # netmask=24: dshield's list is all class C networks
  16. # hashsize=64: default is 1024 but 64 is more than needed here
  17.  
  18.  
  19. target="http://myip.ms/files/blacklist/general/latest_blacklist.txt"
  20. ipset_params="hash:net --hashsize 1024"
  21.  
  22. filename=$(basename ${target})
  23. firewall_ipset=${filename%.*}           # ipset will be filename minus ext
  24. data_dir="/var/tmp/${firewall_ipset}"   # data directory will be same
  25. data_file="${data_dir}/${filename}"
  26.  
  27. # if data directory does not exist, create it
  28. mkdir -pm 0750 ${data_dir}
  29.  
  30. # function to get modification time of the file in log-friendly format
  31. # stderr redirected in case file is not present
  32. get_timestamp() {
  33.     date -r $1 +%m/%d' '%R
  34. }
  35.  
  36. # file modification time on server is preserved during wget download
  37. [ -w $data_file ] && old_timestamp=$(get_timestamp ${data_file})
  38.  
  39. # fetch file only if newer than the version we already have
  40. wget -qNP ${data_dir} ${target}
  41.  
  42. if [ "$?" -ne "0" ]; then
  43.     logger -p cron.err "IPSet: ${firewall_ipset} wget failed."
  44.     exit 1
  45. fi
  46.  
  47. timestamp=$(get_timestamp ${data_file})
  48.  
  49. # compare timestamps because wget returns success even if no newer file
  50. if [ "${timestamp}" != "${old_timestamp}" ]; then
  51.  
  52.     temp_ipset="${firewall_ipset}_temp"
  53.     ipset create ${temp_ipset} ${ipset_params}
  54.  
  55.     networks=$(sed -rn 's/(^([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p' ${data_file})
  56.  
  57.     for net in $networks; do
  58.         ipset add ${temp_ipset} ${net}
  59.     done
  60.  
  61.     # if ipset does not exist, create it
  62.     ipset create -exist ${firewall_ipset} ${ipset_params}
  63.  
  64.     # swap the temp ipset for the live one
  65.     ipset swap ${temp_ipset} ${firewall_ipset}
  66.     ipset destroy ${temp_ipset}
  67.  
  68.     # log the file modification time for use in minimizing lag in cron schedule
  69.     logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."
  70.  
  71. fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!