- #!/bin/bash
- # +-----------------------------------------------------------------------+
- # | netfilter_drop_ipset_zeus_spamhaus.sh |
- # | |
- # | Create ipset lists from zeus project and spamhaus |
- # | Add netfilter INPUT rules matching ipset lists to DROP unwanted ips |
- # | |
- # | Add this script in /etc/cron.daily/netfilter_drop_ipset_zeus_spamhaus |
- # | #!/bin/sh |
- # | /path/to/netfilter_drop_ipset_zeus_spamhaus.sh |
- # | |
- # +-----------------------------------------------------------------------+
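# Log file lives with the other system logs and is named after this script
# (".sh" stripped), e.g. /var/log/netfilter_drop_ipset_zeus_spamhaus.log.
LOGFILE="/var/log/${0##*/}"
LOGFILE="${LOGFILE%.sh}.log"
readonly LOGFILE
# Position in the INPUT chain where the DROP rules are inserted. Set the
# correct position according to your netfilter INPUT rules: after the rules
# that accept loopback/established/management traffic, before anything
# that would otherwise accept packets from the listed sources.
readonly DROP_RULE_POSITION=6
readonly ZEUS_BLOCKLIST_URL='https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist'
readonly ZEUS_BLOCKLIST_FILE=/etc/zeus-list.txt
readonly SPAMHAUS_BLOCKLIST_URL='https://www.spamhaus.org/drop/drop.txt'
readonly SPAMHAUS_BLOCKLIST_FILE=/etc/spamhaus-list.txt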
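#######################################
# Print a timestamped line and append it to the log file.
# Globals:   LOGFILE (read) - file the line is appended to
# Arguments: $* - message text; nothing is written when $1 is empty
# Outputs:   "[dd/mm/yyyy HH:MM:SS] text" on stdout and appended to LOGFILE
# Returns:   0 when nothing is written, otherwise the status of tee
#######################################
message() {
  [[ -n "$1" ]] || return 0
  # printf rather than echo: the text is data, never an echo option.
  printf '[%s] %s\n' "$(date +'%d/%m/%Y %H:%M:%S')" "$*" | tee -a -- "${LOGFILE}"
}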
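#######################################
# Log the outcome of the previous step and abort the script on failure.
# Arguments: $1 - exit status of the step just run (missing counts as 1)
# Outputs:   "OK" or "Failed" via message
# Returns:   0 on success; on failure the script exits with the step's own
#            status so cron and the caller see a non-zero exit
#######################################
ok_failed() {
  local rc=${1:-1}
  if [[ "${rc}" =~ ^0+$ ]]; then
    message "OK"
    return 0
  fi
  message "Failed"
  # Exit with the step's status, not "$?" of message (always 0), which would
  # turn every failure into a silent success.
  exit "${rc}"
}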
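# A pipeline fails when any stage fails, so a failing iptables listing piped
# through tee is not reported as success.
set -o pipefail

readonly ZEUS_IPSET_IPS="zeus_ipset_ips"
readonly SPAMHAUS_IPSET_IPRANGES="spamhaus_ipset_ipranges"
# Scratch directory for downloads; created in main and removed on exit.
WORKDIR=

#######################################
# Abort the run unless a command is available on PATH.
# Arguments: $1 - command name
#######################################
require_cmd() {
  message "[+] Check if $1 command is available"
  command -v -- "$1" >/dev/null 2>&1
  ok_failed $?
}

#######################################
# Download a blocklist and normalise it to one IPv4 address/prefix per line.
# TLS certificate verification is left ON: whoever can tamper with this feed
# decides which sources the host DROPs, so it must not be fetched over an
# unverified connection. Comment lines ("#" or ";"), trailing "; ..."
# annotations and blank lines are removed and only IPv4 / CIDR tokens are
# kept, so unexpected feed content (an HTML error page, say) never reaches
# ipset. The destination is replaced only when the result is non-empty; a
# failed or empty fetch aborts the run and leaves the previous list file
# and its live ipset untouched.
# NOTE(review): the ZeuS Tracker feed may no longer be published; if its
# download fails, remove that list rather than relaxing verification.
# Globals:   WORKDIR (read)
# Arguments: $1 - URL to download, $2 - destination list file
#######################################
fetch_blocklist() {
  local url=$1 dest=$2
  local raw="${WORKDIR}/${dest##*/}.raw"
  local clean="${WORKDIR}/${dest##*/}.clean"
  local count
  message "[+] Download ${url} to ${dest}"
  wget -q -O "${raw}" -- "${url}"
  ok_failed $?
  sed -r -e '/^[#;]/d' -e 's/\s*;.*$//' -e '/^\s*$/d' -- "${raw}" \
    | grep -E -x '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' > "${clean}"
  count=$(wc -l < "${clean}")
  message "[+] ${count} usable entries in ${url}"
  if (( count == 0 )); then
    # No addresses at all is almost certainly a fetch or format problem;
    # keeping the old list is safer than later flushing the live set to nothing.
    ok_failed 1
  fi
  cp -f -- "${clean}" "${dest}"
  ok_failed $?
}

#######################################
# Insert the INPUT DROP rule for a set unless an identical rule already
# exists (covers the set surviving a chain flush, and vice versa).
# Globals:   DROP_RULE_POSITION (read)
# Arguments: $1 - ipset name
#######################################
ensure_drop_rule() {
  local set_name=$1
  if iptables -C INPUT -m set --match-set "${set_name}" src -j DROP 2>/dev/null; then
    return 0
  fi
  message "[+] Add DROP netfilter rule at position ${DROP_RULE_POSITION}"
  iptables -I INPUT "${DROP_RULE_POSITION}" -m set --match-set "${set_name}" src -j DROP
  ok_failed $?
}

#######################################
# Load a list file into an ipset without a window where the live set is
# empty: fill a scratch set of the same type, swap it in, destroy the
# scratch set. Creates the live set and its DROP rule when missing.
# Arguments: $1 - ipset name, $2 - ipset type (hash:ip / hash:net),
#            $3 - list file, one address or prefix per line
#######################################
load_ipset() {
  local set_name=$1 set_type=$2 list_file=$3
  local tmp_set="${set_name}_new"
  local entry failed=0
  message "[+] Check ipset list ${set_name}"
  if ! ipset list "${set_name}" >/dev/null 2>&1; then
    message "[+] Create ipset ${set_type} ${set_name}"
    ipset create "${set_name}" "${set_type}"
    ok_failed $?
  fi
  ensure_drop_rule "${set_name}"
  # A scratch set left behind by an aborted run is discarded first.
  ipset destroy "${tmp_set}" >/dev/null 2>&1 || true
  ipset create "${tmp_set}" "${set_type}"
  ok_failed $?
  message "[+] Adding $(wc -l < "${list_file}") entries from ${list_file} to ${set_name}"
  while IFS= read -r entry || [[ -n "${entry}" ]]; do
    ipset add "${tmp_set}" "${entry}" || failed=$(( failed + 1 ))
  done < "${list_file}"
  if (( failed > 0 )); then
    message "[-] ${failed} entries from ${list_file} were rejected by ipset"
  fi
  ipset swap "${tmp_set}" "${set_name}"
  ok_failed $?
  ipset destroy "${tmp_set}"
  message "Done."
}

#######################################
# Fetch both feeds, rebuild both sets, then log the resulting INPUT chain.
# Globals:   WORKDIR (written), LOGFILE, *_URL, *_FILE, *_IPSET_* (read)
#######################################
main() {
  require_cmd wget
  require_cmd ipset
  require_cmd iptables

  WORKDIR=$(mktemp -d)
  ok_failed $?
  trap 'rm -rf -- "${WORKDIR}"' EXIT

  fetch_blocklist "${ZEUS_BLOCKLIST_URL}" "${ZEUS_BLOCKLIST_FILE}"
  fetch_blocklist "${SPAMHAUS_BLOCKLIST_URL}" "${SPAMHAUS_BLOCKLIST_FILE}"

  # hash:ip is the canonical name of the legacy "iphash" type.
  load_ipset "${ZEUS_IPSET_IPS}" hash:ip "${ZEUS_BLOCKLIST_FILE}"
  load_ipset "${SPAMHAUS_IPSET_IPRANGES}" hash:net "${SPAMHAUS_BLOCKLIST_FILE}"

  message "[+] Netfilter INPUT rules"
  iptables -L INPUT -n -v --line-numbers | tee -a -- "${LOGFILE}"
}

main "$@"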