Scan Blocking MT

1. root@arr:~/block-shodan-stretchoid# ./linux-script.sh
2. + set -v
3.  
4. # Create ssh key pair for your router and use
5. # those credentials for logging in
6. router_ssh="ssh [email protected] -p 38022"
7. + router_ssh='ssh [email protected] -p 38022'
8.  
9. # Logging facility parameters
10. log_dir="/home/$(id -un)/scripts/fw_log"
11. ++ id -un
12. + log_dir=/home/root/scripts/fw_log
13. log_file="$log_dir/$(date +%Y-%m)_bad_hosts.log"
14. ++ date +%Y-%m
15. + log_file=/home/root/scripts/fw_log/2024-01_bad_hosts.log
16. log_file_alert="$log_dir/$(date +%Y-%m)_other_hosts.log"
17. ++ date +%Y-%m
18. + log_file_alert=/home/root/scripts/fw_log/2024-01_other_hosts.log
19.  
20. # Stage 1 dynamic address list on the remote MikroTik
21. router_stage1="fw_stage1"
22. + router_stage1=fw_stage1
23.  
24. # Blacklist address list on the remote MikroTik
25. router_blacklist="fw_blacklist"
26. + router_blacklist=fw_blacklist
27.  
28. # Temporary file we are using to store stage 1 access list
29. file="stage1"
30. + file=stage1
31.  
32. > "$file"
33.  
34. if [[ ! -d $log_dir ]]; then
35. mkdir -p $log_dir
36. fi
37. + [[ ! -d /home/root/scripts/fw_log ]]
38. if [[ ! -f $log_file ]]; then
39. touch $log_file
40. fi
41. + [[ ! -f /home/root/scripts/fw_log/2024-01_bad_hosts.log ]]
42. if [[ ! -f $log_file_alert ]]; then
43. touch $log_file_alert
44. fi
45. + [[ ! -f /home/root/scripts/fw_log/2024-01_other_hosts.log ]]
46.  
47. $router_ssh "/ip firewall address-list print where list=$router_stage1" | awk 'NR > 2 {print $4}' >> "$file"
48. + ssh [email protected] -p 38022 '/ip firewall address-list print where list=fw_stage1'
49. + awk 'NR > 2 {print $4}'
50.  
51. while read -r line || [[ "$line" ]]
52. do
53.  
54. ip=$(echo $line | tr -d '\r')
55. domain=$(dig -x "$ip" +short 2>&- | sed 's/.$//')
56.  
57. if [ ! -z "$domain" ]
58. then
59. if echo "$domain" | egrep -i "(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])" > /dev/null
60. then
61. $router_ssh -n "do { /ip firewall address-list add list=$router_blacklist comment=$domain address=$ip } on-error={}"
62. echo -e $(date +%Y-%m-%d) $ip"\t\t"$ptr >> $log_file
63. else
64. echo -e $(date +%Y-%m-%d) $ip "\t\t"$ptr >> $log_file_alert
65. fi
66. fi
67. done < "$file"
68. + read -r line
69. ++ echo CREATION-TIME
70. ++ tr -d '\r'
71. + ip=CREATION-TIME
72. ++ dig -x CREATION-TIME +short
73. ++ sed 's/.$//'
74. + domain=
75. + '[' '!' -z '' ']'
76. + read -r line
77. ++ echo 185.200.118.35
78. ++ tr -d '\r'
79. + ip=185.200.118.35
80. ++ dig -x 185.200.118.35 +short
81. ++ sed 's/.$//'
82. + domain=adscore.com
83. + '[' '!' -z adscore.com ']'
84. + echo adscore.com
85. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
86. ++ date +%Y-%m-%d
87. + echo -e 2024-01-27 185.200.118.35 '\t\t'
88. + read -r line
89. ++ echo 213.52.129.114
90. ++ tr -d '\r'
91. + ip=213.52.129.114
92. ++ dig -x 213.52.129.114 +short
93. ++ sed 's/.$//'
94. + domain=scanx18.pentest-tools.com
95. + '[' '!' -z scanx18.pentest-tools.com ']'
96. + echo scanx18.pentest-tools.com
97. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
98. + ssh [email protected] -p 38022 -n 'do { /ip firewall address-list add list=fw_blacklist comment=scanx18.pentest-tools.com address=213.52.129.114 } on-error={}'
99. ++ date +%Y-%m-%d
100. + echo -e 2024-01-27 '213.52.129.114\t\t'
101. + read -r line
102. ++ echo 178.79.168.123
103. ++ tr -d '\r'
104. + ip=178.79.168.123
105. ++ dig -x 178.79.168.123 +short
106. ++ sed 's/.$//'
107. + domain=scanx16.pentest-tools.com
108. + '[' '!' -z scanx16.pentest-tools.com ']'
109. + echo scanx16.pentest-tools.com
110. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
111. + ssh [email protected] -p 38022 -n 'do { /ip firewall address-list add list=fw_blacklist comment=scanx16.pentest-tools.com address=178.79.168.123 } on-error={}'
112. ++ date +%Y-%m-%d
113. + echo -e 2024-01-27 '178.79.168.123\t\t'
114. + read -r line
115. ++ echo 139.162.202.208
116. ++ tr -d '\r'
117. + ip=139.162.202.208
118. ++ dig -x 139.162.202.208 +short
119. ++ sed 's/.$//'
120. + domain=scanx2.pentest-tools.com
121. + '[' '!' -z scanx2.pentest-tools.com ']'
122. + echo scanx2.pentest-tools.com
123. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
124. + ssh [email protected] -p 38022 -n 'do { /ip firewall address-list add list=fw_blacklist comment=scanx2.pentest-tools.com address=139.162.202.208 } on-error={}'
125. ++ date +%Y-%m-%d
126. + echo -e 2024-01-27 '139.162.202.208\t\t'
127. + read -r line
128. ++ echo 139.144.154.251
129. ++ tr -d '\r'
130. + ip=139.144.154.251
131. ++ dig -x 139.144.154.251 +short
132. ++ sed 's/.$//'
133. + domain=scanx32.pentest-tools.com
134. + '[' '!' -z scanx32.pentest-tools.com ']'
135. + echo scanx32.pentest-tools.com
136. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
137. + ssh [email protected] -p 38022 -n 'do { /ip firewall address-list add list=fw_blacklist comment=scanx32.pentest-tools.com address=139.144.154.251 } on-error={}'
138. ++ date +%Y-%m-%d
139. + echo -e 2024-01-27 '139.144.154.251\t\t'
140. + read -r line
141. ++ echo 207.231.109.106
142. ++ tr -d '\r'
143. + ip=207.231.109.106
144. ++ dig -x 207.231.109.106 +short
145. ++ sed 's/.$//'
146. + domain=
147. + '[' '!' -z '' ']'
148. + read -r line
149. ++ echo 109.248.200.183
150. ++ tr -d '\r'
151. + ip=109.248.200.183
152. ++ dig -x 109.248.200.183 +short
153. ++ sed 's/.$//'
154. + domain=msk.z1
155. + '[' '!' -z msk.z1 ']'
156. + echo msk.z1
157. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
158. ++ date +%Y-%m-%d
159. + echo -e 2024-01-27 109.248.200.183 '\t\t'
160. + read -r line
161. ++ echo 74.82.47.61
162. ++ tr -d '\r'
163. + ip=74.82.47.61
164. ++ dig -x 74.82.47.61 +short
165. ++ sed 's/.$//'
166. + domain=scan-12m.shadowserver.org
167. + '[' '!' -z scan-12m.shadowserver.org ']'
168. + echo scan-12m.shadowserver.org
169. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
170. + ssh [email protected] -p 38022 -n 'do { /ip firewall address-list add list=fw_blacklist comment=scan-12m.shadowserver.org address=74.82.47.61 } on-error={}'
171. ++ date +%Y-%m-%d
172. + echo -e 2024-01-27 '74.82.47.61\t\t'
173. + read -r line
174. ++ echo 151.106.42.185
175. ++ tr -d '\r'
176. + ip=151.106.42.185
177. ++ dig -x 151.106.42.185 +short
178. ++ sed 's/.$//'
179. + domain=ns31465342.ip-151-106-42.eu
180. + '[' '!' -z ns31465342.ip-151-106-42.eu ']'
181. + egrep -i '(^|[^a-zA-Z])(shodan|stretchoid|shadowserver|ezotech|alphastrike|censys|onyphe|binaryedge|caacbook|onlineprism|internet-census|netsystemsresearch|scan.*)($|[^a-zA-Z])'
182. + echo ns31465342.ip-151-106-42.eu
183. ++ date +%Y-%m-%d
184. + echo -e 2024-01-27 151.106.42.185 '\t\t'
185. + read -r line
186. ++ echo 195.230.103.245
187. ++ tr -d '\r'
188. + ip=195.230.103.245
189. ++ dig -x 195.230.103.245 +short
190. ++ sed 's/.$//'
191. + domain=
192. + '[' '!' -z '' ']'
193. + read -r line
194. ++ echo
195. ++ tr -d '\r'
196. + ip=
197. ++ dig -x '' +short
198. ++ sed 's/.$//'
199. + domain=
200. + '[' '!' -z '' ']'
201. + read -r line
202. + [[ -n '' ]]
203.  
204.