From ddaead417f8f33e8a50ee7ba12641d1908347782 Mon Sep 17 00:00:00 2001
From: Josef 'veloc1ty' Stautner
Date: Fri, 23 Jan 2015 12:38:12 +0100
Subject: [PATCH] Stuff corrected

---
 README.md | 3 ++
 blocklist-update.sh | 127 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 blocklist-update.sh

diff --git a/README.md b/README.md
index 71d7596..175b91d 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,5 @@
 # Blocklist.de-Sync
 Synchronize an iptables chain with your desired entries from banlists generated by blocklist.de
+
+# Further Reading (in german)
+https://blog.veloc1ty.de/2013/07/22/blocklist-de-script-fur-automatischen-abgleich-mit-synchronisation/
diff --git a/blocklist-update.sh b/blocklist-update.sh
new file mode 100644
index 0000000..254442f
--- /dev/null
+++ b/blocklist-update.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+
+##
+## Configuration
+##
+
+# Files which should be downloaded
+TO_DOWNLOAD[0]="http://lists.blocklist.de/lists/ftp.txt"
+#TO_DOWNLOAD[1]="http://lists.blocklist.de/lists/bots.txt"
+#TO_DOWNLOAD[2]="http://lists.blocklist.de/lists/ssh.txt"
+TO_DOWNLOAD[1]="http://lists.blocklist.de/lists/bruteforcelogin.txt"
+TO_DOWNLOAD[2]="http://lists.blocklist.de/lists/apache.txt"
+
+# Other settings; Edit if necesarry
+CHAINNAME="blocklist-de"
+ACTION="REJECT" # Can be DROP
+PRINT_REPORT=1
+
+########## Do not edit anything below this line ##########
+
+#
+## Needed variables
+#
+started=`date`
+version="1.0.0"
+amountDownloaded=0
+amountAfterSortAndUnique=0
+amountInserted=0
+amountDeleted=-1
+
+fileUnfiltered="/tmp/blocklist-ips-unfiltered.txt"
+fileFiltered="/tmp/blocklist-ips-filtered.txt"
+
+#
+## Download every file and concat to one file
+#
+for currentFile in "${TO_DOWNLOAD[@]}"
+do
+ wget -qO - $currentFile >> $fileUnfiltered
+done
+
+#
+## Sort and filter
+#
+cat $fileUnfiltered | sort | uniq > $fileFiltered
+
+amountDownloaded=`cat $fileUnfiltered | wc -l`
+amountAfterSortAndUnique=`cat $fileFiltered | wc -l`
+
+#
+## Create chain if it does not exist
+#
+iptables --new-chain $CHAINNAME >/dev/null 2>&1
+
+# Insert rule (if necesarry) into INPUT chain so the chain above will also be used
+if [ `iptables -L INPUT | grep $CHAINNAME | wc -l` -eq 0 ]
+then
+
+ # Insert rule because it is not present
+ iptables -I INPUT -j $CHAINNAME
+
+fi
+
+#
+## Insert all IPs from the downloaded list if there is no rule stored
+#
+while read currentIP
+do
+
+ # Check via command
+ iptables -C $CHAINNAME -s $currentIP -j $ACTION >/dev/null 2>&1
+
+ # Now we have to check the exit code of iptables via $?
+ #
+ # 0 = rule exists and don't has to be stored again
+ # 1 = rule does not exist and has to be stored
+
+ if [ $? -eq 1 ]
+ then
+
+ # Append the IP
+ iptables -A $CHAINNAME -s $currentIP -j $ACTION >/dev/null 2>&1
+
+ # Increment the counter
+ amountInserted=$((amountInserted + 1))
+
+ fi
+
+done < $fileFiltered
+
+## Now we delete the IPs which are stored in iptables but not anymore in the list
+while read currentIP
+do
+ # Check if the ip is in the downloaded list
+ if [ `cat $fileFiltered | grep $currentIP | wc -l` -eq 0 ]
+ then
+ # Delete the rule by its rulenumber
+ # Because changing the action would result in errors
+ iptables -D $CHAINNAME -s $currentIP -j $ACTION >/dev/null 2>&1
+
+ # Increment the counter
+ amountDeleted=$((amountDeleted + 1))
+
+fi
+
+done <<< "`iptables -n -L blocklist-de | awk '{print $4}'`"
+
+## Print report
+if [ $PRINT_REPORT -eq 1 ]
+then
+ echo "--- Blockliste.de :: Update-Report"
+ echo ""
+ echo "Script Version: $version"
+ echo "Started: $started"
+ echo "Finished: `date`"
+ echo ""
+ echo "--> Downloaded IPs: $amountDownloaded"
+ echo "--> Unique IPs: $amountAfterSortAndUnique"
+ echo "--> Inserted: $amountInserted"
+ echo "--> Deleted: $amountDeleted"
+fi
+
+#
+## Cleanup
+#
+rm -f /tmp/blocklist-ips-unfiltered.txt
+rm -f /tmp/blocklist-ips-filtered.txt
\ No newline at end of file
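Review bot: Every line fetched over plain http is handed straight to `iptables -C`/`-A` as the unquoted `-s $currentIP` without any check that it is an address, so an empty, malformed or multi-word line becomes one or more iptables arguments and the resulting failure is hidden by `>/dev/null 2>&1`. Assuming the lists carry bare IPv4 addresses, a guard right after `while read currentIP`, `[[ "$currentIP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue`, keeps non-address lines out of the ruleset and belongs in the second loop as well, where `awk '{print $4}'` over `iptables -n -L` also yields the header words of the chain listing. The membership test in that second loop, `grep $currentIP | wc -l`, is unanchored and treats dots as regex wildcards, so `10.0.0.1` counts as present when only `110.0.0.12` is listed and its rule is never deleted; `grep -Fxq -- "$currentIP" "$fileFiltered"` is the exact test. That loop also hard-codes `blocklist-de` instead of `$CHAINNAME`, and both temp files are predictable paths under /tmp that are appended to with `>>` rather than created fresh, so stale data from an aborted earlier run is inherited; `mktemp` plus a `trap` cleanup on EXIT addresses both.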