This is a simple firewall shield that blocks traffic from known bad IPs using ipset and iptables.
On Debian/Ubuntu (apt-get based) the script will execute the following to get the necessary packages installed:
apt-get -y update
apt-get install -y ipset iptables curl git wget
On RHEL/CentOS (yum based) the script will execute the following instead:
yum -y update
yum -y install ipset iptables curl git wget
git clone https://github.com/op7ic/Bad-Firewall.git
cd Bad-Firewall/ && chmod +x shieldme.sh
./shieldme.sh
shieldme.sh filter rules
The following known IP ranges are currently blocked:
- Alienvault IP Reputation
- BBcan177 DNSBL
- Blocklist.de Blocklist
- Blocklist.de export-all
- CI Bad Guys
- Emerging Threats
- Darklist
- Dictionary SSH Attacks
- TOR IPs - dan.me.uk
- TOR IPs - torproject.org
- Feodo Tracker
- GreenSnow Blacklist
- Talos IP Blacklist
- VoipBL
- Dshield
- Threatview.IO Twitter Feed
- Threatview.IO C2 List
- Bruteforce IPs
- URL abuse.ch IPs
- Cybercrime tracker
- SANS attacks
- Honeypot
In order to auto-update the blocks, copy the following line into /etc/cron.d/update-badfirewall or add a cron entry for a specific user to run the script (adjust the path to wherever you cloned the repository; note that entries in /etc/cron.d also require a user field between the schedule and the command):
0 0 * * 0 /home/user/BadFirewall/shieldme.sh
Using iptables, you can check how many packets the filters have dropped:
iptables -L INPUT -v --line-numbers # for IPv4
ip6tables -L INPUT -v --line-numbers # for IPv6
The table should look similar to this:
Chain INPUT (policy ACCEPT 2111 packets, 126K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- any any anywhere anywhere match-set feodo src
2 0 0 DROP all -- any any anywhere anywhere match-set DNSBL src
3 12 668 DROP all -- any any anywhere anywhere match-set GreenSnow src
4 20 1200 DROP all -- any any anywhere anywhere match-set compromised_ips src
5 1 40 DROP all -- any any anywhere anywhere match-set darklist src
6 38 1631 DROP all -- any any anywhere anywhere match-set CI_BAD_GUYS src
7 0 0 DROP all -- any any anywhere anywhere match-set blocklist3 src
8 0 0 DROP all -- any any anywhere anywhere match-set blocklist2 src
9 4 240 DROP all -- any any anywhere anywhere match-set blocklist1 src
10 0 0 DROP all -- any any anywhere anywhere match-set emergingthreats_compromised src
11 0 0 DROP all -- any any anywhere anywhere match-set threatview_high_confidence_list src
12 1 40 DROP all -- any any anywhere anywhere match-set firehol src
13 2 88 DROP all -- any any anywhere anywhere match-set VoipBL src
14 0 0 DROP all -- any any anywhere anywhere match-set Talos src
15 0 0 DROP all -- any any anywhere anywhere match-set dshield src
16 1 40 DROP all -- any any anywhere anywhere match-set bruteforce-ips src
17 0 0 DROP all -- any any anywhere anywhere match-set ssh src
18 0 0 DROP all -- any any anywhere anywhere match-set alienvault src
19 0 0 DROP all -- any any anywhere anywhere match-set tor-individual-ip2 src
20 0 0 DROP all -- any any anywhere anywhere match-set tor-individual-ip1 src
21 0 0 DROP all -- any any anywhere anywhere match-set abusechtracker2 src
22 0 0 DROP all -- any any anywhere anywhere match-set abusechtracker1 src
23 0 0 DROP all -- any any anywhere anywhere match-set threatview_twitterfeed src
24 0 0 DROP all -- any any anywhere anywhere match-set threatview_c2feed src
If you would like to destroy the sets and all the associated rules, iptables needs to be cleared first, followed by deletion of the ipset sets (ipset refuses to destroy a set that is still referenced by an iptables rule).
# Clean the iptables INPUT chain for IPv4, or delete individual rules with the -D option for a specific set (i.e. ssh)
iptables --flush
# Clean the iptables INPUT chain for IPv6, or delete individual rules with the -D option for a specific set (i.e. ssh)
ip6tables --flush
# Remove all sets from ipset (xargs -I is the portable spelling of the deprecated -i)
ipset list | grep Name | awk -F ": " '{print $2}' | xargs -I {} ipset destroy {}
Edit shieldme.sh to add or remove specific lists. The URLs this script feeds from are listed there; simply modify them or comment them out. If you for some reason want to ban all IP addresses from a certain country, have a look at IPverse.net's aggregated IP lists, which you can simply add to the lists already implemented.
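To show how a feed line like the ones above ends up in a set, here is an added example (not code from the Bad-Firewall repository): it sanitises a raw blocklist into an `ipset restore` batch, then refreshes the live set with `ipset swap` so it is never empty mid-update. The set name `badfw`, the `refresh_set` helper and the feed contents are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of shieldme.sh. Turns a downloaded blocklist into
# "add <set> <entry>" lines for `ipset restore`, dropping comments, blanks,
# non-IPv4 lines, out-of-range octets/masks and duplicates.
list_to_restore() {
    awk -v s="$1" '
        { sub(/[#;].*/, ""); gsub(/[[:space:]]/, "") }   # strip comments/whitespace
        $0 == "" { next }
        {
            np = split($0, p, "/")
            if (np > 2 || (np == 2 && p[2] == "")) next      # malformed CIDR
            if (split(p[1], o, ".") != 4) next               # not dotted-quad IPv4
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (np == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) ok = 0
            if (!ok || seen[$0]++) next                      # invalid or duplicate
            print "add " s " " $0
        }'
}

# Atomic refresh (run as root): fill a temporary set, swap it with the live
# set, then destroy the old contents. The DROP rule is inserted only once,
# using `iptables -C` to check whether it already exists.
refresh_set() {
    set_name="$1"; src="$2"
    ipset -exist create "$set_name" hash:net
    ipset -exist create "${set_name}_tmp" hash:net
    list_to_restore "${set_name}_tmp" < "$src" | ipset -exist restore
    ipset swap "${set_name}_tmp" "$set_name"
    ipset destroy "${set_name}_tmp"
    iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$set_name" src -j DROP
}

# Constructed sample feed using documentation (TEST-NET) ranges, not real indicators.
SAMPLE_FEED='# constructed sample feed
203.0.113.7
198.51.100.0/24   ; trailing comment
203.0.113.7
999.1.1.1
203.0.113.0/33
not-an-ip
2001:db8::1'

# Stand-alone demo: print the restore batch (no root needed).
printf '%s\n' "$SAMPLE_FEED" | list_to_restore badfw
```

Feed a real download with `refresh_set badfw /path/to/list.txt` as root; the `swap` keeps the previous entries active until the new ones are fully loaded.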