Nill-R · May 1, 2019 02:46
diff --git a/badips-ipset.sh b/badips-ipset.sh
 #!/bin/bash
 # Script for blocking IPs which have been reported to www.badips.com
 #   via ipsets.
 #
 # - THIS SCRIPT DOES NOT BLOCK ANYTHING -
 # This script only updates ipsets with applicable data from
 # badips.com. Actually blocking the ips in that ipset is left
 # up to the user (so that you may do so however you prefer).
 #
 # Additionally, this script does not persist the ipsets through
 # a restart. This is because most distros now provide a method of
 # doing so and any attempt to do so in this script would create
 # redundant/conflicting functionality.
 #
 # Exit Codes:
 #   0 - success
 #   1 - failure - no changes made
 #   2 - failure - possible changes made, inconsistent state
 #
 #===============================================================================
 # MIT License
 # 
 # Copyright (c) 2018 Jeremy Cliff Armstrong
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 # copies of the Software, and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 #
 # The above copyright notice and this permission notice shall be included in
 # all copies or substantial portions of the Software.
 #
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 #===============================================================================
 
 # Location of ipset binary
 bin=/sbin/ipset     # REQUIRED!

 # This is how long ago at most an ip must have last been reported to
 #   badips.com. Values follow the format ##a where '##' is some non-
 #   zero positive number and 'a' is either h, d, w, m, or y for hours,
 #   days, weeks, months, or years.
 #
 # NOTE: comment out for all results - not recommended
 # NOTE2: this script should be executed more often than this value.
 age=2w

 # Block level (1-5):
 #   0 - not so bad/false report
 #   3 - confirmed bad
 #   5 - quite aggressively bad
 # (see www.badips.com)
 level=3     # REQUIRED!

 # Logged service or "any"
 # (see www.badips.com/get/categories {JSON})
 service=ssh     # REQUIRED!

 # This is how long (in seconds) an ip will remain in the ipset after it
 #   stops showing up in the configured badips query result. It should be
 #   longer than the time between executions of this script (double, at
 #   least) and long enough when combined with age above that occasional
 #   offenders don't get removed from the ipset prematurely.
 #
 # IMPORTANT: this script should be executed more often than this setting.
 # NOTE: IPs returned by badips.com which are already in the ipset will
 #   have their timeouts reset to this value (if it is greater than the
 #   existing timeout)
 timeout=604800      # REQUIRED! - default is 7 days

 # Name of ipset to use
 ipset=badips    # REQUIRED!


 ##################
 ## BEGIN SCRIPT ##
 ##################

 # required parameters
 if [[ ! ${ipset} || ! ${timeout} || ! ${bin} || ! ${level} || ! ${service} ]]
 then
    echo "$0: Required parameter is missing! Edit this file for further info." >&2
    exit 1
 fi

 ### Test an IP address for validity:
 # Usage:
 #      valid_ip IP_ADDRESS
 function valid_ip()
 {
    local _tip=$1
    local _stat=1

    if [[ ${_tip} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        local _oifs=$IFS
        IFS='.'
        local _ipa=(${_tip})
        IFS=${_oifs}

        if [[
            (
                # Check that all sections are between (but not including) 0 and
                # 256.
                ${_ipa[0]} -lt 256 &&
                ${_ipa[1]} -lt 256 &&
                ${_ipa[2]} -lt 256 &&
                ${_ipa[3]} -lt 256 &&
                ${_ipa[0]} -gt 0
            ) && (
                # Check that ip address is not 10.x.x.x
                ${_ipa[0]} -ne 10
            ) && (
                # Check that ip address is not 192.168.x.x
                ${_ipa[0]} -ne 192 || ${_ipa[1]} -ne 168
            ) && (
                # Check that ip address is not 172.16.x.x - 172.31.x.x
                ${_ipa[0]} -ne 172 || (
                    ${_ipa[1]} -lt 16 || ${_ipa[1]} -gt 31
                )
            )
        ]]; then
            _stat=0
        fi
    fi

    return $_stat
 }

 ### Query badips.com
 # compile url
 _url="https://www.badips.com/get/list/${service}/${level}"
 if [ $age ]; then _url+="?age=${age}"; fi

 # Get the bad IPs and store in an array
 _badips=( $( wget -qO- ${_url} ) ) || { echo "$0: Unable to download ip list from \'${_url}\'." >&2; exit 1; }

 ### Setup our black list ###
 # Create ipset if it does not exist
 if ! ${bin} list ${ipset} -name 2>&1 >/dev/null
 then
    ${bin} create ${ipset} hash:ip timeout ${timeout} -exist || { echo "$0: Unable to create ipset: ${ipset}" >&2; exit 2; }
 fi

 # Add all retrieved ips to $_ipset, updating the timeout on duplicates
 for _ip in ${_badips[@]}
 do
    # validate first
    if ! valid_ip ${_ip}
    then
        echo "Invalid IP Address (${_ip}) from BadIPs query. Report this to https://badips.com . Continuing..." >&2
        continue
    fi

    # add/update ipset
    $bin add ${ipset} ${_ip} timeout ${timeout} -exist || { echo "$0: Unable to add ${_ip} to ${ipset}, exiting early." >&2; exit 2; }
 done

 exit 0
	#!/bin/bash
	# Script for blocking IPs which have been reported to www.badips.com
	# via ipsets.
	#
	# - THIS SCRIPT DOES NOT BLOCK ANYTHING -
	# This script only updates ipsets with applicable data from
	# badips.com. Actually blocking the ips in that ipset is left
	# up to the user (so that you may do so however you prefer).
	#
	# Additionally, this script does not persist the ipsets through
	# a restart. This is because most distros now provide a method of
	# doing so and any attempt to do so in this script would create
	# redundant/conflicting functionality.
	#
	# Exit Codes:
	# 0 - success
	# 1 - failure - no changes made
	# 2 - failure - possible changes made, inconsistent state
	#
	#===============================================================================
	# MIT License
	#
	# Copyright (c) 2018 Jeremy Cliff Armstrong
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in
	# all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	# SOFTWARE.
	#===============================================================================

	# Location of ipset binary
	bin=/sbin/ipset # REQUIRED!

	# This is how long ago at most an ip must have last been reported to
	# badips.com. Values follow the format ##a where '##' is some non-
	# zero positive number and 'a' is either h, d, w, m, or y for hours,
	# days, weeks, months, or years.
	#
	# NOTE: comment out for all results - not recommended
	# NOTE2: this script should be executed more often than this value.
	age=2w

	# Block level (1-5):
	# 0 - not so bad/false report
	# 3 - confirmed bad
	# 5 - quite aggressively bad
	# (see www.badips.com)
	level=3 # REQUIRED!

	# Logged service or "any"
	# (see www.badips.com/get/categories {JSON})
	service=ssh # REQUIRED!

	# This is how long (in seconds) an ip will remain in the ipset after it
	# stops showing up in the configured badips query result. It should be
	# longer than the time between executions of this script (double, at
	# least) and long enough when combined with age above that occasional
	# offenders don't get removed from the ipset prematurely.
	#
	# IMPORTANT: this script should be executed more often than this setting.
	# NOTE: IPs returned by badips.com which are already in the ipset will
	# have their timeouts reset to this value (if it is greater than the
	# existing timeout)
	timeout=604800 # REQUIRED! - default is 7 days

	# Name of ipset to use
	ipset=badips # REQUIRED!


	##################
	## BEGIN SCRIPT ##
	##################

	# required parameters
	if [[ ! ${ipset} \|\| ! ${timeout} \|\| ! ${bin} \|\| ! ${level} \|\| ! ${service} ]]
	then
	echo "$0: Required parameter is missing! Edit this file for further info." >&2
	exit 1
	fi

	### Test an IP address for validity:
	# Usage:
	# valid_ip IP_ADDRESS
	function valid_ip()
	{
	local _tip=$1
	local _stat=1

	if [[ ${_tip} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
	local _oifs=$IFS
	IFS='.'
	local _ipa=(${_tip})
	IFS=${_oifs}

	if [[
	(
	# Check that all sections are between (but not including) 0 and
	# 256.
	${_ipa[0]} -lt 256 &&
	${_ipa[1]} -lt 256 &&
	${_ipa[2]} -lt 256 &&
	${_ipa[3]} -lt 256 &&
	${_ipa[0]} -gt 0
	) && (
	# Check that ip address is not 10.x.x.x
	${_ipa[0]} -ne 10
	) && (
	# Check that ip address is not 192.168.x.x
	${_ipa[0]} -ne 192 \|\| ${_ipa[1]} -ne 168
	) && (
	# Check that ip address is not 172.16.x.x - 172.31.x.x
	${_ipa[0]} -ne 172 \|\| (
	${_ipa[1]} -lt 16 \|\| ${_ipa[1]} -gt 31
	)
	)
	]]; then
	_stat=0
	fi
	fi

	return $_stat
	}

	### Query badips.com
	# compile url
	_url="https://www.badips.com/get/list/${service}/${level}"
	if [ $age ]; then _url+="?age=${age}"; fi

	# Get the bad IPs and store in an array
	_badips=( $( wget -qO- ${_url} ) ) \|\| { echo "$0: Unable to download ip list from \'${_url}\'." >&2; exit 1; }

	### Setup our black list ###
	# Create ipset if it does not exist
	if ! ${bin} list ${ipset} -name 2>&1 >/dev/null
	then
	${bin} create ${ipset} hash:ip timeout ${timeout} -exist \|\| { echo "$0: Unable to create ipset: ${ipset}" >&2; exit 2; }
	fi

	# Add all retrieved ips to $_ipset, updating the timeout on duplicates
	for _ip in ${_badips[@]}
	do
	# validate first
	if ! valid_ip ${_ip}
	then
	echo "Invalid IP Address (${_ip}) from BadIPs query. Report this to https://badips.com . Continuing..." >&2
	continue
	fi

	# add/update ipset
	$bin add ${ipset} ${_ip} timeout ${timeout} -exist \|\| { echo "$0: Unable to add ${_ip} to ${ipset}, exiting early." >&2; exit 2; }
	done

	exit 0