@adriaaah
Last active August 8, 2019 07:17
Recently I found lots of attacks logged by Fail2ban on my private servers. Basically they are made mostly by script kiddies. This script fetches all the IPs found in the Logwatch daily report (or any source file of your choice), looks up their ranges and generates chains you can add to your iptables. Please be careful using it because you might blo…
#!/bin/bash
### Variables
# Binaries
GREP=`which grep`
SORT=`which sort`
MKDIR=`which mkdir`
WHOIS=`which whois`
AWK=`which awk`
SED=`which sed`
CAT=`which cat`
TAIL=`which tail`
CURL=`which curl`
declare -a REQUISITES=("whois" "ipcalc") # package names, no trailing spaces
TMP='tmp'                      # TMP directory
RAW='raw.txt'                  # Source file
ASSHOLES="$TMP/imbecils.txt"   # List of lamers
CIDR="$TMP/cidr"               # List of ranges in CIDR format
NONCIDR="$TMP/noncidr"         # List of ranges in a non-CIDR format
WHITELIST='whitelist.txt'
MY_IP=''
MY_RANGE=''
declare -a PRIVATE_RANGES=("10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16")

### Functions
# Detect the distribution family and pick the matching package query tool.
# ID in /etc/os-release may be quoted (ID="centos"), so quotes are stripped
# before comparing.
function checkOsFamily {
    OSFAMILY=`$GREP "^ID=" /etc/os-release | $AWK -F= '{print $2}' | $SED 's/"//g'`
    if [[ "$OSFAMILY" = "centos" ]]
    then PACKAGE_MANAGER="yum"
    elif [[ "$OSFAMILY" = "debian" ]] || [[ "$OSFAMILY" = "raspbian" ]] || [[ "$OSFAMILY" = "ubuntu" ]]
    then PACKAGE_MANAGER="dpkg"
    else
        echo "Unsupported distribution '$OSFAMILY'. Aborting."
        exit 1
    fi
}
# Make sure every required package is installed and the source file exists
function checkRequisites {
    checkOsFamily
    for i in "${REQUISITES[@]}"
    do
        if [[ $PACKAGE_MANAGER == "dpkg" ]]
        then
            $PACKAGE_MANAGER -s "$i" > /dev/null 2>&1
            RESULT=$?
        elif [[ $PACKAGE_MANAGER == "yum" ]]
        then
            $PACKAGE_MANAGER list installed "$i" > /dev/null 2>&1
            RESULT=$?
        fi
        if [ $RESULT -ne 0 ]
        then
            echo "$i is not installed. Aborting."
            exit 1
        fi
    done
    if [ ! -f "$RAW" ]
    then
        echo "$RAW file not found"
        exit 1
    fi
}
# Discard other text than IP addresses from a given file ($1) and
# save them into $2
function getIp {
    $GREP -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" "$1" > "$2"
}
function printDone {
    echo "done"
}

### Main
$MKDIR -p "$TMP"
checkRequisites
echo -n "Looking for IP's… "
getIp "$RAW" "$ASSHOLES"
$SORT -u "$ASSHOLES" -o "$ASSHOLES"
printDone
# Do a whois query for each one
echo -n "Doing a whois (it might take a while)… "
while IFS='' read -r IP || [[ -n "$IP" ]]; do
    $WHOIS -H "$IP" > "$TMP/ip-$IP"
done < "$ASSHOLES"
printDone
# Some IP maintainers publish their ranges using both CIDR and
# non-CIDR formats, so we have to fetch ranges twice.
# Only "route:" lines are taken (anchored), so IPv6 "route6:" objects do not
# slip into the IPv4 rule set.
echo -n "Parsing IP's… "
$AWK '/^route:/ && /\// {print $NF}' "$TMP"/ip-* > "$CIDR"
$AWK '/-/ && /^NetRange:/ {print $2" "$3" "$4}' "$TMP"/ip-* > "$NONCIDR"
# Convert ranges into CIDR format. This is the deaggregate mode of the Debian
# ipcalc package ("ipcalc FIRST - LAST", first output line is a header); the
# ipcalc shipped with CentOS is a different tool without that mode.
while IFS='' read -r RANGE || [[ -n "$RANGE" ]]; do
    ipcalc $RANGE | $TAIL -n +2 >> "$CIDR"   # $RANGE unquoted on purpose: "FIRST - LAST" are separate arguments
done < "$NONCIDR"
$SORT "$CIDR" -o "$CIDR"
printDone
# Exclude non-routable IPs (fixed-string match; only a line containing the
# exact range text is dropped)
for i in "${PRIVATE_RANGES[@]}"
do
    $GREP -v -F -- "$i" "$CIDR" > "$CIDR-tmp"
    mv "$CIDR-tmp" "$CIDR"
done
# Exclude white-listed IPs. Blank lines are skipped: "grep -v ''" matches
# every line and would empty the list.
if [ -f "$WHITELIST" ]
then
    while IFS='' read -r WHITELISTED || [[ -n "$WHITELISTED" ]]; do
        [ -z "$WHITELISTED" ] && continue
        $GREP -v -F -- "$WHITELISTED" "$CIDR" > "$CIDR-tmp"
        mv "$CIDR-tmp" "$CIDR"
    done < "$WHITELIST"
fi
# Exclude my own range (one pass). If the lookup fails MY_RANGE is empty and
# the exclusion is skipped instead of emptying the list.
MY_IP=`$CURL --silent ipinfo.io/ip` # Get my IP
MY_RANGE=`$WHOIS -H "$MY_IP" | $AWK '/^route:/ && /\// {print $NF}'`
if [ -n "$MY_RANGE" ]
then
    $GREP -v -F -- "$MY_RANGE" "$CIDR" > "$CIDR-tmp"
    mv "$CIDR-tmp" "$CIDR"
fi
# Create iptables strings
echo -n "Creating Iptables chains… "
$SED -i -e 's/^/-A INPUT -s /' "$CIDR"
$SED -i -e 's/$/ -j DROP/' "$CIDR"
# Remove duplicates if any
$SORT -u "$CIDR" -o "$CIDR"
printDone
echo "Please append below chains to your Iptables:"
$CAT "$CIDR"
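The gist's pipeline is whois lookup, range extraction, conversion of "first - last" ranges to CIDR with ipcalc, text-based exclusion of private and whitelisted ranges, and DROP rules appended to INPUT. The following script is an added example, not part of the gist, that runs the same pipeline offline so each step can be checked: it extracts `route:` and `NetRange:` entries from a constructed whois sample, splits first/last ranges into CIDR blocks with pure shell arithmetic (no ipcalc), drops every network that overlaps a private range or a whitelist entry (an address-range overlap check rather than a substring match, and blank whitelist lines are ignored), and emits the rules into a dedicated chain. The whois text, the whitelist and the chain name `BLOCKLIST` are constructed assumptions; the addresses are documentation and private ranges, not real hosts.

```bash
#!/bin/bash
# Added example (not the gist's code): whois text -> iptables DROP rules for a
# dedicated chain, with the range math done in shell so nothing external is needed.

# Constructed whois output mixing RIPE-style "route:" CIDR lines with
# ARIN-style "NetRange:" first - last lines (assumed sample, not real data).
WHOIS_SAMPLE='% constructed sample, not real whois output
route:          198.51.100.0/24
origin:         AS64496
route6:         2001:db8::/32
NetRange:       203.0.113.0 - 203.0.113.127
CIDR:           203.0.113.0/25
NetRange:       10.0.0.0 - 10.0.0.255
route:          192.0.2.0/24'

# Constructed whitelist; the blank line is deliberate and must be ignored.
WHITELIST_SAMPLE='198.51.100.7

'

PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
CHAIN="BLOCKLIST"   # assumed chain name; create it first with: iptables -N BLOCKLIST

# Dotted quad <-> 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# Print "first last" (integers) for a CIDR block or a bare address (/32).
cidr_bounds() {
    local ip=${1%%/*} len=${1#*/}
    [ "$len" = "$1" ] && len=32
    local base=$(ip2int "$ip") size=$(( 1 << (32 - len) ))
    base=$(( base & ~(size - 1) & 0xFFFFFFFF ))   # align to the block start
    echo "$base $(( base + size - 1 ))"
}

# Split "FIRST LAST" into the minimal list of CIDR blocks, largest aligned
# block first (what the gist gets from the Debian ipcalc deaggregate mode).
range_to_cidr() {
    local start=$(ip2int "$1") end=$(ip2int "$2") bits mask
    while [ "$start" -le "$end" ]; do
        bits=32
        while [ "$bits" -gt 0 ]; do
            mask=$(( (1 << (33 - bits)) - 1 ))   # span of the next larger block
            if [ $(( start & mask )) -ne 0 ] || [ $(( start + mask )) -gt "$end" ]; then break; fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + (1 << (32 - bits)) ))
    done
}

# True when the two networks/addresses share at least one address.
overlaps() {
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Read whois text on stdin, print one IPv4 CIDR per line.
extract_networks() {
    awk '/^route:/ && /\// {print $NF}
         /^NetRange:/ {print $2, $4}' |
    while read -r a b; do
        if [ -n "$b" ]; then range_to_cidr "$a" "$b"; else echo "$a"; fi
    done
}

# $1 = whois text, $2 = whitelist text. Emits DROP rules for the chain, skipping
# any network overlapping a private range or whitelist entry. Unquoted $2 is
# word-split, so blank whitelist lines simply disappear.
build_rules() {
    local net excl skip
    printf '%s\n' "$1" | extract_networks | sort -u | while read -r net; do
        skip=0
        for excl in $PRIVATE_RANGES $2; do
            overlaps "$net" "$excl" && { skip=1; break; }
        done
        if [ "$skip" -eq 0 ]; then echo "-A $CHAIN -s $net -j DROP"; fi
    done
}

build_rules "$WHOIS_SAMPLE" "$WHITELIST_SAMPLE"
```

Keeping the rules in their own chain means the whole generated set can be flushed and reloaded as a unit (`iptables -F BLOCKLIST`) instead of editing INPUT line by line; one `-A INPUT -j BLOCKLIST` jump, created once, is enough to activate it. The overlap check also catches a case the gist's substring exclusion misses: a whois `route:` such as 10.1.0.0/16 is inside 10.0.0.0/8 but never contains that text.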
adriaaah commented Jan 1, 2017

Found some minor issues on CentOS (no time to look at yet). It runs smoothly on Debian-based boxes.