AbuseIPDB on Turris Omnia and OpenWrt
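#!/usr/bin/env ash
# shellcheck shell=dash
# ---------------------------------------------------------------------------
#
# Download and update an IP blacklist
# for Turris Omnia 7.x or earlier or OpenWrt before 22.03 (fw3/iptables)
# See
# - https://www.abuseipdb.com/
# - https://github.com/borestad/blocklist-abuseipdb
#
# This script is intended to be run periodically (no less than every 5 hours)
#
# How to use:
# In /etc/config/firewall add a new ipset with the following configuration:
# config ipset
# option name 'AbuseIPDBv4'
# option storage 'hash'
# option family 'ipv4'
# option match 'src_ip'
# option loadfile '/tmp/lib/ip_blacklists/abuseipdb-s100-14d.ipv4'
# option enabled '1'
#
# config rule
# option name "Block AbuseIPDB"
# option src 'wan'
# option dest 'lan'
# option family 'ipv4'
# option proto 'tcp udp'
# option ipset 'AbuseIPDBv4'
# option target 'DROP'
#
# Exit status: 0 when the list was updated or is already current,
# 1 when the download fails, the firewall ipset is missing or the
# downloaded list contains no usable addresses.
# ---------------------------------------------------------------------------
# ---------------------------------------------
# Configuration Settings
# ---------------------------------------------
# Name of the ipset - must match the name in the firewall rules
IPSET_NAME="AbuseIPDBv4"
# The Blacklist Download URL
BLACKLIST_URL="https://raw.githubusercontent.com/borestad/blocklist-abuseipdb/main/abuseipdb-s100-14d.ipv4"
# Where blacklists are stored - make sure it's a tmpfs or similar - not on disk
LOCAL_DIR="/tmp/lib/ip_blacklists"
LOCAL_FILE="$LOCAL_DIR/abuseipdb-s100-14d.ipv4"
# How long to keep addresses in the blacklist
EXPIRE_DAYS=14
# ---------------------------------------------
# Uncomment to debug
# set -x
# Exit on error, on unset variables and on any failing pipeline stage
set -e -u -o pipefail

# Calculate the expiration time in seconds (used as the ipset default timeout)
EXPIRE_SECONDS=$((EXPIRE_DAYS * 24 * 60 * 60))
# Name of the staging ipset that is filled and then swapped into place
TEMP_IPSET_NAME="${IPSET_NAME}_temp"
# Temporary files; pre-set so the cleanup trap is safe under 'set -u'
TEMP_FILE=""
IPSET_TEMP_FILE=""

# Print a message to stderr and exit with a failure status (visible to cron)
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Remove temporary files and a leftover staging ipset on every exit path,
# including failures halfway through (the original left the download behind
# and a stale staging set would make the next 'ipset create' fail).
cleanup() {
    if [ -n "$TEMP_FILE" ]; then
        rm -f -- "$TEMP_FILE"
    fi
    if [ -n "$IPSET_TEMP_FILE" ]; then
        rm -f -- "$IPSET_TEMP_FILE"
    fi
    ipset destroy "$TEMP_IPSET_NAME" 2>/dev/null || true
}
trap cleanup EXIT

# Create the directory if it doesn't exist
mkdir -p "$LOCAL_DIR"

# The live ipset must already exist (fw3 creates it from /etc/config/firewall),
# otherwise the swap at the end has nothing to swap with - fail early instead.
ipset list -t "$IPSET_NAME" >/dev/null 2>&1 \
    || die "ipset '$IPSET_NAME' does not exist - check /etc/config/firewall"

# Temporary file for the download. --remote-time gives it the upstream
# modification time, which is what the "fresh blacklist from" message shows.
TEMP_FILE=$(mktemp "/tmp/$(basename "$LOCAL_FILE").XXXXXX")

# Only download if the remote file is newer than the local copy. On the very
# first run there is no local copy, so the time condition is omitted.
# The positional parameters are reused as the curl argument list (no arrays
# in ash/dash).
set -- --fail --silent --show-error --location --remote-time --output "$TEMP_FILE"
if [ -f "$LOCAL_FILE" ]; then
    printf 'Checking for blacklist updates since %s ... ' "$(date -r "$LOCAL_FILE")"
    set -- "$@" --time-cond "$LOCAL_FILE"
else
    printf 'No local blacklist yet, downloading ... '
fi
curl "$@" "$BLACKLIST_URL" || {
    echo "Failed."
    die "Could not download $BLACKLIST_URL"
}
echo "Done."

# A zero-length download means the server answered "not modified"
if [ ! -s "$TEMP_FILE" ]; then
    echo "No new updates."
    exit 0
fi

echo "Downloaded fresh blacklist from $(date -r "$TEMP_FILE")."
printf 'Installing blacklist file ... '
cp -p -f "$TEMP_FILE" "$LOCAL_FILE"
# mktemp creates the file with mode 600 and cp -p keeps that
chmod 644 "$LOCAL_FILE"
echo "Done."

# Build the 'ipset restore' input in a single pass over the list. Only the
# first field of non-comment lines is used and it must be a dotted-quad IPv4
# address: the list comes from a third party and every line ends up as an
# ipset command argument, so anything else is dropped instead of passed on.
printf 'Preparing ipset entries ... '
IPSET_TEMP_FILE=$(mktemp "/tmp/ipset-restore.XXXXXX")
awk -v set="$TEMP_IPSET_NAME" '
    /^[[:space:]]*#/ { next }
    $1 ~ /^[0-9]{1,3}(\.[0-9]{1,3}){3}$/ { print "add", set, $1 }
' "$LOCAL_FILE" >"$IPSET_TEMP_FILE"
# Arithmetic expansion strips any padding 'wc' may print around the number
ENTRY_COUNT=$(( $(wc -l <"$IPSET_TEMP_FILE") ))
printf '%s records found\n' "$ENTRY_COUNT"
# An empty result would replace the live set with nothing - keep the old one
if [ "$ENTRY_COUNT" -le 0 ]; then
    die "No usable IPv4 addresses in $LOCAL_FILE - keeping the current ipset"
fi

# Size the hash for the number of entries, with a floor of 1024 buckets
HASH_SIZE=$((ENTRY_COUNT / 64))
if [ "$HASH_SIZE" -lt 1024 ]; then
    HASH_SIZE=1024
fi
MAX_ELEM=$((ENTRY_COUNT + 1000))
printf 'Using a hash size of %s and a maximum of %s elements.\n' "$HASH_SIZE" "$MAX_ELEM"

# Fill a set under a temporary name so the live set is replaced in one
# 'ipset swap' and never observed half-populated by the firewall. A staging
# set left behind by an interrupted run would make 'create' fail, so drop it.
printf 'Creating a temporary ipset ... '
ipset destroy "$TEMP_IPSET_NAME" 2>/dev/null || true
ipset create "$TEMP_IPSET_NAME" hash:ip family inet \
    hashsize "$HASH_SIZE" maxelem "$MAX_ELEM" timeout "$EXPIRE_SECONDS"
ipset restore <"$IPSET_TEMP_FILE"
echo "Done."

# Swap the temporary ipset with the original ipset
printf 'Swapping new temporary ipset with old one ... '
ipset swap "$TEMP_IPSET_NAME" "$IPSET_NAME"
echo "ipsets swapped."

# Clean-up: the staging set now holds the old entries; temporary files are
# removed by the EXIT trap as well
ipset destroy "$TEMP_IPSET_NAME"
# -*- mode: sh; indent-tabs-mode: nil; tab-width: 4; -*-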