Download a public blocklist of SSH brute scanning hosts and drop their connection attempts via firewalld

ssh-blocks-firewalld.sh

#!/bin/sh

curl -s http://lists.blocklist.de/lists/ssh.txt > /tmp/ssh-ips.txt

if [ "$1" == "--force" ]; then
	firewall-cmd --direct --remove-chain ipv4 filter AUTO_BLACKLIST
	firewall-cmd --direct --add-chain ipv4 filter AUTO_BLACKLIST
fi

# Create Chains if not available already
(firewall-cmd --direct --query-chain ipv4 filter AUTO_BLACKLIST || \
	firewall-cmd --direct --add-chain ipv4 filter AUTO_BLACKLIST
firewall-cmd --direct --query-rule ipv4 filter INPUT_direct 0 -m tcp -p tcp --dport 22 -j AUTO_BLACKLIST || \
	firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m tcp -p tcp --dport 22 -j AUTO_BLACKLIST
) > /dev/null

/usr/sbin/iptables -L AUTO_BLACKLIST -n | awk '/^DROP / { print $4 }' > /tmp/ip_ssh_blocked

i=0
for src in $(cat /tmp/ssh-ips.txt); do
# Deactivated for now, as it doubles execution time. Just grep the iptables dump from earlier.
#	firewall-cmd --direct --query-rule ipv4 filter AUTO_BLACKLIST 10 -s $src -j DROP
	grep -q "^$src\$" /tmp/ip_ssh_blocked
	if [ $? -ne 0 ]; then
		firewall-cmd --direct --add-rule ipv4 filter AUTO_BLACKLIST 10 -s $src -j DROP > /dev/null
		i=$(($i + 1))
	fi
done
echo $i hosts added