Last active
June 11, 2025 17:44
-
-
Save klepsydra/ecf975984b32b1c8291a to your computer and use it in GitHub Desktop.
Block globally reported hack attempts using your local iptables firewall rules
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
## Update fail2ban iptables with globally known attackers. | |
## Actually, runs 100% independently now, without needing fail2ban installed. | |
## | |
## /etc/cron.daily/sync-fail2ban | |
## | |
## Author: Marcos Kobylecki <[email protected]> | |
## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/ | |
## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES. | |
#PROGRAM=/etc/init.d/fail2ban | |
#[ -x $PROGRAM ] || exit 0 | |
datadir=/etc/fail2ban | |
[[ -d "$datadir" ]] || datadir=/tmp | |
## Get default settings of fail2ban (optional?) | |
[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban | |
umask 000 | |
blacklistf=$datadir/blacklist.blocklist.de.txt | |
mv -vf $blacklistf $blacklistf.last | |
badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt" | |
iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does. | |
# Grab list(s) at https://www.blocklist.de/en/export.html . Block. | |
echo "Adding new blocks:" | |
time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \ | |
|sort -u \ | |
|tee $blacklistf \ | |
|grep -v '^#\|:' \ | |
|while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done | |
# Which listings had been removed since last time? Unblock. | |
echo "Removing old blocks:" | |
if [[ -r $blacklistf.diff ]]; then | |
# comm is brittle, cannot use sort -rn | |
time comm -23 $blacklistf.last $blacklistf \ | |
|tee $blacklistf.delisted \ | |
|grep -v '^#\|:' \ | |
|while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done | |
fi | |
# prepare for next time. | |
diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff | |
# Saves a copy of current iptables rules, should you like to check them later. | |
(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log & | |
exit | |
# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found | |
# So weed out IPv6, try |grep -v ':' | |
## http://ix.io/fpC | |
# Option: actionban | |
# Notes.: command executed when banning an IP. Take care that the | |
# command is executed with Fail2Ban user rights. | |
# Tags: See jail.conf(5) man page | |
# Values: CMD | |
# | |
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype># Option: actionunban | |
# Notes.: command executed when unbanning an IP. Take care that the | |
# command is executed with Fail2Ban user rights. | |
# Tags: See jail.conf(5) man page | |
# Values: CMD | |
# | |
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@klepsydra, check out this LLM-assisted revision, works on Ubuntu and adds logging and handles duplicates within the same set, not duplicate lines in general. The script now handles the first run gracefully by: