
@tuklusan
Last active March 1, 2020 09:04
Got Fail2Ban working? Have a Web Server running? Post a public blocklist for others to use! Complete guide: http://supratim-sanyal.blogspot.com/2016/09/got-fail2ban-working-have-web-server.html
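#!/bin/bash
#
# ------------
# /root/security/dump-fail2ban-blocklist.sh
# Dumps banned IPs into text file, for use by web-server for published blocklist
# Includes TOR exit nodes
# See http://supratim-sanyal.blogspot.com/2016/09/got-fail2ban-working-have-web-server.html
#
# License:
# "THE BEER-WARE LICENSE" (Revision 42):
# Supratim Sanyal <https://goo.gl/FqzyBW> wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return.
# ------------
#
# Collection is deliberately best effort: a jail that does not exist or a
# source that yields no matches must not abort the run, so `set -e` and
# `pipefail` are not enabled. Only failures that would publish a broken
# file are treated as fatal.
set -u

# Print a message on stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ++
# Full path to file to create the blocklist
# --
dumpfile=/var/www/lighttpd/blocklist.txt
export TMP=/tmp
export TMPDIR=/tmp

# Scratch files. This script is run as root (it lives under /root and calls
# chown), so fixed names in the world-writable /tmp would let any local user
# pre-create them or plant a symlink; mktemp creates each file fresh with an
# unpredictable name. They are removed again on every exit path.
tmpfile=''
torfile=''
newdump=''
cleanup() {
  local f
  for f in "$tmpfile" "$torfile" "$newdump"; do
    [[ -n "$f" ]] && rm -f -- "$f"
  done
}
trap cleanup EXIT

tmpfile=$(mktemp "${TMPDIR}/f2bd.XXXXXX") || die "cannot create scratch file in ${TMPDIR}"
torfile=$(mktemp "${TMPDIR}/torexit.XXXXXX") || die "cannot create scratch file in ${TMPDIR}"
# The new list is staged next to the published file and renamed over it at
# the end, so the web server never serves a half-written blocklist.
newdump=$(mktemp "${dumpfile}.XXXXXX") || die "cannot create staging file for ${dumpfile}"

{
  /bin/echo "###"
  /bin/echo "# http://$(hostname)/blocklist.txt"
  /bin/echo "# $(date)"
  /bin/echo "# FREE IP ADDRESS BLOCKLIST WITH CIDR RANGES FOR YOUR FIREWALL"
  /bin/echo "# Actual Brute force attacks to this server in last 48 hours"
  /bin/echo "# And also combined IP addresses from public blocklists from"
  /bin/echo "# other maintainers."
  /bin/echo "# License: GNU AGPLv3 http://tuklusan.decsystem.org/agpl-3.0.txt"
  /bin/echo "###"
} >"$newdump"

# ++
# One entry for every jail you have configured on fail2ban
# Use "fail2ban-client -q status" to see a list of configured jails
# --
jails=(
  dovecot
  pam-generic
  postfix
  postfix-rbl
  postfix-sasl
  sendmail-auth
  sendmail-reject
  sshd
  sshd-ddos
)
# For each jail: keep the status lines containing "Banned", drop their first
# 22 characters and put one space-separated token per line.
# NOTE(review): the fixed column offset presumably matches the layout of the
# installed fail2ban-client's status output -- confirm after upgrades.
# Every jail appends; the original truncated the scratch file at the sshd
# line, which discarded the results of all jails listed before it.
for jail in "${jails[@]}"; do
  /bin/fail2ban-client -q status "$jail" \
    | /bin/grep Banned \
    | /bin/cut -c 23- \
    | /bin/tr ' ' '\n' >>"$tmpfile"
done
# --
# ++
# Dump IP addresses blocked by pfSense at home
# --
#---- grep " filterlog: " /var/log/messages | grep "in,4" | grep "match,block" | cut -d "," -f 19 | sort | uniq | grep -v "^10.42." >>$tmpfile
# ++
# Dump whatever IPs are currently in IPSET lists
# --
ipset --list | grep -E "^[0-9]" >>"$tmpfile"
# ++
# Dump TOR Exit Nodes
# ++
# The download is parsed from the same file it was written to (the original
# fetched to torexit.tmp but read torexit.lis, so no exit nodes were ever
# added). -f makes an HTTP error count as a failure instead of saving the
# error page, and --max-time keeps a stalled transfer from hanging the run.
if curl -fsS --max-time 60 -o "$torfile" https://check.torproject.org/exit-addresses; then
  grep ExitAddress "$torfile" | cut -f 2 -d " " >>"$tmpfile"
else
  printf 'warning: could not fetch TOR exit list; continuing without it\n' >&2
fi
# ++
# These tried root login
# ++
# NOTE(review): the address is taken by field position, which depends on the
# syslog line format, and the only filter is "starts with a digit". These
# values originate from log content and are published for others to load
# into firewalls; consumers should validate each entry as an address or
# CIDR range before acting on it.
grep "Failed password for invalid user root from " /var/log/messages \
  | cut -d " " -f 13 \
  | grep -E "^[0-9]" >>"$tmpfile"

/bin/sort -V "$tmpfile" | /bin/uniq | /bin/grep -v '^$' >>"$newdump"
numips=$(/bin/grep -vc '^#' "$newdump")
{
  /bin/echo "###"
  /bin/echo "# $numips list entries"
  /bin/echo "###"
} >>"$newdump"
# ++
# For security, change ownership of blocklist to userid that your web servers runs under
# --
# NOTE(review): ownership gives the web server account write access to the
# published list; the chmod below already makes it world-readable, so a
# root-owned file would be served just as well. Kept as the author had it.
/bin/chown lighttpd:lighttpd "$newdump"
# --
/bin/chmod a+r "$newdump"
# Publish: a rename within one directory replaces the old list in one step.
/bin/mv -f -- "$newdump" "$dumpfile" || die "cannot publish ${dumpfile}"
/bin/ls -l "$dumpfile"
/bin/cat "$dumpfile"
exit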