/ipsum

Daily feed of bad IPs (with blacklist hit scores). Firewall-cmd script

Primary LanguageShellThe UnlicenseUnlicense

License

Intro

Original repository is here.

I added a script for firewall-cmd

About

IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Greater the number, lesser the chance of false positive detection and/or dropping in (inbound) monitored traffic. Also, list is sorted from most (problematic) to least occurent IP addresses.

As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:

curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1

IPTables

If you want to try it with ipset, you can do the following:

sudo su
apt-get -qq install iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:net
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
iptables -D INPUT -m set --match-set ipsum src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set ipsum src -j DROP

Firewall-cmd

If you want to try it with firewall-cmd ipset, you can create ipsum.sh script:

#!/bin/bash

firewall-cmd --permanent --delete-ipset=ipsum-blacklist 
#create new ipset
firewall-cmd --permanent --new-ipset=ipsum-blacklist --type=hash:net
#load and add IPs into ipset 
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do firewall-cmd --ipset=ipsum-blacklist --add-entry=$ip --permanent; done
#firewall-cmd rules
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source ipset="ipsum-blacklist" drop'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="ipsum-blacklist" drop'
#firewall-cmd reload and apply rules
firewall-cmd --reload

and add the script call into /etc/crontab

5 5   * * *   root    /path/to/ipsum.sh save > /dev/null