-
Notifications
You must be signed in to change notification settings - Fork 0
/
paranoia.sh
86 lines (77 loc) · 5.67 KB
/
paranoia.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#!/bin/bash
# WARNING, This script is one of the most aggressive blacklists you could possibly use short of dropping everything and whitelisting intended resources.
# This wil block approximately 1/4th of the usable IPV4 address space. Do not use this script unless you know exactly what you are doing.
################################################################################################################
#
# ██████╗ █████╗ ██████╗ █████╗ ███╗ ██╗ ██████╗ ██╗ █████╗ █████╗ ██████╗ ███████╗███╗ ██╗████████╗
# ██╔══██╗██╔══██╗██╔══██╗██╔══██╗████╗ ██║██╔═══██╗██║██╔══██╗ ██╔══██╗██╔════╝ ██╔════╝████╗ ██║╚══██╔══╝
# ██████╔╝███████║██████╔╝███████║██╔██╗ ██║██║ ██║██║███████║ ███████║██║ ███╗█████╗ ██╔██╗ ██║ ██║
# ██╔═══╝ ██╔══██║██╔══██╗██╔══██║██║╚██╗██║██║ ██║██║██╔══██║ ██╔══██║██║ ██║██╔══╝ ██║╚██╗██║ ██║
# ██║ ██║ ██║██║ ██║██║ ██║██║ ╚████║╚██████╔╝██║██║ ██║ ██║ ██║╚██████╔╝███████╗██║ ╚████║ ██║
# ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═════╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═══╝ ╚═╝
# Firehol EXTREME IPSET Blacklist
# Name of database (will be downloaded with this name)
_input=badips.db
# Whitelist Local Network Traffic
_network="192.168.1.0/24"
_intface=$(route | grep '^default' | grep -o '[^ ]*$')
## Get bad IP data using https://github.com/firehol/blocklist-ipsets
if [ ! -d blocklist-ipsets ]; then
git clone https://github.com/firehol/blocklist-ipsets
cd blocklist-ipsets || exit
# Primary Lists (Does not include ISP's)
find . -maxdepth 1 -iname '*.*set' -not -name '*isp*.*set' | sort | xargs cat >> ../$_input
# Country Blacklisting (Default whitelist US, GB, AU, CA, NZ)
find ./geolite2_country/ -iname "country_*.*set" ! -name "*_us*.*set" ! -name "*_gb*.*set" ! -name "*_au*.*set" ! -name "*_ca*.*set" ! -name "*_nz*.*set" | sort | xargs cat >> ../$_input
cd .. || exit
else
cd blocklist-ipsets || exit
git pull
# Primary Lists (Does not include ISP's)
find . -maxdepth 1 -iname '*.*set' -not -name '*isp*.*set' | sort | xargs cat >> ../$_input
# Country Blacklisting (Default whitelist US, GB, AU, CA, NZ)
find ./geolite2_country/ -iname "country_*.*set" ! -name "*_us*.*set" ! -name "*_gb*.*set" ! -name "*_au*.*set" ! -name "*_ca*.*set" ! -name "*_nz*.*set" | sort | xargs cat >> ../$_input
cd .. || exit
fi
# Verify or create our IP sets.
if ipset -L hash_ip | grep -q 'hash_ip'; then true;else ipset create hash_ip hash:ip maxelem 5000000; fi
if ipset -L hash_net | grep -q 'hash_net'; then true;else ipset create hash_net hash:net maxelem 5000000; fi
# Flush the IP Sets.
ipset flush hash_ip
ipset flush hash_net
# Filter and create our datasets
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" $_input | sort -n > hash_ip
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}/[0-9]{1,2}" $_input | sort -n > hash_net
sed -i -e 's/0.0.0.0//g' hash_ip
sed -i '/^$/d' hash_ip
# Create our ipset lists
echo "create hash_ip hash:ip family inet hashsize 1024 maxelem 5000000" > hash_ip.ipset
echo "create hash_net hash:net family inet hashsize 1024 maxelem 5000000" > hash_net.ipset
sed -e 's/^/add hash_ip /' hash_ip >> hash_ip.ipset
sed -e 's/^/add hash_net /' hash_net >> hash_net.ipset
rm hash_ip
rm hash_net
# Import blacklist to IPSET
ipset restore -! < hash_ip.ipset
ipset restore -! < hash_net.ipset
# Create a backup of our IPTables Firewall Prior to Editing.
iptables-save > iptables.bak
# Whitelist our local network
iptables -C INPUT -s 127.0.0.1 -j ACCEPT || iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -C INPUT -s $_network -j ACCEPT || iptables -A INPUT -s $_network -j ACCEPT
iptables -C INPUT -i $_intface -j ACCEPT || iptables -A INPUT -i $_intface -j ACCEPT
# Insert or append to iptables
iptables -C INPUT -m set --match-set hash_ip src -j LOG --log-prefix "Drop Bad IP List " || iptables -A INPUT -m set --match-set hash_ip src -j LOG --log-prefix "Drop Bad IP List "
iptables -C INPUT -m set --match-set hash_ip src -j DROP || iptables -A INPUT -m set --match-set hash_ip src -j DROP
iptables -C INPUT -m set --match-set hash_net src -j LOG --log-prefix "Drop Bad IP List " || iptables -A INPUT -m set --match-set hash_net src -j LOG --log-prefix "Drop Bad IP List "
iptables -C INPUT -m set --match-set hash_net src -j DROP || iptables -A INPUT -m set --match-set hash_net src -j DROP
# Prompt the user to confirm changes to iptables (Prevents getting locked out of your own network)
read -r -t 20 -p $'Type "confirm" to commit changes to iptables:\n' confirm
if [[ $confirm = +(confirm|yes|Y|y) ]]
then echo "Changes have been commited."
else echo "Restoring previous configuration." && iptables-restore < iptables.bak
fi
# Remove temporary files
rm $_input
rm ./*.ipset
exit 0