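#!/usr/bin/env bash
#
# Add new IPs to the RBL (rbldnsd list data) based on these detection methods:
#   - undetected spam delivered to a trap address (taken from /var/log/mail.log)
#   - IPs currently banned by fail2ban (IPv4 chains only)
#
# Usage: $0 <4|6>
#   $1 selects whether the IPv4 or the IPv6 list is maintained.
#
# Files written:
#   /var/lib/rbldns/listv$1                - rbldnsd list (created once, then appended to)
#   /var/www/virtsrv/lugh.ch/listv$1.txt   - human readable copy of the temporary listings
#   /var/www/virtsrv/lugh.ch/list.txt      - the v4 and v6 copies concatenated
#
# Review notes:
#   - Every candidate address (fail2ban output, mail-log field, DNS answers) is
#     validated syntactically before it is passed to geoiplookup or written to the
#     list. The mail-log field in particular is attacker-influenced text, and the
#     old unquoted "$ip" usage word-split it straight into a command line.
#   - "Already listed" is an exact first-field comparison; the previous unanchored
#     grep let 10.0.0.1 hide 10.0.0.10 and 210.0.0.1 from ever being listed.
#   - No 'set -e'/'pipefail': several pipelines here legitimately end with grep
#     returning 1 (nothing banned, nothing trapped).

listtype=$1
# Exactly "4" or "6" (the old pattern ^[4,6]+$ also accepted "44", "4,6" and ",").
if [[ "$listtype" != "4" && "$listtype" != "6" ]]; then
    echo "first parameter is mandatory and must be either 4 or 6." >&2
    exit 1
fi
readonly listtype
readonly rblfile="/var/lib/rbldns/listv$listtype"
readonly webdir="/var/www/virtsrv/lugh.ch"
readonly webfile="$webdir/listv$listtype.txt"
# Column headers of the web-viewable lists (same bytes 'echo -e' produced before).
readonly header_line=$'IP\t\tDate listed\t\t\tCause\t\t\t\t\tCountry'
readonly rule_line=$'--\t\t-----------\t\t\t-----\t\t\t\t\t-------'

# is_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    local addr=$1 octet
    [[ "$addr" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for octet in "${BASH_REMATCH[@]:1}"; do
        # 10# forces decimal so "08"/"09" are not parsed as (invalid) octal.
        (( 10#$octet <= 255 )) || return 1
    done
    return 0
}

# is_ipv6 ADDR: 0 if ADDR is syntactically an IPv6 address: hex groups of 1-4
# digits separated by ':', at most one '::', optionally a dotted-quad tail
# (::ffff:127.0.0.2), and 8 groups when '::' is absent. Rejects anything that
# could carry shell metacharacters, '#' or whitespace into the list file.
is_ipv6() {
    local addr=$1 group stripped groups=0
    [[ "$addr" =~ ^[0-9A-Fa-f:.]{2,45}$ && "$addr" == *:* && "$addr" != *:::* ]] || return 1
    # Removing every "::" may shorten the string by at most two characters,
    # i.e. there was at most one "::".
    stripped=${addr//::/}
    (( ${#addr} - ${#stripped} <= 2 )) || return 1
    local IFS=':'
    for group in $addr; do
        groups=$((groups + 1))
        [[ -z "$group" || "$group" =~ ^[0-9A-Fa-f]{1,4}$ ]] && continue
        # A dotted quad is only valid as the final group and counts as two.
        if [[ "$group" == "${addr##*:}" ]] && is_ipv4 "$group"; then
            groups=$((groups + 1))
            continue
        fi
        return 1
    done
    (( groups <= 8 )) || return 1
    if [[ "$addr" != *::* ]]; then
        (( groups == 8 )) || return 1
    fi
    return 0
}

# is_family ADDR: 0 if ADDR belongs to the address family selected by $listtype.
is_family() {
    if [[ "$listtype" == "6" ]]; then
        is_ipv6 "$1"
    else
        is_ipv4 "$1"
    fi
}

# dnsq NAME: print the A (list 4) or AAAA (list 6) records of NAME, one per line.
# 'dig +short' also prints CNAME targets; only lines that are addresses of the
# selected family are passed on, so no hostname ever ends up in the list file.
dnsq() {
    local rrtype="A" answer
    [[ "$listtype" == "6" ]] && rrtype="AAAA"
    while IFS= read -r answer; do
        is_family "$answer" && printf '%s\n' "$answer"
    done < <(dig +short "$rrtype" "$1")
}

# Hosts that must never be listed (written as '!addr' exclusions on first run).
static_white=()
for name in lugh.ch ipv6.lugh.ch urmama.farted.net oxi.ch mail.zephry.ch; do
    while IFS= read -r answer; do
        static_white+=("$answer")
    done < <(dnsq "$name")
done

# Hosts listed permanently (written on first run only).
static_black=()
for name in www.uceprotect.net rsync-mirrors.uceprotect.net www.backscatterer.org \
            unimatrix.admins.ws nirvana.admins.ws; do
    while IFS= read -r answer; do
        static_black+=("$answer")
    done < <(dnsq "$name")
done

# Currently banned sources from every fail2ban chain (rule lines in 'iptables -nL'
# start with the jump target, so '^f2b' picks the f2b-* chains). fail2ban is
# IPv4-only here, so nothing is collected for the IPv6 list.
iptables_banned=()
if [[ "$listtype" == "4" ]]; then
    while IFS= read -r answer; do
        is_ipv4 "$answer" && iptables_banned+=("$answer")
    done < <(
        for chain in $(/usr/sbin/iptables -w 1 -nL | awk '/^f2b/ {print $1}'); do
            /usr/sbin/iptables -w 1 -nL "$chain" \
                | awk '/^REJECT/ && $4 != "0.0.0.0/0" {print $4}'
        done | sort -u
    )
fi

# Sources of SPAM mails sent to the trap address. The bracketed field is taken
# from the mail log exactly as before; anything that is not an address of the
# selected family is dropped here rather than written into the zone data.
spamtrap=()
while IFS= read -r answer; do
    is_family "$answer" && spamtrap+=("$answer")
done < <(grep ' -> ' /var/log/mail.log | awk -F'[][]' '{print $6}' | sort -u)

if [[ "$listtype" == "4" ]]; then
    testentry="127.0.0.2 RFC 5782 test entry # 0 # Test entry RFC 5782"
else
    testentry="::ffff:7f00:2 RFC 5782 test entry # 0 # Test entry RFC 5782"
fi

# First run: write the list header, test entry, whitelist and permanent listings.
# The whitelist is baked in at this point only, so refuse to create the file when
# DNS returned nothing for it instead of silently creating a list without it.
if [[ ! -s "$rblfile" ]]; then
    if (( ${#static_white[@]} == 0 )); then
        echo "whitelist resolved to no addresses; refusing to create $rblfile without it." >&2
        exit 1
    fi
    {
        printf '# Automatically generated at %s by %s %s\n' "$(date)" "$0" "$listtype"
        printf '# Test entry http://www.ietf.org/rfc/rfc5782.txt\n'
        printf '%s\n' "$testentry"
        printf ':127.0.0.2:$ is listed because of misbehaviour. See https://lugh.ch/dnsbl.html for details\n'
        printf '# Whitelist\n'
        printf '!%s # 0\n' "${static_white[@]}"
        printf '# Blacklist\n'
        if (( ${#static_black[@]} > 0 )); then
            printf '%s # 0 # Infinite listing (UCEPROTECT)\n' "${static_black[@]}"
        fi
        printf '# Recent temporary listings\n'
    } > "$rblfile"
fi

# listed ADDR: 0 if ADDR is already the first field of a line in $rblfile,
# either as a listing or as a '!ADDR' whitelist exclusion. Exact comparison;
# a substring grep would make 10.0.0.1 hide 10.0.0.10 and 210.0.0.1.
listed() {
    awk -v ip="$1" '$1 == ip || $1 == "!" ip { found = 1; exit } END { exit !found }' "$rblfile"
}

# country_of ADDR: country text from the legacy GeoIP databases, in the shape the
# list already uses: the "IP Address not found" message verbatim, otherwise the
# line without the leading "CC," token (fields 2..8, trailing OFS kept as before).
country_of() {
    local tool="geoiplookup" prefix='GeoIP Country Edition: '
    if [[ "$listtype" == "6" ]]; then
        tool="geoiplookup6"
        prefix='GeoIP Country V6 Edition: '
    fi
    "$tool" "$1" | sed "s/$prefix//" \
        | awk '{ if ($1 == "IP") print $0; else print $2,$3,$4,$5,$6,$7,$8 }'
}

# add_listing ADDR CAUSE: append "ADDR # epoch # CAUSE # country" unless ADDR is
# already present. ADDR has been validated by the collectors above.
add_listing() {
    local addr=$1 cause=$2
    listed "$addr" && return 0
    printf '%s # %s # %s # %s\n' "$addr" "$(date +%s)" "$cause" "$(country_of "$addr")" >> "$rblfile"
}

# fail2ban (IPv4 only)
if [[ "$listtype" == "4" ]]; then
    for addr in "${iptables_banned[@]}"; do
        add_listing "$addr" "Service login attempts/misconfiguration"
    done
fi

# SPAM
for addr in "${spamtrap[@]}"; do
    add_listing "$addr" "SPAM mail to trap address"
done

# atomic_write DEST: copy stdin into DEST through a temp file in the same
# directory and rename it, so the web server never serves a half-written list.
# mktemp creates the file 0600, hence the explicit 0644 (what the old in-place
# write produced under the usual 022 umask).
atomic_write() {
    local dest=$1 tmp
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cat > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# web_rows: the temporary listings of $rblfile as tab separated rows with the
# epoch timestamp rendered by date(1). Skips the permanent UCEPROTECT entries,
# whitelist (!) lines, comments, the rbldnsd template line and the RFC 5782 test
# entry. NOTE(review): the '^[1-9]' filter is kept from the original; it also
# hides IPv6 listings whose first character is a letter or a zero.
web_rows() {
    local addr ts rest when
    grep -v -i uceprotect "$rblfile" | grep '^[1-9]' | grep -v '^127\.0\.0\.2' \
        | sed 's/ # /\t/g' \
        | while IFS=$'\t' read -r addr ts rest; do
            when=$(date -d "@$ts" 2>/dev/null) || when=$ts
            printf '%s\t%s\t%s\n' "$addr" "$when" "$rest"
        done
}

# Generate user friendly web-viewable list
{
    printf '%s\n' "$header_line" "$rule_line"
    web_rows
} | atomic_write "$webfile"

# Concatenate IPv4 and IPv6 lists together (a list that does not exist yet is skipped)
{
    printf '%s\n' "$header_line" "$rule_line"
    for part in "$webdir/listv4.txt" "$webdir/listv6.txt"; do
        [[ -s "$part" ]] && tail -n +3 "$part"
    done
} | atomic_write "$webdir/list.txt"

# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4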