
#!/usr/bin/env bash
#
# Append newly detected addresses to the rbldnsd zone file for one address
# family, using two sources:
# - mail that reached the spam-trap address (parsed from /var/log/mail.log)
# - addresses currently banned in the fail2ban iptables chains (IPv4 list only)
# then regenerate the web-viewable copies under /var/www/virtsrv/lugh.ch.
#
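# $1 parameter tells if it goes to an IPv4 or IPv6 list.
# Exactly "4" or "6" is accepted. The former pattern ^[4,6]+$ also let
# "44", "4,6" or "," through: those selected no dig record type (so the
# "unknown, fix it" text was word-split into the whitelist) and built a
# zone path such as /var/lib/rbldns/listv44.
listtype=${1:-}
if ! [[ "$listtype" =~ ^[46]$ ]]; then
  printf '%s\n' "first parameter is mandatory and must be either 4 or 6." >&2
  exit 1
fi
# rbldnsd zone file this run maintains; it is seeded once and appended to
# afterwards, never rewritten.
rblfile="/var/lib/rbldns/listv$listtype"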
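# Filter stdin down to lines shaped like an address of the selected family:
# dotted-quad for listtype 4, hex-and-colon (at least one colon) for 6.
# A syntactic check only, not a full address parser, but enough to keep
# host names and dig diagnostics out of the zone file.
addr_lines() {
  if [[ "$listtype" == 4 ]]; then
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  else
    grep -E '^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$'
  fi
}

# Print the address records of host $1 for the list family, one per line
# (A for 4, AAAA for 6); callers word-split the output into arrays.
# `dig +short` also prints CNAME targets and, when no resolver answers,
# ";; connection timed out; no servers could be reached" — the previous
# version passed those through, so they ended up as "!<word> # 0" whitelist
# or "<word> # 0 # Infinite listing" entries in the zone. Only address
# lines are kept now. Requires network access.
dnsq() {
  local host=$1
  case "$listtype" in
    4) dig +short "$host" | addr_lines ;;
    6) dig +short AAAA "$host" | addr_lines ;;
    *) echo "unknown, fix it" ;;
  esac
}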
# Addresses that must never be listed (written as rbldnsd "!" exclusions).
# They are resolved at run time, so whatever DNS answers for these names is
# what lands in the zone. NOTE(review): the resolver path is therefore part
# of the trust boundary for the whitelist; presumably acceptable because
# these are the operator's own hosts — confirm.
static_white=()
for host in lugh.ch ipv6.lugh.ch oxi.ch mail.zephry.ch moni-und-oli.ch; do
  static_white+=( $(dnsq "$host") )
done

# Addresses listed permanently ("# 0" timestamp), likewise resolved at run time.
static_black=()
for host in www.uceprotect.net rsync-mirrors.uceprotect.net www.backscatterer.org unimatrix.admins.ws; do
  static_black+=( $(dnsq "$host") )
done
# fail2ban jail chains whose DROP rules feed the IPv4 list
# (reading them with `iptables -nL` needs the appropriate privileges).
fail2ban_chains=(
  fail2ban-dovecot
  fail2ban-sasl
  fail2ban-ssh
  fail2ban-ssh-ddos
  fail2ban-tumgreyspf
  fail2ban-apache-digest
)
# Not referenced further down; kept so the variable still exists for anything
# that sources this script.
ban_ip=()

# Print the source column (field 4 of `iptables -nL`) of every DROP rule in
# the chains above, de-duplicated. A catch-all 0.0.0.0/0 source is dropped so
# a chain-wide DROP never puts the whole Internet on the list.
collect_banned() {
  local chain
  for chain in "${fail2ban_chains[@]}"; do
    /sbin/iptables -nL "$chain" | awk '$1 == "DROP" { print $4 }' | grep -v '0.0.0.0/0'
  done | sort | uniq
}

# Get currently banned IPs from fail2ban chains
iptables_banned=( $(collect_banned) )
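# Print the addresses that delivered mail to the trap mailbox, one per line,
# extracted from the mail log ($1 overrides the path, default /var/log/mail.log).
# The log layout is assumed: splitting a "... -> <hans.muster@lugh.ch>" line on
# "[" / "]" leaves the bracketed client address in field 6 — presumably the
# MTA's "[ip]" client marker; re-check this if the MTA or its log format changes.
# Those same lines carry sender-chosen strings (HELO names, addresses), so the
# extracted token is accepted only when it is shaped like an IPv4 or IPv6
# address. Previously anything in that field was written verbatim into the
# rbldnsd zone and handed to geoiplookup, grep and sed further down.
spamtrap_ips() {
  local log=${1:-/var/log/mail.log}
  grep ' -> <hans.muster@lugh.ch>' "$log" \
    | awk -F'[][]' '{print $6}' \
    | grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*)$'
}

# Get SPAM mails sent to specific address
spamtrap=( $(spamtrap_ips) )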
# RFC 5782 test entry for the family: a DNSBL is expected to list 127.0.0.2
# (and ::ffff:7f00:2 on the IPv6 side) so clients can check the list is live.
case "$listtype" in
  4) testentry="127.0.0.2 RFC 5782 test entry # 0 # Test entry RFC 5782" ;;
  6) testentry="::ffff:7f00:2 RFC 5782 test entry # 0 # Test entry RFC 5782" ;;
esac
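# Emit the initial rbldnsd zone on stdout: header, RFC 5782 test entry, the
# default listing text, then the static whitelist and blacklist. It is only
# used to seed an absent or empty zone file, so the static entries are NOT
# refreshed on later runs — a change to static_white/static_black takes
# effect only after the zone file is removed.
rbl_seed() {
  printf '# Automatically generated at %s by %s %s\n' "$(date)" "$0" "$listtype"
  printf '# Test entry http://www.ietf.org/rfc/rfc5782.txt\n'
  printf '%s\n' "$testentry"
  printf ':127.0.0.2:$ is listed because of misbehaviour. See http://lugh.ch/dnsbl.html for details\n'
  printf '# Whitelist\n'
  # printf runs its format once even with no arguments, so an empty array
  # (e.g. a DNS lookup that returned nothing) used to produce a bare
  # "! # 0" / " # 0 # Infinite listing" line; skip the printf instead.
  if (( ${#static_white[@]} )); then
    printf '!%s # 0\n' "${static_white[@]}"
  fi
  printf '# Blacklist\n'
  if (( ${#static_black[@]} )); then
    printf '%s # 0 # Infinite listing (UCEPROTECT)\n' "${static_black[@]}"
  fi
  printf '# Recent temporary listings\n'
}

if [[ ! -s "$rblfile" ]]; then
  rbl_seed > "$rblfile"
fi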
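# Return 0 if address $1 already has a line in zone file $2, either as a
# listing ("1.2.3.4 # ...") or as a "!" whitelist exclusion ("!1.2.3.4 # 0"),
# so whitelisted addresses are never re-added. The first field is compared
# exactly: the former `grep -c "$ip"` was an unanchored regex, so 1.2.3.4
# counted as "already listed" whenever 1.2.3.40 or 11.2.3.4 was, and the
# dots matched any character.
rbl_has_entry() {
  local ip=$1 zone=$2
  [[ -r "$zone" ]] || return 1
  awk -v ip="$ip" '$1 == ip || $1 == "!" ip { found = 1; exit } END { exit (found ? 0 : 1) }' "$zone"
}

# Country description for address $1 from the legacy GeoIP CLI ($2 = 4 or 6).
# Same munging as before: strip the "GeoIP Country ... Edition: " prefix,
# pass an "IP Address not found" line through whole, otherwise drop the
# leading "CC," field and print fixed columns $2..$8 (so the name keeps the
# trailing blanks it always had). Empty if the tool is not installed.
geoip_country() {
  local ip=$1 family=$2 tool prefix
  if [[ "$family" == 6 ]]; then
    tool=geoiplookup6; prefix='GeoIP Country V6 Edition: '
  else
    tool=geoiplookup;  prefix='GeoIP Country Edition: '
  fi
  "$tool" "$ip" | sed "s/$prefix//" | awk '{ if ($1 == "IP") print $0; else print $2,$3,$4,$5,$6,$7,$8 }'
}

# Append one listing line for address $1 to $rblfile:
# "IP # epoch # cause # country" ($2 = cause text, $3 = 4 or 6).
rbl_add() {
  local ip=$1 cause=$2 family=$3 country
  country=$(geoip_country "$ip" "$family")
  printf '%s # %s # %s # %s\n' "$ip" "$(date +%s)" "$cause" "$country" >> "$rblfile"
}

# fail2ban (IPv4 only): the bans come from iptables, so only the v4 run uses them.
if [[ "$listtype" -eq 4 ]]; then
  for ip in "${iptables_banned[@]}"; do
    rbl_has_entry "$ip" "$rblfile" || rbl_add "$ip" 'Service login attempts/misconfiguration' 4
  done
fi

# SPAM: trap hits can be of either family; each run only writes its own list.
for ip in "${spamtrap[@]}"; do
  rbl_has_entry "$ip" "$rblfile" && continue
  if [[ "$ip" == *:* ]]; then
    [[ "$listtype" -eq 6 ]] && rbl_add "$ip" 'SPAM mail to trap address' 6
  else
    [[ "$listtype" -eq 4 ]] && rbl_add "$ip" 'SPAM mail to trap address' 4
  fi
done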
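# Render zone file $1 as the tab-separated, human-readable list $2: a header,
# then one line per temporary listing with the epoch timestamp turned into
# `date` output. Left out: comment, whitelist and default-text lines (they do
# not start with an address), the 127.0.0.2 test entry, and the permanent
# UCEPROTECT entries. The file is written once, in a single pass.
write_weblist() {
  local zone=$1 out=$2 ip ts rest
  {
    printf '%s\t\t%s\t\t\t%s\t\t\t\t\t%s\n' IP 'Date listed' Cause Country
    printf '%s\t\t%s\t\t\t%s\t\t\t\t\t%s\n' -- ----------- ----- -------
    # ^[0-9a-f] instead of the former ^[1-9]: IPv6 entries whose first hextet
    # starts with a letter were silently missing from the public list.
    grep -v -i uceprotect "$zone" | grep '^[0-9a-f]' | grep -v '^127\.0\.0\.2' | sed 's/ # /\t/g' \
      | while IFS=$'\t' read -r ip ts rest; do
          # Convert the timestamp field here rather than with a `sed -i` per
          # entry, which re-read the whole file for every line and replaced the
          # bare digit string wherever it first occurred.
          if [[ "$ts" =~ ^[0-9]+$ ]]; then
            ts=$(date -d "@$ts")
          fi
          printf '%s\t%s\t%s\n' "$ip" "$ts" "$rest"
        done
  } > "$out"
}

# Generate user friendly web-viewable list
write_weblist "$rblfile" "/var/www/virtsrv/lugh.ch/listv$listtype.txt"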
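# Write $3 as the IPv4 page $1 in full followed by the entry lines of the
# IPv6 page $2 (its header lines are dropped so the headings are not repeated).
# The former `cat listv4.txt $(grep ... listv6.txt)` handed the grep output to
# cat as file names, so the IPv6 entries never reached list.txt (and cat
# printed one "No such file" error per word). Runs on every invocation; on the
# very first run of one family the other page may not exist yet and its part
# is simply empty.
merge_weblists() {
  local v4=$1 v6=$2 out=$3
  { cat "$v4"; grep '^[0-9a-f]' "$v6"; } > "$out"
}

# Concatenate IPv4 and IPv6 lists together
merge_weblists /var/www/virtsrv/lugh.ch/listv4.txt /var/www/virtsrv/lugh.ch/listv6.txt /var/www/virtsrv/lugh.ch/list.txt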