Added block-ip scripts.
authorHisataka Kasuga <hkasuga@nabium.com>
Tue, 12 Jan 2021 20:26:20 +0000 (05:26 +0900)
committerHisataka Kasuga <hkasuga@nabium.com>
Tue, 12 Jan 2021 20:27:18 +0000 (05:27 +0900)
13 files changed:
.gitignore [new file with mode: 0644]
block-ip/block-add-smtp.sh [new file with mode: 0755]
block-ip/block-add-ssh.sh [new file with mode: 0755]
block-ip/block-ip.md [new file with mode: 0644]
block-ip/block-remove-smtp.sh [new file with mode: 0755]
block-ip/block-remove-ssh.sh [new file with mode: 0755]
block-ip/block-show-all.sh [new file with mode: 0755]
block-ip/block-show-smtp.sh [new file with mode: 0755]
block-ip/block-show-ssh.sh [new file with mode: 0755]
block-ip/block-stat-all.sh [new file with mode: 0755]
block-ip/block-stat-smtp.sh [new file with mode: 0755]
block-ip/block-stat-ssh.sh [new file with mode: 0755]
install.sh [new file with mode: 0755]

diff --git a/.gitignore b/.gitignore
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/block-ip/block-add-smtp.sh b/block-ip/block-add-smtp.sh
new file mode 100755 (executable)
index 0000000..c50a8e9
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eu
+
+function print_usage() {
+    echo "Usage: $0 <netaddr> [<netaddr>...]"
+}
+
+if [ $# -lt 1 ]
+then
+    print_usage
+    exit 1
+fi
+
+while [ $# -gt 0 ]
+do
+    netaddr=$1
+    shift
+
+    echo "ban ${netaddr}"
+    sudo firewall-cmd --zone=drop --add-source=${netaddr}
+    sudo firewall-cmd --permanent --zone=drop --add-source=${netaddr}
+done
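Review bot: `${netaddr}` is unquoted on both `firewall-cmd` lines, so an argument containing whitespace is word-split and the extra words reach `firewall-cmd` as additional options; quote it as `--add-source="${netaddr}"` on both lines. The file name suggests an SMTP-only block, but `--zone=drop --add-source` drops every packet from the source regardless of port, which matters when the prefix also carries legitimate non-mail clients; a header comment such as `# Drops ALL traffic (not just SMTP) from the given sources via firewalld's "drop" zone, runtime and permanent` would prevent that misreading. The runtime and permanent changes are also two independent commands, so if the second fails under `set -eu` the script stops with a runtime-only ban that vanishes on the next firewalld reload; at minimum the header should say that the two can get out of step and that `block-show-smtp.sh` only shows the runtime side.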
diff --git a/block-ip/block-add-ssh.sh b/block-ip/block-add-ssh.sh
new file mode 100755 (executable)
index 0000000..992427b
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+priorities=(
+misc
+ck
+CenturyLink
+DigitalOcean
+)
+
+function print_usage() {
+    local priorange=$(
+    for key in "${!priorities[@]}"
+    do
+        echo -n "${key}:${priorities[${key}]} "
+    done
+    )
+    echo "Usage: $0 <prio> <netaddr> [<netaddr>...]"
+    echo "  prio=${priorange}"
+}
+
+if [ $# -lt 2 ]
+then
+    print_usage
+    exit 1
+fi
+
+prio=$1
+shift
+if [ -z "${priorities[${prio}]}" ]
+then
+    echo "Error: invalid priority"
+    print_usage
+    exit 2
+fi
+
+while [ $# -gt 0 ]
+do
+    netaddr=$1
+    shift
+
+    echo "ban ${netaddr}"
+    sudo firewall-cmd --direct --add-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+done
+
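Review bot: The rules added on the two `firewall-cmd --direct --add-rule` lines end with `-s ${netaddr}` and carry no target, and a `filter` rule without `-j`/`-g` only updates its counters: as far as the diff shows, the `nabium-ssh` chain therefore never drops anything and SSH from the "banned" networks still reaches sshd, which contradicts the `ban` message here and the "blacklist for SSH" heading in block-ip.md. If the intent is to block, both rule lines need a target such as `-j DROP`; if the intent is only to count (the md's "show counters" section suggests that is at least part of it), the message should say so. The `[ -z "${priorities[${prio}]}" ]` check is weaker than it looks because bash evaluates an indexed-array subscript arithmetically: `-1` selects the last entry and a non-numeric word evaluates to 0, so both pass the check and are handed to `firewall-cmd` as the priority. Quoting `"${prio}"` and `"${netaddr}"` keeps a whitespace-containing argument from becoming extra iptables arguments, and the chain wiring documented in block-ip.md (`---protocol tcp --dport 22 j nabium-ssh`) looks mistyped, so the chain these rules live in may not even be reached.

```shell
# … unchanged: priorities array and print_usage …
prio=$1
shift
# Array subscripts are arithmetic in bash, so require a plain in-range index.
if ! [[ "${prio}" =~ ^[0-9]+$ ]] || (( prio >= ${#priorities[@]} )); then
    echo "Error: invalid priority" >&2
    print_usage
    exit 2
fi

while [ $# -gt 0 ]
do
    netaddr=$1
    shift

    echo "ban ${netaddr}"
    # Without a target the rule only counts matches; -j DROP makes it a ban.
    sudo firewall-cmd --direct --add-rule ipv4 filter nabium-ssh "${prio}" -s "${netaddr}" -j DROP
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter nabium-ssh "${prio}" -s "${netaddr}" -j DROP
done
```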
diff --git a/block-ip/block-ip.md b/block-ip/block-ip.md
new file mode 100644 (file)
index 0000000..df8c718
--- /dev/null
@@ -0,0 +1,182 @@
+Banning IPs
+============================================================
+
+ban incl. SNMP
+------------------------------------------------------------
+
+    sudo firewall-cmd --zone=drop --add-source=81.161.63.0/24
+    sudo firewall-cmd --zone=drop --add-source=81.161.63.0/24 --permanent
+
+
+unban
+------------------------------------------------------------
+
+    sudo firewall-cmd --zone=drop --remove-source=81.161.63.0/24
+    sudo firewall-cmd --zone=drop --remove-source=81.161.63.0/24 --permanent
+
+ban access to SSH, for big ISPs
+------------------------------------------------------------
+
+### init
+
+    sudo firewall-cmd --direct --add-chain ipv4 filter nabium-ssh
+    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 ---protocol tcp --dport 22 j nabium-ssh
+
+    sudo firewall-cmd --permanent --direct --add-chain ipv4 filter nabium-ssh
+    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 1 ---protocol tcp --dport 22 j nabium-ssh
+
+
+### ban per network
+
+    sudo firewall-cmd --direct --add-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+
+
+### unban per network
+
+    sudo firewall-cmd --direct --remove-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+    sudo firewall-cmd --permanent --direct --remove-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+
+
+list banned
+------------------------------------------------------------
+
+    sudo firewall-cmd --direct --get-all-chains
+    sudo firewall-cmd --direct --get-all-rules
+    sudo firewall-cmd --direct --get-all-rules --permanent
+    sudo firewall-cmd --list-rich-rules
+    sudo firewall-cmd --list-rich-rules --permanent
+
+
+### banned by fail2ban JAIL
+
+    sudo firewall-cmd --list-rich-rules --zone=public
+
+### banned by fail2ban recidive
+
+    sudo firewall-cmd --direct --get-rules ipv4 filter INPUT_direct
+    sudo firewall-cmd --direct --get-rules ipv4 filter f2b-recidive
+
+### banned IP incl. SMTP
+
+    sudo firewall-cmd --get-active-zones
+    sudo firewall-cmd --zone=drop --list-sources
+    sudo firewall-cmd --zone=drop --list-sources --permanent
+
+### banned access to SSH
+
+    sudo firewall-cmd --direct --get-rules ipv4 filter nabium-ssh
+
+
+show counters
+------------------------------------------------------------
+
+    sudo iptables -nvL INPUT
+    sudo iptables -nvL INPUT_direct
+    sudo iptables -nvL IN_public_deny
+    sudo iptables -nvL f2b-recidive
+    sudo iptables -nvL INPUT_ZONES_SOURCE
+    sudo iptables -nvL nabium-ssh
+
+
+clear counters
+------------------------------------------------------------
+
+    sudo iptables -nvZL INPUT_ZONES_SOURCE
+    sudo iptables -nvZL nabium-ssh
+
+
+blacklist for SMTP
+------------------------------------------------------------
+
+# Serverion BV
+37.46.150.0/24
+# RACKWEB-NET
+78.128.113.0/24
+# VietServer
+103.207.38.234
+# Internet-Hosting
+212.70.149.0/24
+
+
+blacklist for SSH
+------------------------------------------------------------
+
+### misc priority=0
+
+# xweb-ltd
+81.161.63.0/24
+# xweb-ltd
+185.202.1.0/24
+
+
+### China/Korea priority=1
+
+# China Telecom
+14.16.0.0/12
+# Shenzhen Tencent
+49.232.0.0/14
+# Baidu
+106.12.0.0/15
+# Korea Telecom
+175.192.0.0/11
+# Shenzhen Tencent
+106.52.0.0/14
+# China Mobile
+111.0.0.0/10
+# Shenzhen Tencent 
+111.229.0.0/16
+# Taizhou SHI TONG
+180.188.16.0/20
+# China Telecom
+218.22.0.0/15
+
+
+### CenturyLink priority=2
+
+63.152.0.0/13
+63.224.0.0/13
+65.40.0.0/15
+65.100.0.0/14
+65.128.0.0/11
+67.0.0.0/13
+67.40.0.0/15
+67.42.0.0/16
+67.232.0.0/13
+70.56.0.0/14
+71.0.0.0/14
+71.32.0.0/13
+71.48.0.0/13
+71.208.0.0/12
+72.160.0.0/15
+75.120.0.0/15
+75.160.0.0/12
+76.0.0.0/13
+97.112.0.0/12
+98.125.0.0/16
+99.194.0.0/15
+144.163.0.0/16
+162.104.0.0/16
+173.202.0.0/16
+174.16.0.0/12
+174.124.0.0/15
+184.0.0.0/13
+184.96.0.0/13
+184.156.0.0/14
+207.118.0.0/15
+216.160.0.0/15
+
+
+### DigitalOcean priority=3
+
+46.101.80.0/20
+104.248.0.0/16
+139.59.0.0/16
+142.93.0.0/16
+159.65.0.0/16
+161.35.0.0/16
+165.227.0.0/16
+167.99.0.0/16
+188.166.0.0/17
+206.189.0.0/16
+
diff --git a/block-ip/block-remove-smtp.sh b/block-ip/block-remove-smtp.sh
new file mode 100755 (executable)
index 0000000..df3f36e
--- /dev/null
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eu
+
+function print_usage() {
+    echo "Usage: $0 <netaddr> [<netaddr>...]"
+}
+
+if [ $# -lt 1 ]
+then
+    print_usage
+    exit 1
+fi
+
+while [ $# -gt 0 ]
+do
+    netaddr=$1
+    shift
+
+    echo "ban ${netaddr}"
+    sudo firewall-cmd --zone=drop --remove-source=${netaddr}
+    sudo firewall-cmd --permanent --zone=drop --remove-source=${netaddr}
+done
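Review bot: The progress line inside the loop prints `ban ${netaddr}` although this script removes the source from the `drop` zone; it should read `echo "unban ${netaddr}"` so an operator's terminal log does not record a ban where an unban happened. `${netaddr}` is also unquoted on both `firewall-cmd` lines, so an argument with whitespace is split into extra options; quote it as `--remove-source="${netaddr}"`. A header comment such as `# Removes the given sources from firewalld's "drop" zone (runtime and permanent); undoes block-add-smtp.sh` would document the pairing between the two scripts.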
diff --git a/block-ip/block-remove-ssh.sh b/block-ip/block-remove-ssh.sh
new file mode 100755 (executable)
index 0000000..9872aa7
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+priorities=(
+misc
+ck
+CenturyLink
+DigitalOcean
+)
+
+function print_usage() {
+    local priorange=$(
+    for key in "${!priorities[@]}"
+    do
+        echo -n "${key}:${priorities[${key}]} "
+    done
+    )
+    echo "Usage: $0 <prio> <netaddr> [<netaddr>...]"
+    echo "  prio=${priorange}"
+}
+
+if [ $# -lt 2 ]
+then
+    print_usage
+    exit 1
+fi
+
+prio=$1
+shift
+if [ -z "${priorities[${prio}]}" ]
+then
+    echo "Error: invalid priority"
+    print_usage
+    exit 2
+fi
+
+while [ $# -gt 0 ]
+do
+    netaddr=$1
+    shift
+
+    echo "ban ${netaddr}"
+    sudo firewall-cmd --direct --remove-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+    sudo firewall-cmd --permanent --direct --remove-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+done
+
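Review bot: The echo inside the loop prints `ban ${netaddr}` although this script removes rules; change it to `echo "unban ${netaddr}"`. A `--remove-rule` only matches when priority and rule arguments are identical to what was added, so the two `firewall-cmd` lines must stay byte-for-byte in step with block-add-ssh.sh (if that script ever gains a `-j DROP` target, this one needs it too, or the removal fails and the rule stays); a comment above them saying `# must mirror the rule syntax in block-add-ssh.sh exactly` would save the next editor a surprise. The `[ -z "${priorities[${prio}]}" ]` check shares the weakness that bash evaluates the subscript arithmetically, so `-1` and non-numeric words pass; `[[ "${prio}" =~ ^[0-9]+$ ]] && (( prio < ${#priorities[@]} ))` pins it to an in-range index. Quote `"${prio}"` and `"${netaddr}"` on the two `firewall-cmd` lines as well.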
diff --git a/block-ip/block-show-all.sh b/block-ip/block-show-all.sh
new file mode 100755 (executable)
index 0000000..289f9d1
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+echo @@@ firewall-cmd --list-rich-rules
+sudo firewall-cmd --list-rich-rules
+echo
+
+echo @@@ firewall-cmd --list-rich-rules --permanent
+sudo firewall-cmd --list-rich-rules --permanent
+echo
+
+echo @@@ firewall-cmd --get-active-zones
+sudo firewall-cmd --get-active-zones
+echo
+
+echo @@@ firewall-cmd --direct --get-all-chains
+sudo firewall-cmd --direct --get-all-chains
+echo
+
+echo @@@ firewall-cmd --direct --get-all-rules
+sudo firewall-cmd --direct --get-all-rules
+echo
+
+echo @@@ firewall-cmd --direct --get-all-rules --permanent
+sudo firewall-cmd --direct --get-all-rules --permanent
+
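Review bot: `firewall-cmd --list-rich-rules` on the first two command lines is called without `--zone`, which reports only the default zone, so rich rules in any other active zone are missing from this "all" view even though the `--get-active-zones` call further down may list several. Wrapping the two list calls in a loop over the zones, e.g. `for z in $(sudo firewall-cmd --get-active-zones | grep -v '^ ')` and passing `--zone="$z"`, or at least a comment `# default zone only; pass --zone=<name> for the others` would make the output match the script's name. The `drop` zone sources that block-add-smtp.sh manages are also not shown here, only in block-show-smtp.sh; a header comment pointing there would help.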
diff --git a/block-ip/block-show-smtp.sh b/block-ip/block-show-smtp.sh
new file mode 100755 (executable)
index 0000000..d97aeff
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo @@@ firewall-cmd --zone=drop --list-sources
+sudo firewall-cmd --zone=drop --list-sources
diff --git a/block-ip/block-show-ssh.sh b/block-ip/block-show-ssh.sh
new file mode 100755 (executable)
index 0000000..0f21678
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo @@@ firewall-cmd --direct --get-rules ipv4 filter nabium-ssh
+sudo firewall-cmd --direct --get-rules ipv4 filter nabium-ssh
diff --git a/block-ip/block-stat-all.sh b/block-ip/block-stat-all.sh
new file mode 100755 (executable)
index 0000000..d1c9791
--- /dev/null
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+sudo iptables -nvL INPUT
+echo
+
+sudo iptables -nvL INPUT_direct
+echo
+
+sudo iptables -nvL IN_public_deny
+echo
+
+sudo iptables -nvL f2b-recidive
+echo
+
+sudo iptables -nvL INPUT_ZONES_SOURCE
+echo
+
+sudo iptables -nvL nabium-ssh
+
diff --git a/block-ip/block-stat-smtp.sh b/block-ip/block-stat-smtp.sh
new file mode 100755 (executable)
index 0000000..b4e7473
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+sudo iptables -nvL INPUT_ZONES_SOURCE
diff --git a/block-ip/block-stat-ssh.sh b/block-ip/block-stat-ssh.sh
new file mode 100755 (executable)
index 0000000..82afb8a
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+sudo iptables -nvL nabium-ssh
diff --git a/install.sh b/install.sh
new file mode 100755 (executable)
index 0000000..732e043
--- /dev/null
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -euo pipefail
+
+function link_file() {
+    local source="$1"
+    local todir="$(cd "$2" && pwd)"
+    local target="${todir}/$(basename "${source}")"
+
+    if [ -e "${target}" ]
+    then
+        if [ "${target}" -ef "$source" ]
+        then
+            # nop
+            :
+        else
+            # delete and link if forced else error
+            echo "Error: $target exists"
+            exit 10
+        fi
+    else
+        ln -s "${source}" "${target}"
+    fi
+}
+
+bindir="$(cd "$(dirname "$0")" && pwd)"
+
+mkdir -p ~/bin
+
+link_file "${bindir}/block-ip/block-ip.md" ~
+ls -1 "${bindir}"/block-ip/*.sh | while read script
+do
+    link_file "$script" ~/bin
+done
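Review bot: The shebang is `#!/bin/sh` but the body depends on bash (`set -o pipefail`, the `function` keyword, `local`), and on a dash `/bin/sh` the `set -euo pipefail` line itself aborts with an illegal-option error before anything runs; change line 1 to `#!/bin/bash`, which the other scripts already use. The `ls -1 … | while read script` loop parses `ls` output and runs `link_file` in a pipeline subshell, so its `exit 10` ends only that subshell and the script stops only because `set -e` sees the pipeline status; `for script in "${bindir}"/block-ip/*.sh; do link_file "$script" ~/bin; done` avoids both. The comment `# delete and link if forced else error` promises a force mode that does not exist, so either drop the "if forced" wording or add the option. Since the entries installed in `~/bin` are symlinks into this checkout, whoever can write to the repository directory controls scripts the operator later runs with `sudo`; a header comment stating that the checkout must remain owned by the operator and not group/world-writable would record that assumption.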