From: Hisataka Kasuga
Date: Tue, 12 Jan 2021 20:26:20 +0000 (+0900)
Subject: Added block-ip scripts.
X-Git-Url: https://git.nabium.net/?a=commitdiff_plain;h=b5a2c5d390e99587cf2eea3918d1de23d91ce742;p=admin-script.git
Added block-ip scripts.
--- b5a2c5d390e99587cf2eea3918d1de23d91ce742
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/block-ip/block-add-smtp.sh b/block-ip/block-add-smtp.sh
new file mode 100755
index 0000000..c50a8e9
--- /dev/null
+++ b/block-ip/block-add-smtp.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eu
+
+function print_usage() {
+ echo "Usage: $0 [...]"
+}
+
+if [ $# -lt 1 ]
+then
+ print_usage
+ exit 1
+fi
+
+while [ $# -gt 0 ]
+do
+ netaddr=$1
+ shift
+
+ echo "ban ${netaddr}"
+ sudo firewall-cmd --zone=drop --add-source=${netaddr}
+ sudo firewall-cmd --permanent --zone=drop --add-source=${netaddr}
+done
diff --git a/block-ip/block-add-ssh.sh b/block-ip/block-add-ssh.sh
new file mode 100755
index 0000000..992427b
--- /dev/null
+++ b/block-ip/block-add-ssh.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+priorities=(
+misc
+ck
+CenturyLink
+DigitalOcean
+)
+
+function print_usage() {
+ local priorange=$(
+ for key in "${!priorities[@]}"
+ do
+ echo -n "${key}:${priorities[${key}]} "
+ done
+ )
+ echo "Usage: $0 [...]"
+ echo " prio=${priorange}"
+}
+
+if [ $# -lt 2 ]
+then
+ print_usage
+ exit 1
+fi
+
+prio=$1
+shift
+if [ -z "${priorities[${prio}]}" ]
+then
+ echo "Error: invalid priority"
+ print_usage
+ exit 2
+fi
+
+while [ $# -gt 0 ]
+do
+ netaddr=$1
+ shift
+
+ echo "ban ${netaddr}"
+ sudo firewall-cmd --direct --add-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+done
+
diff --git a/block-ip/block-ip.md b/block-ip/block-ip.md
new file mode 100644
index 0000000..df8c718
--- /dev/null
+++ b/block-ip/block-ip.md
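Review bot: On the two firewall-cmd lines of block-add-smtp.sh, `${netaddr}` is expanded unquoted and nothing checks that the argument looks like an address or CIDR before it is handed to a privileged command, so a stray argument is subjected to word splitting and globbing first and then reaches firewall-cmd as-is. I would quote both expansions, `--add-source="${netaddr}"`, and add a guard at the top of the loop such as `[[ "$netaddr" =~ ^[0-9.]+(/[0-9]+)?$ ]] || { echo "Error: bad address ${netaddr}" >&2; exit 2; }`. The same unquoted expansion and missing check appear in block-add-ssh.sh, block-remove-smtp.sh and block-remove-ssh.sh in this commit. It is also worth a comment that the runtime and permanent commands are not applied atomically: under `set -e` a failure of the second line leaves the runtime rule in place with no permanent counterpart.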
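Review bot: The priority check `if [ -z "${priorities[${prio}]}" ]` in block-add-ssh.sh only rejects out-of-range numbers: bash evaluates an indexed-array subscript as an arithmetic expression, so a non-numeric argument such as a word resolves to index 0, is accepted as `misc`, and the literal word is then passed as the rule priority on the firewall-cmd lines; an empty first argument is a bad-substitution error rather than the usage message. A numeric guard closes this, e.g. `if ! [[ "$prio" =~ ^[0-9]+$ && -n "${priorities[$prio]:-}" ]]`. This script also runs with `set -e` only, while the smtp scripts use `set -eu`; aligning on `set -eu` would make the two consistent. The same check is copied into block-remove-ssh.sh later in this commit.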
@@ -0,0 +1,182 @@
+Banning IPs
+============================================================
+
+ban incl. SNMP
+------------------------------------------------------------
+
+ sudo firewall-cmd --zone=drop --add-source=81.161.63.0/24
+ sudo firewall-cmd --zone=drop --add-source=81.161.63.0/24 --permanent
+
+
+unban
+------------------------------------------------------------
+
+ sudo firewall-cmd --zone=drop --remove-source=81.161.63.0/24
+ sudo firewall-cmd --zone=drop --remove-source=81.161.63.0/24 --permanent
+
+ban access to SSH, for big ISPs
+------------------------------------------------------------
+
+### init
+
+ sudo firewall-cmd --direct --add-chain ipv4 filter nabium-ssh
+ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 ---protocol tcp --dport 22 j nabium-ssh
+
+ sudo firewall-cmd --permanent --direct --add-chain ipv4 filter nabium-ssh
+ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 1 ---protocol tcp --dport 22 j nabium-ssh
+
+
+### ban per network
+
+ sudo firewall-cmd --direct --add-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+
+
+### unban per network
+
+ sudo firewall-cmd --direct --remove-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+ sudo firewall-cmd --permanent --direct --remove-rule ipv4 filter nabium-ssh 1 -s 63.224.0.0/13
+
+
+list banned
+------------------------------------------------------------
+
+ sudo firewall-cmd --direct --get-all-chains
+ sudo firewall-cmd --direct --get-all-rules
+ sudo firewall-cmd --direct --get-all-rules --permanent
+ sudo firewall-cmd --list-rich-rules
+ sudo firewall-cmd --list-rich-rules --permanent
+
+
+### banned by fail2ban JAIL
+
+ sudo firewall-cmd --list-rich-rules --zone=public
+
+### banned by fail2ban recidive
+
+ sudo firewall-cmd --direct --get-rules ipv4 filter INPUT_direct
+ sudo firewall-cmd --direct --get-rules ipv4 filter f2b-recidive
+
+### banned IP incl. SMTP
+
+ sudo firewall-cmd --get-active-zones
+ sudo firewall-cmd --zone=drop --list-sources
+ sudo firewall-cmd --zone=drop --list-sources --permanent
+
+### banned access to SSH
+
+ sudo firewall-cmd --direct --get-rules ipv4 filter nabium-ssh
+
+
+show counters
+------------------------------------------------------------
+
+ sudo iptables -nvL INPUT
+ sudo iptables -nvL INPUT_direct
+ sudo iptables -nvL IN_public_deny
+ sudo iptables -nvL f2b-recidive
+ sudo iptables -nvL INPUT_ZONES_SOURCE
+ sudo iptables -nvL nabium-ssh
+
+
+clear counters
+------------------------------------------------------------
+
+ sudo iptables -nvZL INPUT_ZONES_SOURCE
+ sudo iptables -nvZL nabium-ssh
+
+
+blacklist for SMTP
+------------------------------------------------------------
+
+# Serverion BV
+37.46.150.0/24
+# RACKWEB-NET
+78.128.113.0/24
+# VietServer
+103.207.38.234
+# Internet-Hosting
+212.70.149.0/24
+
+
+blacklist for SSH
+------------------------------------------------------------
+
+### misc priority=0
+
+# xweb-ltd
+81.161.63.0/24
+# xweb-ltd
+185.202.1.0/24
+
+
+### China/Korea priority=1
+
+# China Telecom
+14.16.0.0/12
+# Shenzhen Tencent
+49.232.0.0/14
+# Baidu
+106.12.0.0/15
+# Korea Telecom
+175.192.0.0/11
+# Shenzhen Tencent
+106.52.0.0/14
+# China Mobile
+111.0.0.0/10
+# Shenzhen Tencent
+111.229.0.0/16
+# Taizhou SHI TONG
+180.188.16.0/20
+# China Telecom
+218.22.0.0/15
+
+
+### CenturyLink priority=2
+
+63.152.0.0/13
+63.224.0.0/13
+65.40.0.0/15
+65.100.0.0/14
+65.128.0.0/11
+67.0.0.0/13
+67.40.0.0/15
+67.42.0.0/16
+67.232.0.0/13
+70.56.0.0/14
+71.0.0.0/14
+71.32.0.0/13
+71.48.0.0/13
+71.208.0.0/12
+72.160.0.0/15
+75.120.0.0/15
+75.160.0.0/12
+76.0.0.0/13
+97.112.0.0/12
+98.125.0.0/16
+99.194.0.0/15
+144.163.0.0/16
+162.104.0.0/16
+173.202.0.0/16
+174.16.0.0/12
+174.124.0.0/15
+184.0.0.0/13
+184.96.0.0/13
+184.156.0.0/14
+207.118.0.0/15
+216.160.0.0/15
+
+
+### DigitalOcean priority=3
+
+46.101.80.0/20
+104.248.0.0/16
+139.59.0.0/16
+142.93.0.0/16
+159.65.0.0/16
+161.35.0.0/16
+165.227.0.0/16
+167.99.0.0/16
+188.166.0.0/17
+206.189.0.0/16
+
diff --git a/block-ip/block-remove-smtp.sh b/block-ip/block-remove-smtp.sh
new file mode 100755
index 0000000..df3f36e
--- /dev/null
+++ b/block-ip/block-remove-smtp.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eu
+
+function print_usage() {
+ echo "Usage: $0 [...]"
+}
+
+if [ $# -lt 1 ]
+then
+ print_usage
+ exit 1
+fi
+
+while [ $# -gt 0 ]
+do
+ netaddr=$1
+ shift
+
+ echo "ban ${netaddr}"
+ sudo firewall-cmd --zone=drop --remove-source=${netaddr}
+ sudo firewall-cmd --permanent --zone=drop --remove-source=${netaddr}
+done
diff --git a/block-ip/block-remove-ssh.sh b/block-ip/block-remove-ssh.sh
new file mode 100755
index 0000000..9872aa7
--- /dev/null
+++ b/block-ip/block-remove-ssh.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+priorities=(
+misc
+ck
+CenturyLink
+DigitalOcean
+)
+
+function print_usage() {
+ local priorange=$(
+ for key in "${!priorities[@]}"
+ do
+ echo -n "${key}:${priorities[${key}]} "
+ done
+ )
+ echo "Usage: $0 [...]"
+ echo " prio=${priorange}"
+}
+
+if [ $# -lt 2 ]
+then
+ print_usage
+ exit 1
+fi
+
+prio=$1
+shift
+if [ -z "${priorities[${prio}]}" ]
+then
+ echo "Error: invalid priority"
+ print_usage
+ exit 2
+fi
+
+while [ $# -gt 0 ]
+do
+ netaddr=$1
+ shift
+
+ echo "ban ${netaddr}"
+ sudo firewall-cmd --direct --remove-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+ sudo firewall-cmd --permanent --direct --remove-rule ipv4 filter nabium-ssh ${prio} -s ${netaddr}
+done
+
diff --git a/block-ip/block-show-all.sh b/block-ip/block-show-all.sh
new file mode 100755
index 0000000..289f9d1
--- /dev/null
+++ b/block-ip/block-show-all.sh
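Review bot: The progress line `echo "ban ${netaddr}"` in block-remove-smtp.sh was carried over from block-add-smtp.sh, but this script removes the source from the drop zone, so the operator log reads the opposite of what happened; it should be `echo "unban ${netaddr}"`. block-remove-ssh.sh, the next hunk in this commit, has the same copied message before its `--remove-rule` lines. Since these scripts are the audit trail of who unblocked what, I would also send the line to stdout with the address quoted as it is here and keep the wording consistent between the add and remove pair.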
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+echo @@@ firewall-cmd --list-rich-rules
+sudo firewall-cmd --list-rich-rules
+echo
+
+echo @@@ firewall-cmd --list-rich-rules --permanent
+sudo firewall-cmd --list-rich-rules --permanent
+echo
+
+echo @@@ firewall-cmd --get-active-zones
+sudo firewall-cmd --get-active-zones
+echo
+
+echo @@@ firewall-cmd --direct --get-all-chains
+sudo firewall-cmd --direct --get-all-chains
+echo
+
+echo @@@ firewall-cmd --direct --get-all-rules
+sudo firewall-cmd --direct --get-all-rules
+echo
+
+echo @@@ firewall-cmd --direct --get-all-rules --permanent
+sudo firewall-cmd --direct --get-all-rules --permanent
+
diff --git a/block-ip/block-show-smtp.sh b/block-ip/block-show-smtp.sh
new file mode 100755
index 0000000..d97aeff
--- /dev/null
+++ b/block-ip/block-show-smtp.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo @@@ firewall-cmd --zone=drop --list-sources
+sudo firewall-cmd --zone=drop --list-sources
diff --git a/block-ip/block-show-ssh.sh b/block-ip/block-show-ssh.sh
new file mode 100755
index 0000000..0f21678
--- /dev/null
+++ b/block-ip/block-show-ssh.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo @@@ firewall-cmd --direct --get-rules ipv4 filter nabium-ssh
+sudo firewall-cmd --direct --get-rules ipv4 filter nabium-ssh
diff --git a/block-ip/block-stat-all.sh b/block-ip/block-stat-all.sh
new file mode 100755
index 0000000..d1c9791
--- /dev/null
+++ b/block-ip/block-stat-all.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+sudo iptables -nvL INPUT
+echo
+
+sudo iptables -nvL INPUT_direct
+echo
+
+sudo iptables -nvL IN_public_deny
+echo
+
+sudo iptables -nvL f2b-recidive
+echo
+
+sudo iptables -nvL INPUT_ZONES_SOURCE
+echo
+
+sudo iptables -nvL nabium-ssh
+
diff --git a/block-ip/block-stat-smtp.sh b/block-ip/block-stat-smtp.sh
new file mode 100755
index 0000000..b4e7473
--- /dev/null
+++ b/block-ip/block-stat-smtp.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+sudo iptables -nvL INPUT_ZONES_SOURCE
diff --git a/block-ip/block-stat-ssh.sh b/block-ip/block-stat-ssh.sh
new file mode 100755
index 0000000..82afb8a
--- /dev/null
+++ b/block-ip/block-stat-ssh.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+sudo iptables -nvL nabium-ssh
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..732e043
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -euo pipefail
+
+function link_file() {
+ local source="$1"
+ local todir="$(cd "$2" && pwd)"
+ local target="${todir}/$(basename "${source}")"
+
+ if [ -e "${target}" ]
+ then
+ if [ "${target}" -ef "$source" ]
+ then
+ # nop
+ :
+ else
+ # delete and link if forced else error
+ echo "Error: $target exists"
+ exit 10
+ fi
+ else
+ ln -s "${source}" "${target}"
+ fi
+}
+
+bindir="$(cd "$(dirname "$0")" && pwd)"
+
+mkdir -p ~/bin
+
+link_file "${bindir}/block-ip/block-ip.md" ~
+ls -1 "${bindir}"/block-ip/*.sh | while read script
+do
+ link_file "$script" ~/bin
+done
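Review bot: install.sh declares `#!/bin/sh` but relies on bash-only syntax: the `function link_file()` form, `local`, and `set -o pipefail`, so on a system where /bin/sh is dash the script fails to parse before anything runs; the shebang should be `#!/bin/bash` (or the bashisms removed). The `ls -1 ... | while read script` loop at the bottom parses ls output, uses `read` without `-r`, and runs link_file in a pipeline subshell, so the `exit 10` inside link_file ends only that subshell and the script's own exit status comes from the pipeline; a glob loop avoids all three, `for script in "${bindir}"/block-ip/*.sh; do link_file "$script" ~/bin; done`. The comment `# delete and link if forced else error` describes a force option the script does not have; either drop the "if forced" wording or mark it `# TODO: add a --force flag` so a reader does not look for it.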