-
Notifications
You must be signed in to change notification settings - Fork 16
/
ufw-blocklist-ipsum
111 lines (89 loc) · 3.11 KB
/
ufw-blocklist-ipsum
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/bin/bash
#
# This script will download the latest ipsum IP address list and add the
# addresses to the ufw-blocklist ipset
# Use memory instead of file system to reduce writes to sd card
# todo: better validation of new list, eg is valid IP address
# whitelist to exclude from adding to the set
# install this file into /etc/cron.daily/ufw-blocklist-ipsum
## URL must return a text file with one IP address per line
ipsumurl='https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt'
# reject the new list if there are fewer than minlen number of ip addresses
minlen=1000
ipsetname=ufw-blocklist-ipsum
ipset_exe=/usr/sbin/ipset
logger="/usr/bin/logger -t ${ipsetname}"
## Check if ipsetname exists. exit if not - ie no set to update
ipsetstatus=$("${ipset_exe}" -t list "${ipsetname}" 2>/dev/null )
RET=$?
if [ $RET -ne 0 ]; then
$logger -s "ipset named $ipsetname does not exist. is UFW started? exiting"
exit 1
fi
ipsetcount=$(echo "$ipsetstatus" | grep '^Number of entries:' | cut -d' ' -f4)
$logger "starting update of ${ipsetname} with ${ipsetcount} entries from ${ipsumurl}"
## Download the latest list
rawlist=$(curl -sS -f --compressed "$ipsumurl" 2>/dev/null)
RET=$?
if [ $RET -ne 0 ]; then
$logger -s "curl error code $RET for $ipsumurl"
exit 1
fi
## Read the list into an array
declare -a scrublist
readarray -t scrublist < <(echo "$rawlist")
## Validate the list length
scrublistlen="${#scrublist[@]}"
#echo "length of scrublist array: $scrublistlen"
if [ $scrublistlen -lt $minlen ]; then
$logger -s "$scrublistlen less than $minlen IPs. something must be wrong with $ipsumurl"
exit 1
fi
## define a function to validate ip addresses
isvalidip () {
# True=valid IP, false=not valid IP
# use BASH regex matching to reduce forking IO
#echo -n "$i "
# if [[ ! "$i" =~ ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ ]]; then
#if [[ "$i" =~ ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
# echo 'invalid ip address'
return
}
## create a temporary ipset
tmpsetname="$(mktemp -u | cut -f2 -d'.')-tmp"
$ipset_exe -q create "$tmpsetname" hash:net
RET=$?
if [ $RET -ne 0 ]; then
$logger -s "error code $RET creating temporary ipset $tmpsetname"
$ipset_exe -q destroy "$tmpsetname"
exit 1
fi
## loop through each IP address in the scrublist array and add it to the temporary ipset
cnt=0
for i in "${scrublist[@]}"
do
## Validate IP address is correct format
# if not valid ip
# log, cleanup and exit
# fi
# Add that IP to the ipset blocklist
#echo -e "Adding $i to ipset blocklist...\n"
$ipset_exe add "$tmpsetname" $i
cnt=$((cnt+1))
done
## ipset swap FROM-SETNAME TO-SETNAME
## Swap the content of two existing sets
$ipset_exe swap "$tmpsetname" "$ipsetname"
RET=$?
if [ $RET -ne 0 ]; then
$logger -s "error code $RET ipset swapping $tmpsetname to $ipsetname"
$ipset_exe -q destroy "$tmpsetname"
exit 1
fi
$ipset_exe -q destroy "$tmpsetname"
RET=$?
if [ $RET -ne 0 ]; then
$logger -s "error code $RET destroying ipset $tmpsetname"
exit 1
fi
$logger "finished updating $ipsetname. Old entry count: $ipsetcount New count: $cnt of $scrublistlen"