I wrote a script I call ip2route; please feel free to comment, but it obviously needs that ipwhois Python bit.
#!/bin/bash
# ip2route: look up the registered network (CIDR) behind a host or IP with
# ipwhois, then emit a csf.deny line and an ipset add command for the whole
# network rather than the single address.
[ -n "$1" ] || { echo "Usage: $(basename "$0") hostname|ip [ipset]" >&2; exit 1; }
IP=$1
IPSET=${2:-chain_DENY}
# Anything that is only digits and dots is taken as an IPv4 address;
# otherwise resolve the hostname to its first IPv4 address.
[[ $IP =~ ^[0-9.]+$ ]] || IP=$(getent ahosts "$IP" | awk '/STREAM/ {print $1; exit}')
[ -n "$IP" ] || { echo "could not resolve $1" >&2; exit 1; }
ipset create -exist "$IPSET" hash:net comment 2>/dev/null
# Already covered by an entry in the set: nothing to do.
ipset test "$IPSET" "$IP" 2>/dev/null && exit 0
JSON=$(ipwhois_cli.py --addr "$IP" --json --disallow_permutations 2>/dev/null)
[ -n "$JSON" ] || { echo "ipwhois lookup failed for $IP" >&2; exit 1; }
# jq -r prints raw strings, so no sed is needed to strip quotes;
# .objects[.entities[0]] indexes the object map with the first entity handle.
NAME=$(jq -r '(.objects[.entities[0]].contact.name)? // empty' <<<"$JSON")
CIDR=$(jq -r '.network.cidr // empty' <<<"$JSON")
CCODE=$(jq -r '.asn_country_code // empty' <<<"$JSON")
NETNAME=$(jq -r '.network.name // empty' <<<"$JSON")
REGISTRY=$(jq -r '.asn_registry // empty' <<<"$JSON")
[ -n "$CIDR" ] || { echo "no network CIDR returned for $IP" >&2; exit 1; }
# for csf
echo "$CIDR # $CCODE $REGISTRY $NAME $NETNAME" >> /etc/csf/csf.deny
# for whatever: prints the ipset command rather than running it, so it can be reviewed or piped
echo "ipset -exist add $IPSET $CIDR comment \"$CCODE $REGISTRY $NETNAME $NAME\""
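As an added example (not code from any message in this thread), here is a shell sanity check that addresses the caveat in Dick Ollett's quoted reply below about banning the whole of Comcast because of one rogue host. It extracts banned addresses from constructed sample fail2ban log lines with a regex instead of a fixed field position, and before a whois-derived prefix is added to a deny list it verifies that the prefix really contains the banned IP and is not broader than an assumed policy limit (MIN_PREFIX_LEN, /16 here, which is my assumption and not a value from the thread). The sample log lines are constructed for the example.

```shell
#!/bin/bash
# Constructed sample of fail2ban lines as they appear in /var/log/messages.
# Note the double space after "Apr" for a single-digit day: that shifts the
# whitespace-separated field of the IP, which is why a regex is used instead.
SAMPLE_LOG='Apr 17 16:41:00 host fail2ban.actions[1234]: NOTICE [sshd] Ban 203.0.113.7
Apr  7 03:12:45 host fail2ban.actions[1234]: NOTICE [sshd] Ban 198.51.100.23
Apr  7 03:22:45 host fail2ban.actions[1234]: NOTICE [sshd] Unban 198.51.100.23
Apr 17 16:50:00 host fail2ban.actions[1234]: NOTICE [postfix] Ban 203.0.113.99'

# Print the banned IPv4 addresses, one per line ("Unban" lines do not match
# because the pattern is anchored on a capital-B "Ban" preceded by a space).
banned_ips() {
    printf '%s\n' "$1" | grep -oE ' Ban [0-9]+(\.[0-9]+){3}$' | awk '{print $2}'
}

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 (an IP) lies inside $2 (a CIDR), else 1.
ip_in_cidr() {
    local net=${2%/*} len=${2#*/} mask
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Assumed policy knob: never ban anything broader than a /16, so one rogue
# host cannot take a whole ISP offline.
MIN_PREFIX_LEN=16

# prefix_ok <ip> <cidr>: the prefix must contain the IP and be at least
# MIN_PREFIX_LEN bits long.
prefix_ok() {
    local len=${2#*/}
    [ "$len" -ge "$MIN_PREFIX_LEN" ] || return 1
    ip_in_cidr "$1" "$2"
}

# Demo on the constructed sample with two candidate prefixes per address.
for ip in $(banned_ips "$SAMPLE_LOG"); do
    for cidr in 203.0.113.0/24 203.0.0.0/8; do
        if prefix_ok "$ip" "$cidr"; then
            echo "$ip: $cidr acceptable"
        else
            echo "$ip: $cidr rejected"
        fi
    done
done
```

In the ip2route flow above the check would sit between the ipwhois lookup and the csf.deny / ipset output: if `prefix_ok "$IP" "$CIDR"` fails, fall back to banning the single address rather than the returned network.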
On Mon, Apr 17, 2017 at 4:41 PM, Anthony Giggins <se...@seven.dorksville.net
> wrote:
> I wrote a shell script to permanently ban entire CIDRs if they have been
> blocked more than twice in a 5-week period.
>
> #!/bin/bash
> # Collect every address fail2ban has banned (from all rotated messages logs),
> # resolve each to its BGP prefix via Team Cymru's bulk whois, and permanently
> # DROP any prefix that shows up at least twice.
> {
> echo "begin"
> echo "prefix"
> echo "noheader"
> echo "noasname"
> # Pull the banned IP out of the fail2ban "Ban <ip>" line instead of relying on
> # a fixed whitespace field (single-digit days shift the fields). -h drops the
> # filename prefix grep adds when the glob matches several files.
> grep -h 'Ban ' /var/log/messages* | grep -oE 'Ban [0-9]+(\.[0-9]+){3}' | awk '{print $2}' | sort
> echo "end"
> } > ipban.txt
> # Field 3 of the Cymru response is the BGP prefix; keep only lines that look
> # like one, which also drops the "Bulk mode" banner line.
> nc whois.cymru.com 43 < ipban.txt | cut -d'|' -f3 | tr -d " " | grep -E '^[0-9.]+/[0-9]+$' | sort > routeban.txt
>
> echo "Duplicates"
> # uniq -d needs sorted input and prints each prefix that occurs at least twice
> uniq -d routeban.txt > duplicates.txt
>
> cp -fp /etc/sysconfig/iptables /etc/sysconfig/iptables.new
> CHANGED=0
> while read -r repeat
> do
> # -F matches the prefix literally so the dots are not regex wildcards
> if ! grep -qF -- "${repeat}" /etc/sysconfig/iptables.new ; then
> # Insert the DROP rule above the marker comment "# -A INPUT -s -j DROP",
> # which must already exist in the iptables file.
> awk -v ip="$repeat" '/# -A INPUT -s -j DROP/{print "-A INPUT -s "ip" -j DROP"}1' /etc/sysconfig/iptables.new > /etc/sysconfig/iptables.tmp && mv /etc/sysconfig/iptables.tmp /etc/sysconfig/iptables.new
> echo "${repeat} - Route banned"
> CHANGED=1
> else
> echo "${repeat} - Route already banned"
> fi
> done < duplicates.txt
> # Only rotate the rules file and reload iptables when a rule was actually added
> if [ "$CHANGED" = "1" ] ; then
> datetime=$(date +"%m-%d-%Y-%H-%M")
> mv /etc/sysconfig/iptables /etc/sysconfig/iptables.bak${datetime}
> mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
> /sbin/service iptables restart
> else
> rm -f /etc/sysconfig/iptables.new
> fi
>
> Feel free to utilise it; I run this in a cron every 5 minutes.
>
> Cheers,
>
> Anthony
>
> On 15 April 2017 at 11:25, Dick Ollett <d...@ollett.com> wrote:
>
>> The Python code will return the underlying CIDR of the IP (a la whois, but it
>> consolidates all the authorities, including LACNIC); ipset is lightning
>> fast. Be careful though: you maybe don't want to ban the whole of Comcast
>> because of one rogue.
>>
>> On Apr 14, 2017 6:17 PM, "HTDNET" <htd...@htd.net> wrote:
>>
>>> One of the issues I see is that the block list gets way too large, creating a
>>> delay in scanning the list, thus we see lots of "already banned" actions.
>>> Consolidating the list may allow it to run faster? Is this the problem you
>>> are trying to resolve?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users