Here is mine

#! /usr/bin/python3

import ipaddress
import sqlite3
import xml.etree.ElementTree as ET
from pathlib import Path

from jinja2 import Template

# Everything this script reads or writes is located somewhere below ./roles.
_roles = Path('./roles')

# In-memory collection of every banned address / CIDR block gathered below.
masters = set()

# rglob() hands back lazy iterators, so each of these can be walked once.
# Note that the 'cidr*.txt' pattern also matches 'cidr-master.txt'.
cidrs = _roles.rglob('cidr*.txt')
drop_xml = _roles.rglob('drop.xml')
cidr_master = _roles.rglob('cidr-master.txt')
fail2ban_sqlite3 = _roles.rglob('fail2ban.sqlite3')

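# Collect the banned addresses from every fail2ban database found under
# ./roles and add them to the in-memory master set.  Any database whose
# path contains 'house' (anywhere in the path, not just the role name) is
# skipped.
# NOTE(review): the bans table presumably still holds bans that have
# expired but were not purged yet; every row read here ends up as a DROP
# source - confirm that is intended.
for each_sqlite3 in fail2ban_sqlite3:
    if 'house' in str(each_sqlite3):
        continue
    con = sqlite3.connect(each_sqlite3)
    try:
        # Fixed statement, nothing is interpolated into the SQL text.
        fail2ban_ips = con.execute('select ip from bans').fetchall()
    finally:
        # Release the database handle even when the query raises
        # (for example when the file has no bans table).
        con.close()
    for each in fail2ban_ips:
        masters.add(each[0])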

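# Consolidate the individual files from
# https://www.ip2location.com/free/visitor-blocker into the in-memory
# master set.
for each_cidr in cidrs:
    with open(each_cidr, 'r') as by_cidr:
        for lines in by_cidr:
            entry = lines.strip()
            # Skip comment lines and blank lines.  Without the blank-line
            # check an empty string lands in masters and is later written
            # out as a source with an empty address.
            if not entry or entry.startswith('#'):
                continue
            masters.add(entry)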

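# Parse every existing drop.xml zone file (paths containing 'house' are
# skipped) and add the addresses of its active sources to masters.
for each_drop in drop_xml:
    if 'house' in str(each_drop):
        continue
    each_drop_xml = ET.parse(each_drop)
    zone = each_drop_xml.getroot()
    sources = zone.findall('source')
    for source in sources:
        # A firewalld <source> element may carry mac= or ipset= instead of
        # address=; indexing attrib['address'] directly would abort the
        # whole run with a KeyError on such an entry.
        address = source.attrib.get('address')
        if address:
            masters.add(address)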

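# Build the new drop.xml file for every role whose path contains 'house'.
#
# The values in masters come from fail2ban databases, downloaded CIDR lists
# and other zone files, so they are treated as untrusted here: each one must
# parse as an IP address or network, and the |e filter XML-escapes it so it
# cannot break out of the address attribute.  (Parsing alone is not enough:
# an IPv6 scope id may contain arbitrary characters.)
t = Template('  <source address="{{ ip_ban | e }}" />')
zone_header = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<zone target="DROP">\n'
    '  <short>Drop</short>\n'
    '  <description>Unsolicited incoming network packets are dropped. '
    'Incoming packets that are related to outgoing network connections '
    'are accepted. Outgoing network connections are allowed.</description>'
)
drop_out = Path('./roles').rglob('drop.xml')
for each_drop_out in drop_out:
    if 'house' not in str(each_drop_out):
        continue
    # The header declares utf-8, so write the file in that encoding.
    with open(each_drop_out, 'w', encoding='utf-8') as drop_xml_out:
        print(zone_header, file=drop_xml_out)
        # Sorted so that two runs over the same data give an identical,
        # diffable zone file.
        for ip_masters in sorted(masters, key=str):
            try:
                if not isinstance(ip_masters, str):
                    raise ValueError(ip_masters)
                # strict=False accepts CIDR blocks with host bits set.
                ipaddress.ip_network(ip_masters, strict=False)
            except ValueError:
                # Leave the entry out of the firewall zone, but say so.
                print(f'skipping invalid entry {ip_masters!r}')
                continue
            print(t.render(ip_ban=ip_masters), file=drop_xml_out)
        print('</zone>', file=drop_xml_out)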

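# Write everything from the master set to each cidr-master.txt file.
# NOTE(review): the file is opened in append mode, and cidr-master.txt is
# itself matched by the 'cidr*.txt' pattern read earlier, so entries already
# in the file are appended again on every run - confirm whether 'w' was
# intended.
for cidr_master_out in cidr_master:
    with open(cidr_master_out, 'a') as cidr_master_txt:
        for each_master in masters:
            print(each_master, file=cidr_master_txt)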

On Thu, 2020-04-02 at 08:31 +0100, Nick Howitt wrote:
> On 02/04/2020 02:01, Kenneth Porter wrote:
> > On 4/1/2020 5:44 PM, Harrison Johnson wrote:
> > > This keeps me slightly ahead of the asshats.
> > > 
> > > https://www.ip2location.com/free/visitor-blocker
> > 
> > That's quite cool. With a little work the CIDR format could be 
> > converted to an ipsets file for firewalld or fed directly to its 
> > command line.
> > 
> I use https://ip.ludost.net and load it into ipset with:
> 
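>     ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm mc je gg im"
>     # Request the selected countries as CIDR prefixes, drop the comment
>     # lines and add every remaining prefix to the temporary set.
>     curl -s -d country=1 --data-urlencode "country_list=$ISO" \
>          -d format_template=prefix https://ip.ludost.net/cgi/process |
>         grep -v '^#' | while read -r line
>     do
>          # Quoted so a downloaded line is always passed to ipset as one
>          # argument and is never word-split or glob-expanded.
>          ipset -A -exist country-list-temp "$line"
>     done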
> 
> The list downloaded is already in CIDR format and has been
> consolidated 
> to the minimum number of subnets.
> 
> The fuller script reads:
> 
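>     #!/bin/bash
> 
>     # A list of the ISO country codes can be found at
>     # http://en.wikipedia.org/wiki/ISO_3166-1
>     # Countries are case insensitive for this script
> 
>     ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm mc je gg im"
>     MAXELEM=131072
> 
>     # Load the ip_set kernel module if lsmod does not list it yet
>     if ! lsmod | grep -q ip_set; then
>          modprobe ip_set
>     fi
> 
>     # Destroy country-list-temp in case it exists and is populated
>     ipset destroy -q country-list-temp
> 
>     # Make sure the new lists exist
>     ipset create country-list nethash maxelem "$MAXELEM" -exist
>     ipset create country-list-temp nethash maxelem "$MAXELEM" -exist
> 
>     # Load the country list into the temporary set; the live set is not
>     # touched until the size check below has passed
>     curl -s -d country=1 --data-urlencode "country_list=$ISO" \
>          -d format_template=prefix https://ip.ludost.net/cgi/process |
>         grep -v '^#' | while read -r line
>     do
>          # Quoted so a downloaded line is always passed to ipset as one
>          # argument and is never word-split or glob-expanded
>          ipset -A -exist country-list-temp "$line"
>     done
> 
>     # 7 lines or fewer is treated as "nothing was loaded" (presumably the
>     # header lines that ipset list prints for an empty set)
>     if [ "$(ipset list country-list-temp | wc -l)" -le 7 ]; then
>          logger -t country-list "Update failed"
>          echo 'Country List Update failed' | mail -s 'Country List Update failed' m...@example.co.uk
>          ipset destroy -q country-list-temp
>          # Non-zero status so cron or a wrapper script can see the failure
>          exit 1
>     fi
> 
>     # Make the temp list current
>     ipset swap country-list country-list-temp
> 
>     # Destroy the (now old) temp list
>     ipset destroy -q country-list-temp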
> 
> 
> If you have a big list, possibly increase MAXELEM to 524288
> 
> 
> 
