Here is mine:
#! /usr/bin/python3
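import contextlib
import ipaddress
import sqlite3
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import quoteattr

# Directory tree (one sub-directory per role) holding every input list and the
# generated output files.
ROLES_DIR = Path('./roles')
# Paths containing this substring belong to the role that *receives* the merged
# list; every other role is an input source.  It is a plain substring test on
# the whole path, so a parent directory whose name contains it matches too.
OUTPUT_MARKER = 'house'

# Fixed prologue of the generated firewalld zone file.
DROP_XML_HEADER = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<zone target="DROP">\n'
    '  <short>Drop</short>\n'
    '  <description>Unsolicited incoming network packets are dropped. '
    'Incoming packets that are related to outgoing network connections are '
    'accepted. Outgoing network connections are allowed.</description>'
)


def is_network(entry: str) -> bool:
    """Return True when *entry* parses as an IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return True


def add_entry(masters: set[str], entry, origin: str) -> bool:
    """Add one candidate address/network to *masters*.

    Blank or NULL entries are ignored.  Anything that does not parse as an
    address or network is reported on stderr and skipped, so an odd row in a
    ban database or list file can never reach the generated zone XML or the
    master list.  Returns True when the entry was added.
    """
    if entry is None:
        return False
    entry = str(entry).strip()
    if not entry:
        return False
    if not is_network(entry):
        print('skipping non-address entry %r from %s' % (entry, origin),
              file=sys.stderr)
        return False
    masters.add(entry)
    return True


def fail2ban_bans(db_path: Path) -> list:
    """Return the ``ip`` column of every row in the ``bans`` table of *db_path*.

    NOTE(review): this reads the whole table; fail2ban keeps ban history
    there, not only currently active bans, so every address ever banned ends
    up in the permanent drop list — confirm that is the intent.
    """
    # The file is a copy kept under the roles tree, not the live fail2ban
    # database; nothing is written to it.
    with contextlib.closing(sqlite3.connect(str(db_path))) as con:
        return [row[0] for row in con.execute('select ip from bans')]


def cidr_file_entries(path: Path) -> list:
    """Return the stripped, non-blank, non-comment (``#``) lines of a list file."""
    with open(path, 'r', encoding='utf-8', errors='replace') as fh:
        stripped = (line.strip() for line in fh)
        return [line for line in stripped if line and not line.startswith('#')]


def drop_xml_sources(path: Path) -> list:
    """Return the ``address`` of every ``<source>`` in a firewalld zone file.

    Sources carrying no ``address`` attribute (e.g. mac/ipset based ones) are
    skipped instead of raising KeyError.
    """
    root = ET.parse(path).getroot()
    return [src.attrib['address'] for src in root.findall('source')
            if 'address' in src.attrib]


def _network_sort_key(entry: str):
    """Sort key: IPv4 before IPv6, numeric order within a family, junk last."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return (99, entry)
    return (net.version, net)


def sorted_entries(masters: set[str]) -> list:
    """Return *masters* in a stable order (set iteration order changes between runs)."""
    return sorted(masters, key=_network_sort_key)


def write_drop_xml(path: Path, masters: set[str]) -> None:
    """Overwrite *path* with a firewalld DROP zone listing *masters* as <source> entries."""
    with open(path, 'w', encoding='utf-8') as out:
        print(DROP_XML_HEADER, file=out)
        for entry in sorted_entries(masters):
            # quoteattr quotes *and* escapes the value, so the file stays
            # well-formed whatever characters the entry contains.
            print('  <source address=' + quoteattr(entry) + ' />', file=out)
        print('</zone>', file=out)


def write_cidr_master(path: Path, masters: set[str]) -> None:
    """Overwrite *path* with one entry of *masters* per line.

    The file is rewritten, not appended to: it is itself matched by the
    ``cidr*.txt`` input glob, so its previous content is already part of
    *masters* and appending would duplicate every line on each run.
    """
    with open(path, 'w', encoding='utf-8') as out:
        for entry in sorted_entries(masters):
            print(entry, file=out)


def main(roles_dir: Path = ROLES_DIR, output_marker: str = OUTPUT_MARKER) -> set[str]:
    """Merge every ban source under *roles_dir* and rewrite the output files.

    Inputs: ``fail2ban.sqlite3`` databases and ``drop.xml`` zones of every
    role whose path does not contain *output_marker*, plus every ``cidr*.txt``
    file (which includes the previous ``cidr-master.txt``).  Outputs: the
    ``drop.xml`` of the role whose path contains *output_marker*, and every
    ``cidr-master.txt`` found.  Returns the merged set of entries.
    """
    roles_dir = Path(roles_dir)
    masters: set[str] = set()

    # 1. Bans recorded by fail2ban on the input hosts.
    for db_path in roles_dir.rglob('fail2ban.sqlite3'):
        if output_marker not in str(db_path):
            for ip in fail2ban_bans(db_path):
                add_entry(masters, ip, str(db_path))

    # 2. CIDR lists from https://www.ip2location.com/free/visitor-blocker and
    #    the previous cidr-master.txt, which the same glob matches.
    for cidr_path in roles_dir.rglob('cidr*.txt'):
        for line in cidr_file_entries(cidr_path):
            add_entry(masters, line, str(cidr_path))

    # 3. Sources already present in the input roles' drop zones.
    for zone_path in roles_dir.rglob('drop.xml'):
        if output_marker not in str(zone_path):
            for address in drop_xml_sources(zone_path):
                add_entry(masters, address, str(zone_path))

    # 4. Write the output role's zone file and every master list.
    for zone_path in roles_dir.rglob('drop.xml'):
        if output_marker in str(zone_path):
            write_drop_xml(zone_path, masters)
    for master_path in roles_dir.rglob('cidr-master.txt'):
        write_cidr_master(master_path, masters)
    return masters


if __name__ == '__main__':
    main()

# ---------------------------------------------------------------------------
# The quoted thread below followed the script in the original message (it is
# not part of the script); it is reproduced here with its line breaks restored.
#
# On Thu, 2020-04-02 at 08:31 +0100, Nick Howitt wrote:
# > On 02/04/2020 02:01, Kenneth Porter wrote:
# > > On 4/1/2020 5:44 PM, Harrison Johnson wrote:
# > > > This keeps me slightly ahead of the asshats.
# > > >
# > > > https://www.ip2location.com/free/visitor-blocker
# > >
# > > That's quite cool. With a little work the CIDR format could be
# > > converted to an ipsets file for firewalld or fed directly to its
# > > command line.
# > >
# > I use https://ip.ludost.net and load it into ipset with:
# >
# > ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm
# > mc
# > je gg im"
# > curl -s -d country=1 --data-urlencode "country_list=$ISO" -d
# > format_template=prefix https://ip.ludost.net/cgi/process | grep
# > -v
# > ^# | while read -r line
# > do
# > ipset -A -exist country-list-temp $line
# > done
# >
# > The list downloaded is already in CIDR format and has been
# > consolidated
# > to the minimum number of subnets.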
>
> The fuller script reads:
>
> #!/bin/bash
>
> # A list of the ISO country codes can be found at
> http://en.wikipedia.org/wiki/ISO_3166-1
> # Countries are case insensitive for this script
>
> ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm
> mc
> je gg im"
> MAXELEM=131072
>
> if [ "`lsmod | grep ip_set`" = "" ]; then
> modprobe ip_set
> fi
>
> # Destroy country-list-temp in case it exists and is populated
> ipset destroy -q country-list-temp
>
> # Make sure the new lists exist
> ipset create country-list nethash maxelem $MAXELEM -exist
> ipset create country-list-temp nethash maxelem $MAXELEM -exist
>
> # Load the country list
> curl -s -d country=1 --data-urlencode "country_list=$ISO" -d
> format_template=prefix https://ip.ludost.net/cgi/process | grep
> -v
> ^# | while read -r line
> do
> ipset -A -exist country-list-temp $line
> done
>
> if [ $(ipset list country-list-temp | wc -l) -le 7 ]; then
> logger -t country-list "Update failed"
> echo 'Country List Update failed' | mail -s 'Country List
> Update failed' m...@example.co.uk
> ipset destroy -q country-list-temp
> exit
> fi
>
> # Make the temp list current
> ipset swap country-list country-list-temp
>
> # Destroy the (now old) temp list
> ipset destroy -q country-list-temp
>
>
> If you have a big list, possibly increase MAXELEM to 524288
>
>
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users