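#!/bin/bash
# [BASH] Script BAN iptables - ipset V.2
# Script name : Ban/Unban IP with Iptables
# Source: Echo Snippet (Erreur32), https://snippet.echosystem.fr — 09 Nov 2021
#
# Bans / unbans IPv4 targets by adding them to the "Myips" ipset, which is
# expected to be bound to the INPUT chain with:
#   iptables -I INPUT 1 -m set --match-set Myips src -j DROP
#
# Usage: banip.sh [-h|-L|-D|-C|-U|-S|-B|-I] target(s)
#   (none) ban the targets                 -D unban the targets
#   -C     report whether targets are banned
#   -L     list rules and ipsets           -I dump the Myips set
#   -U     check the sets and clean the personal ban log
#   -S     run the external save-all script
#   -B     print the ban list produced by the external apache-log grep
# As in the original flow, targets given together with -I or -U are banned
# as well (they fall through to the ban loop).
#
# Targets are validated (dotted-quad IPv4, optional /prefix) before they reach
# ipset, grep or the ban-log rewrite; anything else is refused.
# Needs the privileges required by ipset/iptables for every action but -h.

readonly ipsetmyips="/var/log/ipset_Myips_ip.txt"
readonly ipsetips="/var/log/ipset_all_ip.txt"
readonly badips="/var/log/banip.log"        # deduplicated copy of $mybadips (written by -L)
readonly mybadips="/var/log/banip_perso.log" # personal ban log, one target per line

### color (tput errors — no TERM, not a tty — are silenced, the text is still printed)
tp() { tput "$@" 2>/dev/null; }
RST=$(tp sgr0)
ORANGE=$(tp setaf 166)
CNoir=$(tp setaf 0)
CRouge=$(tp setaf 1)
Jaune=$(tp setaf 3)
CCyan=$(tp setaf 6)
CBlanc=$(tp setaf 7)
CGris=$(tp setaf 8)
On_Red=$(tp setab 124)
On_Green=$(tp setab 28) # ou 40
# Bold White on red background
CAlert="${CBlanc}${On_Red}"
Cokvb="${CBlanc}${On_Green}"
Cokv="${CNoir}${On_Green}"
Cok="$(tp setaf 2)✔${RST}"
txtred=$(tp setaf 1)
txtyel=$(tp setaf 3)
txtcya=$(tp setaf 6)
txtrst=$RST

#######################################
# Print a message on stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Accept only an IPv4 address, optionally with a /prefix (0-32).
# Arguments: $1 - candidate target
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_target() {
  local t=$1 o
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(/([0-9]{1,2}))?$'
  [[ $t =~ $re ]] || return 1
  # 10# forces decimal: "08" would otherwise be read as an invalid octal.
  for o in "${BASH_REMATCH[@]:1:4}"; do
    (( 10#$o <= 255 )) || return 1
  done
  if [[ -n ${BASH_REMATCH[6]} ]]; then
    (( 10#${BASH_REMATCH[6]} <= 32 )) || return 1
  fi
  return 0
}

#######################################
# Reject and report a non-IP target; returns 0 when the target is usable.
#######################################
target_ok() {
  if ! valid_target "$1"; then
    printf '%s invalid target (IPv4[/prefix] expected): %s %s\n' "$CAlert" "$1" "$RST" >&2
    return 1
  fi
}

#######################################
# Is the target present in the personal ban log?
# -F -w: fixed string, whole word — "1.2.3.4" no longer matches "11.2.3.45".
#######################################
in_log() {
  grep -qFw -- "$1" "$mybadips" 2>/dev/null
}

#######################################
# Remove every line of the ban log that contains the target.
# Rewrites through a temp file so a grep read error can never truncate the log.
#######################################
log_remove() {
  local target=$1 tmp
  tmp=$(mktemp) || return 1
  grep -vFw -- "$target" "$mybadips" > "$tmp"
  if (( $? > 1 )); then   # 1 = nothing left, fine; >1 = grep failed
    rm -f -- "$tmp"
    return 1
  fi
  cat "$tmp" > "$mybadips"  # keep the log's inode and permissions
  rm -f -- "$tmp"
}

#######################################
# Check that an ipset exists and is bound to INPUT.
# Arguments: $1 - set name
#            $2 - "yes" to insert the missing INPUT rule (default: only advise)
# Globals:   FORCE, HASHSIZE, MAXELEM, IPTABLES_IPSET_RULE_NUMBER (read)
# Outputs:   advice on stderr, a "checked" line on stdout
#######################################
ipset_check() {
  local name=$1 auto_add=${2:-no}
  # create the ipset if needed (or abort if does not exists and FORCE=no)
  if ! ipset list -n | grep -qx -- "$name"; then
    if [[ ${FORCE:-no} != yes ]]; then
      echo >&2 "Error: ipset does not exist yet, add it using:"
      echo >&2 "# ipset create $name -exist hash:net family inet hashsize ${HASHSIZE:-16384} maxelem ${MAXELEM:-65536}"
    fi
  fi
  # create the iptables binding if needed (or abort if does not exists and FORCE=no)
  if ! iptables -nvL INPUT | grep -q -- "match-set $name src"; then
    # we may also have assumed that INPUT rule n°1 is about packets statistics (traffic monitoring)
    if [[ ${FORCE:-no} != yes ]]; then
      if [[ $auto_add == yes ]]; then
        echo >&2 "Error: iptables does not have the needed ipset INPUT rule, I will add it:"
        echo >&2 " iptables -I INPUT ${IPTABLES_IPSET_RULE_NUMBER:-1} -m set --match-set $name src -j DROP"
        iptables -I INPUT "${IPTABLES_IPSET_RULE_NUMBER:-1}" -m set --match-set "$name" src -j DROP
      else
        echo >&2 "Error: iptables does not have the needed ipset INPUT rule, add it using:"
        echo >&2 "# iptables -I INPUT ${IPTABLES_IPSET_RULE_NUMBER:-1} -m set --match-set $name src -j DROP"
      fi
    fi
  fi
  printf '%s ipset %s %s %s checked\n' "$Cok" "$CGris" "$name" "$RST"
}

ipset_Myips_check()      { ipset_check Myips; }
ipset_blockip_check()    { ipset_check blockip yes; }
ipset_portsentry_check() { ipset_check portsentry; }

ipset_check_() {
  ipset_Myips_check
  ipset_blockip_check
  #ipset_portsentry_check
}

#######################################
# Save the Myips set, all sets and the iptables rules (not wired to an option).
# The INPUT rule is only inserted when missing (iptables -C), so repeated
# calls no longer stack duplicate rules.
#######################################
save_myips() {
  local stamp
  stamp="${HOSTNAME}_$(date '+%d.%m.%Y')"
  if ! iptables -C INPUT -m set --match-set Myips src -j DROP 2>/dev/null; then
    iptables -I INPUT -m set --match-set Myips src -j DROP || echo "Check iptables:"
  fi
  iptables -nL | grep "match-set Myips"
  printf 'iptables rules for Myips: %s\n' "$Cok"
  ipset save Myips | tail -n +2 > "$ipsetmyips"
  printf ' ipset save Myips > %s\n\n' "$ipsetmyips"
  ipset save | tail -n +2 > "$ipsetips"
  printf ' ipset save > %s\n\n' "$ipsetips"
  # Backup HOME / ipset perso
  # /sbin/ipset -exist create Myips hash:ip hashsize 4096
  /sbin/ipset save > "/home/backup/ipset_save_all_${stamp}.txt"
  /sbin/ipset save Myips > "/home/backup/ipset_Myips_save_${stamp}.txt"
  /sbin/ipset -exist create portsentry hash:ip hashsize 4096
  /sbin/ipset save portsentry > "/home/backup/ipset_portsentry_save_${stamp}.txt"
  /sbin/iptables-save > "/home/backup/iptables-save.${HOSTNAME}-$(date '+%d.%m.%Y')"
  # Backup iptables-persistant reboot
  /sbin/iptables-save > /etc/iptables/rules.v4
  /sbin/ip6tables-save > /etc/iptables/rules.v6
  /usr/sbin/ip6tables-legacy-save > /etc/iptables/rules_legacy.v6
  /sbin/ipset save > /etc/iptables/ipsets
  /usr/sbin/netfilter-persistent save
  # /sbin/ipset -exist create blacklist hash:ip hashsize 4096
}

help() {
  printf '\nSyntax: %s -[L][u] target(s)\n' "$0"
  printf ' %s Parameters come first. Target is expressed as an IP address.%s\n' "$CGris" "$RST"
  printf ' %s No specified parameter will ban the IP.%s\n' "$CGris" "$RST"
  printf ' %s -L %sto list currently banned IPs. %s\n' "$txtyel" "$RST" "$RST"
  printf ' %s -D %sto De/unban IP(s). %s\n' "$txtyel" "$RST" "$RST"
  printf ' %s -C %sCheck if ip is already ban. %s\n' "$txtyel" "$RST" "$RST"
  printf ' %s -U %sCheck Rules & Update ip files & blacklist.%s\n' "$txtyel" "$RST" "$RST"
  printf ' %s -S %sSave all IPs.%s\n' "$txtyel" "$RST" "$RST"
  printf ' %s -B %sBan list %s\n\n' "$txtyel" "$RST" "$RST"
  exit 1
}

#######################################
# -D: remove targets from the Myips set and from the personal ban log.
#######################################
unban_targets() {
  local target
  for target in "$@"; do
    target_ok "$target" || continue
    if ipset -q test Myips "$target"; then
      printf ' IPSET %sMyips %s\n' "$CGris" "$RST"
      printf ' %s IP found (%s) %s\n' "$CRouge" "$target" "$txtrst"
      ipset del Myips "$target" && printf ' %s REMOVED! (%s) %s\n' "$Cokvb" "$target" "$RST"
    else
      printf '\n IPSET : %s(Myips)\n %s No ban IP found or already removed! %s\n' "$CGris" "$Cokvb" "$RST"
    fi
    printf ' Myfile: %s(%s)\n' "$CGris" "$mybadips"
    if in_log "$target"; then
      printf ' %s IP found (%s) %s\n %s REMOVED! (%s) %s\n' "$CRouge" "$target" "$RST" "$Cokvb" "$target" "$RST"
      log_remove "$target" || printf ' %s could not rewrite %s %s\n' "$CAlert" "$mybadips" "$RST" >&2
    else
      printf ' %s (%s) NOT found %s\n\n' "$Cokvb" "$target" "$RST"
    fi
  done
}

#######################################
# -C: report for each target whether it is in Myips, in the ban log and in
# any ipset at all (the "all sets" check is now done per target, not just for
# the last one).
#######################################
check_targets() {
  local target n
  for target in "$@"; do
    target_ok "$target" || continue
    if ipset -q test Myips "$target"; then
      printf ' %s %s IP ALREADY BAN %s \n' "$Cok" "$Cokvb" "$txtrst"
      printf ' %s %s IP FOUND %s %s %s %s on %s Myips %s \n' \
        "$Cok" "$Cokvb" "$RST" "$CAlert" "$target" "$RST" "$Jaune" "$txtrst"
    else
      printf ' %s %s NO IP found %s ipset %sMyips%s\n' "$Cok" "$Cokvb" "$RST" "$CGris" "$RST"
    fi
    n=$(grep -cFw -- "$target" "$mybadips" 2>/dev/null) || n=0
    if (( ${n:-0} > 0 )); then
      printf ' %s %s IP FOUND %s %s %s %s on %s %s %s\n' \
        "$Cok" "$Cokvb" "$RST" "$CAlert" "$n" "$RST" "$Jaune" "$mybadips" "$RST"
    else
      printf ' %s %s NO IP found %s %s (%s%s%s)\n' "$Cok" "$Cokvb" "$RST" "$Cok" "$CGris" "$mybadips" "$RST"
    fi
    n=$(ipset list | grep -cFw -- "$target") || n=0
    if (( ${n:-0} > 0 )); then
      printf ' %s %s IP FOUND %s %s %s %s on ALL ipset list %s\n' \
        "$Cok" "$Cokvb" "$RST" "$CAlert" "$n" "$RST" "$RST"
    else
      printf ' %s %s NO IP found on ipset list %s\n' "$Cok" "$Cokvb" "$RST"
    fi
  done
}

#######################################
# -I: dump the Myips set.
#######################################
show_myips() {
  echo
  printf '%s\n' "$ORANGE"
  date
  printf ' %s\n' "$RST"
  echo
  printf '%s\n##################%s\n' "$CGris" "$RST"
  printf '%s ipset list Myips %s\n\n' "$Cokv" "$RST"
  ipset list Myips
  printf '%s\n############################%s\n' "$CGris" "$RST"
}

#######################################
# -L: refresh $badips, check the sets, show the matching INPUT rules and the
# name/entry count of every ipset (one awk pass instead of one grep|head|tail
# pipeline per set, and no longer limited to the first four sets).
#######################################
list_all() {
  local rules
  echo
  printf '%s\n' "$ORANGE"
  date
  printf ' %s\n' "$RST"
  echo
  awk '{print $1}' "$mybadips" | sort -u > "$badips"
  ipset_check_
  printf '%s\n################%s\n' "$CGris" "$RST"
  printf '%s Rules iptables %s\n' "$Cokv" "$RST"
  printf '%s\n' "$CCyan"
  rules=$(iptables -L INPUT -v -n)
  grep multiport <<<"$rules"
  grep match-set <<<"$rules"
  grep "f2b-" <<<"$rules"
  printf '%s\n################%s\n' "$CGris" "$RST"
  printf '%s ipset list all %s\n\n' "$Cokv" "$RST"
  ipset list -t | awk -v r="$txtrst" -v e="$txtred" \
    '/^Name:/ { printf "%s%s\n", r, $0 } /entries:/ { printf "%s%s\n", e, $0 }'
  printf '%s' "$txtrst"
}

#######################################
# Ban loop: log the target (once — duplicates used to pile up until -U cleaned
# them) and add it to Myips unless it is already there.
#######################################
ban_targets() {
  local target
  for target in "$@"; do
    target_ok "$target" || continue
    in_log "$target" || printf '%s\n' "$target" >> "$mybadips"
    if ipset -q test Myips "$target"; then
      printf '%s IP %s Already Banned! %s --> %s %s\n' "$Cok" "$Cokvb" "$RST" "$target" "$RST"
    else
      # -! == -exist: tolerate a race with another writer of the set
      ipset add Myips "$target" -! && printf '%s IP Banned: %s%s\n' "$Cok" "$target" "$RST"
    fi
    # iptables -I INPUT -m set --match-set Myips src -j DROP
  done
}

#######################################
# -U: check the sets and strip blank lines from the personal ban log.
#######################################
update_lists() {
  printf '\n\n'
  ipset_check_
  printf '\n%sMake clean log (remove blank line) on%s %s\n' "$CGris" "$RST" "$mybadips"
  printf ' Before (%s) lines.\n' "$(wc -l < "$mybadips")"
  sed -i '/^$/d' "$mybadips"
  printf '%s After (%s) lines.\n\n' "$Cok" "$(wc -l < "$mybadips")"
  printf '\n%s Populate Blacklist %s\n' "$txtcya" "$txtrst"
  printf '%s\n\n' "$RST"
}

#######################################
# Run one of the external helper scripts, failing clearly when it is absent.
# Arguments: $1 - script path, $@ - its arguments
#######################################
run_external() {
  local script=$1
  shift
  [[ -x $script ]] || die "$script: not found or not executable"
  "$script" "$@"
}

#######################################
# Refresh the ipset blacklist (not wired to an option in this script).
#######################################
updateblacklist() {
  printf '\n%s Populate Date%s\n' "$txtcya" "$txtrst"
  /etc/ipset-blacklist/update-blacklist.sh /etc/ipset-blacklist/ipset-blacklist.conf
  printf '...%s\n' "$RST"
}

# If no arguments are passed, call the "help" function.
if [[ -z ${1:-} ]]; then
  help
fi

# Define some variables
ACTION="-A"
while getopts "hCDLUSBI" OPTION; do
  case $OPTION in
    h) help ;;
    D|L|I|C|U|S|B) ACTION="-$OPTION" ;;
    \?) help ;;
  esac
done
# shift once, after the loop: shifting inside the arms corrupted OPTIND
shift $((OPTIND - 1))

case $ACTION in
  -D)
    unban_targets "$@"
    exit 1   # exit status kept from the original script
    ;;
  -B)
    # Ban list with /home/tools/SH/secu-apache-ban-grep.sh
    run_external /home/tools/SH/secu-apache-grep-log.sh -i
    exit
    ;;
  -S)
    run_external /home/tools/SH/iptables-save_all.sh
    exit
    ;;
  -C)
    check_targets "$@"
    exit 1   # exit status kept from the original script
    ;;
esac

if [[ $ACTION == "-I" ]]; then
  show_myips
fi

if [[ $ACTION == "-L" ]]; then
  list_all
else
  ban_targets "$@"
fi

if [[ $ACTION == "-U" ]]; then
  update_lists
fi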