#!/bin/bash
# Script name : Ban/Unban IP with Iptables
# iptables -I INPUT 1 -m set --match-set portsentry src -j DROP
# Working files: per-set and full ipset dumps, plus the two ban logs.
ipsetmyips="/var/log/ipset_Myips_ip.txt"
ipsetips="/var/log/ipset_all_ip.txt"
badips="/var/log/banip.log"
mybadips="/var/log/banip_perso.log"
# Initial lookups. ZTARGET is not assigned anywhere above this point, so unless
# the caller exported it the grep pattern is empty; every action branch below
# recomputes both values per target anyway.
ipsetlm=$(ipset list Myips | grep "$ZTARGET")
mylistip=$(grep "$ZTARGET" "$mybadips")
### color (tput sequences; attribute reset first, then foreground, background, composites)
reset=$(tput sgr0)
NC=$reset
NOC=$reset
txtrst=$reset
# foreground
CNoir=$(tput setaf 0)
CRouge=$(tput setaf 1)
CVert=$(tput setaf 2)
Jaune=$(tput setaf 3)
CBeu=$(tput setaf 4)
CRose=$(tput setaf 5)
CCyan=$(tput setaf 6)
CBlanc=$(tput setaf 7)
CGris=$(tput setaf 8)
CFade=$(tput setaf 75)
ORANGE=$(tput setaf 166)
CGris1=$(tput setaf 235)
#GRIS="\e[38;5;8m"
GRIS=$(tput setaf 246)
RED=$CRouge
txtred=$CRouge
GREEN=$CVert
YELLOW=$Jaune
txtyel=$Jaune
PINK=$CRose
BLUE=$CCyan
txtcya=$CCyan
# background
On_Red=$(tput setab 124)
On_Green=$(tput setab 28) # ou 40
# composites
CALERT="${CNoir}${On_Red}" # Bold White on red background
CAlert="${CBlanc}${On_Red}"
Cokvb="${CBlanc}${On_Green}"
Cokv="${CNoir}${On_Green}"
Cokvo="${CBlanc}${On_Green} OK ${reset}"
Cko="${CRouge}X${reset}"
Cok="${CVert}✔${reset}"
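#######################################
# Shared body of the three ipset_*_check functions below.
# Arguments: $1 - ipset name
#            $2 - "auto" to insert the missing iptables rule itself,
#                 anything else to only print the command to run
# Globals:   FORCE, HASHSIZE, MAXELEM, IPTABLES_IPSET_RULE_NUMBER (read)
#            Cok, CGris (read, for the final status line)
# Outputs:   diagnostics on stderr, one "checked" line on stdout
# Returns:   0 (a missing set or rule is reported, never fatal; the exit
#            calls are commented out in the original and stay out so the
#            -L and -U actions keep running after the check)
#######################################
_ipset_check_set() {
  local name=$1
  local rule_mode=${2:-report}
  local rule_number=${IPTABLES_IPSET_RULE_NUMBER:-1}
  # -x: whole-line match, so "Myips" is not reported as present merely
  # because a set named e.g. "Myips2" exists.
  if ! ipset list -n | command grep -qx -- "$name"; then
    if [[ ${FORCE:-no} != yes ]]; then
      echo >&2 "Error: ipset does not exist yet, add it using:"
      echo >&2 "# ipset create $name -exist hash:net family inet hashsize ${HASHSIZE:-16384} maxelem ${MAXELEM:-65536}"
    fi
  fi
  # -w: "match-set <name>" must end on a word boundary (same reason as above).
  if ! iptables -nvL INPUT | command grep -qw -- "match-set $name"; then
    # FORCE=yes silences the report and, for the "auto" mode, also skips the
    # insert; that gate is kept exactly as the original wrote it.
    if [[ ${FORCE:-no} != yes ]]; then
      if [[ $rule_mode == auto ]]; then
        echo >&2 "Error: iptables does not have the needed ipset INPUT rule, I will add it:"
        echo >&2 " iptables -I INPUT $rule_number -m set --match-set $name src -j DROP"
        iptables -I INPUT "$rule_number" -m set --match-set "$name" src -j DROP
      else
        echo >&2 "Error: iptables does not have the needed ipset INPUT rule, add it using:"
        echo >&2 "# iptables -I INPUT $rule_number -m set --match-set $name src -j DROP"
      fi
    fi
  fi
  printf '%s ipset %s %s %s checked\n' "$Cok" "$CGris" "$name" "$(tput sgr0)"
}
# Check the Myips set and its INPUT rule; only reports what is missing.
ipset_Myips_check(){
  _ipset_check_set Myips report
}
# Check the blockip set; inserts the INPUT rule itself when it is missing.
ipset_blockip_check(){
  _ipset_check_set blockip auto
}
# Check the portsentry set and its INPUT rule; only reports what is missing.
ipset_portsentry_check(){
  _ipset_check_set portsentry report
}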
# Run the per-set checks in order; the portsentry check stays disabled.
# Returns the status of the last check that ran.
ipset_check_(){
  local check
  for check in ipset_Myips_check ipset_blockip_check; do
    "$check"
  done
  #ipset_portsentry_check
}
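#######################################
# Dump ipset/iptables state to the log files and /home/backup, then refresh
# the files netfilter-persistent restores at boot.
# Globals:   ipsetmyips, ipsetips, HOSTNAME, Cok (read)
# Outputs:   progress lines on stdout
# Returns:   status of the last command (netfilter-persistent save)
#######################################
save_myips() {
  local stamp
  stamp=$(date "+%d.%m.%Y")
  printf 'iptables rules for Myips: %s\n' "$Cok"
  # tail -n +2 drops the first line of each dump
  ipset save Myips | tail -n +2 > "$ipsetmyips"
  printf ' ipset save Myips > %s\n\n' "$ipsetmyips"
  ipset save | tail -n +2 > "$ipsetips"
  printf ' ipset save > %s\n\n' "$ipsetips"
  # Backup HOME / ipset perso.
  # ${HOSTNAME}_ is braced on purpose: the original "$HOSTNAME_" expanded the
  # (unset) variable HOSTNAME_, so the backup names carried no host at all.
  /sbin/ipset save > "/home/backup/ipset_save_all_${HOSTNAME}_${stamp}.txt"
  /sbin/ipset save Myips > "/home/backup/ipset_Myips_save_${HOSTNAME}_${stamp}.txt"
  /sbin/ipset -exist create portsentry hash:ip hashsize 4096
  /sbin/ipset save portsentry > "/home/backup/ipset_portsentry_save_${HOSTNAME}_${stamp}.txt"
  /sbin/iptables-save > "/home/backup/iptables-save.${HOSTNAME}-${stamp}"
  # Backup iptables-persistant reboot
  /sbin/iptables-save > /etc/iptables/rules.v4
  /sbin/ip6tables-save > /etc/iptables/rules.v6
  /usr/sbin/ip6tables-legacy-save > /etc/iptables/rules_legacy.v6
  /sbin/ipset save > /etc/iptables/ipsets
  /usr/sbin/netfilter-persistent save
  # /sbin/ipset -exist create blacklist hash:ip hashsize 4096
}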
# Print the usage text on stdout and exit with status 1.
# Globals: CGris, txtyel (read)
help() {
  local rst
  rst=$(tput sgr0)
  printf '\nSyntax: %s -[L][u] target(s)\n' "$0"
  printf '%s\n' \
    " ${CGris} Parameters come first. Target is expressed as an IP address.${rst}" \
    " ${CGris} No specified parameter will ban the IP.${rst}" \
    " ${txtyel} -L ${rst}to list currently banned IPs. ${rst}" \
    " ${txtyel} -D ${rst}to De/unban IP(s). ${rst}" \
    " ${txtyel} -C ${rst}Check if ip is already ban. ${rst}" \
    " ${txtyel} -U ${rst}Check Rules & Update ip files & blacklist.${rst}" \
    " ${txtyel} -S ${rst}Save all IPs.${rst}"
  printf '%s\n\n' " ${txtyel} -B ${rst}Ban list ${rst}"
  exit 1
}
#/home/tools/SH/banip.sh $(/home/tools/SH/secu-apache-ban-grep.sh -i)
# If no arguments are passed, call the "help" function.
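if [[ -z ${1-} ]]; then
  help
fi
# Define some variables
ACTION="-A"
# Each flag only selects the action; the positional targets are shifted off
# once, after the loop. The original shifted inside every case arm, which
# desynchronised OPTIND from "$@" as soon as two flags were combined.
while getopts "hCDLUSBI" OPTION; do
  case "$OPTION" in
    h) help ;;
    D) ACTION="-D" ;;
    L) ACTION="-L" ;;
    I) ACTION="-I" ;;
    C) ACTION="-C" ;;
    U) ACTION="-U" ;;
    S) ACTION="-S" ;;
    B) ACTION="-B" ;;
    \?) help ;;
  esac
done
shift $((OPTIND - 1))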
##############################
# Deban ip
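if [[ $ACTION == "-D" ]]; then
  for ZTARGET in "$@"; do
    # Members are compared as whole lines, so "1.2.3.4" is not reported
    # (and deleted) just because "11.2.3.4" is in the set.
    if ipset list Myips | grep -qxF -- "$ZTARGET"; then
      printf ' IPSET %sMyips %s\n' "$CGris" "$(tput sgr0)"
      printf ' %s IP found (%s) %s\n' "$CRouge" "$ZTARGET" "$txtrst"
      ipset del Myips "$ZTARGET"
      printf ' %s REMOVED! (%s) %s\n' "$Cokvb" "$ZTARGET" "$(tput sgr0)"
    else
      printf '\n IPSET : %s(Myips)\n %s No ban IP found or already removed! %s\n' "$CGris" "$Cokvb" "$(tput sgr0)"
    fi
    printf ' Myfile: %s(%s)\n' "$CGris" "$mybadips"
    # The log is keyed by its first field, so compare it as a string instead
    # of handing the target to sed as a regex (there "." matches any byte and
    # "10.0.0.1" also deleted "10.0.0.10"; a "/" in the target broke the
    # s-command delimiter).
    if [[ -n $(awk -v ip="$ZTARGET" '$1 == ip' "$mybadips") ]]; then
      printf ' %s IP found (%s) %s\n %s REMOVED! (%s) %s\n' "$CRouge" "$ZTARGET" "$(tput sgr0)" "$Cokvb" "$ZTARGET" "$(tput sgr0)"
      tmpfile=$(mktemp) || exit 1
      # rewrite in place via cat so the log keeps its owner and mode
      awk -v ip="$ZTARGET" '$1 != ip' "$mybadips" > "$tmpfile" && cat "$tmpfile" > "$mybadips"
      rm -f -- "$tmpfile"
    else
      printf ' %s (%s) NOT found %s\n\n' "$Cokvb" "$ZTARGET" "$(tput sgr0)"
    fi
  done
  # The original exited 1 here even after a successful removal, which made
  # every caller see the unban as failed.
  exit 0
fi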
##############################
# Ban list with /home/tools/SH/secu-apache-ban-grep.sh
if [[ $ACTION == "-B" ]]; then
  # mylistip=$(/home/tools/SH/secu-apache-ban-grep.sh -i)
  mylistip=$(/home/tools/SH/secu-apache-grep-log.sh -i)
  # Left unquoted as in the original: the helper's output is word-split and
  # printed on a single line.
  echo $mylistip
  #iptables -I INPUT 1 -m set --match-set Myips src -j DROP
  exit
fi
##############################
# Save all ip ipset
if [[ $ACTION == "-S" ]]; then
  # Delegates the whole save to the external script; its status is lost
  # because the bare exit below returns the status of the last command (it).
  /home/tools/SH/iptables-save_all.sh
  exit
fi
###############################
# Check if ip is already ban.
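if [[ $ACTION == "-C" ]]; then
  #ipset_Myips_check
  rst=$(tput sgr0)
  for ZTARGET in "$@"; do
    # Whole-line, fixed-string match against the set's member list.
    if ipset list Myips | grep -qxF -- "$ZTARGET"; then
      printf ' %s %s IP ALREADY BAN %s \n' "$Cok" "$Cokvb" "$txtrst"
      printf ' %s %s IP FOUND %s %s %s %s on %s Myips %s \n' "$Cok" "$Cokvb" "$rst" "$CAlert" "$ZTARGET" "$rst" "$Jaune" "$txtrst"
    else
      printf ' %s %s NO IP found %s ipset %sMyips%s\n' "$Cok" "$Cokvb" "$rst" "$CGris" "$rst"
    fi
    # Number of distinct log lines whose first field is the target. The
    # original printed `wc -L` here, i.e. the width of the longest matching
    # line, not a count.
    hits=$(awk -v ip="$ZTARGET" '$1 == ip' "$mybadips" | sort -u | wc -l)
    if (( hits == 0 )); then
      printf ' %s %s NO IP found %s %s (%s%s%s)\n' "$Cok" "$Cokvb" "$rst" "$Cok" "$CGris" "$mybadips" "$rst"
    else
      printf ' %s %s IP FOUND %s %s %s %s on %s %s %s\n' "$Cok" "$Cokvb" "$rst" "$CAlert" "$hits" "$rst" "$Jaune" "$mybadips" "$rst"
    fi
    # Look across every set, per target. The original ran this once after the
    # loop (last target only) and its `[ -z $(... | wc -L) ]` test could never
    # be true because wc always prints a number, so it always said FOUND.
    if ipset list | grep -qwF -- "$ZTARGET"; then
      printf ' %s %s IP FOUND %s %s %s %s on ALL ipset list %s\n' "$Cok" "$Cokvb" "$rst" "$CAlert" "$ZTARGET" "$rst" "$rst"
    else
      printf ' %s %s NO IP found on ipset list %s\n' "$Cok" "$Cokvb" "$rst"
    fi
  done
  # Exit status does not reflect the result; kept as the original wrote it.
  exit 1
fi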
if [[ $ACTION == "-I" ]]; then
  # Dated header in colour 166, then the raw Myips listing between rulers.
  printf '\n%s\n' "$(tput setaf 166)"
  date
  printf ' %s\n\n' "$(tput sgr0)"
  printf '%s\n##################%s\n' "$CGris" "$(tput sgr0)"
  printf '%s ipset list Myips %s\n\n' "$Cokv" "$(tput sgr0)"
  ipset list Myips
  printf '%s\n############################%s\n' "$CGris" "$(tput sgr0)"
fi
###############################
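if [[ $ACTION == "-L" ]]; then
  printf '\n%s\n' "$(tput setaf 166)"
  date
  printf ' %s\n\n' "$(tput sgr0)"
  # Rebuild the deduplicated ban list from the first field of the personal log.
  awk '{print $1}' "$mybadips" | sort | uniq > "$badips"
  ipset_check_
  printf '%s\n################%s\n' "$CGris" "$(tput sgr0)"
  printf '%s Rules iptables %s\n' "$Cokv" "$(tput sgr0)"
  printf '%s\n' "$CCyan"
  # iptables -L INPUT -v -n | grep DROP | uniq -c | sort
  # One listing filtered three times, instead of three iptables invocations.
  input_rules=$(iptables -L INPUT -v -n)
  grep multiport <<<"$input_rules"
  grep match-set <<<"$input_rules"
  grep "f2b-" <<<"$input_rules"
  printf '%s\n################%s\n' "$CGris" "$(tput sgr0)"
  printf '%s ipset list all %s\n\n' "$Cokv" "$(tput sgr0)"
  # Name and entry-count lines of the first four sets, from a single listing.
  set_listing=$(ipset list)
  for idx in 1 2 3 4; do
    printf '%s' "$txtrst"; grep "Name:" <<<"$set_listing" | sed -n "${idx}p"
    printf '%s' "$txtred"; grep "entries:" <<<"$set_listing" | sed -n "${idx}p"
  done
  # cat $badips
else
  # ban work loop
  for ZTARGET in "$@"; do
    # Whole-line match, so "1.2.3.4" is not reported as banned because
    # "11.2.3.4" is.
    if ipset list Myips | grep -qxF -- "$ZTARGET"; then
      printf '%s IP %s Already Banned! %s --> %s %s\n' "$Cok" "$Cokvb" "$(tput sgr0)" "$ZTARGET" "$(tput sgr0)"
      in_set=yes
    elif ipset add Myips "$ZTARGET" -!; then
      printf '%s IP Banned: %s%s\n' "$Cok" "$(ipset list Myips | grep -xF -- "$ZTARGET")" "$(tput sgr0)"
      in_set=yes
    else
      # ipset's own error stays on stderr; a rejected value is not logged.
      in_set=no
    fi
    # Record the target once it is really in the set (the original appended
    # before calling ipset, even when the value was rejected) and only if its
    # first field is not already in the log. awk's stderr is silenced because
    # the log does not exist before the first ban.
    if [[ $in_set == yes ]] && ! awk -v ip="$ZTARGET" '$1 == ip { found = 1 } END { exit !found }' "$mybadips" 2>/dev/null; then
      printf '%s\n' "$ZTARGET" >> "$mybadips"
    fi
    # iptables -I INPUT -m set --match-set Myips src -j DROP
    # Uncomment this if you want to use iptables!
    # iptables $ACTION INPUT -s $ZTARGET -j DROP
  done
fi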
##############################
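if [[ $ACTION == "-U" ]]; then
  printf '\n\n'
  ipset_check_
  printf '\n%sMake clean log (remove blank line) on%s %s\n' "$CGris" "$(tput sgr0)" "$mybadips"
  printf ' Before (%s) lines.\n' "$(wc -l < "$mybadips")"
  sed -i '/^$/d' "$mybadips"
  printf '%s After (%s) lines.\n\n' "$Cok" "$(wc -l < "$mybadips")"
  # Heading only: updateblacklist() is defined further down in this file and
  # is not invoked here (or anywhere else in it).
  printf '\n%s Populate Blacklist %s\n' "$txtcya" "$txtrst"
  printf '%s\n\n' "$(tput sgr0)"
fi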
#####################################################
#iptables -I INPUT -m set --match-set Myips src -j DROP
#iptables -I INPUT -m set --match-set blockip src -j DROP
#iptables -I INPUT -m set --match-set portsentry src -j DROP
######################################################
# Refresh the external ipset blacklist from its config; not called from this file.
# Globals: txtcya, txtrst (read)
updateblacklist() {
  local rst
  rst=$(tput sgr0)
  printf '\n%s Populate Date%s\n' "$txtcya" "$txtrst"
  /etc/ipset-blacklist/update-blacklist.sh /etc/ipset-blacklist/ipset-blacklist.conf
  printf '...%s\n' "$rst"
  # echo $txtcya"Applying action $txtred$ACTION$txtcya to $txtyel$ZTARGET"$txtrst
  # iptables $ACTION INPUT -s $ZTARGET -j DROP
}