117 lines
3.4 KiB
Bash
117 lines
3.4 KiB
Bash
#!/bin/bash
|
|
|
|
#
|
|
# This script will download the latest ipsum IP address list and add the
|
|
# addresses to the ufw-blocklist ipset
|
|
# Use memory instead of file system to reduce writes to sd card
|
|
|
|
# todo: better validation of new list, eg is valid IP address
|
|
# whitelist to exclude from adding to the set
|
|
|
|
# install this file into /etc/cron.daily/ufw-blocklist-ipsum
|
|
|
|
## URL must return a text file with one IP address per line
|
|
ipsumurl='https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt'
|
|
# reject the new list if there are fewer than minlen number of ip addresses
|
|
minlen=1000
|
|
|
|
ipsetname=ufw-blocklist-ipsum
|
|
ipset_exe=/usr/sbin/ipset
|
|
logger="/usr/bin/logger -t ${ipsetname}"
|
|
|
|
## Check if ipsetname exists. exit if not - ie no set to update
|
|
ipsetstatus=$("${ipset_exe}" -t list "${ipsetname}" 2>/dev/null )
|
|
RET=$?
|
|
if [ $RET -ne 0 ]; then
|
|
$logger -s "ipset named $ipsetname does not exist. is UFW started? exiting"
|
|
exit 1
|
|
fi
|
|
|
|
ipsetcount=$(echo "$ipsetstatus" | grep '^Number of entries:' | cut -d' ' -f4)
|
|
$logger "starting update of ${ipsetname} with ${ipsetcount} entries from ${ipsumurl}"
|
|
|
|
## Download the latest list
|
|
rawlist=$(curl -sS -f --compressed "$ipsumurl" 2>/dev/null)
|
|
RET=$?
|
|
if [ $RET -ne 0 ]; then
|
|
$logger -s "curl error code $RET for $ipsumurl"
|
|
exit 1
|
|
fi
|
|
|
|
## Read the list into an array
|
|
declare -a scrublist
|
|
readarray -t scrublist < <(echo "$rawlist")
|
|
|
|
## Validate the list length
|
|
scrublistlen="${#scrublist[@]}"
|
|
|
|
#echo "length of scrublist array: $scrublistlen"
|
|
if [ "$scrublistlen" -lt $minlen ]; then
|
|
$logger -s "$scrublistlen less than $minlen IPs. something must be wrong with $ipsumurl"
|
|
exit 1
|
|
fi
|
|
|
|
## define a function to validate ip addresses
|
|
# isvalidip() {
|
|
# {
|
|
# ipaddr="";
|
|
# [[ ! $ipaddr =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && return 1;
|
|
# for quad in $(echo "${ipaddr//./ }"); do
|
|
# (( $quad >= 0 && $quad <= 255 )) && continue;
|
|
# return 1;
|
|
# done
|
|
# }
|
|
# }
|
|
|
|
# isvalidip() {
|
|
# {
|
|
# # return code + output version
|
|
# ipaddr="";
|
|
# local errmsg="ERROR: $ipaddr is not a valid IP address";
|
|
# [[ ! $ipaddr =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && echo "$errmsg" && return 1;
|
|
# for quad in $(echo "${ipaddr//./ }"); do
|
|
# (( $quad >= 0 && $quad <= 255 )) && continue;
|
|
# echo "$errmsg";
|
|
# return 1;
|
|
# done
|
|
# }
|
|
# }
|
|
|
|
## create a temporary ipset
|
|
tmpsetname="$(mktemp -u | cut -f2 -d'.')-tmp"
|
|
$ipset_exe -q create "$tmpsetname" hash:net
|
|
RET=$?
|
|
if [ $RET -ne 0 ]; then
|
|
$logger -s "error code $RET creating temporary ipset $tmpsetname"
|
|
$ipset_exe -q destroy "$tmpsetname"
|
|
exit 1
|
|
fi
|
|
|
|
## loop through each IP address in the scrublist array and add it to the temporary ipset
|
|
cnt=0
|
|
for i in "${scrublist[@]}"
|
|
do
|
|
# Add that IP to the ipset blocklist
|
|
$ipset_exe add "$tmpsetname" "$i"
|
|
cnt=$((cnt+1))
|
|
done
|
|
|
|
## ipset swap FROM-SETNAME TO-SETNAME
|
|
## Swap the content of two existing sets
|
|
$ipset_exe swap "$tmpsetname" "$ipsetname"
|
|
RET=$?
|
|
if [ $RET -ne 0 ]; then
|
|
$logger -s "error code $RET ipset swapping $tmpsetname to $ipsetname"
|
|
$ipset_exe -q destroy "$tmpsetname"
|
|
exit 1
|
|
fi
|
|
|
|
$ipset_exe -q destroy "$tmpsetname"
|
|
RET=$?
|
|
if [ $RET -ne 0 ]; then
|
|
$logger -s "error code $RET destroying ipset $tmpsetname"
|
|
exit 1
|
|
fi
|
|
|
|
$logger "finished updating $ipsetname. Old entry count: $ipsetcount New count: $cnt of $scrublistlen"
|