IPTables Blacklist Script

In recent days, SYN flood attacks and brute-force attacks on FTP and mail servers have been piling up. 10 of our servers are affected, and they are regularly hit from a manageable number of IP addresses. Since these are managed servers and we did not want to perform the IP blocks on each server by hand every time, we wrote a small "blacklist" script, which we make available to the Internet community free of charge.


IPTables script on the server

On the server, download the following script:

wget http://mirror.ip-projects.de/ip-block.sh

The script is structured as follows:

#!/bin/bash
export PATH="/bin:/usr/bin:/sbin:/usr/sbin"

# Part 1: reset the firewall completely. Adjust this part if you already
# run your own iptables rules on the server.
echo "Flushing iptables rules..."
sleep 1
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Part 2: fetch the central blacklist and insert one DROP rule per address.
# If the download fails, stop here instead of running xargs on a missing file
# (note that the rules above have already been flushed at this point).
wget http://mirror.ip-projects.de/ip-blacklist || { echo "blacklist download failed" >&2; exit 1; }
cat ip-blacklist | xargs -n1 iptables -I INPUT -j DROP -s

# Part 3: remove the downloaded list, including any ip-blacklist.1, .2, ...
# left over from earlier runs.
rm ip-blacklist
rm -f ip-blacklist.*

The first part of the script deletes all existing iptables rules. If you have already configured iptables on the server, adjust this part accordingly. Resetting the rules is necessary because iptables is rather dumb here: it does not check whether an IP address is already in the list of blocked addresses and simply inserts a second rule for an address that is already blocked. Without the reset, the rule set would keep growing with every run until it is full. Also, without resetting iptables, an IP address removed from the central blacklist would stay blocked on the server, so removals would not take effect globally.

The last section only removes the downloaded blacklist files. Because the list may not be completely deleted when the server is overloaded (wget then saves the next download as ip-blacklist.1, ip-blacklist.2 and so on), the rm ip-blacklist.* command is included as well.
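The two weaknesses described above (duplicate rules piling up, and the whole firewall being flushed before the new list is even downloaded) can be avoided with a dedicated chain. The following script is an added example, not the script from mirror.ip-projects.de: it downloads the list first and keeps the current rules if the download fails, validates and de-duplicates the entries, and flushes only its own chain (assumed name BLACKLIST) instead of the complete rule set, so existing iptables rules survive. The blacklist URL is a placeholder, the list is assumed to be IPv4 addresses or CIDR blocks one per line, and IPTABLES can be overridden (for example with true) for a dry run without root.

```shell
#!/bin/bash
# Hardened blacklist loader (added example; the URL below is a placeholder).
set -u
export PATH="/bin:/usr/bin:/sbin:/usr/sbin"

BLACKLIST_URL="${BLACKLIST_URL:-http://mirror.example.invalid/ip-blacklist}"  # placeholder, not the real mirror
CHAIN="${CHAIN:-BLACKLIST}"          # assumed chain name, owned by this script
IPTABLES="${IPTABLES:-iptables}"     # set to "true" for a dry run without root

# Read the raw list from file $1 and print only valid, unique IPv4 addresses
# or CIDR blocks (comments, blank lines, garbage and duplicates are dropped).
clean_blacklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '{ ok = 1
                      for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
                      if (NF == 5 && $5 > 32) ok = 0
                      if (ok) print }' \
    | sort -u
}

# Load a cleaned list (one entry per line on stdin) into the dedicated chain.
# Only that chain is flushed, so the rest of the firewall is untouched and
# re-running the script can never create duplicate rules. Prints the number
# of entries loaded.
apply_blacklist() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true            # create the chain on first run
    "$IPTABLES" -F "$CHAIN"                                 # drop the previous list
    # Hook the chain into INPUT exactly once (-C checks whether the jump exists).
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
    local n=0 ip
    while read -r ip; do
        "$IPTABLES" -A "$CHAIN" -s "$ip" -j DROP
        n=$((n + 1))
    done
    echo "$n"
}

main() {
    local tmp count
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT                                # no ip-blacklist.1 leftovers
    # Download to a fixed temp path; on failure keep the rules we already have.
    if ! wget -q -O "$tmp" "$BLACKLIST_URL" || [ ! -s "$tmp" ]; then
        echo "blacklist download failed, keeping existing rules" >&2
        exit 1
    fi
    count=$(clean_blacklist "$tmp" | apply_blacklist)
    echo "chain $CHAIN now holds $count entries"
}

# Run with "apply" as the first argument (e.g. from cron); without it the
# functions are only defined, which allows sourcing and dry-run testing.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

For cron, the two lines from the page become @reboot /root/ip-block.sh apply and 0,5,10,15,20,25,30,35,40,45,50,55 * * * * /root/ip-block.sh apply. Note that -C (rule check) needs iptables 1.4.11 or newer; the check is what prevents a second INPUT jump on every run.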

Run script regularly

To update the list automatically, create a cronjob that runs the script at regular intervals. First set the file permissions so that the script is executable, then install the cronjob.

chmod 775 /root/ip-block.sh
crontab -e

Add the following lines at the end of the file:
@reboot /root/ip-block.sh
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /root/ip-block.sh
The first line applies the IP block automatically when the server is restarted; the second line updates the block list every 5 minutes. The update interval can be adjusted here as needed.

The setup is successfully completed.