Many of you already use online blacklists to fight spam. Recently I’ve dicovered http://www.openbl.org/ and started using their lists on my firewall to prevent attacks from hosts that are known to be preforming attacks. It works in a very similar way to all the spam blacklists out there, and this is how I’ve implemented them on my Firewall.
First of all you’ll need to have some packages installed:
sudo apt-get install iptables ipset wget
now create an ipset to store all the abusing IP addresses and use iptables to block them:
#!/bin/bash
BLOCKDB=”block.txt”
WORKDIR=”/tmp”
pwd=$(pwd)
cd $WORKDIR
#List of ips to block
ipset –create blackips iphash
## Obtain List of badguys from openbl.org
wget -q -c –output-document=$BLOCKDB http://www.openbl.org/lists/base.txt
if [ -f $BLOCKDB ]; then
IPList=$(grep -Ev “^#” $BLOCKDB | sort -u)
for i in $IPList
do
ipset –add blackips $i
done
fi
rm $BLOCKDB
## Obtain List of badguys from ciarmy.com
wget -q -c –output-document=$BLOCKDB http://www.ciarmy.com/list/ci-badguys.txt
if [ -f $BLOCKDB ]; then
IPList=$(grep -Ev “^#” $BLOCKDB | sort -u)
for i in $IPList
do
ipset –add blackips $i
done
fi
rm $BLOCKDB
## Obtain List of badguys from dshield.org
wget -q -c –output-document=$BLOCKDB http://feeds.dshield.org/top10-2.txt
if [ -f $BLOCKDB ]; then
IPList=$(grep -E “^[1-9]” $BLOCKDB | cut -f1 | sort -u)
for i in $IPList
do
ipset –add blackips $i
done
fi
rm $BLOCKDB
#List of networks to block
ipset –create blacknets nethash
## Obtain List of badguys from dshield.org
wget -q -c –output-document=$BLOCKDB http://feeds.dshield.org/block.txt
if [ -f $BLOCKDB ]; then
IPList=$(grep -E “^[1-9]” $BLOCKDB | cut -f1,3 | sed “s/\t/\//g” | sort -u)
for i in $IPList
do
ipset –add blacknets $i
done
fi
rm $BLOCKDB
## Obtain List of badguys from spamhaus.org
wget -q -c –output-document=$BLOCKDB http://www.spamhaus.org/drop/drop.lasso
if [ -f $BLOCKDB ]; then
IPList=$(grep -E “^[1-9]” $BLOCKDB | cut -d” ” -f1 | sort -u)
for i in $IPList
do
ipset –add blacknets $i
done
fi
rm $BLOCKDB
#Drop blacklisted ips
iptables -A FORWARD -m set –match-set blackips src -j DROP
iptables -A FORWARD -m set –match-set blacknets src -j DROP
cd $pwd
Are you using the blacklists for a router? Because I can see in the last three lines, the rules are added to the FORWARD chain. So if I want to use this technique for a standalone server, the chain should be INPUT, isn’t it?