
Add IP blocklists

Discussion in 'Centmin Mod User Tutorials & Guides' started by enderst, Jun 28, 2018.

  1. enderst

    enderst Member

    These are my notes I use, maybe others will find them useful.

    The source for the script and config file:
    trick77/ipset-blacklist


    1. Pulldown the script
    Code:
    wget -O /usr/local/sbin/update-blacklist.sh https://raw.githubusercontent.com/trick77/ipset-blacklist/master/update-blacklist.sh
    2. Make the script executable
    Code:
    chmod +x /usr/local/sbin/update-blacklist.sh
    3. Create the directory for the config file and IP lists
    Code:
    mkdir -p /etc/ipset-blacklist ; wget -O /etc/ipset-blacklist/ipset-blacklist.conf https://raw.githubusercontent.com/trick77/ipset-blacklist/master/ipset-blacklist.conf
    4. Add or comment out lists
    Code:
    vi /etc/ipset-blacklist/ipset-blacklist.conf
    5. Run the script and start blocking the known bad guys. This will also create the IP set and insert the iptables rule.
    Code:
    /usr/local/sbin/update-blacklist.sh /etc/ipset-blacklist/ipset-blacklist.conf


    Create the CSF post script to ensure this survives reboot.
    Code:
    vi /etc/csf/csfpost.sh
    Paste:
    Code:
    #!/bin/bash
    ipset restore < /etc/ipset-blacklist/ip-blacklist.restore
    iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
    Then:
    Code:
    chmod +x /etc/csf/csfpost.sh
    Restart CSF
    Code:
    csf -r
    When finished you can watch to make sure it's working.
    Code:
    watch iptables -L -nv
    Add cron
    Code:
    vi /etc/cron.d/update-blacklist
    Paste:
    Code:
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    33 08 * * * /usr/local/sbin/update-blacklist.sh /etc/ipset-blacklist/ipset-blacklist.conf
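The post leaves verification to eyeballing `watch iptables -L -nv`. The script below is an added example, not part of enderst's post or of the trick77/ipset-blacklist project, that turns that check into a pass/fail test suitable for cron or monitoring. It assumes the ipset is named `blacklist` (the name used in the csfpost.sh rule above), that `iptables -S INPUT` lists the chain one rule per line, and that `ipset list -t blacklist` prints a `Number of entries:` header line as modern ipset versions do. The parsing is split into functions that take command output as a string, so it can be checked offline against the constructed samples in the comments.

```shell
#!/bin/sh
# Added example (not from the forum post or trick77/ipset-blacklist):
# verify that the ipset blocklist is wired into the INPUT chain.

# blacklist_rule_position "<output of iptables -S INPUT>"
# Prints the 1-based position of the first INPUT rule that drops traffic
# matching the "blacklist" set, or 0 if no such rule exists. Only "-A INPUT"
# lines count as rules; the "-P INPUT ..." policy line is ignored.
# The csfpost.sh in the post inserts the rule at position 1, so 1 is the
# expected result; a larger number means other rules are evaluated first.
blacklist_rule_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /--match-set blacklist src/ && /-j DROP/ && !found { found = n }
        END { print found + 0 }'
}

# blacklist_entry_count "<output of ipset list -t blacklist>"
# Extracts the member count from the terse header, e.g. a constructed header:
#   Name: blacklist
#   Type: hash:net
#   Number of entries: 4321
# prints 4321. Prints nothing if the header line is absent (assumed format).
blacklist_entry_count() {
    printf '%s\n' "$1" | awk '/^Number of entries:/ { print $4; exit }'
}

# check_blacklist_live: run both checks against the running firewall.
# Returns 0 when the rule is present and the set exists, 1 on a failure,
# and 0 with a SKIP message when iptables cannot be read (missing or not root).
check_blacklist_live() {
    rules=$(iptables -S INPUT 2>/dev/null) || {
        echo "SKIP: cannot read INPUT chain (iptables missing or not root)"
        return 0
    }
    pos=$(blacklist_rule_position "$rules")
    if [ "$pos" -eq 1 ]; then
        echo "OK: blacklist DROP rule is first in INPUT"
    elif [ "$pos" -gt 1 ]; then
        echo "WARN: blacklist DROP rule is at position $pos; earlier rules match first"
    else
        echo "FAIL: no blacklist DROP rule in INPUT"
        return 1
    fi
    hdr=$(ipset list -t blacklist 2>/dev/null) || {
        echo "FAIL: ipset 'blacklist' does not exist"
        return 1
    }
    echo "INFO: blacklist set holds $(blacklist_entry_count "$hdr") entries"
}

# Run the live check only when invoked with --live, e.g. from cron after the
# blocklist update; without the flag the file just defines the functions.
if [ "${1:-}" = "--live" ]; then
    check_blacklist_live
fi
```

Run it as `sh check-blacklist.sh --live` after `csf -r` to confirm the rule survived the restart, or add it to the cron entry after the update so a vanished set or rule produces a mail to root instead of a silent gap in blocking.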
     
  2. eva2000

    eva2000 Administrator Staff Member

    Thanks for sharing. FYI, Centmin Mod installed CSF Firewall already has support for such block lists natively via /etc/csf/csf.blocklists and also via advanced tools/csf-advancetweaks.sh at Beta Branch - revise inc/csftweaks.inc and automatically ensures IPSET is only enabled on servers where Linux Kernel supports IPSET i.e. non-OpenVZ systems as OpenVZ VPS do not support IPSET.