14 April 2015

The "Daily Stormcast podcast" of the Internet Storm Center by Johannes Ullrich mentioned at some point that you could use the DShield 'bad' networks list to proactively block traffic. This is what I did - using shorewall as the blocking backend. Enjoy!

Download dshield.sh

#!/bin/bash

# 25 Feb 2015
# Download dshield list and create a shorewall blocklist


# http://feeds.dshield.org/block.txt
# sample entry
# 61.240.144.0    61.240.144.255    24    9915    China United
# Telecommunications Corporation    CN    ip_address@cnuninet.com

BLOCK="/var/tmp/block.txt"

function action() {
  while read line ; do
    # do command
    echo $line | egrep "^[0-9]" >/dev/null
    EC=$?
    # when line starts with a number
    if [ "$EC" -eq 0 ] ; then
      STARTIP=$(echo $line | awk '{print $1}')
      ENDIP=$(echo $line | awk '{print $2}')
      
      # validate IPs
      ipcalc $STARTIP - $ENDIP >/dev/null
      EC=$?
      if [ "$EC" -ne 0 ] ; then
        logger -t dshield Something is wrong with the IPs: $STARTIP $ENDIP
      else
        RANGE=$(ipcalc $STARTIP - $ENDIP | tail -1)
        /sbin/shorewall $1 $RANGE
        EC=$?
        if [ "$EC" -ne 0 ] ; then
          logger -t dshield shorewall $1 $RANGE failed
        fi
      fi
    fi
  done <$BLOCK
}

# list has been downloaded already, so we need to unblock it first before we
# overwrite it
if [ -e $BLOCK ] ; then
  action allow >/dev/null
fi

wget -q -O $BLOCK http://feeds.dshield.org/block.txt
EC=$?
if [ "$EC" -ne 0 ] ; then
  logger -t dshield Error downloading
  exit 1
fi

action drop >/dev/null


blog comments powered by Disqus