The "Daily Stormcast" podcast of the Internet Storm Center by Johannes Ullrich mentioned at some point that you could use the DShield 'bad' networks list to proactively block traffic. This is what I did, using shorewall as the blocking backend. Enjoy!
#!/bin/bash
# 25 Feb 2015
# Download dshield list and create a shorewall blocklist
# http://feeds.dshield.org/block.txt
# sample entry
# 61.240.144.0 61.240.144.255 24 9915 China United
# Telecommunications Corporation CN [email protected]
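# Local copy of the DShield block list; can be overridden from the environment
# so the location is changeable without editing the script.
# NOTE(review): /var/tmp is world-writable and this file ends up feeding
# firewall rules that run as root, so a directory only root can write to
# (e.g. under /var/lib) would keep other local users from planting or
# replacing it.
BLOCK="${BLOCK:-/var/tmp/block.txt}"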
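#######################################
# Apply a shorewall verb to every IP range listed in $BLOCK.
# Globals:   BLOCK (read) - path of the downloaded DShield block list
# Arguments: $1 - shorewall verb to run for each range (the script uses
#                 allow and drop)
# Outputs:   diagnostics go to syslog via logger; shorewall's own output
#            goes to stdout
# Returns:   0 (a failure on one range is logged, not propagated)
#######################################
function action() {
  local verb="$1"
  local line startip endip cidr
  # The feed is untrusted input: only lines starting with a number are data
  # rows, and each range is still validated by ipcalc before it reaches
  # shorewall. IFS= and -r keep the raw line intact (no backslash decoding),
  # and the || handles a last line without a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # when line starts with a number (leading blanks tolerated, as before)
    [[ "$line" =~ ^[[:space:]]*[0-9] ]] || continue
    # Fields 1 and 2 are the first and last address of the range; read
    # splits on whitespace exactly like the former awk '{print $1}'.
    read -r startip endip _ <<<"$line"
    # validate IPs
    if ! ipcalc "$startip" - "$endip" >/dev/null; then
      logger -t dshield "Something is wrong with the IPs: $startip $endip"
      continue
    fi
    # A start-end range may deaggregate into several CIDR blocks; feed every
    # line that looks like a.b.c.d/n to shorewall rather than only the last
    # one, which would silently leave part of the range unhandled.
    while IFS= read -r cidr; do
      if ! /sbin/shorewall "$verb" "$cidr"; then
        logger -t dshield "shorewall $verb $cidr failed"
      fi
    done < <(ipcalc "$startip" - "$endip" | grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$')
  done <"$BLOCK"
}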
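# Download the fresh list to a temporary file in the same directory first.
# Only once the download has succeeded is the previously loaded list (if
# any) unblocked and the new file moved into place. A failed download thus
# leaves the old file and the old firewall rules untouched, instead of a
# truncated $BLOCK and ranges that were already opened up again.
# NOTE(review): the feed is fetched over plain HTTP, so anyone on the path
# can rewrite the list and make this host drop traffic to arbitrary
# networks; use an HTTPS feed URL if DShield offers one.
TMP=$(mktemp "${BLOCK}.XXXXXX")
EC=$?
if [ "$EC" -ne 0 ] ; then
  logger -t dshield Error creating temporary file
  exit 1
fi
# remove the temporary file on every exit path (harmless after the mv)
trap 'rm -f -- "$TMP"' EXIT
wget -q -O "$TMP" http://feeds.dshield.org/block.txt
EC=$?
if [ "$EC" -ne 0 ] ; then
  logger -t dshield Error downloading
  exit 1
fi
# an empty download would silently unblock everything and block nothing
if [ ! -s "$TMP" ] ; then
  logger -t dshield Downloaded list is empty
  exit 1
fi
# list has been downloaded already, so we need to unblock it first before we
# overwrite it
if [ -e "$BLOCK" ] ; then
  action allow >/dev/null
fi
mv -f -- "$TMP" "$BLOCK"
action drop >/dev/null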