{"id":20768028,"url":"https://github.com/spithash/ipset-blacklist-script","last_synced_at":"2025-12-25T07:27:40.175Z","repository":{"id":234409774,"uuid":"788839686","full_name":"spithash/ipset-blacklist-script","owner":"spithash","description":"IP blacklisting script for Linux servers and OpenWRT routers via ipset","archived":false,"fork":false,"pushed_at":"2024-07-04T12:58:59.000Z","size":41,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-18T06:42:22.812Z","etag":null,"topics":["blacklist-ips","blacklist-script","firewall","ipset","ipset-lists","iptables","linux-scripts","openwrt"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spithash.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-19T07:27:34.000Z","updated_at":"2024-07-04T12:59:04.000Z","dependencies_parsed_at":"2024-05-09T09:25:18.079Z","dependency_job_id":"b3fdfb11-db40-4908-a7bd-533ba67338e4","html_url":"https://github.com/spithash/ipset-blacklist-script","commit_stats":null,"previous_names":["spithash/ipset-blacklist-script"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fipset-blacklist-script","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fipset-blacklist-script/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fipset-blacklist-script/releases","m
anifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spithash%2Fipset-blacklist-script/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spithash","download_url":"https://codeload.github.com/spithash/ipset-blacklist-script/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243097881,"owners_count":20235917,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blacklist-ips","blacklist-script","firewall","ipset","ipset-lists","iptables","linux-scripts","openwrt"],"created_at":"2024-11-17T11:34:34.678Z","updated_at":"2025-12-25T07:27:35.143Z","avatar_url":"https://github.com/spithash.png","language":"Shell","readme":"ipset blacklist script\n=================\nThis is a collection of shell scripts that are intended to protect Linux systems and OpenWRT routers from known sources of malicious traffic. These scripts use `iptables` with the highly efficient `ipset` module to check incoming traffic against blacklists populated from publicly available sources.\n\n[Emerging Threats](http://rules.emergingthreats.net/fwrules/) provides similar rules that essentially run one `iptables` rule for *each* blacklisted IP, which is extremely inefficient for large blacklists. Using `ipset` means using just one `iptables` rule to perform a very efficient lookup in a hash structure created by `ipset`.\n\n\n**Note:** This script is a quick hack suitable primarily for embedded devices (OpenWRT, LEDE) rather than a complete solution for a server. 
For the latter, have a look at [FireHOL](http://firehol.org/) and its excellent [FireHOL IP Lists](http://iplists.firehol.org/) add-on. Have a look at the **FireHOL** section further down.\n\n_Special thanks to the initial author of this script \u003ca href=\"https://github.com/kravietz/\" target=\"_blank\" rel=\"nofollow\"\u003ePawel Krawczyk\u003c/a\u003e - That repo is now archived, so I decided to clone it because I find it useful._\n\n## Available blacklists\nIf you decide to use this script, these are the blacklists available by default:\n\n* [Emerging Threats](http://rules.emergingthreats.net/fwrules/) - list of other known threats (botnet C\u0026C, compromised servers etc.) compiled from various sources, including [Spamhaus DROP](http://www.spamhaus.org/drop/), [Shadowserver](https://www.shadowserver.org/wiki/) and [DShield Top Attackers](http://www.dshield.org/top10.html)\n* [www.blocklist.de](https://www.blocklist.de/en/index.html) - list of known password bruteforcers supplied by a network of [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) users\n* [iBlocklist](https://www.iblocklist.com/lists.php) - various free and subscription-based lists\n* [Bogons](http://www.team-cymru.org/Services/Bogons/) - IP subnets that should never appear on the public Internet; this includes [RFC 1918](http://tools.ietf.org/html/rfc1918) networks, so running this on a machine in a private network will effectively **shut its networking down**\n\nBy default the script will only load the Emerging Threats and Blocklist.de collections. Others may be added by simply appending to the `URLS` variable at the beginning of the script:\n\n    URLS=\"http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt\"\n    URLS=\"$URLS https://www.blocklist.de/downloads/export-ips_all.txt\"\n\nThe script ignores empty lines and comments and will only extract anything that looks like an IP address (`a.b.c.d`) or CIDR subnet (`a.b.c.d/nn`). 
Each blacklist is loaded into a separate `ipset` collection so that logging unambiguously identifies which blacklist blocked a packet.\n\nThe script also creates an empty `manual-blacklist` set that can be used by the administrator for manual blacklisting. For example:\n\n    ipset add manual-blacklist 217.146.93.122\n\nRemoval:\n\n    ipset delete manual-blacklist 217.146.93.122\n\n## OpenWRT\nThe script automatically detects an OpenWRT environment (by looking for `uci`) and will try to obtain the WAN interface name. Filtering will then be **limited to the WAN interface only.**\n\nRequirements:\n\n* `opkg install ipset curl`\n\nInstallation:\n\n    cp blacklist.sh /etc/firewall.user\n    echo \"01 01 * * * sh /etc/firewall.user\" \u003e\u003e/etc/crontabs/root\n\nThe blacklist will be updated on a daily basis.\n\nManual run:\n\n    sh /etc/firewall.user\n    \n### LEDE\nOn LEDE the firewall comes up **before** network interfaces are configured, so a service file is required to bring up the blacklist once the network is available. Create `/etc/init.d/blacklist` with the following contents and `chmod a+x /etc/init.d/blacklist`:\n````\n#!/bin/sh /etc/rc.common\nSTART=30\nCOMMAND=\"sh /etc/firewall.user\"\nboot() {\n   $COMMAND\n}\n````\n\n## Linux\nRequirements:\n\n* On Debian, Ubuntu and other `apt` systems: `apt-get install ipset curl`\n* On RedHat, Fedora, CentOS and other RPM systems: `yum install ipset curl`\n\nInstallation:\n\n    cp blacklist.sh /etc/cron.daily/blacklist\n\nThe blacklist will be updated on a daily basis.\n\nManual run:\n\n    sh /etc/cron.daily/blacklist\n\n# Integration with OSSEC\n[OSSEC HIDS](http://www.ossec.net/) is a host-based intrusion detection engine for Unix and Windows servers. 
Its [active response](http://ossec-docs.readthedocs.org/en/latest/manual/ar/index.html) feature allows running a script in response to configured events, for example blocking an IP address detected as continuously attempting to bruteforce an SSH password.\n\n`ipset-drop.sh` is an active response script that adds offending IP addresses to the `manual-blacklist` set, which is also created by the `blacklist.sh` script.\n\nInstallation:\n\n    cp ipset-drop.sh /var/ossec/active-response/bin\n\nExample OSSEC configuration:\n\n    \u003ccommand\u003e\n      \u003cname\u003eipset-drop\u003c/name\u003e\n      \u003cexecutable\u003eipset-drop.sh\u003c/executable\u003e\n      \u003cexpect\u003esrcip\u003c/expect\u003e\n      \u003ctimeout_allowed\u003eyes\u003c/timeout_allowed\u003e\n    \u003c/command\u003e\n\n    \u003cactive-response\u003e\n      \u003ccommand\u003eipset-drop\u003c/command\u003e\n      \u003clocation\u003elocal\u003c/location\u003e\n      \u003crules_id\u003e5720\u003c/rules_id\u003e \u003c!-- Rule: 5720 fired (level 10) -\u003e Multiple SSHD authentication failures. --\u003e\n    \u003c/active-response\u003e\n\nAnother script, `router-drop.sh`, will perform the same action on a remote router over SSH. This is useful for embedded routers where installing an OSSEC agent is unfeasible. OpenWRT logs (over syslog) to a more powerful Linux box with OSSEC installed. On an alert, the active response script installed there blocks the offending IP address on the router:\n\n```\n  +---------+ ----- syslog -------\u003e +-------+\n--| OpenWRT |                       | Linux |\n  |         |                       | OSSEC |\n  +---------+ \u003c- active response -- +-------+\n\n```\n\nThe `router-drop.sh` script requires two configuration steps:\n\n* configure the `ROUTER` variable to an SSH string for root login to the router (e.g. 
*root@gw.example.com*)\n* install SSH keys to actually log in; the keys need to be installed on the root account, as this is where active response scripts run\n\nExample configuration:\n\n     \u003ccommand\u003e\n       \u003cname\u003erouter-drop\u003c/name\u003e\n       \u003cexecutable\u003erouter-drop.sh\u003c/executable\u003e\n       \u003cexpect\u003esrcip\u003c/expect\u003e\n       \u003ctimeout_allowed\u003eno\u003c/timeout_allowed\u003e\n     \u003c/command\u003e\n   \n     \u003cactive-response\u003e\n       \u003ccommand\u003erouter-drop\u003c/command\u003e\n       \u003clocation\u003elocal\u003c/location\u003e\n       \u003crules_id\u003e51004\u003c/rules_id\u003e\n     \u003c/active-response\u003e\n\nEvent 51004 is defined in `/var/ossec/rules/dropbear_rules.xml` and is triggered by a series of unsuccessful password logins. Don't forget to add your trusted networks to `\u003cwhite_list\u003e` entries to prevent locking yourself out!\n\n## Samples\n\nNumber of blacklisted IP addresses:\n\n    # ipset list | wc -l\n    26160\n\nTraffic (ICMP and TCP) from blacklisted IP addresses in router logs (OpenWRT):\n\n    # dmesg|grep BLOCK\n    [745433.590000] BLOCK emerging-Block-IPs.txt IN=eth0.2 OUT=br-lan MAC=64:70:12:c2:64:70:02:cc:24:73:9c:97:26:50:b9:10:08:00 SRC=217.146.93.122 DST=10.10.10.20 LEN=28 TOS=0x00 PREC=0x00 TTL=56 ID=54090 PROTO=ICMP TYPE=0 CODE=0 ID=48891 SEQ=0 MARK=0x10 \n    [745433.620000] BLOCK emerging-Block-IPs.txt IN=eth0.2 OUT=br-lan MAC=64:70:12:c2:64:70:02:cc:24:73:9c:97:26:50:b9:10:08:00 SRC=144.76.71.210 DST=10.10.10.20 LEN=28 TOS=0x00 PREC=0x40 TTL=51 ID=17805 PROTO=ICMP TYPE=0 CODE=0 ID=28814 SEQ=0 MARK=0x10 \n    [745484.510000] BLOCK emerging-Block-IPs.txt IN=eth0.2 OUT=br-lan MAC=64:70:12:c2:64:70:02:cc:24:73:9c:97:26:50:b9:10:08:00 SRC=69.194.235.103 DST=10.10.10.20 LEN=44 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=TCP SPT=443 DPT=58827 WINDOW=5840 RES=0x00 ACK SYN URGP=0 MARK=0x33\n\nTraffic (SSH bruteforce scanners) from 
blacklisted IP addresses in web server logs (CentOS):\n\n    BLOCK export-ips_all.txt IN=eth1 OUT= MAC=bc:16:2e:08:69:d4:3c:08:f6:d9:93:a5:08:00 SRC=122.225.97.79 DST=10.179.134.230 LEN=40 TOS=0x00 PREC=0x00 TTL=101 ID=256 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 \n    BLOCK export-ips_all.txt IN=eth1 OUT= MAC=bc:16:2e:08:69:d4:3c:08:f6:d9:93:a5:08:00 SRC=61.174.51.207 DST=10.179.134.230 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=256 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0\n\nTraffic (SSH password bruteforce scanners) blocked by [OSSEC HIDS](http://www.ossec.net/) (Linux):\n\n    BLOCK manual-blacklist IN=eth1 OUT= MAC=bc:76:2e:08:69:d4:3c:08:f6:d9:93:a5:08:00 SRC=89.46.14.48 DST=10.179.134.230 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=62214 DF PROTO=TCP SPT=51436 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 \n    BLOCK manual-blacklist IN=eth1 OUT= MAC=bc:76:2e:08:69:d4:3c:08:f6:d9:93:a5:08:00 SRC=89.46.14.48 DST=10.179.134.230 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=62215 DF PROTO=TCP SPT=51436 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 \n\n## FireHOL Blacklists\nIf you are looking for a mature firewall management solution for Linux that supports blacklists, definitely have a look at [FireHOL](http://firehol.org/) and its excellent [FireHOL IP Lists](http://iplists.firehol.org/) add-on. 
Compared to FireHOL, this script is a quick hack, and I keep maintaining it primarily because FireHOL seems to be overkill for OpenWRT/LEDE devices.\n\nQuick start with FireHOL blacklists:\n\n* Run `update-ipsets enable dshield` and then `update-ipsets`\n* Modify `/etc/firehol/firehol.conf` (remember to run `firehol start` afterwards)\n\n```\nipv4 ipset create dshield hash:net\nipv4 ipset addfile dshield ipsets/dshield.netset\nblacklist4 stateful inface eth0 connlog \"BLACKLIST \" ipset:dshield\ninterface eth0 world4\n    server4 ssh deny src4 ipset:manual-blacklist\n    ...\n```\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspithash%2Fipset-blacklist-script","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspithash%2Fipset-blacklist-script","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspithash%2Fipset-blacklist-script/lists"}