
[WebUI] Add support for blacklist script

Robert Zollner 5 éve
szülő
commit
13e1d6a35b

+ 3 - 2
bin/v-add-firewall-ipset

@@ -125,14 +125,15 @@ inet_ver="inet"
 [ "$ip_version" == "v6" ] && inet_ver="inet6"
 
 $IPSET_BIN create "$ip_name" -exist hash:net family $inet_ver
-$IPSET_BIN create "${ip_name}-tmp" -exist hash:net family $inet_ver
+$IPSET_BIN -quiet destroy "${ip_name}-tmp"
+$IPSET_BIN create "${ip_name}-tmp" -exist hash:net family $inet_ver maxelem 1048576
 $IPSET_BIN flush "${ip_name}-tmp"
 
 sed -rn -e '/^#|^$/d'  -e "s/^(.*)/add ${ip_name}-tmp \\1/p" "${IPSET_PATH}/${IPSET_FILE}.iplist" | $IPSET_BIN -quiet restore
 check_result $? "Populating ipset table"
 
 $IPSET_BIN swap "${ip_name}-tmp" "${ip_name}"
-$IPSET_BIN --quiet destroy "${ip_name}-tmp"
+$IPSET_BIN -quiet destroy "${ip_name}-tmp"
 
 
 # Generating timestamp
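Review bot: The new `-quiet destroy` of `${ip_name}-tmp` before the create has no explanation, and the likely reason is not obvious from the code: `create -exist` leaves an existing set's parameters untouched, so a tmp set left over from an earlier run that aborted before the final destroy would keep its old maxelem and the new `maxelem 1048576` would never take effect. If that is the intent, add `# drop any leftover tmp set: create -exist does not change maxelem on an existing set` above the destroy. This file now spells the flag `-quiet` while bin/v-delete-firewall-ipset keeps `--quiet`; I believe ipset accepts both spellings, but using one across the two scripts would avoid the question. The restore pipeline is only context here, but its `-quiet` also hides which iplist line ipset rejected when `check_result` fires, which makes a bad entry hard to locate.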

+ 2 - 2
bin/v-delete-firewall-ipset

@@ -50,11 +50,11 @@ fi
 #                       Action                             #
 #----------------------------------------------------------#
 
-if $IPSET_BIN --quiet list "${ip_name}-tmp"; then
+if $IPSET_BIN --quiet list "${ip_name}-tmp" >/dev/null; then
     $IPSET_BIN --quiet destroy "${ip_name}-tmp"
 fi
 
-if $IPSET_BIN --quiet list "${ip_name}"; then
+if $IPSET_BIN --quiet list "${ip_name}" >/dev/null; then
     $IPSET_BIN --quiet destroy "${ip_name}"
     check_result $? "ipset ${ip_name} still used by iptables. Cannot remove"
 fi
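Review bot: The `>/dev/null` added to both `list` checks discards a full member dump of the set, which for a set sized at the `maxelem 1048576` used in bin/v-add-firewall-ipset means serialising every entry just to test existence; `ipset list -n` (`-name`) prints only the set name and is the cheaper existence test: `if $IPSET_BIN --quiet -n list "${ip_name}-tmp" >/dev/null; then`, and likewise for `"${ip_name}"`. The `--quiet destroy` that follows each check also suppresses ipset's own diagnostic, so when `check_result` fires the operator only sees the generic "still used by iptables" text, which is not the only reason a destroy can fail.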

+ 36 - 0
install/deb/firewall/ipset/blacklist.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Script and blacklist urls partially taken from:
+# https://github.com/trick77/ipset-blacklist/blob/master/ipset-blacklist.conf
+#
+
+BLACKLISTS=(
+    "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
+    "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
+    "https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
+    "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
+    "https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
+    "https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
+    "https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
+    "https://blocklist.greensnow.co/greensnow.txt" # GreenSnow
+    "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
+    "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol
+)
+
+
+IP_BLACKLIST_TMP=$(mktemp)
+for i in "${BLACKLISTS[@]}"; do
+    IP_TMP=$(mktemp)
+    (( HTTP_RC=$(curl -L --connect-timeout 10 --max-time 10 -o "$IP_TMP" -s -w "%{http_code}" "$i") ))
+    if (( HTTP_RC == 200 || HTTP_RC == 302 || HTTP_RC == 0 )); then # "0" because file:/// returns 000
+        command grep -Po '^(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" | sed -r 's/^0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)$/\1.\2.\3.\4/' >> "$IP_BLACKLIST_TMP"
+    elif (( HTTP_RC == 503 )); then
+        echo >&2 -e "\\nUnavailable (${HTTP_RC}): $i"
+    else
+        echo >&2 -e "\\nWarning: curl returned HTTP response code $HTTP_RC for URL $i"
+    fi
+    rm -f "$IP_TMP"
+done
+
+sed -r -e '/^(0\.0\.0\.0|10\.|127\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|22[4-9]\.|23[0-9]\.)/d' "$IP_BLACKLIST_TMP"|sort -n|sort -mu
+rm -f "$IP_BLACKLIST_TMP"
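Review bot: The status check after the curl call treats `HTTP_RC == 0` as success, but every entry in BLACKLISTS is an http(s) URL, so a `000` here means the fetch itself failed (DNS, refused connection, TLS error) and that list is silently dropped from the output; likewise a transfer cut off by `--max-time 10` still reports `200` while the truncated file is accepted, because curl's exit status is never read. Split the assignment out of `(( ))` and check both: `HTTP_RC=$(curl -L --connect-timeout 10 --max-time 10 -o "$IP_TMP" -s -w "%{http_code}" "$i")`, `CURL_RC=$?`, `if (( CURL_RC == 0 && (HTTP_RC == 200 || HTTP_RC == 302) )); then`, and drop the `file:///` comment since no file URL is in the list. The bruteforceblocker entry is the only plain `http://` source; since this output feeds a firewall block set, an on-path modification of that download could insert arbitrary ranges, so it is worth checking whether an https endpoint exists for it. The script also has no `set -e` or `trap`, so `$IP_BLACKLIST_TMP` is left behind if it is interrupted; a `trap 'rm -f -- "$IP_BLACKLIST_TMP"' EXIT` right after the mktemp covers that.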

+ 24 - 0
web/templates/admin/add_firewall_ipset.html

@@ -140,13 +140,37 @@
         */
     ];
 
+    var blacklist_iplists = [
+        {name: "[ipv4] Blacklist Script",       source:"script:/usr/local/hestia/install/deb/firewall/ipset/blacklist.sh"},
+        /*
+        {name: "[ipv6] Blacklist Script",       source:"script:/usr/local/hestia/install/deb/firewall/ipset/blacklist.ipv6.sh"},
+        */
+    ];
+
     country_iplists.sort(function (a, b) {
         return a.name > b.name;
     });
 
+    blacklist_iplists.sort(function (a, b) {
+        return a.name > b.name;
+    });
+
     $(function() {
         var targetelement = document.getElementById('datasource_list');
 
+        // Blacklist
+        var newEl = document.createElement("option");
+        newEl.text="BLACKLIST";
+        newEl.disabled=true;
+        targetelement.appendChild(newEl);
+
+        blacklist_iplists.forEach(iplist => {
+            var newEl = document.createElement("option");
+            newEl.text=iplist.name;
+            newEl.value=iplist.source;
+            targetelement.appendChild(newEl);
+        });
+
         // IPVERSE
         var newEl = document.createElement("option");
         newEl.text="IPVERSE";
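Review bot: The comparator passed to `blacklist_iplists.sort` returns a boolean, which `Array.prototype.sort` sees as 1 or 0 and never as a negative value, so the order is engine-dependent rather than alphabetical; it copies the existing `country_iplists` comparator, but the new code should use `return a.name.localeCompare(b.name);`. The option value `script:/usr/local/hestia/install/deb/firewall/ipset/blacklist.sh` is an ordinary form field, so whatever consumes the `script:` prefix on the server side (not in this diff) should resolve it against a fixed list of known scripts rather than executing the submitted path; worth confirming. Minor style: `var newEl` is now declared twice in the same function (once for the BLACKLIST heading, again for IPVERSE), and the new `forEach` uses an arrow function while the surrounding code uses `function` expressions; block-scoped `const` and one callback style would read more consistently. The enclosing `$(function() {` body continues past the hunk.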