diff --git a/.github/scripts/db-blocklist-download.sh b/.github/scripts/db-blocklist-download.sh index b6841ec2b..9c8042718 100755 --- a/.github/scripts/db-blocklist-download.sh +++ b/.github/scripts/db-blocklist-download.sh @@ -1,3 +1,5 @@ +#!/bin/bash + # # # @usage https://github.com/Aetherinox/csf-firewall # @type bash script @@ -15,17 +17,45 @@ # πŸ“„ db-blocklist-download.sh # πŸ“ workflows # πŸ“„ db-blocklist-download.yml +# +# @uage db-blocklist-download.sh +# db-blocklist-download.sh https://path/to/website/ipv4.list csf.deny # # -#!/bin/bash +# # +# Define > Parameters +# # s100_90d_url="$1" s100_90d_file="$2" + +# # +# Define > IPThreat.net Lists +# # + +ipt_url="https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-90.txt" +ipt_file="_ipb.txt" + +# # +# Define > General +# # + NOW=`date -u` lines_static=0 lines_dynamic=0 +lines_ipt=0 -echo -e "⭐ Starting" +# # +# Output > Header +# # + +echo -e +echo -e " ──────────────────────────────────────────────────────────────────────────────────────────────" +echo -e " csf.deny Blacklist Generation" +echo -e " ──────────────────────────────────────────────────────────────────────────────────────────────" + +echo -e +echo -e " ⭐ Starting" # # # Func > Download List @@ -36,23 +66,27 @@ download_list() local url=$1 local file=$2 + echo -e " 🌎 Downloading IP blacklist to ${file}" + curl ${url} -o ${file} >/dev/null 2>&1 - sed -i '/^#/d' ${file} - sed -i 's/$/\t\t\t\#\ do\ not\ delete/' ${file} - lines_dynamic=$(wc -l < ${file}) + sed -i '/^#/d' ${file} # remove lines starting with `#` + sed -i 's/$/\t\t\t\#\ do\ not\ delete/' ${file} # add csf `# do not delete` to end of each line + lines_dynamic=$(wc -l < ${file}) # count ip lines - echo -e "Dynamic Count: ${lines_dynamic}" +# # +# Header > Dynamic List +# # ed -s ${file} < Modify +# # + +curl ${ipt_url} -o ${ipt_file} >/dev/null 2>&1 +sed -i 's/\ #.*//' ${ipt_file} # remove comments at end +sed -i 's/\-.*//' ${ipt_file} # remove hyphens for ip ranges +sed -i '/^#/d' ${ipt_file} # remove lines starting with `#` +sed -i 's/$/\t\t\t\#\ do\ not\ delete/' ${ipt_file} # add csf `# do not delete` to end of each line + +lines_ipt=$(wc -l < ${ipt_file}) # count ip lines + +# # +# IPThreat > Add Header +# # + +ed -s ${s100_90d_file} < Save list to csf.deny +# # + +cat ${ipt_file} >> ${s100_90d_file} + +# # +# Static > Add Header +# # + +ed -s ${s100_90d_file} <> ${s100_90d_file} + count=$(grep -c "^[0-9]" ${file} | wc -l < ${file}) # count lines starting with number, print line count + lines_static=`expr $lines_static + $count` # add line count from each file together done fi # # -# Static > Get IP Count +# Header > Add Counts # # -lines_static=$(grep -c "^[0-9]" ${file} | wc -l < ${file}) -echo -e "Static Count: ${lines_static}" +lines=`expr $lines_static + $lines_dynamic + $lines_ipt` +sed -i -e "s/{COUNT_TOTAL}/$lines/g" ${s100_90d_file} +sed -i -e "s/{COUNT_IPT}/$lines_ipt/g" ${s100_90d_file} +sed -i -e "s/{COUNT_STATIC}/$lines_static/g" ${s100_90d_file} # # -# Set header line count +# Output # # -lines=`expr $lines_static + $lines_dynamic` -sed -i -e "s/{COUNT}/$lines/g" ${s100_90d_file} +echo -e +echo -e " ──────────────────────────────────────────────────────────────────────────────────────────────" +printf "%-25s | %-30s\n" " #️⃣ Dynamic" "${lines_dynamic}" +printf "%-25s | %-30s\n" " #️⃣ IPThreat" "${lines_ipt}" +printf "%-25s | %-30s\n" " #️⃣ Static" "${lines_static}" +echo -e \ No newline at end of file diff --git a/README.md b/README.md index 7e7e366c4..8e9ec764d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@
-
New dark theme, and support for Docker, Traefik, and OpenVPN servers
+
New dark theme, support for Docker, Traefik, and OpenVPN servers. Includes a "bad actor" blocklist.

♾️ ConfigServer Firewall ♾️


@@ -8,6 +8,10 @@ ConfigServer Security & Firewall (CSF) is a popular and powerful firewall solution for Linux servers. This repo contains complete installation guides, a new dark theme, and also numerous patches for `Docker` and `OpenVPN` firewall support so that you can allow traffic between these services without interruption. +
+ +We also host a `csf.deny` blocklist which is updated daily and contains a list of bad actor IP addresses which are widely known for port sniffing, SSH bruteforce attempts, etc. You can apply this file to `/etc/csf/csf.deny` and block these IP addresses from accessing your server. Powered by services such as [AbuseIPDB](https://abuseipdb.com/) and [IPThreat](https://ipthreat.net/). +