
r3ktbot is an automation script that configures Debian-based hosts to download and apply blacklists from reputable sources on the internet. By blocking these major contributors to Internet Background Radiation, web administrators see fewer notifications in their application-layer security logs, which simplifies administration. Navigate to the main site.
Features v0.94:
- AbuseIpDb integration
- Sans top 10k addresses
- Fixed a problem with some blacklists that listed Google DNS and the local loopback address.
Features v0.93:
- Configures iptables and ipsets to both log and block connection attempts from blacklisted IPs.
- Automatic dependency installation.
- Identification tags in log files to determine which blacklists are most effective.
- Easy configuration: add your own sources by adding one line of code.
- Ability to import ipsets from the localhost.
- Tested on Ubuntu 18/20 and Debian 10.
Planned for Future Iterations:
- Configuration via command switches.
- Ability to turn on/off logging.
- Error handling
- Migration to Python and Github.
The Script:
Download the script here
#!/bin/bash
#
# ** r3ktbot v0.94a ** 30/05/2021 "Security Scan" and Anonymity Autoblocker
# A. van Wyk ambro@ambrovanwyk.com 27/04/2021
# 27/04/2021
# Updated 05/11/2023
# abuseIpDb API key goes here.
#apiKey=0000000000000000000000000000000
#
# Enter your sources here:
declare -A sources sources=(
["torExit"]="https://check.torproject.org/exit-addresses"
["palo_alto"]="https://r3ktbot.ncah.co.za/ipset/Palo%20Alto%20Networks"
["censys"]="https://r3ktbot.ncah.co.za/ipset/Censys%20Inc."
["linode"]="https://r3ktbot.ncah.co.za/ipset/Linode%20LLC"
["d_ocean"]="https://r3ktbot.ncah.co.za/ipset/DigitalOcean%20LLC"
["ip_volume"]="https://r3ktbot.ncah.co.za/ipset/IP%20Volume%20Inc"
)
#
#
# Check for root privs
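# Everything below touches ipset, iptables, apt and /etc, so refuse to run
# without root. EUID is a bash builtin, so no whoami fork is needed, and the
# diagnostic goes to stderr like any other error.
if (( EUID != 0 )); then
  printf 'Run command with sudo.\n' >&2
  exit 1
fi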
#
#
# Check and install dependencies
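#######################################
# True when a Debian package is fully installed.
# Arguments: $1 - package name
# Checks dpkg-query's Status field rather than grepping the whole "dpkg -s"
# output for the word "installed", so only an actually installed package
# matches; an unknown package yields no text and a non-zero status.
#######################################
pkg_installed() {
  dpkg-query -W -f='${Status}' "$1" 2> /dev/null | grep -q 'install ok installed'
}

# Check and install dependencies. -y keeps the install non-interactive so the
# script can run unattended (cron, provisioning).
for pkg in ipset iptables-persistent ipset-persistent netfilter-persistent; do
  if pkg_installed "$pkg"; then
    continue
  fi
  apt-get install -y "$pkg"
  # netfilter-persistent is the service that reloads the rules saved at the
  # end of this script; start and enable it right after a fresh install.
  if [[ "$pkg" == netfilter-persistent ]]; then
    systemctl start netfilter-persistent
    systemctl enable netfilter-persistent
  fi
done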
#
#
# An AbuseIPDB key (apiKey, set near the top of the file) enables one more
# source. Its value is left empty on purpose: the URL and the key header are
# assembled in the loop below, not taken from this table.
if [[ -n "$apiKey" ]]; then
  sources+=(["abuseIpDb"]="")
fi
#
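#######################################
# Filter a blacklist on stdin down to one IPv4 address or CIDR per line.
# Drops the RFC 1918 ranges (the whole 172.16/12 block, not only 172.31),
# loopback and 8.8.8.8, which some feeds list by mistake; blocking those
# would cut the host off from its own LAN or resolver. The address regex is
# deliberately loose (it accepts octets above 255); ipset rejects such
# entries when they are applied.
# Outputs: sorted, de-duplicated entries on stdout
#######################################
extract_ips() {
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' \
    | grep -Ev '^(10\.|127\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|8\.8\.8\.8(/|$))' \
    | LC_ALL=C sort -u
}

#######################################
# Add every entry of a staging file to an ipset.
# Arguments: $1 - ipset name; $2 - file with one entry per line
# -exist makes re-adding an entry that is already in the set a no-op instead
# of an error, so a feed with duplicates does not spam the console.
#######################################
load_ipset() {
  local set_name=$1 file=$2 entry
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    [[ -n "$entry" ]] || continue
    ipset add -exist "$set_name" "$entry"
  done < "$file"
}

# Build or refresh one ipset + iptables chain per source.
# Order matters: the set and chain are created first, then the feed is
# fetched into a staging file ("<name>.ipset" in the current working
# directory, so run the script from a directory only root can write to),
# and only a successful fetch flushes and reloads the set. A failed download
# therefore keeps the previous entries instead of leaving the set empty.
for i in "${!sources[@]}"; do
  if ! ipset list "$i" > /dev/null 2>&1; then
    echo "Creating the $i ipset..."
    ipset create "$i" hash:net
  fi

  # "iptables -S <chain>" fails when the chain does not exist; unlike a grep
  # over "iptables -S" it cannot be fooled by a chain whose name merely
  # starts with this one.
  if ! iptables -S "r3ktbot-$i" > /dev/null 2>&1; then
    echo "Setting up iptables for the $i blacklist"
    iptables -N "r3ktbot-$i"
    iptables -I INPUT -m set --match-set "$i" src -j "r3ktbot-$i"
    # Rate-limited LOG, then DROP. The "[r3kt-<name>] " prefix is what the
    # rsyslog rule keys on and is what tells the feeds apart in the log.
    iptables -A "r3ktbot-$i" -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[r3kt-$i] "
    iptables -A "r3ktbot-$i" -j DROP
  fi

  if [[ ${sources[$i]} == http* ]]; then
    echo "Downloading the $i blacklist"
    # -f turns an HTTP error into a non-zero exit instead of an HTML body
    # being fed to the filter; --max-time bounds a stalled feed.
    curl -fsS --max-time 120 "${sources[$i]}" | extract_ips > "$i.ipset"
    fetch_rv=${PIPESTATUS[0]}
  elif [[ ${sources[$i]} == /* ]]; then
    echo "Copying the $i blacklist"
    extract_ips < "${sources[$i]}" > "$i.ipset"
    fetch_rv=$?
  elif [[ $i == abuseIpDb ]]; then
    echo "Downloading the $i blacklist"
    # NOTE(review): the key is passed as a command-line argument and is
    # therefore visible in the process list while curl runs; "-H @file"
    # with a root-only header file would avoid that.
    curl -fsS --max-time 120 -G https://api.abuseipdb.com/api/v2/blacklist \
      -d confidenceMinimum=100 \
      -d limit=9999999 \
      -H "Key: $apiKey" \
      -H "Accept: application/json" \
      | extract_ips > "$i.ipset"
    fetch_rv=${PIPESTATUS[0]}
  else
    printf '\n\n\n --- Syntax error in: %s \n\n\n' "${sources[$i]}" >&2
    continue
  fi

  if (( fetch_rv != 0 )); then
    printf 'Fetching the %s blacklist failed (status %s); keeping the current ipset.\n' "$i" "$fetch_rv" >&2
    continue
  fi

  echo "Flushing the $i ipset..."
  ipset flush "$i"
  echo "Applying..."
  load_ipset "$i" "$i.ipset"
done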
#
#
#
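# Log destination for the LOG target hits. Create it as 0640 syslog:adm so
# the record of dropped source addresses is not world-readable under the
# default umask; the file is only created, never rotated, by this script.
if [[ ! -f /var/log/r3kt.log ]]; then
  echo "Setting up log monitoring..."
  touch /var/log/r3kt.log
  chown syslog:adm /var/log/r3kt.log
  chmod 0640 /var/log/r3kt.log
fi

# Route every message that mentions "r3kt" (the "[r3kt-<set>] " LOG prefix)
# into its own file; the leading "-" on the path disables the sync after
# each write. Written only once, so edit the file by hand to change the
# filter. NOTE(review): without a following "stop" the matched lines
# presumably also reach the default syslog/kern.log files — confirm.
if [[ ! -f /etc/rsyslog.d/15-r3kt.conf ]]; then
  echo ':msg,regex,".*r3kt.*" -/var/log/r3kt.log' > /etc/rsyslog.d/15-r3kt.conf
  systemctl restart rsyslog.service
fi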
#
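# Report and log the size of each staging file left by the fetch step. Reading
# the file through stdin makes wc print the bare count, so no cut is needed,
# and a missing file (e.g. a source that failed before writing it) reports 0
# instead of a wc error and an empty number.
for i in "${!sources[@]}"; do
  if [[ -f "$i.ipset" ]]; then
    n=$(wc -l < "$i.ipset")
  else
    n=0
  fi
  echo "$n $i Entries."
  echo "[$(date)] - $n $i Entries." >> /var/log/r3kt.log
done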
#
#
#
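# Persist the rules so netfilter-persistent restores them at boot. A failed
# save is fatal: continuing would copy and rewrite a rules.v4 that does not
# contain the chains just built.
echo "Applying persistency..."
if ! netfilter-persistent save -sorted > /dev/null; then
  printf 'netfilter-persistent save failed; rules were not persisted.\n' >&2
  exit 1
fi
# Keep a full copy, then strip every line mentioning f2b from the saved set.
# Those are presumably fail2ban's chains, which fail2ban recreates itself on
# start; restoring them from the file would resurrect stale bans and
# duplicate jumps. grep -v exits 1 only when nothing survives the filter.
cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.r3kt
grep -v -- 'f2b' /etc/iptables/rules.v4.r3kt > /etc/iptables/rules.v4
echo "Done"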