├── example-whitelist.txt
├── README.md
└── blacklists.sh

/example-whitelist.txt:
--------------------------------------------------------------------------------
#
# Public DNS servers from your /etc/resolv.conf
8.8.8.8 # Google public DNS
8.8.4.4
209.244.0.3 # Level3 public DNS
209.244.0.4
208.67.222.222 # OpenDNS public DNS
208.67.220.220
#
# Primary/secondary DNS providers that manage your domains.
#
173.244.206.26 # a.transfer.buddyns.com
88.198.106.11 # b.transfer.buddyns.com, c.ns.buddyns.com. Europe, Germany
209.177.145.51 # d.ns.buddyns.com USA, New York
213.183.56.98 # e.ns.buddyns.com Moscow, Russia
199.167.17.21 # g.ns.buddyns.com Canada, Vancouver
119.252.20.56 # h.ns.buddyns.com Australia, Adelaide
103.6.87.125 # f.ns.buddyns.com Asia, India
173.244.206.25 # b.ns.buddyns.com USA, Arizona
#
64.68.192.210 # dns1.easydns.com
72.52.2.1 # dns2.easydns.com
64.68.195.10 # dns3.easydns.com
#
# Root DNS servers.
# dnscache root DNS servers, for if you run a DNS cache.
#
198.41.0.4
192.228.79.201
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
192.58.128.30
193.0.14.129
199.7.83.42
202.12.27.33
#
# beyondsecurity.com scan
#
67.207.202.9
54.235.163.229
54.215.13.26
#
# automatic - jetpack
# -- not sure how to deal with whitelisting port ranges yet.
#192.0.80.0/20
#209.15.20.0/22
#192.0.64.0/18
#66.155.0.0/17
192.0.84.33
192.0.84.35
192.0.80.167
192.0.81.17
192.0.81.57
209.15.21.80
209.15.21.85
209.15.21.87
209.15.21.96
209.15.21.104
209.15.21.122
209.15.21.131
209.15.21.137
#
# Apple FaceTime and IM
#
17.173.254.222
17.173.254.223

#
# Add your own servers and their associated routers.
#

#
# Add your work/home PC IPs here
#
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
iptables-ipset-blacklists
=========================

There are lots of tools and services that do a good job of identifying abusers, spammers and
hackers, and they publish the offending IPs as blacklists. Blocking those IPs from reaching
your websites and servers goes a long way toward protecting them and keeps a lot of useless
traffic out of your logs. It also cuts the noise so that your snort, ossec, logwatcher,
mod-security, psad etc. tools can do the real work of finding legitimate, targeted attacks
on your servers.

NOTE: Some hosting companies will shut down your VPS if you use more than .9 load.
So we recommend using **cpulimit** to invoke blacklists.sh:

`cpulimit -l 20 /usr/local/bin/blacklists.sh`

## Requires

- iptables
- ipset

## Installation

- set up your personal whitelist and blacklist (optional)
  - /var/lib/blacklists/{whitelist.txt,blacklist.txt}
- run _sudo blacklists.sh_
- set up your _/etc/crontab_

~~~
@reboot root /usr/local/bin/blacklists.sh
@daily root /usr/local/bin/blacklists.sh
~~~

- NOTE: If your hosting provider is Ramnode, your terms of service prevent you from using all
  your available CPU load, so use cpulimit to restrict CPU usage to 20%.

~~~
@reboot root cpulimit -z -l 20 /usr/local/bin/blacklists.sh
@daily root cpulimit -z -l 20 /usr/local/bin/blacklists.sh
~~~

- set up logging

_/etc/logrotate.d/blacklist_
~~~
/var/log/blacklists.log
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog reload >/dev/null 2>&1 || true
    endscript
}
~~~

_/etc/rsyslog.d/30-blacklist.conf_
~~~
# Send the kernel-generated "[BL " firewall log messages to their own file
:msg,contains,"[BL " /var/log/blacklists.log
& ~
~~~

## Features

- loads known authoritative blacklists and lets you add/configure others easily
- lets you create your own blacklist of IPs and net ranges.
- lets you create a whitelist and notifies you if one of your whitelisted IPs
  turns up in a blacklist, so you don't block legitimate traffic.
- supports network-range blacklists as well as IP-based blacklists.
- automatically adds a dedicated/separate iptables chain for blacklisting (tested on Ubuntu/CentOS).
  It sets up the firewall rules for you.
- logs access to customer-facing ports such as http/https/domain, with rate limiting, so you can
  go back and check your logs in case you are blocking real users/customers. All other
  ports are blocked without logging.
- keeps a cache of downloaded blacklists, so each blacklist is downloaded only once in a 24 hour period.
  This prevents blacklist providers banning your IP for downloading too often.
- uses a temporary ipset when loading updated blacklists, so you stay protected
  while a blacklist update is in progress.
- after a reboot the cached ipsets are loaded, so you are protected faster after an outage and are not left exposed until the blacklists are re-imported.

## Example syslog messages

- everything is logged to syslog, so your monitoring can pick up issues.

~~~
Jan 14 14:51:32 serverx [/usr/local/bin/blacklists.sh]: ftmon.org blacklist script started
Jan 14 14:52:17 serverx [/usr/local/bin/blacklists.sh]: ERROR Your whitelist IP 54.235.163.229 has been blacklisted in lists-blocklist-de-all
Jan 14 14:57:47 serverx [/usr/local/bin/blacklists.sh]: ERROR Your whitelist IP 67.207.202.9 has been blacklisted in infiltrated.net
Jan 14 15:02:03 serverx [/usr/local/bin/blacklists.sh]: bad_ips: current=53435 previous=53435 bad_nets: previous=1535 current=1535
Jan 14 15:02:03 serverx [/usr/local/bin/blacklists.sh]: ftmon.org blacklist script completed
~~~

### Example email message

- optional feature: be emailed if there are issues.

~~~
From: root
Date: Wed, Jan 1, 2015 at 3:09 PM
Subject: [/usr/local/bin/blacklists.sh] sever.org
To: root


bad_ips: current=29294 previous=57196 bad_nets: previous=1536 current=1536

ERROR Your whitelist IP 192.0.81.17 has been blacklisted in lists-blocklist-de-all
ERROR Your whitelist IP 192.0.81.57 has been blacklisted in lists-blocklist-de-all
ERROR Your whitelist IP 67.207.202.9 has been blacklisted in infiltrated.net
~~~


### Firewall audit log of production ports

- only ports such as DNS, HTTP and HTTPS are logged, so you can
  go back and audit in case legitimate traffic is being blocked.

_/var/log/blacklists.log_
~~~
Jan 1 19:24:42 server kernel: [541334.229673] [BL DROP] IN=eth0 OUT= MAC=d4:be:d9:a1:62:06:78:da:6e:25:cc:00:08:00 SRC=124.232.142.220 DST=x.x.x.x LEN=58 TOS=0x00 PREC=0x00 TTL=234 ID=54321 PROTO=UDP SPT=47479 DPT=53 LEN=38
~~~

### Firewall rules created

- this is the iptables chain that is created automatically from `TCP_PORTS="53,80,443"`
  and `UDP_PORTS="53"`
- production ports are rejected, not dropped, so as not to "stir up" hackers.
- logging on production ports is also rate limited.

~~~
iptables -L ftmon-blacklists
Chain ftmon-blacklists (2 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             multiport dports http,https limit: avg 5/min burst 5 LOG level warning prefix "[BL DROP] "
LOG        udp  --  anywhere             anywhere             multiport dports domain limit: avg 5/min burst 5 LOG level warning prefix "[BL DROP] "
REJECT     tcp  --  anywhere             anywhere             state NEW multiport dports http,https reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             state NEW multiport dports domain reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere             state NEW
~~~

## References and other blacklist scripts

[blacklist script](http://sysadminnotebook.blogspot.com.au/2013_07_01_archive.html)

[ipset-blacklist](https://github.com/trick77/ipset-blacklist/)

[ipsets](http://kirkkosinski.com/2013/11/mass-blocking-evil-ip-addresses-iptables-ip-sets/)
--------------------------------------------------------------------------------

/blacklists.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#---------------------------------------------------------------------------
# @(#)$Id$
#title       :blacklists.sh
#description :Uses iptables and ipset to block IPs found in known blacklists.
#author      :Danny W Sheehan
#date        :July 2014
#website     :www.ftmon.org www.setuptips.com
#---------------------------------------------------------------------------

#
# Where we keep all the blacklists.
BL_DIR="/var/lib/blacklists"
mkdir -p "$BL_DIR"

# Some hosting services such as RamNode will ban you for using > 90% of the cpu!!!
# So we recommend installing cpulimit and limiting to 20% of cpu usage when
# calling this script.
#
## cpulimit -z -l 20 /usr/local/bin/blacklists.sh
# cpulimit doesn't like scripts writing to stdout/stderr, so we redirect them
# to an output file.
#
exec > "$BL_DIR/blacklists.out" 2>&1

SCRIPT_NAME=$0
HOST_NAME=$(uname -n)

# default syslog message priority and tag.
LOG_PRI="local0.notice"
LOG_TAG="[$SCRIPT_NAME]"

# Set to empty string if you don't want error emails. Otherwise, set to an admin email.
MAIL_ADMIN="root"

# Logging is enabled for the following ports so that we can do later audit checks
# in case we are dropping legitimate traffic.
TCP_PORTS="53,80,443"
UDP_PORTS="53"

# If PSAD is installed then block attackers with Danger Level $DL and above
# each time the blacklists are reloaded.
DL=3

# Retrieve a new copy of a blacklist only when the cached one is older than BL_AGE
BL_AGE="23 hours ago"

#---------------------------------------------------------------------------

# logmessage
# - writes a message to syslog (and, via -s, to our output file).
logmessage () {
  MSG="$1"
  logger -s -p "$LOG_PRI" -t "$LOG_TAG" "$MSG"
}

# goodinbadnets
# - returns the whitelisted IPs that fall inside a blacklisted net.
goodinbadnets () {
  myips=""
  for good in $(ipset list good_ips | grep -E "^[1-9]")
  do
    myip=$(ipset test bad_nets_n "$good" 2>&1 | grep "is in" | awk '{print $1}')
    if [ -n "$myip" ]; then
      myips="$myips $myip"
    fi
  done
  echo $myips
}

# blacklistit
# - adds the given IP or net to bad_ips_n or bad_nets_n respectively.
# - also checks whether the entry blacklists one of your whitelisted IPs, and
#   if so removes it from the blacklist again and warns you.
blacklistit () {
  IP=$1
  LISTNAME=$2
  if echo "$IP" | grep -Eq "/[0-9]+"; then
    ipset add bad_nets_n "$IP" -exist
    badip=$(goodinbadnets)
    if [ -n "$badip" ]; then
      error_msg="ERROR Your whitelist IP $badip has been blacklisted in $LISTNAME"
      logmessage "$error_msg"
      ERROR_MSGS="$ERROR_MSGS\n$error_msg"
      ipset del bad_nets_n "$IP"
    fi

  else
    if ipset test good_ips "$IP" 2> /dev/null; then
      error_msg="ERROR Your whitelist IP $IP has been blacklisted in $LISTNAME"
      logmessage "$error_msg"
      ERROR_MSGS="$ERROR_MSGS\n$error_msg"
    else
      ipset add bad_ips_n "$IP" -exist
    fi
  fi
}

# loadblacklist
# - loads a standard-format blacklist from a website, labels cache files with
loadblacklist () {
  BL_NAME=$1
  BL_URL=$2

  BL_FILE="$BL_DIR/$BL_NAME.txt"
  if [ ! -f "$BL_FILE" ] || [ "$(date +%s -r "$BL_FILE")" -lt "$(date +%s --date="$BL_AGE")" ]; then
    echo "-- getting fresh $BL_NAME from $BL_URL"
    # download to a temporary file so that a failed fetch does not leave an
    # empty cache file behind that would then be trusted for the next BL_AGE.
    if wget -q -t 2 --output-document="$BL_FILE.tmp" "$BL_URL"; then
      mv "$BL_FILE.tmp" "$BL_FILE"
    else
      echo "-- download of $BL_NAME failed, keeping the cached copy if there is one"
      rm -f "$BL_FILE.tmp"
    fi
  fi

  if [ -f "$BL_FILE" ]; then
    echo "-- loading $BL_NAME from $BL_FILE"

    # strip comments - mac addresses and ipv6 not supported yet, so drop anything containing ':'
    awk '{print $1}' "$BL_FILE" | cut -d\; -f1 | cut -d\, -f1 | grep -Ev "^#|^ *$|:" | sed -e "s/[^0-9\.\/]//g" | grep -E "^[0-9]" > "${BL_FILE}.filtered"
    echo "-- loading $BL_NAME - $(wc -l < "${BL_FILE}.filtered") entries"

    for ip in $(cat "${BL_FILE}.filtered"); do
      blacklistit "$ip" "$BL_NAME"
    done
  fi
}

#---------------------------------------------------------------------------
# MAIN
#---------------------------------------------------------------------------

# concatenated list of all error messages
ERROR_MSGS=""


if ! which ipset > /dev/null 2>&1; then
  echo "ERROR: You must install 'ipset'"
  exit 1
fi


logmessage "ftmon.org blacklist script started"


# Create temporary swap ipsets
ipset create bad_ips_n hash:ip hashsize 4096 maxelem 262144 2> /dev/null
ipset flush bad_ips_n

ipset create bad_nets_n hash:net hashsize 4096 maxelem 262144 2> /dev/null
ipset flush bad_nets_n

#
# Set up the active ipsets if they don't yet exist.
# Load them from the last saved sets to speed up load times after a reboot
# and restore protection faster.
#
if ! ipset list bad_ips > /dev/null 2>&1
then
  echo "-- creating bad_ips ipset as it does not exist."
  ipset create bad_ips hash:ip hashsize 4096 maxelem 262144
  if [ -f "$BL_DIR/bad_ips.sav" ]; then
    echo "-- importing from save file $BL_DIR/bad_ips.sav"
    grep -v "create" "$BL_DIR/bad_ips.sav" | ipset restore
  fi
fi

if ! ipset list bad_nets > /dev/null 2>&1
then
  echo "-- creating bad_nets ipset as it does not exist."
  ipset create bad_nets hash:net hashsize 4096 maxelem 262144
  if [ -f "$BL_DIR/bad_nets.sav" ]; then
    echo "-- importing from save file $BL_DIR/bad_nets.sav"
    grep -v "create" "$BL_DIR/bad_nets.sav" | ipset restore
  fi
fi

#
# Set up our firewall chain
#
if ! iptables -L ftmon-blacklists -n > /dev/null 2>&1; then

  echo "-- creating iptables rules for first time"
  iptables -N ftmon-blacklists

  iptables -I INPUT \
    -m set --match-set bad_ips src -j ftmon-blacklists

  # insert the smaller set first.
  iptables -I INPUT \
    -m set --match-set bad_nets src -j ftmon-blacklists

  # keep a record of our business traffic ports,
  # so we can check whether we blocked legitimate traffic if need be.
  # DNS and http/https are the most typical legit ports
  iptables -A ftmon-blacklists -p tcp -m multiport --dports "$TCP_PORTS" \
    -m limit --limit 5/min \
    -j LOG --log-prefix "[BL DROP] "
  iptables -A ftmon-blacklists -p udp -m multiport --dports "$UDP_PORTS" \
    -m limit --limit 5/min \
    -j LOG --log-prefix "[BL DROP] "
  iptables -A ftmon-blacklists -m state --state NEW \
    -p tcp -m multiport --dports "$TCP_PORTS" -j REJECT
  iptables -A ftmon-blacklists -m state --state NEW \
    -p udp -m multiport --dports "$UDP_PORTS" -j REJECT
  iptables -A ftmon-blacklists -m state --state NEW -j DROP
fi


# List of IPs to whitelist
if ! ipset list good_ips > /dev/null 2>&1; then
  ipset create good_ips hash:ip
fi

# load a fresh whitelist each time, as the list should be small.
ipset flush good_ips

# load your good IPs (comments stripped, anything that is not an IP/net dropped)
WL_CUSTOM="$BL_DIR/whitelist.txt"
count=0
if [ -f "$WL_CUSTOM" ]; then
  for ip in $(grep -Ev "^#|^ *$" "$WL_CUSTOM" | sed -e "s/#.*$//" -e "s/[^.0-9\/]//g" | grep -E "^[0-9]"); do
    ipset add good_ips "$ip" -exist
    count=$((count+1))
  done
fi
echo "-- loaded $count entries from $WL_CUSTOM"

# load your personal custom blacklist.
BL_CUSTOM="$BL_DIR/blacklist.txt"
count=0
if [ -f "$BL_CUSTOM" ]; then
  for ip in $(grep -Ev "^#|^ *$" "$BL_CUSTOM" | sed -e "s/#.*$//" -e "s/[^.0-9\/]//g" | grep -E "^[0-9]"); do
    blacklistit "$ip" "$BL_CUSTOM"
    count=$((count+1))
  done
fi
echo "-- bad_ips_n now holds $(ipset list bad_ips_n | grep -cE "^[1-9]") entries"
echo "-- loaded $count entries from $BL_CUSTOM"

# If PSAD is installed then use some of its good detection work
# to stop attackers. Assumes each top_attackers line starts with
# "<ip> <danger level>"; only entries with danger level >= $DL are taken.
count=0
if [ -f "/var/log/psad/top_attackers" ]; then
  for ip in $(awk -v dl="$DL" '$2 ~ /^[0-9]+$/ && $2+0 >= dl {print $1}' /var/log/psad/top_attackers); do
    blacklistit "$ip" "psad-top-attackers"
    count=$((count+1))
  done
fi
echo "-- loaded $count entries from /var/log/psad/top_attackers"

#
# Load standard-format blacklists
# Some of them are overzealous; you may want to comment some out.
#
loadblacklist \
  "lists-blocklist-de-all" \
  "http://lists.blocklist.de/lists/all.txt"

loadblacklist \
  "ipsec-pl" \
  "http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt"

loadblacklist \
  "infiltrated.net" \
  "http://www.infiltrated.net/blacklisted"

loadblacklist \
  "openbl-org-base" \
  "http://www.openbl.org/lists/base.txt"

loadblacklist \
  "ci-army-malcious" \
  "http://cinsscore.com/list/ci-badguys.txt"

loadblacklist \
  "autoshun-org" \
  "http://www.autoshun.org/files/shunlist.csv"

loadblacklist \
  "bruteforceblocker" \
  "http://danger.rulez.sk/projects/bruteforceblocker/blist.php"

loadblacklist \
  "torexitnodes" \
  "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"

loadblacklist \
  "spamhaus-org-lasso" \
  "http://www.spamhaus.org/drop/drop.lasso"

loadblacklist \
  "dshield.org-top-10-2" \
  "http://feeds.dshield.org/top10-2.txt"

#
# bot nets
#
# https://palevotracker.abuse.ch/blocklists.php
loadblacklist \
  "palevotracker-abuse-ch" \
  "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist"

# https://spyeyetracker.abuse.ch/blocklist.php
loadblacklist \
  "spyeyetracker-abuse-ch" \
  "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist"

# https://zeustracker.abuse.ch/blocklist.php
loadblacklist \
  "zeustracker-abuse-ch-badips" \
  "https://zeustracker.abuse.ch/blocklist.php?download=badips"


#
# special cases: blacklists in custom formats
#

# Obtain list of bad guys from dshield.org
# https://isc.sans.edu/feeds_doc.html
BL_NAME="dshield.org-top-10-2"
BL_URL="http://feeds.dshield.org/top10-2.txt"

BL_FILE="$BL_DIR/$BL_NAME.txt"
if [ ! -f "$BL_FILE" ] || [ "$(date +%s -r "$BL_FILE")" -lt "$(date +%s --date="$BL_AGE")" ]; then
  echo "-- getting fresh $BL_NAME from $BL_URL"
  if wget -q -t 2 --output-document="$BL_FILE.tmp" "$BL_URL"; then
    mv "$BL_FILE.tmp" "$BL_FILE"
  else
    echo "-- download of $BL_NAME failed, keeping the cached copy if there is one"
    rm -f "$BL_FILE.tmp"
  fi
fi

if [ -f "$BL_FILE" ]; then
  echo "-- loading $BL_NAME from $BL_FILE"
  for ip in $(grep -E "^[1-9]" "$BL_FILE" | cut -f1); do
    blacklistit "$ip" "$BL_NAME"
  done
fi



# swap in the new sets. After the swap bad_ips/bad_nets hold the new entries
# and bad_ips_n/bad_nets_n hold the previous ones.
ipset swap bad_ips_n bad_ips
ipset swap bad_nets_n bad_nets

# show before and after counts.
complete_msg="bad_ips: current=$(ipset list bad_ips | grep -cE '^[1-9]') \
previous=$(ipset list bad_ips_n | grep -cE '^[1-9]') \
bad_nets: previous=$(ipset list bad_nets_n | grep -cE '^[1-9]') \
current=$(ipset list bad_nets | grep -cE '^[1-9]')"

logmessage "$complete_msg"

# only send email if there were problems.
if [ -n "$MAIL_ADMIN" ] && [ -n "$ERROR_MSGS" ]; then
  echo -e "${complete_msg}\n${ERROR_MSGS}" | mail -s "$LOG_TAG $HOST_NAME" "$MAIL_ADMIN"
fi


# save memory by destroying the temporary swap ipsets
ipset destroy bad_ips_n
ipset destroy bad_nets_n


# save our ipsets for quick import on reboot.
ipset save bad_ips > "$BL_DIR/bad_ips.sav"
ipset save bad_nets > "$BL_DIR/bad_nets.sav"

logmessage "ftmon.org blacklist script completed"

--------------------------------------------------------------------------------
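Added example, not part of the project: a POSIX sh pre-flight check that reproduces the feed-normalising filter from loadblacklist with real octet and prefix validation, then reports whitelisted addresses that fall inside blacklisted networks in userland, which is what goodinbadnets does by querying ipset. The feed and whitelist contents are constructed and the function names (ip2int, ip_in_net, normalize_feed, whitelist_conflicts) are mine.

```sh
# Constructed sample feed (not a real blacklist): the formats blacklists.sh
# consumes (comments, autoshun-style CSV, ';' records, a CIDR) plus entries
# that must be rejected (IPv6, an octet over 255, a /33 prefix).
SAMPLE_FEED='# constructed sample, not a real feed
203.0.113.7 # ssh brute force
198.51.100.0/24
203.0.113.9,2015-01-14,scanner
203.0.113.10;bot
2001:db8::1
192.0.2.300
192.0.2.1/33
192.0.2.8'

# Constructed whitelist in the example-whitelist.txt format.
SAMPLE_WHITELIST='# constructed whitelist
198.51.100.42 # monitoring host, inside the sample /24 above
192.0.2.8     # listed verbatim in the sample feed
10.0.0.1'

# ip2int: print a dotted quad as a 32-bit integer; fail on anything malformed
# (trailing dot, wrong field count, non-digits, leading zeros, octets > 255).
ip2int() {
  case $1 in *.) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_net IP NET[/PREFIX]: succeed when IP lies inside NET (no prefix = /32).
# Relies on 64-bit shell arithmetic (bash and dash) so that /0 masks to zero.
ip_in_net() {
  ipn=$(ip2int "$1") || return 2
  case $2 in */*) net=${2%/*}; prefix=${2#*/} ;; *) net=$2; prefix=32 ;; esac
  case $prefix in ''|*[!0-9]*|0?|???*) return 2 ;; esac
  [ "$prefix" -le 32 ] || return 2
  netn=$(ip2int "$net") || return 2
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# normalize_feed: read a raw feed on stdin and emit one validated IPv4 address
# or CIDR per line. The first pipeline is the filter blacklists.sh applies
# (first whitespace field, first ';' or ',' field, comments and IPv6 dropped);
# the loop then rejects entries that merely look numeric. A CIDR is accepted
# when its own base address lies inside it, which also validates the prefix.
normalize_feed() {
  awk '{print $1}' | cut -d';' -f1 | cut -d',' -f1 | grep -Ev '^#|^ *$|:' |
  sed -e 's|[^0-9./]||g' | grep -E '^[0-9]' |
  while IFS= read -r entry; do
    case $entry in
      */*) ip_in_net "${entry%/*}" "$entry" && echo "$entry" ;;
      *)   ip2int "$entry" > /dev/null && echo "$entry" ;;
    esac
  done
}

# whitelist_conflicts WHITELIST BLACKLIST: print "IP ENTRY" for each whitelisted
# address covered by a blacklisted address or network (a whitelisted network is
# skipped, since ip_in_net only takes a single address on the left).
whitelist_conflicts() {
  normalize_feed < "$1" | while IFS= read -r good; do
    normalize_feed < "$2" | while IFS= read -r bad; do
      ip_in_net "$good" "$bad" && echo "$good $bad"
    done
  done
}
```

Run whitelist_conflicts against /var/lib/blacklists/whitelist.txt and each cached feed before the sets are swapped in, so a conflict is reported before it can block traffic.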