├── original_instruction.pdf
├── 51-iptables-rugov.conf
├── README.md
├── install.sh
└── updater.sh

/original_instruction.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/freemedia-tech/iptables-rugov-block/HEAD/original_instruction.pdf
--------------------------------------------------------------------------------

/51-iptables-rugov.conf:
--------------------------------------------------------------------------------
:programname, isequal, "sudo" ~
:msg, contains, "Blocked RUGOV IP attempt:" /var/log/rugov_blacklist/blacklist.log
& ~

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Keep your webserver clean from RKN bots using iptables.

This project uses the blacklist from https://github.com/C24Be/AS_Network_List/blob/main/blacklists/blacklist.txt . The updater downloads that file over HTTPS on every run and turns each entry into a DROP rule without any further verification, so you are trusting the maintainers of that repository: an address added there is blocked on your server at the next daily run.

Pay attention! This script was tested on Ubuntu 22.04 only; other versions and other Linux distributions may need changes.

You can find all the original instructions from the author of this solution here: [original_instruction.pdf](original_instruction.pdf)

## How to use

First, check that you have all necessary packages: `sudo apt-get install iptables-persistent`, and `sudo apt-get install rsyslog` if you want to keep logs. The updater also needs `wget`.
Clone this repo to your server and run `sudo ./install.sh`.
To enable logging of all requests from forbidden IPs run `sudo ./install.sh --log` instead. This requires rsyslogd to be up and running. If you are unsure, install it without logs.
Be aware that the shipped rsyslog snippet starts with a rule that discards every message whose program name is "sudo" before any rule rsyslog processes after it (files in /etc/rsyslog.d are read in name order), so sudo activity will not reach, for example, a log-forwarding rule configured in a later file. Review that line against your audit requirements before using --log.
All the logs are in the file /var/log/rugov_blacklist/blacklist.log . Keep in mind: if your target is interesting to these bots, this log can use a lot of disk space, and no log rotation is configured for it!
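## What it does

- only with --log: installs the rsyslog snippet /etc/rsyslog.d/51-iptables-rugov.conf and pre-creates /var/log/rugov_blacklist/blacklist.log for it
- creates the root-owned directory /var/log/rugov_blacklist/ and copies updater.sh and an empty blacklist.txt there
- runs the update process once
- installs the daily cron job as the symlink /etc/cron.daily/rugov_updater pointing at the updater
- every run downloads the list, adds a DROP rule in the raw PREROUTING chain for each new address, removes the rules of addresses that disappeared from the list, and saves the live rulesets to /etc/iptables/rules.v4 and /etc/iptables/rules.v6

--------------------------------------------------------------------------------

/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# install.sh - set up the RUGOV/RKN iptables blacklist updater.
#
# Usage: sudo ./install.sh [--log]
#   --log   additionally install the rsyslog snippet that writes the kernel
#           LOG messages produced by the updater (prefix "Blocked RUGOV IP
#           attempt: ") to /var/log/rugov_blacklist/blacklist.log.
#
# Files written:
#   /etc/rsyslog.d/51-iptables-rugov.conf   only with --log
#   /var/log/rugov_blacklist/updater.sh     the updater, root-owned
#   /var/log/rugov_blacklist/blacklist.txt  the list currently applied
#   /var/log/rugov_blacklist/blacklist.log  only with --log, for rsyslog
#   /etc/cron.daily/rugov_updater           symlink to the updater
#
# Exit status: 1 for not root / bad argument / rsyslog missing / initial
# update failed, 2 when /etc/iptables (iptables-persistent) is missing.
set -euo pipefail
IFS=$'\n\t'

STATE_DIR=/var/log/rugov_blacklist
UPDATER="$STATE_DIR/updater.sh"
CRON_LINK=/etc/cron.daily/rugov_updater
RSYSLOG_SNIPPET=/etc/rsyslog.d/51-iptables-rugov.conf
readonly STATE_DIR UPDATER CRON_LINK RSYSLOG_SNIPPET

FMTCURID=$(id -u)
FMTDIR=$(dirname "$(readlink -f "$0")")
readonly FMTCURID FMTDIR
FMTDOLOGS=""

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Only --log is accepted; a mistyped flag is an error instead of silently
# installing without logging.
for arg in "$@"; do
  case "$arg" in
    --log) FMTDOLOGS="do" ;;
    *) die "Unknown argument: $arg. Usage: sudo $0 [--log]" ;;
  esac
done

if [[ "$FMTCURID" != "0" ]]; then
  die "The script is intended to run under root"
fi

if [[ ! -d "/etc/iptables/" ]]; then
  echo "The script is intended to be used with iptables. Are you sure all the necessary packages are installed? Run: 'sudo apt-get install iptables-persistent'"
  exit 2
fi

# updater.sh fetches the list with wget; fail now rather than at the first run.
command -v wget >/dev/null 2>&1 || die "updater.sh needs wget. Run: 'sudo apt-get install wget'"

if [[ -n "$FMTDOLOGS" && ! -d "/etc/rsyslog.d/" ]]; then
  die "/etc/rsyslog.d/ not found, are you sure rsyslogd is installed? Run: 'sudo apt-get install rsyslog'"
fi

echo "Installing common files..."
# The updater in this directory is executed by root from cron.daily, so the
# directory itself must be owned by root: a directory owner can rename or
# replace any entry in it regardless of who owns the file. The previous
# layout gave the directory to "nobody", which let anything running as
# nobody swap the script for one of its own. Re-running the installer
# repairs that ownership; a symlinked directory is refused for the same
# reason.
if [[ -L "$STATE_DIR" ]]; then
  die "$STATE_DIR is a symlink, refusing to install into it"
fi
mkdir -p "$STATE_DIR"
chown root:adm "$STATE_DIR"
chmod 0755 "$STATE_DIR"

install -m 0755 -o root -g root "$FMTDIR/updater.sh" "$UPDATER"
# Keep an existing list on re-install; the first run starts from an empty one.
touch "$STATE_DIR/blacklist.txt"
chown root:root "$STATE_DIR/blacklist.txt"
chmod 0644 "$STATE_DIR/blacklist.txt"

if [[ -n "$FMTDOLOGS" ]]; then
  echo "Installing rsyslogd config..."
  # Pre-create the log file so rsyslog only appends to it and never needs
  # write access to the root-owned directory. On Ubuntu rsyslog drops
  # privileges to the syslog user, hence that user owns the file when it
  # exists. NOTE(review): confirm against PrivDropToUser in
  # /etc/rsyslog.conf on your system.
  touch "$STATE_DIR/blacklist.log"
  if id -u syslog >/dev/null 2>&1; then
    chown syslog:adm "$STATE_DIR/blacklist.log"
  else
    chown root:adm "$STATE_DIR/blacklist.log"
  fi
  chmod 0640 "$STATE_DIR/blacklist.log"

  install -m 0644 -o root -g root "$FMTDIR/51-iptables-rugov.conf" "$RSYSLOG_SNIPPET"
  service rsyslog restart
fi

echo "Running initial setup process..."
"$UPDATER" || die "Initial update failed, see $STATE_DIR/blacklist_updater.log"

# run-parts only runs files whose names contain letters, digits, '-' and '_',
# hence no .sh suffix on the link name (see run-parts(8)).
ln -sfn "$UPDATER" "$CRON_LINK"

echo "Installation finished successfully!"
--------------------------------------------------------------------------------

/updater.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# updater.sh - fetch the current RUGOV/RKN address list and reconcile the
# DROP rules in the raw table's PREROUTING chain with it (iptables for IPv4
# entries, ip6tables for entries containing ':').
#
# Runs as root: daily via /etc/cron.daily/rugov_updater, a symlink created by
# install.sh, and once at install time. State in /var/log/rugov_blacklist:
#   blacklist.txt          list applied by this run
#   old_blacklist.txt      list applied by the previous run
#   blacklist_updater.log  one summary line per run plus warnings
#
# The list comes from a third-party repository and is otherwise trusted
# as-is, so the following guards are applied before anything touches the
# firewall:
#   - only IPv4/IPv6 addresses or CIDR prefixes are accepted; blank lines,
#     '#' comments and malformed entries are skipped with a warning;
#   - /0 prefixes are rejected, since a single such line would DROP all
#     inbound traffic;
#   - a download with zero usable entries is treated as a failure and the
#     previously applied list stays in place.
# Only the DROP rule is checked for presence; an entry whose DROP rule
# already exists never gets a LOG rule added later (a LOG rule appended
# behind the DROP would not fire anyway).
#
# Exit status: 1 when not run as root, when the download fails or when the
# new list is unusable; 0 otherwise, including when another run holds the
# lock.
set -euo pipefail
IFS=$'\n\t'
umask 022

STATE_DIR=/var/log/rugov_blacklist
OLD_IP_FILE="$STATE_DIR/old_blacklist.txt"
NEW_IP_FILE="$STATE_DIR/blacklist.txt"
UPDATER_LOG="$STATE_DIR/blacklist_updater.log"
LOCK_FILE="$STATE_DIR/.updater.lock"
LIST_URL="https://github.com/C24Be/AS_Network_List/raw/main/blacklists/blacklist.txt"
RULES_V4=/etc/iptables/rules.v4
RULES_V6=/etc/iptables/rules.v6
# Must stay in sync with the :msg filter in 51-iptables-rugov.conf.
LOG_PREFIX="Blocked RUGOV IP attempt: "
# Address or CIDR; prefix length 1..32 resp. 1..128. Octet ranges are left
# for iptables to reject.
RE_V4='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([1-9]|[12][0-9]|3[0-2]))?$'
RE_V6='^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(/([1-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'
readonly STATE_DIR OLD_IP_FILE NEW_IP_FILE UPDATER_LOG LOCK_FILE LIST_URL \
  RULES_V4 RULES_V6 LOG_PREFIX RE_V4 RE_V6

# LOG rules are only useful when the rsyslog snippet installed by
# "install.sh --log" exists to capture them.
FMT_LOGS=""
if [[ -f "/etc/rsyslog.d/51-iptables-rugov.conf" ]]; then
  FMT_LOGS="do"
fi

timestamp() {
  date +"%Y-%m-%d %H:%M:%S"
}

# log_line MSG: status line to stdout (cron mails it) and to the updater log.
log_line() {
  local msg=$1
  printf '%s\n' "$msg"
  printf '%s - %s\n' "$(timestamp)" "$msg" >> "$UPDATER_LOG"
}

# warn_line MSG: like log_line but on stderr, so helpers whose stdout is
# captured can still warn.
warn_line() {
  local msg=$1
  printf '%s\n' "$msg" >&2
  printf '%s - %s\n' "$(timestamp)" "$msg" >> "$UPDATER_LOG"
}

# is_valid_entry ENTRY: true for an IPv4/IPv6 address or CIDR prefix.
is_valid_entry() {
  [[ $1 =~ $RE_V4 || $1 =~ $RE_V6 ]]
}

# filter_entries FILE: print the usable entries of FILE, one per line.
# Strips CR line endings, whitespace and '#' comments, skips blank lines and
# warns about (then skips) anything that is not an address.
filter_entries() {
  local file=$1 line
  while IFS= read -r line || [[ -n "$line" ]]; do
    line=${line%$'\r'}
    line=${line%%#*}
    line=${line//[[:space:]]/}
    [[ -z "$line" ]] && continue
    if is_valid_entry "$line"; then
      printf '%s\n' "$line"
    else
      warn_line "Ignoring malformed entry in $file: $line"
    fi
  done < "$file"
}

# has_rule CMD ENTRY TARGET [TARGET-OPTS...]: quiet -C check in raw/PREROUTING.
has_rule() {
  local cmd=$1 entry=$2
  shift 2
  "$cmd" -n -t raw -C PREROUTING -s "$entry" -j "$@" >/dev/null 2>&1
}

# add_block CMD ENTRY: append the LOG rule (when logging is on) and the DROP
# rule for ENTRY. Non-zero when either append fails.
add_block() {
  local cmd=$1 entry=$2
  if [[ -n "$FMT_LOGS" ]]; then
    "$cmd" -t raw -A PREROUTING -s "$entry" -j LOG --log-prefix "$LOG_PREFIX" || return 1
  fi
  "$cmd" -t raw -A PREROUTING -s "$entry" -j DROP
}

# remove_block CMD ENTRY: delete whichever of the LOG and DROP rules exist
# for ENTRY; a missing rule is not an error.
remove_block() {
  local cmd=$1 entry=$2
  if has_rule "$cmd" "$entry" LOG --log-prefix "$LOG_PREFIX"; then
    "$cmd" -t raw -D PREROUTING -s "$entry" -j LOG --log-prefix "$LOG_PREFIX" || return 1
  fi
  if has_rule "$cmd" "$entry" DROP; then
    "$cmd" -t raw -D PREROUTING -s "$entry" -j DROP || return 1
  fi
}

# save_rules: persist both live rulesets for iptables-persistent. This writes
# the complete ruleset, not only the rules managed here. Each file is written
# next to its final name and renamed, so an interrupted run never leaves a
# truncated rules file. rules.v6 was previously never written, which lost
# every ip6tables rule on reboot.
save_rules() {
  iptables-save > "$RULES_V4.tmp"
  mv -f -- "$RULES_V4.tmp" "$RULES_V4"
  if command -v ip6tables-save >/dev/null 2>&1; then
    ip6tables-save > "$RULES_V6.tmp"
    mv -f -- "$RULES_V6.tmp" "$RULES_V6"
  fi
}

if [[ "$(id -u)" != "0" ]]; then
  printf '%s\n' "updater.sh must run as root" >&2
  exit 1
fi

# Serialise cron and manual runs; a concurrent run is not an error.
exec 9>"$LOCK_FILE"
if ! flock -n 9; then
  printf '%s\n' "Another updater run is in progress, nothing to do."
  exit 0
fi

# Download to a temp file so the list currently applied is untouched until the
# new one has been validated.
tmp_list=$(mktemp "$STATE_DIR/.blacklist.XXXXXX")
trap 'rm -f -- "$tmp_list" "$RULES_V4.tmp" "$RULES_V6.tmp"' EXIT

if ! wget -nv --https-only --timeout=30 --tries=3 -O "$tmp_list" "$LIST_URL"; then
  log_line "Failed to load new blacklist. Lets leave the old list unchanged."
  exit 1
fi

declare -A new_set=() old_set=()
while IFS= read -r entry; do
  new_set[$entry]=1
done < <(filter_entries "$tmp_list")

if (( ${#new_set[@]} == 0 )); then
  log_line "Downloaded blacklist contains no usable entries. Lets leave the old list unchanged."
  exit 1
fi

# What blacklist.txt currently holds is the list applied by the previous run.
[[ -f "$NEW_IP_FILE" ]] || : > "$NEW_IP_FILE"
while IFS= read -r entry; do
  old_set[$entry]=1
done < <(filter_entries "$NEW_IP_FILE")

mv -f -- "$NEW_IP_FILE" "$OLD_IP_FILE"
mv -f -- "$tmp_list" "$NEW_IP_FILE"
chmod 0644 "$NEW_IP_FILE"

added=0
removed=0
failed=0

# Add rules for entries that do not have a DROP rule yet. A failing iptables
# call is logged and skipped instead of aborting the whole run.
for entry in "${!new_set[@]}"; do
  cmd=iptables
  [[ $entry == *:* ]] && cmd=ip6tables
  if has_rule "$cmd" "$entry" DROP; then
    continue
  fi
  if add_block "$cmd" "$entry"; then
    added=$((added + 1))
  else
    warn_line "Failed to add rules for $entry"
    failed=$((failed + 1))
  fi
done

# Remove rules for entries that were applied last time but are gone now.
# Membership is an exact match on the whole entry, not a substring match.
for entry in "${!old_set[@]}"; do
  [[ -n "${new_set[$entry]-}" ]] && continue
  cmd=iptables
  [[ $entry == *:* ]] && cmd=ip6tables
  if remove_block "$cmd" "$entry"; then
    removed=$((removed + 1))
  else
    warn_line "Failed to remove rules for $entry"
    failed=$((failed + 1))
  fi
done

save_rules

echo "Added addresses to the blacklist: $added"
echo "Addresses removed from the blacklist: $removed"
if (( failed > 0 )); then
  echo "Entries that could not be applied: $failed (see $UPDATER_LOG)"
fi
printf '%s - %s\n' "$(timestamp)" "Added addresses to the blacklist: $added, addresses removed from the blacklist: $removed, failed: $failed" >> "$UPDATER_LOG"
--------------------------------------------------------------------------------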