├── README.md ├── TOR_bulk_exit.sh ├── anonymous_proxy.sh ├── project_honeypot.sh └── waf_red.sh /README.md: -------------------------------------------------------------------------------- 1 | # Reputation IP 2 | set of bash scripts that download list of IP address with a bad reputation, from public database/website like: 3 | - MaxMind GeoIP Anonymous Proxies 4 | - Tor Exit Nodes 5 | - Project Honey Pot Directory of Dictionary Attacker IPs 6 | - WAF.Red API [https://waf.red](https://waf.red) 7 | - more repo coming soon... 8 | 9 | very useful for integrate into regular expression or blacklist. It can escape dot (`\.`) and you can sepcify the field separator between each ip (`-s "|"`). The output can be a **list** (one ip per line) or **csv** (with a comma as default separator). 10 | 11 | ## Scripts and descriptions 12 | 13 | Script | Description 14 | ------ | ------------ 15 | anonymous_proxy.sh | MaxMind GeoIP Anonymous Proxies 16 | TOR_bulk_exit.sh | Tor Exit Nodes 17 | project_honeypot.sh | Project Honey Pot Directory of Dictionary Attacker IPs 18 | waf_red.sh | WAF.Red API User Black-list 19 | 20 | ## Real Life usage example 21 | 22 | #### Drop all Dictionary Attacker IPs from Project Honey Pot Directory: 23 | ```sh 24 | ./project_honeypot.sh -o list | egrep '[0-9\.]+' | awk '{ print "iptables -A INPUT -s " $1 " -j DROP" }' 25 | ``` 26 | ```sh 27 | iptables -A INPUT -s 85.16.128.242 -j DROP 28 | iptables -A INPUT -s 95.130.11.147 -j DROP 29 | iptables -A INPUT -s 162.248.9.218 -j DROP 30 | iptables -A INPUT -s 95.130.11.178 -j DROP 31 | iptables -A INPUT -s 159.253.1.177 -j DROP 32 | # etc ... 33 | ``` 34 | 35 | #### Find Dictionary Attacker IPs in Nginx access logs 36 | ```sh 37 | cat /usr/local/nginx/logs/access.log | egrep '(`./project_honeypot.sh -o csv -e -s "|"`)' 38 | ``` 39 | ```sh 40 | 85.16.128.242 - - [26/Nov/2015:12:59:14 +0100] "GET / HTTP/1.0" 200 2461 "-" 41 | 95.130.11.147 - - [30/Nov/2015:18:32:09 +0100] "GET / HTTP/1.0" 200 2461 "-" 42 | 159.253.1.177 - - [01/Dec/2015:01:14:41 +0100] "GET / HTTP/1.0" 200 2461 "-" 43 | # etc ... 44 | ``` 45 | 46 | #### List all blocked IP Address from your WAF.Red account 47 | Get your WAF.Red black-list using WAF.Red API, more info at [https://waf.red](https://waf.red) 48 | ```sh 49 | ./waf_red.sh -o list -u demo@waf.red -p demo 50 | 1.2.3.4 51 | 1.2.3.5 52 | 1.2.3.6 53 | ``` 54 | CSV output regex 55 | ```sh 56 | ./waf_red.sh -o csv -e -u demo@waf.red -p demo 57 | 1\.2\.3\.4,1\.2\.3\.5,1\.2\.3\.6 58 | ``` 59 | 60 | ## Syntax 61 | 62 | ### anonymous_proxy.sh 63 | Download from maxmind.com a list of 250 Open Proxy. From https://www.maxmind.com/en/proxy-detection-sample-list 64 | "most used IP addresses in the minFraud network that have been identified by the Proxy Detection service as higher risk." 65 | ``` 66 | # ./anonymous_proxy.sh -h 67 | + 68 | Usage ./anonymous_proxy.sh [options] 69 | + 70 | -h this help 71 | -s Separator char between each IP 72 | -e Escape dot for use in regex (ex: 127\.0\.0\.1) 73 | -o Output format (list or csv). 74 | for 'csv' you can specify a separator with -s 75 | default: csv 76 | + 77 | ``` 78 | #### Example anonymous_proxy.sh 79 | ```sh 80 | # ./anonymous_proxy.sh -o list -e | more 81 | 5\.9\.36\.66 82 | 5\.9\.158\.75 83 | 5\.28\.62\.85 84 | 5\.39\.79\.8 85 | 5\.79\.68\.161 86 | 5\.79\.74\.233 87 | 5\.135\.66\.213 88 | 5\.135\.143\.104 89 | 5\.135\.158\.101 90 | # etc... 91 | ``` 92 | 93 | ``` 94 | # ./anonymous_proxy.sh -o csv -s "|" 95 | 5.9.36.66|5.9.158.75|5.28.62.85|5.39.79.8|5.79.68.161|5.79.74.233|5.135.66.213|5.135.143.104.... 96 | ``` 97 | 98 | ### Others scripts 99 | all scripts have the same syntax. 100 | 101 | # Contact 102 | ``` 103 | Andrea (aka theMiddle) Menin 104 | themiddle@waf.red 105 | https://waf.red 106 | ``` 107 | -------------------------------------------------------------------------------- /TOR_bulk_exit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | bingrep=$(which grep); 4 | binegrep=$(which egrep); 5 | bintr=$(which tr); 6 | binwc=$(which wc); 7 | bincurl=$(which curl); 8 | binsed=$(which sed); 9 | binawk=$(which awk); 10 | 11 | SEPARATOR=","; 12 | ESCAPEDOT=0; 13 | OUTPUTFOR="csv"; 14 | while getopts :hes:o: OPTION; do 15 | case $OPTION in 16 | h) 17 | echo "+" 18 | echo " Usage ${0} [options]" 19 | echo "+" 20 | echo "-h this help" 21 | echo "-s Separator char between each IP" 22 | echo "-e Escape dot for use in regex (ex: 127\.0\.0\.1)" 23 | echo "-o Output format (list or csv)." 24 | echo " for 'csv' you can specify a separator with -s" 25 | echo " default: csv" 26 | echo "+" 27 | 28 | exit; 29 | ;; 30 | s) 31 | SEPARATOR=$OPTARG; 32 | ;; 33 | o) 34 | OUTPUTFOR=$OPTARG; 35 | ;; 36 | e) 37 | ESCAPEDOT=1; 38 | ;; 39 | esac 40 | done 41 | 42 | if [ $ESCAPEDOT -eq 1 ]; then 43 | ESCAPECDM="s/\\./\\\\./g"; 44 | else 45 | ESCAPECDM="s/\\./\\./g"; 46 | fi 47 | 48 | if [ "${OUTPUTFOR}" == "csv" ]; then 49 | PROXYLIST=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -s "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" | $binegrep '^[0-9]+\.' | $bintr "\n" "${SEPARATOR}" | $binsed -e ${ESCAPECDM} | $binawk '{print substr($0, 0, length($0)) }') 50 | fi 51 | 52 | if [ "${OUTPUTFOR}" == "list" ]; then 53 | PROXYLIST=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -s "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" | $binegrep '^[0-9]+\.' | $binawk '{print($1"\\n");}' | $binsed -e ${ESCAPECDM}) 54 | fi 55 | 56 | echo -e ${PROXYLIST}; 57 | -------------------------------------------------------------------------------- /anonymous_proxy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | bingrep=$(which grep); 4 | binwc=$(which wc); 5 | bincurl=$(which curl); 6 | binsed=$(which sed); 7 | binawk=$(which awk); 8 | 9 | SEPARATOR=","; 10 | ESCAPEDOT=0; 11 | OUTPUTFOR="csv"; 12 | while getopts :hes:o: OPTION; do 13 | case $OPTION in 14 | h) 15 | echo "+" 16 | echo " Usage ${0} [options]" 17 | echo "+" 18 | echo "-h this help" 19 | echo "-s Separator char between each IP" 20 | echo "-e Escape dot for use in regex (ex: 127\.0\.0\.1)" 21 | echo "-o Output format (list or csv)." 22 | echo " for 'csv' you can specify a separator with -s" 23 | echo " default: csv" 24 | echo "+" 25 | 26 | exit; 27 | ;; 28 | s) 29 | SEPARATOR=$OPTARG; 30 | ;; 31 | o) 32 | OUTPUTFOR=$OPTARG; 33 | ;; 34 | e) 35 | ESCAPEDOT=1; 36 | ;; 37 | esac 38 | done 39 | 40 | if [ $ESCAPEDOT -eq 1 ]; then 41 | ESCAPECDM="s/\\./\\\\./g"; 42 | else 43 | ESCAPECDM="s/\\./\\./g"; 44 | fi 45 | 46 | if [ "${OUTPUTFOR}" == "csv" ]; then 47 | PROXYLIST=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -s "https://www.maxmind.com/en/proxy-detection-sample-list" | $bingrep 'proxy-detection-sample' | while read line; do if [[ "$line" =~ \>([0-9\.]+)\<.a ]]; then echo ${BASH_REMATCH[1]}; fi done | tr "\n" "${SEPARATOR}" | $binsed -e ${ESCAPECDM} | $binawk '{print substr($0, 0, length($0)) }') 48 | fi 49 | 50 | if [ "${OUTPUTFOR}" == "list" ]; then 51 | PROXYLIST=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -s "https://www.maxmind.com/en/proxy-detection-sample-list" | $bingrep 'proxy-detection-sample' | while read line; do if [[ "$line" =~ \>([0-9\.]+)\<.a ]]; then echo -n "${BASH_REMATCH[1]}\\n"; fi done | $binsed -e ${ESCAPECDM}) 52 | fi 53 | 54 | echo -e ${PROXYLIST}; 55 | -------------------------------------------------------------------------------- /project_honeypot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | bingrep=$(which grep); 4 | binwc=$(which wc); 5 | bincurl=$(which curl); 6 | binsed=$(which sed); 7 | binawk=$(which awk); 8 | 9 | SEPARATOR=","; 10 | ESCAPEDOT=0; 11 | OUTPUTFOR="csv"; 12 | while getopts :hes:o: OPTION; do 13 | case $OPTION in 14 | h) 15 | echo "+" 16 | echo " Usage ${0} [options]" 17 | echo "+" 18 | echo "-h this help" 19 | echo "-s Separator char between each IP" 20 | echo "-e Escape dot for use in regex (ex: 127\.0\.0\.1)" 21 | echo "-o Output format (list or csv)." 22 | echo " for 'csv' you can specify a separator with -s" 23 | echo " default: csv" 24 | echo "+" 25 | 26 | exit; 27 | ;; 28 | s) 29 | SEPARATOR=$OPTARG; 30 | ;; 31 | o) 32 | OUTPUTFOR=$OPTARG; 33 | ;; 34 | e) 35 | ESCAPEDOT=1; 36 | ;; 37 | esac 38 | done 39 | 40 | if [ $ESCAPEDOT -eq 1 ]; then 41 | ESCAPECDM="s/\\./\\\\./g"; 42 | else 43 | ESCAPECDM="s/\\./\\./g"; 44 | fi 45 | 46 | if [ "${OUTPUTFOR}" == "csv" ]; then 47 | PROXYLIST=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -s "http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" | $bingrep '\([0-9\.]+) ]]; then echo ${BASH_REMATCH[1]}; fi done | tr "\n" "${SEPARATOR}" | $binsed -e ${ESCAPECDM} | $binawk '{print substr($0, 0, length($0)) }') 48 | fi 49 | 50 | if [ "${OUTPUTFOR}" == "list" ]; then 51 | # curl -s "http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" | egrep 'title.[0-9\.]+' 52 | PROXYLIST=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -s "http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" | $bingrep '\([0-9\.]+) ]]; then echo -n "${BASH_REMATCH[1]}\\n"; fi done | $binsed -e ${ESCAPECDM}) 53 | fi 54 | 55 | echo -e ${PROXYLIST}; 56 | -------------------------------------------------------------------------------- /waf_red.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | bingrep=$(which grep); 4 | binwc=$(which wc); 5 | bincurl=$(which curl); 6 | binsed=$(which sed); 7 | binawk=$(which awk); 8 | 9 | SEPARATOR=","; 10 | ESCAPEDOT=0; 11 | OUTPUTFOR="csv"; 12 | while getopts :hes:o:u:p: OPTION; do 13 | case $OPTION in 14 | h) 15 | echo "+" 16 | echo " Usage ${0} [options]" 17 | echo "+" 18 | echo "-h this help" 19 | echo "-s Separator char between each IP" 20 | echo "-e Escape dot for use in regex (ex: 127\.0\.0\.1)" 21 | echo "-o Output format (list or csv)." 22 | echo "-u WAF.Red Username" 23 | echo "-p WAF.Red Password" 24 | echo " for 'csv' you can specify a separator with -s" 25 | echo " default: csv" 26 | echo "+" 27 | 28 | exit; 29 | ;; 30 | s) 31 | SEPARATOR=$OPTARG; 32 | ;; 33 | o) 34 | OUTPUTFOR=$OPTARG; 35 | ;; 36 | u) 37 | USERNAME=$OPTARG; 38 | ;; 39 | p) 40 | PASSWORD=$OPTARG; 41 | ;; 42 | e) 43 | ESCAPEDOT=1; 44 | ;; 45 | esac 46 | done 47 | 48 | if [ -z $USERNAME ]; then 49 | echo "Error: set WAF.Red username with -u"; 50 | exit 0; 51 | fi 52 | 53 | if [ -z $PASSWORD ]; then 54 | echo "Error: set WAF.Red password with -p"; 55 | exit 0; 56 | fi 57 | 58 | if [ $ESCAPEDOT -eq 1 ]; then 59 | ESCAPECDM="s/\\./\\\\./g"; 60 | else 61 | ESCAPECDM="s/\\./\\./g"; 62 | fi 63 | 64 | if [ "${OUTPUTFOR}" == "csv" ]; then 65 | WAFRED=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -u "${USERNAME}:${PASSWORD}" -s "https://node1.waf.red/api/scream48.com/blacklist/list" | while read line; do if [[ "$line" =~ ([0-9\.]+) ]]; then echo ${BASH_REMATCH[1]}; fi done | tr "\n" "${SEPARATOR}" | $binsed -e ${ESCAPECDM} | $binawk '{print substr($0, 0, length($0)) }') 66 | fi 67 | 68 | if [ "${OUTPUTFOR}" == "list" ]; then 69 | WAFRED=$($bincurl -A "Mozilla/5.0 (compatible; theMiddleBlue/1.0; +https://github.com/theMiddleBlue)" -u "${USERNAME}:${PASSWORD}" -s "https://node1.waf.red/api/scream48.com/blacklist/list" | while read line; do if [[ "$line" =~ ([0-9\.]+) ]]; then echo -n "${BASH_REMATCH[1]}\\n"; fi done | $binsed -e ${ESCAPECDM}) 70 | fi 71 | 72 | echo -e ${WAFRED}; 73 | --------------------------------------------------------------------------------