Friday, September 23, 2016

Got Fail2Ban working? Have a Web Server running? Post a public blocklist for others to use!

So I have fail2ban working, reporting happily to blocklist.de, as documented in this post.

I also happen to have the lighttpd web server running on the same box. The fail2ban-client tool that ships with fail2ban can list every IP address currently banned in a jail, so I wrote a small script that dumps the banned IPs from all my fail2ban jails into a file under the web server's document root. Run from cron, this gives me a free, public blocklist of IP addresses that have actually brute-forced this server. Others can use this list as one of their sources of bad IP addresses to block on their own servers.

Here is the little script:


#!/bin/bash
#
# ------------
# /root/security/dump-fail2ban-blocklist.sh
# Dumps banned IPs into a text file, for use by the web server as a published blocklist
# Includes TOR exit nodes
# See http://supratim-sanyal.blogspot.com/2016/09/got-fail2ban-working-have-web-server.html
#
# License:
# "THE BEER-WARE LICENSE" (Revision 42):
# Supratim Sanyal <https://goo.gl/FqzyBW> wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return.
# ------------
# ++
# Full path to file to create the blocklist
# --
dumpfile=/var/www/lighttpd/blocklist.txt
export TMP=/tmp
export TMPDIR=/tmp
# ++
# Scratch files are created fresh by mktemp (unpredictable names, so a stale or
# planted /tmp file is never appended to) and removed when the script exits
# --
tmpfile=$(mktemp /tmp/f2bd.XXXXXX) || exit 1
torfile=$(mktemp /tmp/torexit.XXXXXX) || exit 1
trap 'rm -f "$tmpfile" "$torfile"' EXIT
/bin/echo "###" >$dumpfile
/bin/echo "# http://$(hostname)/blocklist.txt" >>$dumpfile
/bin/echo "# $(date)" >>$dumpfile
/bin/echo "# FREE IP ADDRESS BLOCKLIST WITH CIDR RANGES FOR YOUR FIREWALL" >>$dumpfile
/bin/echo "# Actual Brute force attacks to this server in last 48 hours" >>$dumpfile
/bin/echo "# And also combined IP addresses from public blocklists from" >>$dumpfile
/bin/echo "# other maintainers." >>$dumpfile
/bin/echo "# License: GNU AGPLv3 http://tuklusan.decsystem.org/agpl-3.0.txt" >>$dumpfile
/bin/echo "###" >>$dumpfile
# ++
# One entry for every jail you have configured on fail2ban
# Use "fail2ban-client -q status" to see a list of configured jails
# Jail list:
# dovecot, pam-generic, postfix, postfix-rbl, postfix-sasl, sendmail-auth, sendmail-reject, sshd, sshd-ddos
# --
jails="dovecot pam-generic postfix postfix-rbl postfix-sasl sendmail-auth sendmail-reject sshd sshd-ddos"
for jail in $jails; do
    # "Banned IP list:" is one space-separated line; strip the label and emit one IP per line.
    # Every jail appends (>>); a single ">" here would silently discard the jails dumped before it.
    /bin/fail2ban-client -q status "$jail" | /bin/grep 'Banned IP list' | /bin/sed 's/.*Banned IP list:[[:space:]]*//' | /bin/tr ' ' '\n' >>$tmpfile
done
# --
# ++
# Dump IP addresses blocked by pfSense at home
# --
#---- grep " filterlog: " /var/log/messages | grep "in,4" | grep "match,block" | cut -d "," -f 19 | sort | uniq | grep -v "^10.42." >>$tmpfile
# ++
# Dump whatever IPs are currently in IPSET lists
# --
ipset --list | egrep "^[0-9]" >>$tmpfile
# ++
# Dump TOR Exit Nodes
# -f: on an HTTP error curl writes nothing, so an error page never ends up in the list
# --
curl -sf -o "$torfile" https://check.torproject.org/exit-addresses
grep ExitAddress "$torfile" | cut -f 2 -d " " >>$tmpfile
# ++
# These tried root login
# --
grep "Failed password for invalid user root from " /var/log/messages | cut -d " " -f 13 | egrep "^[0-9]" >>$tmpfile
/bin/sort -V $tmpfile | /bin/uniq | /bin/grep -v '^$' >>$dumpfile
numips=$(/bin/grep -v '^#' $dumpfile | /bin/wc -l)
/bin/echo "###" >>$dumpfile
/bin/echo "# $numips list entries" >>$dumpfile
/bin/echo "###" >>$dumpfile
# ++
# For security, change ownership of the blocklist to the userid your web server runs under
# --
/bin/chown lighttpd:lighttpd $dumpfile
# --
/bin/chmod a+r $dumpfile
/bin/ls -l $dumpfile
/bin/cat $dumpfile
exit

And here is the cron job file, saved as /etc/cron.d/dump-fail2ban-blocklist:


#/etc/cron.d/dump-fail2ban-blocklist
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
MAILTO=""
HOME=/
# At 7 minutes past every hour, dump the fail2ban blocklist
7 * * * * root /root/security/dump-fail2ban-blocklist.sh >/var/log/dump-fail2ban-blocklist.log 2>&1
Remember: files in the /etc/cron.d directory should not have write permissions set, i.e. the permissions on /etc/cron.d/dump-fail2ban-blocklist should be:

# ls -l /etc/cron.d/dump-fail2ban-blocklist
-r-------- 1 root root 284 Sep 23 17:22 /etc/cron.d/dump-fail2ban-blocklist
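For the consuming side (the "others can use this list" case above), here is an added example that is not part of the original post: it validates each entry of the published format before anything reaches the firewall, drops private, loopback and link-local addresses, and checks the "# N list entries" trailer so a truncated download is rejected. The sample blocklist is constructed, and the ipset set name and the use of ipset swap for an atomic refresh are my assumptions, not from the post.

```shell
# Constructed sample in the published format (header, entries, trailer); some
# lines are deliberately bad to show what a consumer must reject.
SAMPLE_BLOCKLIST='###
# http://example.invalid/blocklist.txt
###
192.0.2.10
192.0.2.10
198.51.100.0/24
10.42.0.7
127.0.0.1
203.0.113.300
not-an-ip
2001:db8::1
###
# 8 list entries
###'

# filter_blocklist: stdin -> stdout. Keep only well-formed IPv4 hosts or
# IPv4/CIDR ranges outside private, loopback and link-local space; dedup.
filter_blocklist() {
  grep -v '^#' | awk -F'/' '
    function valid_ipv4(ip,  o, n, i) {
      n = split(ip, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    NF > 2 || !valid_ipv4($1) { next }
    NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { next }
    $1 ~ /^(10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/ { next }
    { print }' | sort -u
}

# verify_trailer: stdin -> exit 0 only if the "# N list entries" trailer is
# present and matches the number of entry lines (a truncated download fails).
verify_trailer() {
  awk '/^#/ { if ($0 ~ /^# [0-9]+ list entries$/) n = $2; next }
       /./  { c++ }
       END  { if (n != "" && c == n) exit 0; exit 1 }'
}

# load_ipset: fill a scratch set and swap it into the live set atomically, so the
# live set is never empty mid-refresh. Needs root and ipset; not run by default.
load_ipset() {  # $1 = live set name (assumed); filtered entries on stdin
  ipset create "$1" hash:net -exist
  ipset create "$1-new" hash:net -exist
  sed "s/^/add $1-new /" | ipset restore
  ipset swap "$1-new" "$1" && ipset destroy "$1-new"
}
```

A refresh would be: download the list, run it through verify_trailer, then pipe filter_blocklist output into load_ipset, refusing to touch the live set if the trailer check fails.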