Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update spamhaus.sh #4

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update spamhaus.sh #4

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 74 additions & 15 deletions spamhaus.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,31 +1,89 @@
#!/bin/bash

# based off the following two scripts
# based off the following three scripts
# http://www.theunsupported.com/2012/07/block-malicious-ip-addresses/
# http://www.cyberciti.biz/tips/block-spamming-scanning-with-iptables.html
# https://github.com/cowgill/spamhaus/edit/master/spamhaus.sh

# path to iptables
IPTABLES="/sbin/iptables";

# list of known spammers
URL="www.spamhaus.org/drop/drop.lasso";

# save local copy here
# save temp local copy here
FILE="/tmp/drop.lasso";

# save permanent local copy here
SAVE="/etc/blacklist/drop.lasso"

# iptables custom chain
CHAIN="Spamhaus";
CHAIN="spamhaus";

# Runtime flags
# Quiet run for cron usage
if [ "$1" == "-q" ] ; then
QUIET=1
shift
else
QUIET=0
fi

# Allow reload in rc.local without consulting spamhaus
if [ "$1" == "-l" ] ; then
shift
LOCAL=1
else
LOCAL=0
fi

# Download only if requested
if [ $LOCAL -eq 0 ] ; then

# get a copy of the spam list
if [ $QUIET -eq 0 ] ; then
wget -qc $URL -O $FILE
else
wget -qqqqqc $URL -O $FILE
fi

# Verify we got a file
if [ `wc -l $FILE | cut -f1 -d\ ` != "0" ] ; then
mv "$FILE" "$SAVE"
else
unlink $FILE
fi
fi

# Download from spamhaus without erasing content
if [ "$1" == "-n" ] ;then
if [ $QUIET -eq 0 ] ; then
echo "Dry run complete"
echo "File results are in $SAVE"
fi
exit
fi

# At this stage, we have a valid new file or we have the old file still intact
# Loading IPTables now means that if the download failed, we will not leave
# our mail server unprotected while there is no spamhaus update file

# check to see if the chain already exists
$IPTABLES -L $CHAIN -n
if [ $QUIET -eq 0 ] ; then
$IPTABLES -L $CHAIN -n
else
$IPTABLES -L $CHAIN -n >/dev/null 2>/dev/null
fi

# check to see if the chain already exists
if [ $? -eq 0 ]; then

# flush the old rules
$IPTABLES -F $CHAIN

echo "Flushed old rules. Applying updated Spamhaus list...."
if [ $QUIET -eq 0 ] ; then
echo "Flushed old rules. Applying updated Spamhaus list...."
fi

else

Expand All @@ -37,28 +95,29 @@ else

# don't allow this traffic through
$IPTABLES -A FORWARD -j $CHAIN

echo "Chain not detected. Creating new chain and adding Spamhaus list...."


if [ $QUIET -eq 0 ] ; then
echo "Chain not detected. Creating new chain and adding Spamhaus list...."
fi
fi;

# get a copy of the spam list
wget -qc $URL -O $FILE

# iterate through all known spamming hosts
for IP in $( cat $FILE | egrep -v '^;' | awk '{ print $1}' ); do
for IP in $( cat $SAVE | egrep -v '^;' | awk '{ print $1}' ); do

# add the ip address log rule to the chain
$IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[SPAMHAUS BLOCK]" -m limit --limit 3/min --limit-burst 10

# add the ip address to the chain
$IPTABLES -A $CHAIN -p 0 -s $IP -j DROP

echo $IP
if [ $QUIET -eq 0 ] ; then
echo $IP
fi

done

echo "Done!"
if [ $QUIET -eq 0 ] ; then
echo "Done!"
fi

# remove the spam list
unlink $FILE