I also used to use ipdeny for a block list until they went down or, at
least, served rubbish for a while last year. I did write a python
program to do it all. It also consolidated the subnets where possible to
make the list shorter. Just as I finished the program, the site started
serving corrupt data.
I then found a site https://ip.ludost.net which can serve a consolidated
list so I do it all in bash now:
#!/bin/bash
# A list of the ISO country codes can be found at
# http://en.wikipedia.org/wiki/ISO_3166-1
# Countries are case insensitive for this script
ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm mc je gg im"
MAXELEM=131072
if [ "$(lsmod | grep ip_set)" = "" ]; then
    modprobe ip_set
fi
# Destroy country-list-temp in case it exists and is populated
ipset destroy -q country-list-temp
# Make sure the new lists exist (nethash is the legacy alias of hash:net)
ipset create country-list nethash maxelem $MAXELEM -exist
ipset create country-list-temp nethash maxelem $MAXELEM -exist
# Load the country list (one prefix per line; comment lines start with #)
curl -s -d country=1 --data-urlencode "country_list=$ISO" \
     -d format_template=prefix https://ip.ludost.net/cgi/process | grep -v '^#' | \
while read -r line
do
    ipset add country-list-temp "$line" -exist
done
# Sanity check: a list this short means the download failed or served rubbish
if [ "$(ipset list country-list-temp | wc -l)" -le 7 ]; then
    logger -t country-list "Update failed"
    echo 'Country List Update failed' | mail -s 'Country List Update failed' [email protected]
    ipset destroy -q country-list-temp
    exit 1
fi
# Make the temp list current (atomic swap, so the live set is never empty)
ipset swap country-list country-list-temp
# Destroy the (now old) temp list
ipset destroy -q country-list-temp
# Create save list for loading on boot
ipset save country-list > /usr/src/ipset_country-list.save
sed -i 's/^create/create -exist/' /usr/src/ipset_country-list.save
sed -i 's/^add/add -exist/' /usr/src/ipset_country-list.save
logger -t country-list "Updated"
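As an added example (mine, not Nick's script), this is the input validation that the "Update failed" check above is reaching for: reject a download that is short or malformed before any of it reaches the live set, and load the survivors as one ipset restore batch instead of one ipset add per line. The sample list and the MIN_PREFIXES threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Nick's script: validate a downloaded prefix list before
# it goes anywhere near ipset, then turn it into an "ipset restore" batch.

# Constructed sample of the prefix-format download: comment lines plus one
# CIDR per line. The last three lines are deliberately unwanted or corrupt.
SAMPLE_LIST='# generated list
192.0.2.0/24
198.51.100.0/25
203.0.113.0/24
2001:db8::/32
300.1.1.0/24
garbage'

# Assumption: fewer valid prefixes than this means the source served rubbish.
MIN_PREFIXES=3

# Keep only well-formed IPv4 CIDRs (octets 0-255, prefix 0-32); drop comments,
# blank lines and anything else. Exit status 0 only if enough prefixes survive.
filter_prefixes() {
    awk -v min="$MIN_PREFIXES" '
        /^#/ || NF == 0 { next }
        {
            if (split($1, p, "/") != 2 || p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            print $1; count++
        }
        END { exit (count >= min) ? 0 : 1 }'
}

# Emit an "ipset restore" batch for a temp set: one batch loads far faster than
# a loop of "ipset add", and the live set is only swapped in afterwards.
build_restore_batch() {
    set_name="$1"
    echo "create ${set_name}-temp hash:net maxelem 131072 -exist"
    echo "flush ${set_name}-temp"
    sed "s/^/add ${set_name}-temp /"
}

main() {
    prefixes=$(printf '%s\n' "$SAMPLE_LIST" | filter_prefixes) ||
        { echo "prefix list looks corrupt, not touching the live set" >&2; return 1; }
    # In the real script this output would be piped into: ipset restore
    printf '%s\n' "$prefixes" | build_restore_batch country-list
}
main
```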
FWIW if you are trying to block all non-US, I would expect it would be a
lot more efficient to generate a US-only list, then block everything that
does not match it with the following in your iptables rule:
-m set ! --match-set US-list src
Another thing I found out is that the country lists vary with your
sources. This is especially so in Europe with trans-national ISPs, so an
ISP may get a block of addresses from one country and allocate them to
customers in more than one country. It is probably the same with the US
and Canada. Ipdeny do not take this into account, but ludost.net
attempts to. There are also commercial offerings which take this into
account.
Nick
On 27/08/2019 04:14, Kenneth Porter wrote:
--On Monday, August 26, 2019 8:45 PM -0500 Mike <[email protected]> wrote:
btw, how did you create your nonUS set Ken?
I posted this to the list on 8/2. ;)
<https://gist.github.com/SpareSimian/c8475f140664e415fdc37b1073b563a1>
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users