[WebUI] Add support for blacklist script

Author: Lupul

bin/v-add-firewall-ipset

@@ -125,14 +125,15 @@ inet_ver="inet"
 [ "$ip_version" == "v6" ] && inet_ver="inet6"
 
 $IPSET_BIN create "$ip_name" -exist hash:net family $inet_ver
-$IPSET_BIN create "${ip_name}-tmp" -exist hash:net family $inet_ver
+$IPSET_BIN -quiet destroy "${ip_name}-tmp"
+$IPSET_BIN create "${ip_name}-tmp" -exist hash:net family $inet_ver maxelem 1048576
 $IPSET_BIN flush "${ip_name}-tmp"
 
 sed -rn -e '/^#|^$/d'  -e "s/^(.*)/add ${ip_name}-tmp \\1/p" "${IPSET_PATH}/${IPSET_FILE}.iplist" | $IPSET_BIN -quiet restore
 check_result $? "Populating ipset table"
 
 $IPSET_BIN swap "${ip_name}-tmp" "${ip_name}"
-$IPSET_BIN --quiet destroy "${ip_name}-tmp"
+$IPSET_BIN -quiet destroy "${ip_name}-tmp"
 
 
 # Generating timestamp

bin/v-delete-firewall-ipset

@@ -50,11 +50,11 @@ fi
 #                       Action                             #
 #----------------------------------------------------------#
 
-if $IPSET_BIN --quiet list "${ip_name}-tmp"; then
+if $IPSET_BIN --quiet list "${ip_name}-tmp" >/dev/null; then
     $IPSET_BIN --quiet destroy "${ip_name}-tmp"
 fi
 
-if $IPSET_BIN --quiet list "${ip_name}"; then
+if $IPSET_BIN --quiet list "${ip_name}" >/dev/null; then
     $IPSET_BIN --quiet destroy "${ip_name}"
     check_result $? "ipset ${ip_name} still used by iptables. Cannot remove"
 fi

install/deb/firewall/ipset/blacklist.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Script and blacklist urls partially taken from:
+# https://github.com/trick77/ipset-blacklist/blob/master/ipset-blacklist.conf
+#
+
+BLACKLISTS=(
+    "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
+    "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
+    "https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
+    "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
+    "https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
+    "https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
+    "https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
+    "https://blocklist.greensnow.co/greensnow.txt" # GreenSnow
+    "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
+    "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol
+)
+
+
+IP_BLACKLIST_TMP=$(mktemp)
+for i in "${BLACKLISTS[@]}"; do
+    IP_TMP=$(mktemp)
+    (( HTTP_RC=$(curl -L --connect-timeout 10 --max-time 10 -o "$IP_TMP" -s -w "%{http_code}" "$i") ))
+    if (( HTTP_RC == 200 || HTTP_RC == 302 || HTTP_RC == 0 )); then # "0" because file:/// returns 000
+        command grep -Po '^(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" | sed -r 's/^0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)$/\1.\2.\3.\4/' >> "$IP_BLACKLIST_TMP"
+    elif (( HTTP_RC == 503 )); then
+        echo >&2 -e "\\nUnavailable (${HTTP_RC}): $i"
+    else
+        echo >&2 -e "\\nWarning: curl returned HTTP response code $HTTP_RC for URL $i"
+    fi
+    rm -f "$IP_TMP"
+done
+
+sed -r -e '/^(0\.0\.0\.0|10\.|127\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|22[4-9]\.|23[0-9]\.)/d' "$IP_BLACKLIST_TMP"|sort -n|sort -mu
+rm -f "$IP_BLACKLIST_TMP"

web/templates/admin/add_firewall_ipset.html

@@ -140,13 +140,37 @@
         */
     ];
 
+    var blacklist_iplists = [
+        {name: "[ipv4] Blacklist Script",       source:"script:/usr/local/hestia/install/deb/firewall/ipset/blacklist.sh"},
+        /*
+        {name: "[ipv6] Blacklist Script",       source:"script:/usr/local/hestia/install/deb/firewall/ipset/blacklist.ipv6.sh"},
+        */
+    ];
+
     country_iplists.sort(function (a, b) {
         return a.name > b.name;
     });
 
+    blacklist_iplists.sort(function (a, b) {
+        return a.name > b.name;
+    });
+
     $(function() {
         var targetelement = document.getElementById('datasource_list');
 
+        // Blacklist
+        var newEl = document.createElement("option");
+        newEl.text="BLACKLIST";
+        newEl.disabled=true;
+        targetelement.appendChild(newEl);
+
+        blacklist_iplists.forEach(iplist => {
+            var newEl = document.createElement("option");
+            newEl.text=iplist.name;
+            newEl.value=iplist.source;
+            targetelement.appendChild(newEl);
+        });
+
         // IPVERSE
         var newEl = document.createElement("option");
         newEl.text="IPVERSE";