first commit

Author: haikelfazzani

.gitignore

@@ -0,0 +1,12 @@
+test
+node_modules
+.cache
+.vscode
+testr
+temp
+testfile
+test.js
+test.sh
+*.tmp
+
+package-lock.json

firewall/Readme.md

@@ -0,0 +1,50 @@
+# Firewall
+
+## Install
+```shell
+apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent
+```
+
+## Iptables common rules
+
+**DROP RFC1918 PACKETS**
+```shell
+-A INPUT -s 10.0.0.0/8 -j DROP
+-A INPUT -s 172.16.0.0/12 -j DROP
+-A INPUT -s 192.168.0.0/16 -j DROP
+```
+
+**Outbound UDP Flood protection**
+```shell
+iptables -N udp-flood
+iptables -A OUTPUT -p udp -j udp-flood
+iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
+iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
+iptables -A udp-flood -j DROP
+```
+
+**prevent flooding general**
+```shell
+iptables -N udp-flood
+iptables -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
+iptables -A udp-flood -j DROP
+iptables -A INPUT -i eth0 -p udp -j udp-flood
+iptables -A INPUT -i eth0 -f -j DROP
+```
+
+**prevent amplification attack**
+```shell
+iptables -N DNSAMPLY
+iptables -A DNSAMPLY -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
+iptables -A DNSAMPLY -p udp -m hashlimit --hashlimit-srcmask 24 --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
+iptables -A DNSAMPLY -p udp -m udp --dport 53 -j DROP
+```
+
+## Notes
+- [A Tutorial for Controlling Network Traffic with iptables](https://www.linode.com/docs/guides/control-network-traffic-with-iptables/)
+- [IPset reference](https://manpages.debian.org/testing/ipset/ipset.8.en.html)
+- [Iptables Essentials](https://github.com/trimstray/iptables-essentials/blob/master/README.md#xmas-packets)
+- [IPtables persist](https://unix.stackexchange.com/questions/52376/why-do-iptables-rules-disappear-when-restarting-my-debian-system)
+
+# License
+MIT

firewall/block_malicious_ips.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+source ./firewall/constants.sh
+
+block_malicious_ips() {
+    SRC_URL="https://gitlab.com/haikelfazzani/blocklist/-/raw/master/ips/malicious.txt"
+
+    curl -s -X GET \
+        -H "Content-type: application/json" \
+        -H "Accept: application/json" \
+        "$SRC_URL" >$TEMP_FILE_PATH
+
+    uniq_ips=$(awk '{if (++dup[$0] == 1) print $0;}' $TEMP_FILE_PATH)
+
+    ipset_name="malicious-set"
+
+    ipset -q flush $ipset_name
+    ipset create $ipset_name hash:net -exist
+
+    # echo "$uniq_ips"
+    echo "$uniq_ips" >$TEMP_FILE_PATH
+
+    sed -i '/^$/d; / *#/d; /\//d' $TEMP_FILE_PATH
+
+    while read -r ip; do
+        if [[ "$ip" =~ $ipRegexV4 ]]; then
+            ipset add $ipset_name $ip -exist
+        else
+            echo $ip >>$TEMP_FILE_INVALID_PATH
+            sed -i "/$ip/d" $TEMP_FILE_PATH
+        fi
+    done <"$TEMP_FILE_PATH"
+
+    ipset save
+
+    iptables -D INPUT -m set --match-set $ipset_name src -j DROP 2>/dev/null
+    iptables -D OUTPUT -m set --match-set $ipset_name src -j DROP 2>/dev/null
+
+    iptables -I INPUT -m set --match-set $ipset_name src -j DROP
+    iptables -I OUTPUT -m set --match-set $ipset_name src -j DROP
+
+    iptables-save >/etc/iptables/rules.v4
+    iptables -S
+}
+
+(
+    set -e
+    block_malicious_ips
+)
+
+errorCode=$?
+if [ $errorCode -ne 0 ]; then
+    echo "Error in block_malicious_ips: $errorCode"
+    exit $errorCode
+fi

firewall/block_range_ips.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+source ./firewall/constants.sh
+
+block_range_ips() {
+    SRC_URL="https://gitlab.com/haikelfazzani/blocklist/-/raw/master/ips/range.txt"
+
+    curl -s -X GET \
+        -H "Content-type: application/json" \
+        -H "Accept: application/json" \
+        "$SRC_URL" >$TEMP_FILE_PATH
+
+    uniq_ips=$(awk '{if (++dup[$0] == 1) print $0;}' $TEMP_FILE_PATH)
+
+    ipset_name="blacklist-range-set"
+
+    ipset -q flush $ipset_name
+    ipset create $ipset_name hash:net -exist
+
+    # echo "$uniq_ips"
+    echo "$uniq_ips" >$TEMP_FILE_PATH
+
+    sed -r -i '/^\s*$/d; /^[[:blank:]]*#/d;s/#.*//' $TEMP_FILE_PATH
+
+    while read -r ip_range; do
+        ip=$(echo $ip_range | sed -r 's/\/.*//g')
+
+        if [[ "$ip" =~ $ipRegexV4 ]]; then
+            ipset add $ipset_name $ip_range -exist
+            # echo "==> $ip_range"
+        else
+            echo $ip_range >>$TEMP_FILE_INVALID_PATH
+            sed -i "/$ip/d" $TEMP_FILE_PATH
+        fi
+    done <"$TEMP_FILE_PATH"
+
+    ipset save
+
+    iptables -D INPUT -m set --match-set $ipset_name src -j DROP 2>/dev/null
+    iptables -D OUTPUT -m set --match-set $ipset_name src -j DROP 2>/dev/null
+
+    iptables -I INPUT -m set --match-set $ipset_name src -j DROP
+    iptables -I OUTPUT -m set --match-set $ipset_name src -j DROP
+
+    iptables-save >/etc/iptables/rules.v4
+    iptables -S
+}
+
+(
+    set -e
+    block_range_ips
+)
+
+errorCode=$?
+if [ $errorCode -ne 0 ]; then
+    echo "Error in block_range_ips: $errorCode"
+    exit $errorCode
+fi

firewall/common-rules.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+IPT=/sbin/iptables
+
+cleanOldRules() {
+  $IPT -F
+  $IPT -X
+  $IPT -t nat -F
+  $IPT -t nat -X
+  $IPT -t mangle -F
+  $IPT -t mangle -X
+  $IPT -P INPUT ACCEPT
+  $IPT -P OUTPUT ACCEPT
+  $IPT -P FORWARD ACCEPT
+}
+
+applyRules() {
+  iptables -A INPUT -i lo -j ACCEPT
+  iptables -A OUTPUT -o lo -j ACCEPT
+  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+  iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP # Dropping Invalid Packets
+  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
+  iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
+  iptables -N port-scanning
+  iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
+  iptables -A port-scanning -j DROP
+  iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
+  iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
+  iptables -N syn_flood
+
+  iptables -A INPUT -p tcp --syn -j syn_flood
+  iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
+  iptables -A syn_flood -j DROP
+
+  iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
+
+  iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
+  iptables -A INPUT -p icmp -j DROP
+
+  iptables -A OUTPUT -p icmp -j ACCEPT
+  iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+  iptables -A INPUT -f -j DROP
+  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+  iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
+  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+  iptables-save >/etc/iptables/rules.v4
+  iptables -S
+}
+
+(
+  set -e
+  cleanOldRules
+  applyRules
+)
+
+errorCode=$?
+if [ $errorCode -ne 0 ]; then
+  echo "Error in common-rules: $errorCode"
+  exit $errorCode
+fi

firewall/constants.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+export ipRegexV4="^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
+
+export TEMP_FILE_PATH="./firewall/ips.tmp"
+
+export TEMP_FILE_INVALID_PATH="./firewall/ips_invalid.tmp"

hosts-file/Readme.md

@@ -0,0 +1,9 @@
+# blacklist domains ressources
+
+- [adfilt](https://github.com/DandelionSprout/adfilt)
+- [neohosts](https://github.com/neoFelhz/neohosts)
+- [Ad-set-hosts](https://github.com/rentianyu/Ad-set-hosts)
+
+# License
+
+MIT

hosts-file/index.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# colors
+Color_Off='\033[0m' # Text Reset
+
+# Regular Colors
+Red='\033[0;31m'    # Red
+Green='\033[0;32m'  # Green
+Yellow='\033[0;33m' # Yellow
+
+# update /etc/hosts
+declare -a remote_files=("_domains" "apple" "cloudfront" "common" "facebook" "google" "microsoft" "msn" "twitter" "yahoo")
+TEMP_FILE_PATH='./hosts-file/hosts_file.tmp'
+HOSTS_FILE_PATH='/etc/hosts'
+
+date=$(date +%F)
+hostname=$(hostname)
+
+echo -e ">>${Green} [Start] updating /etc/hosts ${Color_Off}"
+
+HEADER="# Last updated: $date\n
+\n
+# The following lines are desirable for IPv4 capable hosts\n
+\n\n
+127.0.0.1       localhost\n
+127.0.1.1       $hostname\n
+# The following lines are desirable for IPv6 capable hosts\n
+\n\n
+::1             localhost ip6-localhost ip6-loopback\n
+fe00::0         ip6-localnet\n
+ff02::1         ip6-allnodes\n
+ff02::2         ip6-allrouters\n
+ff02::3         ip6-allhosts\n
+\n\n
+# The following lines are desirable for blocked domains\n
+\n"
+
+echo -e $HEADER >$TEMP_FILE_PATH
+
+for i in "${remote_files[@]}"; do
+  domains=$(curl -s -X GET \
+    -H "Content-type: text/plain; charset=UTF-8" \
+    -H "Accept: text/plain; charset=UTF-8" \
+    "https://gitlab.com/haikelfazzani/blocklist/-/raw/master/hosts/_domains.txt")
+
+  echo "$domains" | sed 's/[|^]//g; /^$/d; s/ *$//' | sed -E "/^[^#]/ s/^/0.0.0.0       /" >>$TEMP_FILE_PATH
+  echo -e "> ${Yellow} [End Processing] $i ${Color_Off}"
+done
+
+awk -i inplace '!seen[$0]++' $TEMP_FILE_PATH
+sed -i -e 's/0.0.0.0.*#/# /g' $TEMP_FILE_PATH
+cat $TEMP_FILE_PATH >$HOSTS_FILE_PATH
+
+echo -e ">>${Green} [End] updating /etc/hosts ${Color_Off}"