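#!/bin/bash
#
# Host firewall + log-driven blocklist for a small self-hosted box.
#
# Usage:
#   firewall.sh start   flush, default-DROP INPUT, open the service ports below
#                       and run the log scans (only on hosts whose name has "nas")
#   firewall.sh ddos    scan the nginx access log and DROP matching clients
#   firewall.sh stop    open everything (policy ACCEPT, chains flushed)
#
# Deliberately NOT run under `set -e`: aborting half-way through start(), after
# the INPUT policy is DROP but before the ACCEPT rules are in, would lock the
# admin out. Individual iptables calls may fail and report on stderr instead.

#### Paths ####
NGINX_ACCESS="/var/log/nginx/access.log"
# Absolute paths so the script behaves the same from cron's minimal PATH.
IPT='/usr/sbin/iptables'
IP6T='/usr/sbin/ip6tables'

#### Ports opened by start() (TCP, or TCP+UDP where the loop adds both) ####
# NOTE(review): none of the ACCEPT rules below carries a source restriction, so
# the admin/RPC/GUI ports (22, 9090, 3000, 8082, 8332, 8080, 8384, 2049, 631,
# ...) are reachable from anywhere. The disabled "Trust Servers" block in
# start() plus a `-s <LAN or WireGuard range>` on these rules would narrow that;
# the policy is left unchanged here.
WIREGUARD=(57692 853)
WEB=(80 443)
ADGUARD=(53 3000 8082 67)
CUPS=(631 5353)
BITCOIN=(8333 8332 8334 4050)
LND=(9735 8080 28334 28333 19998 29000)
SYNCTHING=(22000 8384 21027)
NFS=(2049 111)
JELLYFIN=(8096 1900 7359)
MACHINES=(192.168.0.55 192.168.0.146)   # only referenced by the disabled trust block
ADMIN=(22 9090)

#### Blocklist databases (grep -E patterns, one per line) and logs ####
# The *_DB files are matched against whole access-log lines with `grep -Ei -f`.
SAVED_BOTS='/root/firewall/bots.txt'       # persisted crawler IPs, re-applied every run
CRAWLER_DB='/root/firewall/crawlers.txt'
PEDO_DB='/root/firewall/pedo.txt'
PEDO_LOG='/root/firewall/pedo-log.txt'
ATTACKER_DB='/root/firewall/attacker-db.txt'
ATTACKER_LOG='/root/firewall/attackers.txt'
BOT_ACCOUNT="blockbot@detroitriotcity.com"
NOSTR_PROFILE='33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940'

#### Helpers ####

# valid-ip ADDR: succeed when ADDR is an IPv4 dotted quad (octets 0-255) or an
# IPv6-looking literal (hex digits, ':' and '.', with at least one ':').
# Everything handed to iptables below is the first field of attacker-supplied
# log lines, so it is checked here before it becomes part of a firewall rule.
valid-ip() {
  local addr=$1 octet
  local v4='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local v6='^[0-9A-Fa-f:.]+$'
  local -a octets
  if [[ $addr =~ $v4 ]]; then
    IFS=. read -ra octets <<<"$addr"
    for octet in "${octets[@]}"; do
      (( 10#$octet <= 255 )) || return 1   # 10# so "08" is not read as octal
    done
    return 0
  fi
  [[ $addr == *:* && $addr =~ $v6 ]]
}

# ipt-for ADDR: print the iptables binary for ADDR's address family.
ipt-for() {
  if [[ $1 == *:* ]]; then
    printf '%s\n' "$IP6T"
  else
    printf '%s\n' "$IPT"
  fi
}

# block-ip ADDR: DROP all inbound TCP from ADDR, exactly once.
# -I (not -A) puts the rule at the top of INPUT, so a `ddos` run *after*
# start() still lands above the per-port ACCEPTs instead of behind them where
# it would never match; -C first so repeated runs do not pile up duplicates.
block-ip() {
  local addr=$1 ipt
  if ! valid-ip "$addr"; then
    printf 'block-ip: refusing non-address %q\n' "$addr" >&2
    return 1
  fi
  ipt=$(ipt-for "$addr")
  "$ipt" -C INPUT -s "$addr" -p tcp -m tcp -j DROP 2>/dev/null \
    || "$ipt" -I INPUT -s "$addr" -p tcp -m tcp -j DROP
}

# allow-tcp PORT / allow-udp PORT: accept inbound PORT from any source (IPv4 only).
allow-tcp() { "$IPT" -A INPUT -p tcp -m tcp --dport "$1" -j ACCEPT; }
allow-udp() { "$IPT" -A INPUT -p udp -m udp --dport "$1" -j ACCEPT; }

# patterns FILE: FILE's non-blank lines, for `grep -f`. An empty pattern
# matches every line, so one stray blank line in a DB would otherwise firewall
# every client in the log. A missing FILE yields zero patterns (grep -f then
# matches nothing; with -v it keeps everything).
patterns() { grep -v '^[[:space:]]*$' -- "$1"; }

# filter-self: stdin minus lines containing MY_IP (fixed string, so the dots
# are not regex wildcards). Passes everything through when MY_IP is unknown
# rather than handing grep an empty pattern.
filter-self() {
  if [[ -n $MY_IP ]]; then
    grep -vF -- "$MY_IP"
  else
    cat
  fi
}

# client-ips: unique first field (the client address) of the log lines on stdin.
client-ips() { awk '{ print $1 }' | sort -u; }

# lines-from ADDR: stdin restricted to log lines whose client field is exactly
# ADDR (an unanchored grep would also hit 11.2.3.45 for 1.2.3.4).
lines-from() { awk -v ip="$1" '$1 == ip'; }

# window-lines: access-log lines from the previous full hour (see DATE), minus
# the admin's own traffic. Emits nothing when DATE is empty — an empty grep
# pattern would otherwise select the entire log.
window-lines() {
  [[ -n $DATE ]] || return 1
  grep -i -- "$DATE" "$NGINX_ACCESS" | filter-self
}

# Public address of this host, excluded from the log scans so the admin never
# firewalls themself. Fetched over HTTPS and validated: the value ends up in a
# grep exclusion, and a spoofed reply such as "GET" would blind the scanner.
# Empty when unreachable or not an address — then nothing is excluded.
MY_IP=$(curl -fs --max-time 10 https://ifconfig.me 2>/dev/null)
valid-ip "$MY_IP" || MY_IP=

# Timestamp prefix of the previous full hour in nginx's [dd/Mon/yyyy:HH:MM:SS]
# format, e.g. "10/Oct/2024:14:". Day and month are included so the filter
# selects one hour, not that hour on every day still present in the log.
DATE="$(LC_ALL=C date +%d/%b/%Y:%H: -d "1 hour ago")"
#DATE="$(LC_ALL=C date +%d/%b/%Y:%H:)"

#### Log scans ####

# ddos-protection: run all three log scans. Despite the name this is a
# log-driven blocklist, not rate limiting.
ddos-protection() {
  attacker-search
  pedo-search
  bot-search
}

# bot-search: DROP every client whose log lines match CRAWLER_DB (whole log,
# no time window), re-apply the previously saved crawler IPs, and persist the
# union to SAVED_BOTS. The list is merged in memory; no world-writable temp file.
bot-search() {
  local -a fresh known keep
  local ip

  echo
  echo "Processing Web Crawler list into iptables....."
  echo
  mapfile -t fresh < <(
    filter-self <"$NGINX_ACCESS" \
      | grep -Evi 'spank|report|rape|block' \
      | grep -Ei -f <(patterns "$CRAWLER_DB") \
      | client-ips
  )
  for ip in "${fresh[@]}"; do
    valid-ip "$ip" || continue
    block-ip "$ip"
    keep+=("$ip")
  done

  echo
  echo "Feeding $SAVED_BOTS into iptables....."
  echo
  if [[ -r $SAVED_BOTS ]]; then
    mapfile -t known < <(sort -u -- "$SAVED_BOTS")
  fi
  for ip in "${known[@]}"; do
    valid-ip "$ip" || continue
    block-ip "$ip"
    keep+=("$ip")
  done

  echo "Saving Bot list to $SAVED_BOTS....."
  if (( ${#keep[@]} )); then
    printf '%s\n' "${keep[@]}" | sort -u >"$SAVED_BOTS"
  else
    : >"$SAVED_BOTS"
  fi
}

# pedo-search: DROP clients whose last-hour requests match PEDO_DB on a
# tag/search path, log the IP to PEDO_LOG and publish the offending request.
pedo-search() {
  local -a hits
  local ip query

  echo
  echo "Processing Pedo Searches into iptables....."
  mapfile -t hits < <(
    window-lines \
      | grep -Ei -f <(patterns "$PEDO_DB") \
      | grep -Ei 'tag|search' \
      | client-ips
  )
  for ip in "${hits[@]}"; do
    valid-ip "$ip" || continue
    block-ip "$ip"
    # First matching request from this client, with crawler traffic and paths
    # that look like the instance's own assets/API filtered out.
    query=$(
      window-lines \
        | grep -Ei 'tag|search' \
        | grep -Evi -f <(patterns "$CRAWLER_DB") \
        | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' \
        | lines-from "$ip" \
        | grep -Ei -f <(patterns "$PEDO_DB") \
        | head -1
    )
    if [[ -z $query ]]; then
      echo "No Pedos Found"
      continue
    fi
    echo "Found Pedo!"
    # $query is a verbatim access-log line, i.e. attacker-controlled text (URI,
    # user agent), and it is published to a public feed. It is only ever passed
    # as an argument, never evaluated. NOTE(review): confirm noscl/toot treat a
    # message starting with '-' as data rather than an option.
    if [[ $query == *"detroit"* ]]; then
      noscl publish --profile="$NOSTR_PROFILE" "$query"
      toot activate "$BOT_ACCOUNT"
      toot post ":emergency: :hacker_p: :hacker_e: :hacker_d: :hacker_o: :trans: :hacker_a: :hacker_l: :hacker_e: :hacker_r: :hacker_t: :emergency2: $query" -m /root/detroit/akkoma/blockbot/pedo.png
    else
      noscl publish --profile="$NOSTR_PROFILE" "[Pedo Alert] A Pedo has been found! $query"
    fi
    printf '%s\n' "$ip" >>"$PEDO_LOG"
  done
}

# attacker-search: DROP clients whose last-hour requests match ATTACKER_DB,
# log the IP to ATTACKER_LOG and publish the offending request.
attacker-search() {
  local -a hits
  local ip query

  echo
  echo "Processing Attacker Searches into iptables....."
  echo
  mapfile -t hits < <(
    window-lines \
      | grep -Ei -f <(patterns "$ATTACKER_DB") \
      | client-ips
  )
  for ip in "${hits[@]}"; do
    valid-ip "$ip" || continue
    block-ip "$ip"
    query=$(
      window-lines \
        | lines-from "$ip" \
        | grep -Ei -f <(patterns "$ATTACKER_DB") \
        | head -1
    )
    if [[ -z $query ]]; then
      echo "No Attackers Found"
      continue
    fi
    echo "Found Attacker!"
    # Same caveat as pedo-search: $query is untrusted log text passed as an
    # argument to an external publisher.
    noscl publish --profile="$NOSTR_PROFILE" "[Attacker Alert] An attacker has been found! 
$query"
    printf '%s\n' "$ip" >>"$ATTACKER_LOG"
  done
}

#### Firewall baseline ####

# basic-security: flush both families, keep loopback and established/related
# traffic, default INPUT to DROP (FORWARD/OUTPUT stay ACCEPT). The ACCEPT rules
# are added *before* the policy flips to DROP so the admin's own SSH session
# never hits a window with empty chains and a DROP policy.
# Note: start() only adds IPv4 ACCEPTs, so over IPv6 the host answers on lo
# and established connections only.
basic-security() {
  local ipt
  for ipt in "$IPT" "$IP6T"; do
    "$ipt" -F
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD ACCEPT
    "$ipt" -P OUTPUT ACCEPT
  done
  #iptables -A INPUT -j LOG --log-prefix "iptables: " --log-level 4
  #ip6tables -A INPUT -j LOG --log-prefix "iptables: " --log-level 4
}

# start: baseline, then (on "nas" hosts) the blocklist scans and the service
# ACCEPTs; other hosts only get the baseline and a libvirtd restart.
start() {
  local port
  basic-security

  #Trust Servers
  #for i in "${MACHINES[@]}"; do
  #  "$IPT" -A INPUT -p tcp -m tcp -s "$i" -j ACCEPT
  #  "$IPT" -A INPUT -p udp -m udp -s "$i" -j ACCEPT
  #done

  if [[ ${HOSTNAME:-$(hostname)} == *"nas"* ]]; then
    # Admin ports first: anything failing further down (slow scan, missing DB,
    # Ctrl-C) then cannot leave the host without SSH. block-ip inserts at the
    # top of INPUT, so the blocklist still takes precedence over these.
    for port in "${ADMIN[@]}"; do allow-tcp "$port"; done
    ddos-protection

    #WireGuard
    # NOTE(review): forwarding is switched on while the FORWARD policy is
    # ACCEPT (basic-security), i.e. the box forwards any traffic routed through
    # it, not only the tunnel's.
    sysctl -w net.ipv4.conf.all.forwarding=1
    for port in "${WIREGUARD[@]}"; do
      allow-tcp "$port"
      allow-udp "$port"
    done
    #Uptime
    podman restart uptime-kuma
    #Web
    for port in "${WEB[@]}"; do allow-tcp "$port"; done
    #AdGuard
    for port in "${ADGUARD[@]}"; do
      allow-tcp "$port"
      allow-udp "$port"
    done
    #CUPS
    for port in "${CUPS[@]}"; do
      allow-tcp "$port"
      allow-udp "$port"
    done
    #Bitcoin
    for port in "${BITCOIN[@]}"; do allow-tcp "$port"; done
    #LND
    for port in "${LND[@]}"; do allow-tcp "$port"; done
    #SyncThing
    for port in "${SYNCTHING[@]}"; do
      allow-tcp "$port"
      allow-udp "$port"
    done
    #NFS
    for port in "${NFS[@]}"; do
      allow-tcp "$port"
      allow-udp "$port"
    done
    #Jellyfin
    for port in "${JELLYFIN[@]}"; do
      allow-tcp "$port"
      allow-udp "$port"
    done
  else
    # NOTE(review): non-"nas" hosts are left with INPUT DROP and no ACCEPT
    # rules at all (only lo and established), which also shuts out SSH.
    /usr/bin/systemctl restart libvirtd
  fi
}

# stop: open the firewall completely on both families. Policies go to ACCEPT
# before the flush so there is no moment with empty chains and a DROP policy;
# ip6tables is flushed as well, not only iptables.
stop() {
  local ipt
  for ipt in "$IPT" "$IP6T"; do
    "$ipt" -P INPUT ACCEPT
    "$ipt" -P FORWARD ACCEPT
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -F
    "$ipt" -t nat -F
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -i lo -j ACCEPT
  done
}

#### Entry point ####
case "${1:-}" in
  start) start ;;
  ddos)  ddos-protection ;;
  stop)  stop ;;
  *)
    echo "Invalid Choice"
    echo "Usage: ${0##*/} start|ddos|stop" >&2
    ;;
esac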