Sécuriser Nginx en utilisant certaines blacklists


L'idée

En s'appuyant sur le tuto « Sécuriser son Mikrotik avec Spamhaus, OpenBL, Dshield, Malc0de, Myip, Squidblacklist, MalwareDomainList », l'idée est d'appliquer le même principe à Nginx : refuser les connexions provenant des adresses IP recensées dans ces listes.

Le script de mise en forme

 

Créer un dossier deny dans le répertoire /etc/nginx.

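# Absolute path with -p: works from any working directory and does nothing
# if the directory already exists.
mkdir -p /etc/nginx/deny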

 

Créer le script permettant de télécharger et mettre en forme les fichiers conf pour NGINX :

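#!/bin/sh
# Build one nginx "deny" include file per public IP blocklist.
#
# Every feed is third-party input (several are fetched over plain HTTP) and the
# generated files are included verbatim in the nginx configuration. Each entry
# is therefore validated as a strict IPv4 address or IPv4/CIDR before it is
# written, so a feed cannot place anything but "deny <address>;" in the config.
#
# A file is only replaced when its download succeeded AND produced at least one
# valid entry; otherwise the previous file is kept, so an unreachable feed does
# not silently empty a blocklist.
#
# Output:  $saveTo/<name>-deny.conf
# Stdout:  one status line per refreshed list
# Stderr:  one line per list that could not be refreshed
# Exit:    0 when every list was refreshed, 1 otherwise
set -u

saveTo=/etc/nginx/deny
header='# Generated by Yakakliker.org for NGINX'
failed=0
fl_raw=
fl_new=

# Remove temporary files left by an interrupted run.
cleanup() {
  if [ -n "$fl_raw" ]; then rm -f -- "$fl_raw"; fi
  if [ -n "$fl_new" ]; then rm -f -- "$fl_new"; fi
}
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

if [ ! -d "$saveTo" ]; then
  printf '%s: directory not found\n' "$saveTo" >&2
  exit 1
fi

#######################################
# Download one feed and install it as $saveTo/<name>-deny.conf.
# Globals:   saveTo, header (read); fl_* (written)
# Arguments: $1 - list name (also the output file prefix)
#            $2 - feed URL
#            $3 - feed format, default "plain":
#                   plain   first field is an IPv4 address or IPv4/CIDR
#                   csv     like plain, but the field is cut at the first comma
#                   dshield rows "a.b.c.0<TAB>..." are emitted as a.b.c.0/24
#            $4 - label written in the trailing comment, default $1
# Returns:   0 when the file was replaced, 1 when the previous file was kept
#######################################
fetch_list() {
  fl_name=$1
  fl_url=$2
  fl_format=${3:-plain}
  fl_label=${4:-$1}
  fl_dest=${saveTo}/${fl_name}-deny.conf

  fl_raw=$(mktemp) || return 1
  # Temporary file in the target directory so the final mv is a rename. Its
  # name does not end in .conf, so the nginx include glob never picks it up.
  fl_new=$(mktemp "${saveTo}/.deny.XXXXXX") || {
    rm -f -- "$fl_raw"
    return 1
  }

  # Download to a file first: in a "wget | awk" pipeline the exit status of
  # wget is lost under plain sh.
  if ! wget -q --timeout=30 --tries=2 -O "$fl_raw" "$fl_url"; then
    printf '%s: download failed, previous file kept\n' "$fl_name" >&2
    rm -f -- "$fl_raw" "$fl_new"
    return 1
  fi

  {
    printf '%s %s\n' "$header" "$(date)"
    awk -v format="$fl_format" -v label="$fl_label" '
      # True when addr is four dot-separated decimal octets in 0..255.
      function valid_ipv4(addr,    parts, n, i) {
        n = split(addr, parts, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) {
          if (parts[i] !~ /^[0-9]+$/) return 0
          if (length(parts[i]) > 3 || parts[i] + 0 > 255) return 0
        }
        return 1
      }
      # True when entry is an IPv4 address, optionally followed by /0../32.
      function valid_entry(entry,    cidr, n) {
        n = split(entry, cidr, "/")
        if (n == 1) return valid_ipv4(entry)
        if (n != 2) return 0
        if (cidr[2] !~ /^[0-9]+$/) return 0
        if (length(cidr[2]) > 2 || cidr[2] + 0 > 32) return 0
        return valid_ipv4(cidr[1])
      }
      {
        sub(/\r$/, "")                 # feeds served with CRLF line endings
        entry = $1
        if (format == "csv") sub(/,.*/, "", entry)
        if (format == "dshield") {
          if (entry !~ /\.0$/ || !valid_ipv4(entry)) next
          entry = entry "/24"
        }
        if (!valid_entry(entry)) next  # headers, comments, anything unexpected
        print "deny " entry "; # comment=" label
      }
    ' "$fl_raw"
  } > "$fl_new"
  rm -f -- "$fl_raw"

  fl_count=$(grep -c '^deny ' "$fl_new")
  if [ "$fl_count" -eq 0 ]; then
    printf '%s: no valid entry in feed, previous file kept\n' "$fl_name" >&2
    rm -f -- "$fl_new"
    return 1
  fi

  # mktemp creates the file with mode 0600; use the usual config file mode.
  if ! chmod 644 "$fl_new" || ! mv -f -- "$fl_new" "$fl_dest"; then
    printf '%s: cannot install %s\n' "$fl_name" "$fl_dest" >&2
    rm -f -- "$fl_new"
    return 1
  fi
  printf '%s: %s entries\n' "$fl_name" "$fl_count"
}

# Refresh one list and count it as failed when the previous file was kept.
update_list() {
  fetch_list "$@" || failed=$((failed + 1))
}

rwt=http://ransomwaretracker.abuse.ch/downloads
firehol_git=https://raw.githubusercontent.com/firehol/blocklist-ipsets/master
firehol=https://iplists.firehol.org/files

update_list dshield   http://feeds.dshield.org/block.txt      dshield DShield
update_list spamhaus  http://www.spamhaus.org/drop/drop.txt   plain   SpamHaus
update_list spamhaus2 http://www.spamhaus.org/drop/edrop.txt  plain   edrop
update_list malc0de   http://malc0de.com/bl/IP_Blacklist.txt
update_list myipms    https://myip.ms/files/blacklist/general/latest_blacklist.txt
update_list blocklist https://lists.blocklist.de/lists/all.txt
# Quoted: an unquoted "?" is a glob character for the shell.
update_list zeustracker 'https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist'

update_list ransomwaretracker "${rwt}/RW_IPBL.txt"
update_list TeslaCrypt        "${rwt}/TC_PS_IPBL.txt"
update_list CryptoWall        "${rwt}/CW_PS_IPBL.txt"
update_list Locky             "${rwt}/LY_C2_IPBL.txt"
update_list Locky2            "${rwt}/LY_PS_IPBL.txt"
update_list TorrentLockerC2   "${rwt}/TL_C2_IPBL.txt"
update_list TorrentLocker     "${rwt}/TL_PS_IPBL.txt"

update_list Aattack30d      "${firehol_git}/atlas_attacks_30d.ipset"
update_list Abotnets30d     "${firehol_git}/atlas_botnets_30d.ipset"
update_list Afastflux30d    "${firehol_git}/atlas_fastflux_30d.ipset"
update_list Aphishing30d    "${firehol_git}/atlas_phishing_30d.ipset"
update_list Ascans30d       "${firehol_git}/atlas_scans_30d.ipset"
update_list Biany230d       "${firehol_git}/bi_any_2_30d.ipset"
update_list ciarmy          "${firehol_git}/ciarmy.ipset"
update_list asproxc2        "${firehol_git}/asprox_c2.ipset"
update_list cleanmxviruses  "${firehol_git}/cleanmx_viruses.ipset"
update_list cleanmxphishing "${firehol_git}/cleanmx_phishing.ipset"
update_list iwspamlist      "${firehol_git}/iw_spamlist.ipset"

# Comma-separated feed: only the part before the first comma is the address.
update_list ipmasterlist http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt csv

update_list cybercrime       "${firehol_git}/cybercrime.ipset"
update_list stopforumspam30d "${firehol_git}/stopforumspam_30d.ipset"
update_list torexits30d      "${firehol_git}/tor_exits_30d.ipset"
update_list fireholanon      "${firehol_git}/firehol_anonymous.netset"
# NOTE(review): firehol_level1 is documented upstream as including bogon and
# private ranges - confirm that internal clients, reverse proxies and health
# checks are not denied before enabling this file.
update_list firehol_level1   "${firehol_git}/firehol_level1.netset"

update_list normshield       "${firehol}/normshield_all_wannacry.ipset"
update_list php_spammers_30d "${firehol}/php_spammers_30d.ipset"
update_list yakakliker       'http://www.yakakliker.org/@api/deki/files/1451/=yakakliker.txt'
update_list malwaredomainlist http://www.malwaredomainlist.com/hostslist/ip.txt
update_list darklist_de      "${firehol}/darklist_de.netset"

# The last two lists carry the shorter header of the original script.
# cybercrime-deny.conf is written a second time here: when this download
# succeeds it replaces the copy fetched from the GitHub mirror above.
header='# Generated by Yakakliker.org'
update_list cybercrime "${firehol}/cybercrime.ipset"
update_list tor        "${firehol}/tor_exits_30d.ipset"

if [ "$failed" -ne 0 ]; then
  printf '%s list(s) not refreshed\n' "$failed" >&2
  exit 1
fi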

 

Éditer le fichier /etc/nginx/nginx.conf et ajouter la ligne suivante :

   # Loads every file matching *.conf in /etc/nginx/deny; the deny directive is accepted in the http, server and location contexts.
   include /etc/nginx/deny/*.conf;

 

Redémarrer le service nginx après chaque mise à jour des fichiers conf :

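# Test the configuration first: nginx refuses to start on a syntax error, so a
# malformed deny file must be caught before the running server is stopped.
sudo nginx -t && sudo service nginx restart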

 

La tâche planifiée :

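# This job needs root privileges (the script writes under /etc/nginx and
# restarts nginx), so the script file must be owned by root and not writable
# by any other account; a root-owned directory is safer than a home directory.
# 2>&1 sends error output to the log as well.
30 0 * * * /home/administrateur/getblacklist.sh >> /var/log/blacklist.log 2>&1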

 

Pour les flemmards :

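Liste des fichiers déjà mis en forme (servis en HTTP simple ; comme ils sont inclus tels quels dans la configuration Nginx, leur contenu doit être vérifié avant installation) :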

http://blacklist.yakakliker.org/nginx/

 

Script de téléchargement des fichiers :

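#!/bin/sh
# Download the pre-formatted nginx deny files and restart nginx.
#
# The files come from a third-party host over plain HTTP and are included
# verbatim in the nginx configuration, so every line is filtered: only comment
# lines and "deny <IPv4 or IPv4/CIDR>;" lines are kept.
#
# Nothing is deleted up front. Each file is replaced only after its download
# succeeded and yielded at least one valid entry, so a network failure leaves
# the previous blocklists in place instead of an empty directory.
#
# Exit: 0 when every list was refreshed and nginx restarted, 1 otherwise.
set -u

saveTo=/etc/nginx/deny
baseUrl=http://blacklist.yakakliker.org/nginx
failed=0
fc_raw=
fc_new=

# Remove temporary files left by an interrupted run.
cleanup() {
  if [ -n "$fc_raw" ]; then rm -f -- "$fc_raw"; fi
  if [ -n "$fc_new" ]; then rm -f -- "$fc_new"; fi
}
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

if [ ! -d "$saveTo" ]; then
  printf '%s: directory not found\n' "$saveTo" >&2
  exit 1
fi

#######################################
# Download $baseUrl/<name>-deny.conf, filter it, install it in $saveTo.
# Globals:   saveTo, baseUrl (read); fc_* (written)
# Arguments: $1 - list name
# Returns:   0 when the file was replaced, 1 when the previous file was kept
#######################################
fetch_conf() {
  fc_name=$1
  fc_dest=${saveTo}/${fc_name}-deny.conf

  fc_raw=$(mktemp) || return 1
  # Temporary file in the target directory so the final mv is a rename. Its
  # name does not end in .conf, so the nginx include glob never picks it up.
  fc_new=$(mktemp "${saveTo}/.deny.XXXXXX") || {
    rm -f -- "$fc_raw"
    return 1
  }

  if ! wget -q --timeout=30 --tries=2 -O "$fc_raw" \
      "${baseUrl}/${fc_name}-deny.conf"; then
    printf '%s: download failed, previous file kept\n' "$fc_name" >&2
    rm -f -- "$fc_raw" "$fc_new"
    return 1
  fi

  awk '
    # True when addr is four dot-separated decimal octets in 0..255.
    function valid_ipv4(addr,    parts, n, i) {
      n = split(addr, parts, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++) {
        if (parts[i] !~ /^[0-9]+$/) return 0
        if (length(parts[i]) > 3 || parts[i] + 0 > 255) return 0
      }
      return 1
    }
    # True when entry is an IPv4 address, optionally followed by /0../32.
    function valid_entry(entry,    cidr, n) {
      n = split(entry, cidr, "/")
      if (n == 1) return valid_ipv4(entry)
      if (n != 2) return 0
      if (cidr[2] !~ /^[0-9]+$/) return 0
      if (length(cidr[2]) > 2 || cidr[2] + 0 > 32) return 0
      return valid_ipv4(cidr[1])
    }
    {
      sub(/\r$/, "")
      if ($0 ~ /^[ \t]*$/) next
      if ($1 ~ /^#/) { print; next }          # comment line, kept as is
      if ($1 != "deny") next                  # no other directive is accepted
      entry = $2
      if (sub(/;$/, "", entry) != 1 || !valid_entry(entry)) next
      line = "deny " entry ";"
      # Keep the trailing "# comment=<label>" only in its expected shape.
      if (NF == 4 && $3 == "#" && $4 ~ /^comment=[A-Za-z0-9_-]+$/) {
        line = line " # " $4
      }
      print line
    }
  ' "$fc_raw" > "$fc_new"
  rm -f -- "$fc_raw"

  fc_count=$(grep -c '^deny ' "$fc_new")
  if [ "$fc_count" -eq 0 ]; then
    printf '%s: no valid entry in file, previous file kept\n' "$fc_name" >&2
    rm -f -- "$fc_new"
    return 1
  fi

  # mktemp creates the file with mode 0600; use the usual config file mode.
  if ! chmod 644 "$fc_new" || ! mv -f -- "$fc_new" "$fc_dest"; then
    printf '%s: cannot install %s\n' "$fc_name" "$fc_dest" >&2
    rm -f -- "$fc_new"
    return 1
  fi
  printf '%s: %s entries\n' "$fc_name" "$fc_count"
}

# cybercrime is listed once: fetching it twice with ">>" duplicated its content.
for name in \
  dshield spamhaus spamhaus2 malc0de myipms blocklist zeustracker \
  ransomwaretracker TeslaCrypt CryptoWall Locky Locky2 \
  TorrentLockerC2 TorrentLocker \
  Aattack30d Abotnets30d Afastflux30d Aphishing30d Ascans30d Biany230d \
  ciarmy asproxc2 cleanmxviruses cleanmxphishing iwspamlist ipmasterlist \
  cybercrime stopforumspam30d torexits30d fireholanon firehol_level1 \
  normshield php_spammers_30d yakakliker malwaredomainlist darklist_de tor
do
  fetch_conf "$name" || failed=$((failed + 1))
done

# Restart only when the whole configuration parses; otherwise leave the
# running server untouched and report the problem.
if ! nginx -t -q; then
  printf 'nginx configuration test failed, nginx not restarted\n' >&2
  exit 1
fi
service nginx restart || exit 1

if [ "$failed" -ne 0 ]; then
  printf '%s list(s) not refreshed\n' "$failed" >&2
  exit 1
fi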

 

 

 


FichierTailleDateAttaché par 
blacklistnginx.sh
Script de mise en forme
11.53 Ko11:41, 26 Jan 2019franckActions
getblacklist.sh
Script de mise en forme
3.91 Ko11:45, 26 Jan 2019franckActions