From 3cc90fdf8e91c75a939f3223028cbca699ada9cb Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Mon, 7 Feb 2022 11:56:31 +0000
Subject: [PATCH] tweaking, switch to maltrail mass scanner list
---
 README.md | 3 ++-
 bin/blackhole.sh | 52 ++++++++++++++++++++++++++++--------------------
 2 files changed, 32 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index b2042c5c..04b10bc7 100644
--- a/README.md
+++ b/README.md
@@ -501,7 +501,7 @@ The software that T-Pot is built on uses the following licenses.
GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/)
GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [log4pot](https://github.com/thomaspatzke/Log4Pot/blob/master/LICENSE), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/blob/main/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE)
-MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE)
+MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE), [maltrail](https://github.com/stamparm/maltrail/blob/master/LICENSE)
Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE)
@@ -542,6 +542,7 @@ Without open source and the fruitful development community (we are proud to be a
 * [logstash](https://github.com/elastic/logstash/graphs/contributors)
 * [log4pot](https://github.com/thomaspatzke/Log4Pot/graphs/contributors)
 * [mailoney](https://github.com/awhitehatter/mailoney)
+* [maltrail](https://github.com/stamparm/maltrail/graphs/contributors)
 * [medpot](https://github.com/schmalle/medpot/graphs/contributors)
 * [p0f](http://lcamtuf.coredump.cx/p0f3/)
 * [rdpy](https://github.com/citronneur/rdpy)
diff --git a/bin/blackhole.sh b/bin/blackhole.sh
index 9207c43f..3e19c801 100755
--- a/bin/blackhole.sh
+++ b/bin/blackhole.sh
@@ -4,7 +4,8 @@ myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
 then
- echo "Need to run as root ..."
+ echo "### Need to run as root ..."
+ echo
 exit
 fi
@@ -23,38 +24,44 @@ if [ "$1" == "" ];
 exit
 fi
-# QnD paths
+# QnD paths, files
 mkdir -p /etc/blackhole
 cd /etc/blackhole
+myFILE="mass_scanner.txt"
+myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
+myBASELINE="3000"
+# Alternatively, using less routes, but blocking complete /24 networks
+#myFILE="mass_scanner_cidr.txt"
+#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
+#myBASELINE="500"
-# Calculate age of downloaded reputation list
-if [ -f "iprep.yaml" ];
+# Calculate age of downloaded list, read IPs
+if [ -f "$myFILE" ];
 then
 myNOW=$(date +%s)
- myOLD=$(date +%s -r iprep.yaml)
+ myOLD=$(date +%s -r "$myFILE")
 myDAYS=$(( (now-old) / (60*60*24) ))
- echo "### Downloaded reputation list is $myDAYS days old."
- myBLACKHOLE_IPS=$(grep "mass scanner" iprep.yaml | cut -f 1 -d":" | tr -d '"')
+ echo "### Downloaded $myFILE list is $myDAYS days old."
+ myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
 fi
-# Let's load ip reputation list from listbot service
-if [[ ! -f "iprep.yaml" && "$1" == "add" || "$myDAYS" -gt 30 ]];
+# Let's load ip list
+if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
 then
- echo "### Downloading reputation list."
- aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/iprep.yaml.bz2 && \
- bunzip2 -f *.bz2
- myBLACKHOLE_IPS=$(grep "mass scanner" iprep.yaml | cut -f 1 -d":" | tr -d '"')
+ echo "### Downloading $myFILE list."
+ aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
+ myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
 fi
 myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
 # Let's extract mass scanner IPs
-if [ "$myCOUNT" -lt "3000" ] && [ "$1" == "add" ];
+if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
 then
- echo "### Something went wrong. Please check contents of /etc/blackhole/iprep.yaml."
+ echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
 echo "### Aborting."
 echo
 exit
-elif [ "$(ip r | grep 'blackhole' -c)" -gt "3000" ] && [ "$1" == "add" ];
+elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
 then
 echo "### Blackhole already enabled."
 echo "### Aborting."
@@ -63,14 +70,13 @@ elif [ "$(ip r | grep 'blackhole' -c)" -gt "3000" ] && [ "$1" == "add" ];
 fi
 # Let's add blackhole routes for all mass scanner IPs
-# Your personal preferences may vary, feel free to adjust accordingly
 if [ "$1" == "add" ];
 then
 echo
 echo -n "Now adding $myCOUNT IPs to blackhole."
 for i in $myBLACKHOLE_IPS;
 do
- ip route add blackhole $i
+ ip route add blackhole "$i"
 echo -n "."
 done
 echo
@@ -83,18 +89,20 @@ if [ "$1" == "add" ];
 fi
 # Let's delete blackhole routes for all mass scanner IPs
-if [ "$1" == "del" ] && [ "$myCOUNT" -gt 3000 ];
+if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
 then
 echo
 echo -n "Now deleting $myCOUNT IPs from blackhole."
 for i in $myBLACKHOLE_IPS;
 do
- ip route del blackhole $i
+ ip route del blackhole "$i"
 echo -n "."
 done
 echo
 echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
- rm iprep.yaml
+ echo
+ rm "$myFILE"
 else
- echo "Blackhole already disabled."
+ echo "### Blackhole already disabled."
+ echo
 fi
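Review bot: Every dotted quad that `grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE"` pulls out of the downloaded file later reaches `ip route add blackhole` with no sanity filter, so a quad sitting in a comment or reference line, or a private, loopback or default-gateway address that ends up in the upstream list, would blackhole the host's own traffic; with no integrity check beyond TLS, the trust boundary is now the maltrail repository and whoever can push to it. The same pattern also discards a `/24` suffix, so the commented-out `mass_scanner_cidr.txt` alternative would install single `x.y.z.0` host routes rather than the network blocks its comment promises. I would do the extraction once, in a filtered form used by both the age-check branch and the download branch, e.g. `myBLACKHOLE_IPS=$(grep -v '^#' "$myFILE" | grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b" | grep -v -E '^(0\.|10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' | sort -u)`. Separately, the context line `myDAYS=$(( (now-old) / (60*60*24) ))` reads `now`/`old` rather than `myNOW`/`myOLD`, so it is always 0 and the `"$myDAYS" -gt 30` refresh never fires; that predates this commit, but it defeats the list-age logic the new download path relies on.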
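Review bot: The add loop prints a `.` for every entry whether or not `ip route add blackhole "$i"` succeeded, so a duplicate route (`RTNETLINK answers: File exists`) or a malformed quad — the extraction regex admits octets above 255 — shows up only as interleaved stderr noise, and "Now adding $myCOUNT IPs" is not the number of routes actually installed. I would count failures, `ip route add blackhole "$i" 2>/dev/null || myFAILED=$((myFAILED+1))`, and report `myFAILED` after the loop. The `if [ "$1" == "add" ]` block continues past the end of this hunk.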
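Review bot: The `del` path is driven by the downloaded file rather than by the routing table: when `$myFILE` is missing or holds fewer than `$myBASELINE` addresses (an upstream list that shrank is enough), `[ "$myCOUNT" -gt "$myBASELINE" ]` fails and the script prints `### Blackhole already disabled.` while the routes installed by an earlier `add` stay in place. I would enumerate what is actually installed, e.g. `myBLACKHOLE_IPS=$(ip -4 route show type blackhole | awk '{print $2}')`, delete from that set, and only take the else branch when it is empty; `rm "$myFILE"` can stay as it is. Returning a non-zero status from the else branch would also let a caller distinguish a real no-op from a refused deletion.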