Docker image to download and update the most recent FireHOL IP lists
FireHOL's update-ipsets is a script that downloads the IP lists of known internet attackers published at iplists.firehol.org and keeps them current.
This Docker image runs update-ipsets periodically and applies the ipsets you enable to the host's kernel through iptables, so the host drops traffic from the listed addresses.
First, download and start a firehol-update-ipsets container. The following commands create a persistent volume for the list data and a container that restarts automatically (--restart=always), so the periodic update process survives reboots. The container needs --net=host and the NET_ADMIN capability because it manipulates the host's ipsets and iptables rules.
$ docker volume create firehol-update-ipsets
$ docker run --name firehol-update-ipsets -it -d --restart=always --cap-add=NET_ADMIN --net=host -v firehol-update-ipsets:/etc/firehol/ipsets devrt/firehol-update-ipsets
Then enable the ipsets you want. For example, to block the addresses in the firehol_level2 and tor_exits lists:
$ docker exec firehol-update-ipsets enable firehol_level2
$ docker exec firehol-update-ipsets enable tor_exits
The enable command applies the ipset to iptables immediately, so be careful with ipsets that contain private IP ranges (e.g. firehol_level1): if you administer the server over an address covered by such a list, enabling it locks you out. Check which lists contain private IPs, starting from the following URL, before you enable them:
http://iplists.firehol.org/?ipset=iblocklist_iana_private
Check that the ipsets were loaded into the kernel and that iptables references them (look for rules using -m set --match-set in the iptables-save output):
$ sudo ipset list -t
$ sudo iptables-save
From now on, the update-ipsets script refreshes the enabled ipsets periodically. You can follow the updates in the container log:
$ docker logs firehol-update-ipsets
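As an added example that is not part of this image or of FireHOL, the following POSIX shell script implements the lockout pre-flight check the warning above asks for: it parses a FireHOL list file (one IPv4 address or CIDR per line, '#' comments) and refuses to enable the set when any entry overlaps the address you administer from or an RFC 1918 private range. It checks prefix overlap rather than a single representative address, so a list carrying only 10.1.0.0/16 is still caught against 10.0.0.0/8. The sample list, the ADMIN_IP value and the in-container file names SETNAME.netset / SETNAME.ipset under /etc/firehol/ipsets are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the firehol-update-ipsets image: a lockout
# pre-flight to run before "docker exec firehol-update-ipsets enable <set>".

# ip2int A.B.C.D: convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_overlaps A B: succeed when the two IPv4 prefixes share any address
# (a bare address is treated as /32). Comparing both under the shorter mask
# is exactly the "one contains the other's network address" test.
cidr_overlaps() {
  a=${1%/*}; ab=${1#*/}; [ "$ab" = "$1" ] && ab=32
  b=${2%/*}; bb=${2#*/}; [ "$bb" = "$2" ] && bb=32
  bits=$ab; [ "$bb" -lt "$bits" ] && bits=$bb
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# netset_covers FILE TARGET: print the first entry of FILE overlapping TARGET
# (an address or CIDR) and succeed; fail silently when nothing overlaps.
# IPv6 entries are skipped because the arithmetic above is IPv4-only.
netset_covers() {
  while IFS= read -r line || [ -n "$line" ]; do
    entry=${line%%#*}                                  # drop comments
    entry=$(printf '%s' "$entry" | tr -d ' \t\r')
    [ -z "$entry" ] && continue
    case $entry in *:*) continue ;; esac               # IPv6, not handled
    if cidr_overlaps "$entry" "$2"; then
      printf '%s\n' "$entry"
      return 0
    fi
  done < "$1"
  return 1
}

# preflight FILE TARGET...: fail when FILE overlaps any TARGET, naming the
# offending entries; succeed when the list is safe for all of them.
preflight() {
  file=$1; shift
  status=0
  for target in "$@"; do
    if hit=$(netset_covers "$file" "$target"); then
      printf 'REFUSE %s: %s overlaps entry %s\n' "$file" "$target" "$hit"
      status=1
    fi
  done
  return $status
}

# safe_enable SETNAME ADMIN_IP: copy the list out of the running container
# (assumed to live at /etc/firehol/ipsets/SETNAME.netset or .ipset), run the
# pre-flight against ADMIN_IP and the RFC 1918 ranges, and only then enable.
safe_enable() {
  tmp=$(mktemp)
  docker exec firehol-update-ipsets sh -c \
    "cat /etc/firehol/ipsets/$1.netset /etc/firehol/ipsets/$1.ipset 2>/dev/null" > "$tmp"
  if [ ! -s "$tmp" ]; then
    echo "no list file for $1 found in the container" >&2
    rm -f "$tmp"; return 2
  fi
  if preflight "$tmp" "$2" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; then
    rm -f "$tmp"
    docker exec firehol-update-ipsets enable "$1"
  else
    rm -f "$tmp"; return 1
  fi
}

# demo: run the pre-flight on a constructed sample list (not real FireHOL
# data). Its 10.1.0.0/16 entry makes the check refuse.  Usage: sh preflight.sh demo
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# constructed sample list, not real FireHOL data
198.51.100.0/24
203.0.113.45
10.1.0.0/16
2001:db8::/32
EOF
  preflight "$tmp" "${ADMIN_IP:-192.0.2.10}" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  rc=$?
  rm -f "$tmp"
  return $rc
}

case "${1:-}" in demo) demo ;; esac
```

Run safe_enable tor_exits <your-public-ip> in place of the bare docker exec ... enable; it exits non-zero and prints the overlapping entry instead of applying a set that would cut off your own access.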
Notes: The container does not run as root. A dedicated non-root user with UID 6721 is built into the image; it cannot be changed to a different UID, because the files under /etc/firehol/ipsets are owned by that user and a different UID would break their permissions.
Example docker-compose.yml. This variant uses the ghcr.io build of the image, drops all capabilities and re-adds only NET_ADMIN and NET_RAW, selects the iptables binary with IPTABLES_CMD, excludes lists with SKIP_LISTS and enables an initial set of lists with FIREHOL_LISTS_INIT. Note that it enables firehol_level1 at start-up; reread the lockout warning above before copying it to a server you reach over a private address.
version: '3'
services:
  firehol-update-ipsets:
    container_name: firehol-update-ipsets
    image: "ghcr.io/verybadsoldier/docker-firehol-update-ipsets:1.3.0"
    environment:
      - IPTABLES_CMD=iptables
      - SKIP_LISTS=fullbogons greensnow
      - FIREHOL_LISTS_INIT=firehol_level1 firehol_level2 firehol_level3 blocklist_de blocklist_net_ua botscout_30d bruteforceblocker
    volumes:
      - ./data:/etc/firehol/ipsets
    network_mode: host
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      - NET_RAW
    restart: always
Make sure the data folder is writable by UID 6721 (for example, make that UID its owner with chown), since the container runs as that user.
Yosuke Matsusaka yosuke.matsusaka@gmail.com
tweaks by vbs vbs@springrts.de
Distributed under MIT license.