From c2a92269e4c3eaf3809873c6488f5c3449e74b1e Mon Sep 17 00:00:00 2001
From: Alan Orth <alan.orth@gmail.com>
Date: Sat, 5 Oct 2019 12:28:30 +0300
Subject: [PATCH] roles/common: Add ipsets of abusive IPs to firewalld

This uses the ipsets feature of the Linux kernel to create lists of
IPs (though could be MACs, IP:port, etc) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.

The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:

    $ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml

See: https://firewalld.org/2015/12/ipset-support
---
 roles/common/files/abusers-ipv4.xml    | 463 +++++++++++++++++++++++++
 roles/common/files/abusers-ipv6.xml    |   7 +
 roles/common/tasks/firewall_Debian.yml |   9 +
 roles/common/tasks/firewall_Ubuntu.yml |   9 +
 4 files changed, 488 insertions(+)
 create mode 100644 roles/common/files/abusers-ipv4.xml
 create mode 100644 roles/common/files/abusers-ipv6.xml

diff --git a/roles/common/files/abusers-ipv4.xml b/roles/common/files/abusers-ipv4.xml
new file mode 100644
index 0000000..c74992a
--- /dev/null
+++ b/roles/common/files/abusers-ipv4.xml
@@ -0,0 +1,463 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ipset type="hash:ip">
+  <option name="family" value="inet" />
+  <short>abusers-ipv4</short>
+  <description>A list of abusive IPv4 addresses.</description>
+  <entry>102.165.35.92</entry>
+  <entry>103.208.220.122</entry>
+  <entry>103.208.220.226</entry>
+  <entry>103.91.210.33</entry>
+  <entry>104.244.72.115</entry>
+  <entry>104.244.72.221</entry>
+  <entry>104.244.72.251</entry>
+  <entry>104.244.77.49</entry>
+  <entry>104.244.78.55</entry>
+  <entry>104.244.79.222</entry>
+  <entry>107.155.49.126</entry>
+  <entry>112.85.42.171</entry>
+  <entry>112.85.42.172</entry>
+  <entry>112.85.42.173</entry>
+  <entry>112.85.42.174</entry>
+  <entry>112.85.42.175</entry>
+  <entry>112.85.42.177</entry>
+  <entry>112.85.42.178</entry>
+  <entry>112.85.42.179</entry>
+  <entry>112.85.42.180</entry>
+  <entry>112.85.42.182</entry>
+  <entry>119.146.223.134</entry>
+  <entry>122.195.200.14</entry>
+  <entry>122.195.200.148</entry>
+  <entry>122.195.200.36</entry>
+  <entry>128.14.136.158</entry>
+  <entry>139.199.162.76</entry>
+  <entry>139.199.170.159</entry>
+  <entry>139.199.79.66</entry>
+  <entry>144.217.164.104</entry>
+  <entry>144.217.165.133</entry>
+  <entry>144.217.166.26</entry>
+  <entry>144.217.166.59</entry>
+  <entry>144.217.255.89</entry>
+  <entry>144.217.7.154</entry>
+  <entry>144.217.90.68</entry>
+  <entry>146.185.194.219</entry>
+  <entry>149.202.170.60</entry>
+  <entry>149.56.44.47</entry>
+  <entry>153.36.236.35</entry>
+  <entry>153.36.242.143</entry>
+  <entry>157.157.87.22</entry>
+  <entry>158.69.113.76</entry>
+  <entry>158.69.192.200</entry>
+  <entry>158.69.192.239</entry>
+  <entry>158.69.193.32</entry>
+  <entry>158.69.212.107</entry>
+  <entry>158.69.217.248</entry>
+  <entry>158.69.217.87</entry>
+  <entry>158.69.63.54</entry>
+  <entry>162.247.72.199</entry>
+  <entry>162.247.73.192</entry>
+  <entry>162.247.74.200</entry>
+  <entry>162.247.74.201</entry>
+  <entry>162.247.74.202</entry>
+  <entry>162.247.74.204</entry>
+  <entry>162.247.74.206</entry>
+  <entry>162.247.74.213</entry>
+  <entry>162.247.74.216</entry>
+  <entry>162.247.74.217</entry>
+  <entry>162.247.74.27</entry>
+  <entry>162.247.74.7</entry>
+  <entry>162.247.74.74</entry>
+  <entry>163.172.106.114</entry>
+  <entry>164.132.51.91</entry>
+  <entry>166.70.207.2</entry>
+  <entry>167.71.56.222</entry>
+  <entry>169.197.112.102</entry>
+  <entry>169.197.97.34</entry>
+  <entry>171.25.193.20</entry>
+  <entry>171.25.193.235</entry>
+  <entry>171.25.193.25</entry>
+  <entry>171.25.193.77</entry>
+  <entry>171.25.193.78</entry>
+  <entry>172.247.76.85</entry>
+  <entry>172.96.118.14</entry>
+  <entry>173.244.209.5</entry>
+  <entry>175.126.163.116</entry>
+  <entry>178.165.72.177</entry>
+  <entry>18.18.248.17</entry>
+  <entry>18.27.197.252</entry>
+  <entry>183.131.82.99</entry>
+  <entry>185.100.85.61</entry>
+  <entry>185.100.87.206</entry>
+  <entry>185.117.215.9</entry>
+  <entry>185.127.25.192</entry>
+  <entry>185.129.62.62</entry>
+  <entry>185.130.44.108</entry>
+  <entry>185.169.42.133</entry>
+  <entry>185.216.32.170</entry>
+  <entry>185.220.102.4</entry>
+  <entry>185.220.102.6</entry>
+  <entry>185.220.102.7</entry>
+  <entry>185.220.102.8</entry>
+  <entry>185.227.68.78</entry>
+  <entry>185.246.128.25</entry>
+  <entry>185.254.122.114</entry>
+  <entry>185.34.33.2</entry>
+  <entry>185.65.135.180</entry>
+  <entry>185.83.214.121</entry>
+  <entry>188.213.49.176</entry>
+  <entry>188.214.104.146</entry>
+  <entry>18.85.192.253</entry>
+  <entry>188.92.75.248</entry>
+  <entry>188.92.77.12</entry>
+  <entry>188.92.77.235</entry>
+  <entry>192.42.116.13</entry>
+  <entry>192.42.116.14</entry>
+  <entry>192.42.116.15</entry>
+  <entry>192.42.116.16</entry>
+  <entry>192.42.116.17</entry>
+  <entry>192.42.116.18</entry>
+  <entry>192.42.116.19</entry>
+  <entry>192.42.116.20</entry>
+  <entry>192.42.116.22</entry>
+  <entry>192.42.116.23</entry>
+  <entry>192.42.116.24</entry>
+  <entry>192.42.116.25</entry>
+  <entry>192.42.116.26</entry>
+  <entry>192.42.116.27</entry>
+  <entry>192.42.116.28</entry>
+  <entry>193.110.157.151</entry>
+  <entry>193.169.255.102</entry>
+  <entry>193.171.202.150</entry>
+  <entry>193.201.224.216</entry>
+  <entry>193.201.224.218</entry>
+  <entry>193.201.224.232</entry>
+  <entry>193.32.163.182</entry>
+  <entry>193.32.163.89</entry>
+  <entry>193.90.12.115</entry>
+  <entry>193.9.114.139</entry>
+  <entry>193.9.115.24</entry>
+  <entry>194.187.249.57</entry>
+  <entry>195.206.105.217</entry>
+  <entry>198.100.148.114</entry>
+  <entry>198.96.155.3</entry>
+  <entry>198.98.50.112</entry>
+  <entry>198.98.52.143</entry>
+  <entry>198.98.57.155</entry>
+  <entry>199.195.251.84</entry>
+  <entry>199.87.154.255</entry>
+  <entry>204.17.56.42</entry>
+  <entry>204.8.156.142</entry>
+  <entry>205.185.117.149</entry>
+  <entry>205.185.127.219</entry>
+  <entry>207.244.70.35</entry>
+  <entry>209.141.34.95</entry>
+  <entry>209.141.41.103</entry>
+  <entry>209.141.51.150</entry>
+  <entry>209.141.58.114</entry>
+  <entry>209.95.51.11</entry>
+  <entry>212.21.66.6</entry>
+  <entry>213.61.215.54</entry>
+  <entry>216.218.134.12</entry>
+  <entry>216.239.90.19</entry>
+  <entry>217.115.10.132</entry>
+  <entry>217.170.197.83</entry>
+  <entry>217.170.197.89</entry>
+  <entry>218.92.0.131</entry>
+  <entry>218.92.0.132</entry>
+  <entry>218.92.0.133</entry>
+  <entry>218.92.0.134</entry>
+  <entry>218.92.0.135</entry>
+  <entry>218.92.0.137</entry>
+  <entry>218.92.0.138</entry>
+  <entry>218.92.0.139</entry>
+  <entry>218.92.0.141</entry>
+  <entry>218.92.0.143</entry>
+  <entry>218.92.0.144</entry>
+  <entry>218.92.0.145</entry>
+  <entry>218.92.0.146</entry>
+  <entry>218.92.0.147</entry>
+  <entry>218.92.0.154</entry>
+  <entry>218.92.0.155</entry>
+  <entry>218.92.0.156</entry>
+  <entry>218.92.0.157</entry>
+  <entry>218.92.0.158</entry>
+  <entry>218.92.0.160</entry>
+  <entry>218.92.0.161</entry>
+  <entry>218.92.0.163</entry>
+  <entry>218.92.0.167</entry>
+  <entry>218.92.0.168</entry>
+  <entry>218.92.0.170</entry>
+  <entry>218.92.0.171</entry>
+  <entry>218.92.0.172</entry>
+  <entry>218.92.0.173</entry>
+  <entry>218.92.0.174</entry>
+  <entry>218.92.0.175</entry>
+  <entry>218.92.0.178</entry>
+  <entry>218.92.0.180</entry>
+  <entry>218.92.0.181</entry>
+  <entry>218.92.0.182</entry>
+  <entry>218.92.0.184</entry>
+  <entry>218.92.0.185</entry>
+  <entry>218.92.0.186</entry>
+  <entry>218.92.0.187</entry>
+  <entry>218.92.0.188</entry>
+  <entry>218.92.0.190</entry>
+  <entry>218.92.0.193</entry>
+  <entry>218.92.0.204</entry>
+  <entry>218.92.0.210</entry>
+  <entry>218.92.0.212</entry>
+  <entry>218.98.26.162</entry>
+  <entry>218.98.26.163</entry>
+  <entry>218.98.26.164</entry>
+  <entry>218.98.26.165</entry>
+  <entry>218.98.26.166</entry>
+  <entry>218.98.26.167</entry>
+  <entry>218.98.26.168</entry>
+  <entry>218.98.26.169</entry>
+  <entry>218.98.26.170</entry>
+  <entry>218.98.26.171</entry>
+  <entry>218.98.26.172</entry>
+  <entry>218.98.26.174</entry>
+  <entry>218.98.26.175</entry>
+  <entry>218.98.26.177</entry>
+  <entry>218.98.26.178</entry>
+  <entry>218.98.26.180</entry>
+  <entry>218.98.26.182</entry>
+  <entry>218.98.26.183</entry>
+  <entry>218.98.26.184</entry>
+  <entry>218.98.40.131</entry>
+  <entry>218.98.40.132</entry>
+  <entry>218.98.40.134</entry>
+  <entry>218.98.40.136</entry>
+  <entry>218.98.40.137</entry>
+  <entry>218.98.40.138</entry>
+  <entry>218.98.40.140</entry>
+  <entry>218.98.40.141</entry>
+  <entry>218.98.40.142</entry>
+  <entry>218.98.40.143</entry>
+  <entry>218.98.40.144</entry>
+  <entry>218.98.40.145</entry>
+  <entry>218.98.40.146</entry>
+  <entry>218.98.40.147</entry>
+  <entry>218.98.40.148</entry>
+  <entry>218.98.40.150</entry>
+  <entry>218.98.40.151</entry>
+  <entry>218.98.40.152</entry>
+  <entry>218.98.40.154</entry>
+  <entry>222.186.10.47</entry>
+  <entry>222.186.15.101</entry>
+  <entry>222.186.15.110</entry>
+  <entry>222.186.15.160</entry>
+  <entry>222.186.15.197</entry>
+  <entry>222.186.15.204</entry>
+  <entry>222.186.15.217</entry>
+  <entry>222.186.15.28</entry>
+  <entry>222.186.15.33</entry>
+  <entry>222.186.15.65</entry>
+  <entry>222.186.169.192</entry>
+  <entry>222.186.169.194</entry>
+  <entry>222.186.173.119</entry>
+  <entry>222.186.173.142</entry>
+  <entry>222.186.173.154</entry>
+  <entry>222.186.173.180</entry>
+  <entry>222.186.173.183</entry>
+  <entry>222.186.173.201</entry>
+  <entry>222.186.173.215</entry>
+  <entry>222.186.173.238</entry>
+  <entry>222.186.175.140</entry>
+  <entry>222.186.175.147</entry>
+  <entry>222.186.175.148</entry>
+  <entry>222.186.175.150</entry>
+  <entry>222.186.175.151</entry>
+  <entry>222.186.175.154</entry>
+  <entry>222.186.175.155</entry>
+  <entry>222.186.175.161</entry>
+  <entry>222.186.175.163</entry>
+  <entry>222.186.175.167</entry>
+  <entry>222.186.175.169</entry>
+  <entry>222.186.175.182</entry>
+  <entry>222.186.175.183</entry>
+  <entry>222.186.175.202</entry>
+  <entry>222.186.175.212</entry>
+  <entry>222.186.175.215</entry>
+  <entry>222.186.175.216</entry>
+  <entry>222.186.175.217</entry>
+  <entry>222.186.175.220</entry>
+  <entry>222.186.175.6</entry>
+  <entry>222.186.175.8</entry>
+  <entry>222.186.180.147</entry>
+  <entry>222.186.180.17</entry>
+  <entry>222.186.180.19</entry>
+  <entry>222.186.180.20</entry>
+  <entry>222.186.180.21</entry>
+  <entry>222.186.180.223</entry>
+  <entry>222.186.180.41</entry>
+  <entry>222.186.180.6</entry>
+  <entry>222.186.180.8</entry>
+  <entry>222.186.180.9</entry>
+  <entry>222.186.190.17</entry>
+  <entry>222.186.190.2</entry>
+  <entry>222.186.190.65</entry>
+  <entry>222.186.190.92</entry>
+  <entry>222.186.30.111</entry>
+  <entry>222.186.30.152</entry>
+  <entry>222.186.30.165</entry>
+  <entry>222.186.31.136</entry>
+  <entry>222.186.31.144</entry>
+  <entry>222.186.31.145</entry>
+  <entry>222.186.3.179</entry>
+  <entry>222.186.42.117</entry>
+  <entry>222.186.42.15</entry>
+  <entry>222.186.42.163</entry>
+  <entry>222.186.42.241</entry>
+  <entry>222.186.42.4</entry>
+  <entry>222.186.42.94</entry>
+  <entry>222.186.52.107</entry>
+  <entry>222.186.52.123</entry>
+  <entry>222.186.52.124</entry>
+  <entry>222.186.52.155</entry>
+  <entry>222.186.52.78</entry>
+  <entry>222.186.52.89</entry>
+  <entry>23.129.64.100</entry>
+  <entry>23.129.64.150</entry>
+  <entry>23.129.64.151</entry>
+  <entry>23.129.64.152</entry>
+  <entry>23.129.64.153</entry>
+  <entry>23.129.64.154</entry>
+  <entry>23.129.64.155</entry>
+  <entry>23.129.64.156</entry>
+  <entry>23.129.64.157</entry>
+  <entry>23.129.64.158</entry>
+  <entry>23.129.64.159</entry>
+  <entry>23.129.64.160</entry>
+  <entry>23.129.64.161</entry>
+  <entry>23.129.64.162</entry>
+  <entry>23.129.64.163</entry>
+  <entry>23.129.64.165</entry>
+  <entry>23.129.64.166</entry>
+  <entry>23.129.64.167</entry>
+  <entry>23.129.64.168</entry>
+  <entry>23.129.64.169</entry>
+  <entry>23.129.64.170</entry>
+  <entry>23.129.64.180</entry>
+  <entry>23.129.64.181</entry>
+  <entry>23.129.64.182</entry>
+  <entry>23.129.64.183</entry>
+  <entry>23.129.64.184</entry>
+  <entry>23.129.64.185</entry>
+  <entry>23.129.64.186</entry>
+  <entry>23.129.64.187</entry>
+  <entry>23.129.64.188</entry>
+  <entry>23.129.64.189</entry>
+  <entry>23.129.64.190</entry>
+  <entry>23.129.64.191</entry>
+  <entry>23.129.64.192</entry>
+  <entry>23.129.64.193</entry>
+  <entry>23.129.64.194</entry>
+  <entry>23.129.64.195</entry>
+  <entry>23.129.64.196</entry>
+  <entry>23.129.64.200</entry>
+  <entry>23.129.64.201</entry>
+  <entry>23.129.64.202</entry>
+  <entry>23.129.64.203</entry>
+  <entry>23.129.64.204</entry>
+  <entry>23.129.64.205</entry>
+  <entry>23.129.64.206</entry>
+  <entry>23.129.64.207</entry>
+  <entry>23.129.64.208</entry>
+  <entry>23.129.64.209</entry>
+  <entry>23.129.64.210</entry>
+  <entry>23.129.64.211</entry>
+  <entry>23.129.64.212</entry>
+  <entry>23.129.64.213</entry>
+  <entry>23.129.64.214</entry>
+  <entry>23.129.64.215</entry>
+  <entry>23.129.64.216</entry>
+  <entry>23.133.240.6</entry>
+  <entry>31.185.104.21</entry>
+  <entry>35.0.127.52</entry>
+  <entry>36.156.24.43</entry>
+  <entry>36.156.24.78</entry>
+  <entry>36.156.24.79</entry>
+  <entry>37.220.36.240</entry>
+  <entry>37.28.154.68</entry>
+  <entry>37.46.114.5</entry>
+  <entry>46.182.106.190</entry>
+  <entry>46.29.248.238</entry>
+  <entry>49.88.112.111</entry>
+  <entry>49.88.112.115</entry>
+  <entry>49.88.112.116</entry>
+  <entry>49.88.112.117</entry>
+  <entry>49.88.112.54</entry>
+  <entry>49.88.112.55</entry>
+  <entry>49.88.112.57</entry>
+  <entry>49.88.112.62</entry>
+  <entry>49.88.112.63</entry>
+  <entry>49.88.112.64</entry>
+  <entry>49.88.112.66</entry>
+  <entry>49.88.112.67</entry>
+  <entry>49.88.112.71</entry>
+  <entry>49.88.112.76</entry>
+  <entry>49.88.112.77</entry>
+  <entry>49.88.112.78</entry>
+  <entry>49.88.112.80</entry>
+  <entry>49.88.112.85</entry>
+  <entry>49.88.112.90</entry>
+  <entry>50.99.193.144</entry>
+  <entry>51.15.1.221</entry>
+  <entry>51.15.3.205</entry>
+  <entry>51.15.76.60</entry>
+  <entry>51.158.184.28</entry>
+  <entry>51.38.150.104</entry>
+  <entry>51.38.150.105</entry>
+  <entry>51.38.150.109</entry>
+  <entry>51.75.21.57</entry>
+  <entry>51.77.193.218</entry>
+  <entry>51.77.52.216</entry>
+  <entry>51.83.76.139</entry>
+  <entry>5.199.130.188</entry>
+  <entry>54.36.108.162</entry>
+  <entry>54.36.189.105</entry>
+  <entry>54.37.157.229</entry>
+  <entry>54.37.234.66</entry>
+  <entry>54.39.148.232</entry>
+  <entry>54.39.148.233</entry>
+  <entry>54.39.148.234</entry>
+  <entry>54.39.151.167</entry>
+  <entry>58.218.213.128</entry>
+  <entry>62.102.148.68</entry>
+  <entry>62.102.148.69</entry>
+  <entry>62.210.105.116</entry>
+  <entry>62.210.140.24</entry>
+  <entry>62.210.37.15</entry>
+  <entry>62.210.37.82</entry>
+  <entry>62.210.99.162</entry>
+  <entry>64.113.32.29</entry>
+  <entry>77.120.113.64</entry>
+  <entry>77.247.181.162</entry>
+  <entry>77.247.181.163</entry>
+  <entry>77.247.181.165</entry>
+  <entry>78.130.128.106</entry>
+  <entry>79.134.234.247</entry>
+  <entry>79.137.79.167</entry>
+  <entry>80.67.172.162</entry>
+  <entry>82.221.128.191</entry>
+  <entry>82.221.131.102</entry>
+  <entry>82.221.131.5</entry>
+  <entry>82.221.131.71</entry>
+  <entry>87.120.254.98</entry>
+  <entry>87.120.36.157</entry>
+  <entry>89.234.157.254</entry>
+  <entry>89.41.173.191</entry>
+  <entry>91.250.242.12</entry>
+  <entry>91.92.109.43</entry>
+  <entry>92.222.127.232</entry>
+  <entry>92.62.139.103</entry>
+  <entry>92.63.194.26</entry>
+  <entry>92.63.194.47</entry>
+  <entry>93.115.241.194</entry>
+  <entry>94.100.6.27</entry>
+  <entry>94.102.51.78</entry>
+  <entry>95.128.43.164</entry>
+  <entry>95.130.9.90</entry>
+  <entry>95.142.161.63</entry>
+</ipset>
diff --git a/roles/common/files/abusers-ipv6.xml b/roles/common/files/abusers-ipv6.xml
new file mode 100644
index 0000000..3c4c766
--- /dev/null
+++ b/roles/common/files/abusers-ipv6.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+  <ipset type="hash:ip">
+  <option name="family" value="inet6"/>
+  <short>abusers-ipv4</short>
+  <description>A list of abusive IPv6 addresses.</description>
+  <entry>2a03:2880:11ff:10::face:b00c</entry>
+</ipset>
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index bab1664..477c787 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -21,6 +21,15 @@
     command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
     notify:
       - reload firewalld
+
+  - name: Copy ipsets of abusive IPs
+    when: ansible_distribution_major_version is version_compare('8', '>=')
+    copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
+    loop:
+      - abusers-ipv4.xml
+      - abusers-ipv6.xml
+    notify:
+      - reload firewalld
   tags: firewall
 
 # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 9394493..22216d5 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -17,6 +17,15 @@
     command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
     notify:
       - reload firewalld
+
+  - name: Copy ipsets of abusive IPs
+    when: ansible_distribution_major_version is version_compare('15.04', '>=')
+    copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
+    loop:
+      - abusers-ipv4.xml
+      - abusers-ipv6.xml
+    notify:
+      - reload firewalld
   tags: firewall
 
 # vim: set sw=2 ts=2: