# malware-ip-ban

Automated malware IP blocking on Linux using `iptables` and `ipset`. Written as a Bash script for maximum compatibility and minimal dependencies.

`malware-ip-ban` blocks known malware IPs from downloaded blocklists, DNS filtering and manual configuration, and can also block by country. Blocked IPs are dropped on both inbound and outbound connections. It integrates with Linux firewalls and DNS resolvers while protecting essential system resources.

This is an initial commit to get the project shared and online. It has been tested in production but should still be considered beta. Manual installation is currently required; the goal is a single one-line install for set-and-forget malware IP protection.

The script incorporates multiple safety checks and redundancies so that malicious WAN IP ranges are blocked reliably without cutting off the host's own connectivity. Key features in this area include allow-listing for the servers that provide the blocklist files, an offline blocklist cache for when downloads fail, no blocking gap during updates via instant list swapping (the new list is built alongside the old one and swapped in), and automatic exclusion of LAN ranges.

Current version: v2.6.
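The update pattern behind "instant list swapping" and LAN exclusion, shown as an added example that is not the project's own code: a blocklist is filtered down to well-formed IPv4 entries, anything inside LAN ranges or covering an allow-listed address is dropped, and the result is loaded into a fresh `ipset` that is then swapped in atomically, so there is never a moment with an empty set. The set name `mib_block`, the allow-listed mirror address, the `maxelem` size and the sample blocklist (RFC 5737 test addresses) are assumptions and constructed data.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): filter an IPv4 blocklist, then load it
# into a fresh ipset and swap it in so blocking never lapses during an update.
# Set name (mib_block), allow-listed address and sample data are assumptions.
set -euo pipefail

# RFC 1918, loopback and link-local ranges that must never be blocked.
LAN_RANGES='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16'
# Assumed address of the server that serves the blocklist files.
ALLOW_IPS=${ALLOW_IPS:-203.0.113.50}

# Constructed sample blocklist using RFC 5737 TEST-NET space (not real threat data).
SAMPLE_BLOCKLIST='# malware feed (constructed)
203.0.113.7
203.0.113.7            # duplicate
198.51.100.0/24
203.0.113.0/24         # covers the allow-listed mirror -> dropped whole
192.168.1.50           # LAN -> dropped
10.0.0.0/8             # LAN -> dropped
not-an-ip
2001:db8::1            # IPv6 is not supported -> dropped
'

# ip2int A.B.C.D -> 32-bit integer (10# avoids octal parsing of leading zeros)
ip2int() {
  local IFS=. a b c d
  read -r a b c d <<< "$1"
  echo $(( (10#$a << 24) | (10#$b << 16) | (10#$c << 8) | 10#$d ))
}

# in_cidr IP NET/BITS -> success if IP lies inside the network
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# valid_entry ENTRY -> success for a well-formed IPv4 address or CIDR block
valid_entry() {
  local ip=${1%/*} bits=32 o
  [[ $1 == */* ]] && bits=${1#*/}
  [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  [[ $bits =~ ^[0-9]{1,2}$ ]] && [ "$bits" -le 32 ] || return 1
  local IFS=.
  for o in $ip; do [ "$o" -le 255 ] || return 1; done
}

# filter_blocklist: stdin -> stdout. Strips comments and blank lines, rejects
# malformed or IPv6 entries, drops LAN space and any entry that would block an
# allow-listed address, and de-duplicates.
filter_blocklist() {
  local entry cidr range allow
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=${entry%%#*}; entry=${entry//[[:space:]]/}
    [ -n "$entry" ] || continue
    valid_entry "$entry" || continue
    cidr=$entry; [[ $cidr == */* ]] || cidr="$cidr/32"
    for range in $LAN_RANGES; do            # checks the entry's first address only
      in_cidr "${entry%/*}" "$range" && continue 2
    done
    for allow in $ALLOW_IPS; do             # drop any range that contains an allowed IP
      in_cidr "$allow" "$cidr" && continue 2
    done
    echo "$entry"
  done | LC_ALL=C sort -u
}

# apply_set SET FILE: build SET's replacement in a scratch set, then swap atomically.
apply_set() {
  local set=$1 file=$2 tmp="${1}_new"
  ipset -exist create "$set" hash:net maxelem 262144
  ipset -exist create "$tmp" hash:net maxelem 262144
  ipset flush "$tmp"
  sed "s/^/add $tmp /" "$file" | ipset -exist restore
  ipset swap "$tmp" "$set"        # atomic: live traffic always sees a complete set
  ipset destroy "$tmp"
  # Rules reference the set by name, so they are inserted once (at the top of the
  # chain, ahead of any ACCEPT rules) and kept across updates.
  iptables -C INPUT  -m set --match-set "$set" src -j DROP 2>/dev/null ||
    iptables -I INPUT  -m set --match-set "$set" src -j DROP
  iptables -C OUTPUT -m set --match-set "$set" dst -j DROP 2>/dev/null ||
    iptables -I OUTPUT -m set --match-set "$set" dst -j DROP
}

# Dry run by default: print what would be loaded. Run with --apply (as root) to
# load the set and insert the rules.
if [ "${1:-}" = "--apply" ]; then
  tmpfile=$(mktemp)
  printf '%s' "$SAMPLE_BLOCKLIST" | filter_blocklist > "$tmpfile"
  apply_set mib_block "$tmpfile"
  rm -f "$tmpfile"
else
  printf '%s' "$SAMPLE_BLOCKLIST" | filter_blocklist
fi
```

Run without arguments to see the filtered list (here `198.51.100.0/24` and `203.0.113.7`); run as root with `--apply` to load it. Two design points: the LAN check only tests an entry's first address, so a very wide range that merely overlaps LAN space would still be loaded, and an allow-listed address inside a blocked range drops the whole range rather than punching a hole, which is the conservative choice for a blocklist mirror you cannot afford to lose.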
## Features

- Block malware IPs: dynamically fetch and block IPs from external blocklists.
- Allow-list support: exclude trusted IPs or DNS domains.
- Country blocking: block entire countries using aggregated CIDR lists.
- DNS filtering: resolve and block domains dynamically.
- System integration: works with `systemd` and `cron` for automation.
- Production-tested: stable and reliable performance.
## Installation

An automated installer is not yet available; the manual steps are below. You may prefer another method, but these steps make the script run at boot once the network is ready, and again daily at midnight.

(NOTE: in all of the below, replace `/path/to/malware-ip-ban.sh` with the real location of the script on your system.)

- Clone the repository, which places `malware-ip-ban.sh` and `malware-ip-ban-config.cfg` in the same folder (they must stay together):

  ```bash
  git clone https://github.com/matthewlordtech/malware-ip-ban.git
  ```

- Make sure both files are owned by root and writable only by root. The script runs as root, so anyone who can edit the script or its config controls your firewall rules.
- Edit `malware-ip-ban-config.cfg`. Use IPv4 addresses only, including CIDR blocks; IPv6 is not yet supported.
- Make the script executable:

  ```bash
  sudo chmod +x malware-ip-ban.sh
  ```

  You can now test it from inside its directory with `sudo ./malware-ip-ban.sh`.
- Install as a service so the script runs at boot once the network is available:

  - Create the service file:

    ```bash
    sudo nano /etc/systemd/system/malware-ip-ban.service
    ```

  - Add the following content. The unit orders itself after `network-online.target` rather than `network.target`, because only the former waits for a configured, reachable network, which the script needs to download blocklists at boot:

    ```ini
    [Unit]
    Description=Run malware-ip-ban.sh
    Wants=network-online.target
    After=network-online.target

    [Service]
    Type=oneshot
    ExecStart=/path/to/malware-ip-ban.sh
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
    ```

  - Reload `systemd` and enable the service:

    ```bash
    sudo systemctl daemon-reload
    sudo systemctl enable malware-ip-ban.service
    sudo systemctl start malware-ip-ban.service
    sudo systemctl status malware-ip-ban.service
    ```

  - Monitor the script's progress:

    ```bash
    journalctl -u malware-ip-ban -f
    ```
- Set up a daily cron job so the script re-runs every day and picks up the latest blocklist updates:

  - Open root's crontab:

    ```bash
    sudo crontab -e
    ```

  - Add the following line to run the script daily at midnight. `2>&1` sends errors to the same log instead of to cron's mail; the log is overwritten on each run, so use `>>` instead of `>` if you want to keep history:

    ```
    0 0 * * * /path/to/malware-ip-ban.sh > /path/to/malware-ip-ban.log 2>&1
    ```
## Configuration

Edit `malware-ip-ban-config.cfg` to customize:

- Blocklist URLs
- Allow-listed IPs and domains
- Country-based blocks
- Cache paths and durations
## Requirements

- Linux (a kernel with netfilter and ipset support)
- Bash 4.3+
- Tools: `iptables`, `ipset`, `curl`, `dig`, `md5sum`
- Root privileges
- `crontab` and `systemd` for automation (may change once the automated installer is developed)
## Roadmap

- One-command installer: simplified installation via a `.deb` package or similar.
- Enhanced config management: dynamic loading of default and custom configs, and command-line tools to manage configs.
- User-friendly logs: improved error tracking and reporting. Logs are currently verbose by default; a less chatty log mode should become the new default.
- IPv6 support.
## Contributing

Pull requests and issues are welcome!