firehol / blocklist-ipsets

ipsets dynamically updated with firehol's update-ipsets.sh script
https://iplists.firehol.org

Searching for an IP address #63

Open szepeviktor opened 6 years ago

szepeviktor commented 6 years ago

Is there a clean way to search for a single IP address in all lists?

The files in this repo are in different formats so a simple tool like grepcidr will not work.

Thank you.

szepeviktor commented 6 years ago

Here's a grep.sh

```bash
#!/bin/bash
#
# Search all ipset and netset lists for a single IP address.
#
# DEPENDS: grepcidr

ADDRESS="$1"

set -e

# Abort if no address was given
test -n "$ADDRESS"

# Group the -name tests so that -type f applies to both patterns
find . -type f \( -name "*.ipset" -or -name "*.netset" \) \
    | while read -r IPSET; do
        if echo "$ADDRESS" | grepcidr -f "$IPSET"; then
            echo "Was found in ${IPSET}" 1>&2
        fi
    done
```

elico commented 6 years ago

@szepeviktor I am trying to understand what you are looking for. Do you want to know if the ipset contains any match for the IP and the exact match, or if it's in the set? Instead of grepcidr and a bash loop you can just load a set into a temporary one and use ipset test x testset. As long as it's not a big set it would use less CPU, less RAM and might be faster than grepcidr in userspace. I have not tested it but this is what the pros usually say: "the kernel does things the best". So... given an example it would be nice to benchmark them (for the sake of the embedded world).

szepeviktor commented 6 years ago

I run a small list of known hostile networks and the above tool is necessary to check common IPs. The other thing is my Fail2ban notifications are filtered by a script checking ~10 lists online and I would also like to quickly check IPs.
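
An added example, not part of any comment in this thread: a grepcidr-free lookup in POSIX sh and awk that treats a bare address in an `.ipset` file as a /32 and a CIDR in a `.netset` file as a block, so both formats are searched the same way. The function names `ip_in_list`, `search_lists` and `demo` are hypothetical, and the code assumes IPv4 lists with one address or CIDR per line and `#` comments.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes IPv4 lists with one address or
# CIDR per line and '#' comments; function names are hypothetical.

# ip_in_list ADDRESS FILE: print the entries of FILE that cover ADDRESS.
# Exit 0 on a match, 1 on no match, 2 if ADDRESS is not a dotted quad.
ip_in_list() {
    awk -v addr="$1" '
        function ip2num(s,   o, n) {          # dotted quad -> number, -1 if bad
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
            split(s, o, ".")
            for (n = 1; n <= 4; n++) if (o[n] + 0 > 255) return -1
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { target = ip2num(addr); if (target < 0) { bad = 1; exit 2 } }
        {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")   # drop comments, blanks, CR
            if ($0 == "") next
            net = $0; bits = 32                   # a bare address is a /32
            if (split($0, p, "/") == 2) { net = p[1]; bits = p[2] }
            if (bits !~ /^[0-9]+$/ || bits + 0 > 32) next
            base = ip2num(net); if (base < 0) next
            size = 2 ^ (32 - bits)                # addresses per block
            if (int(target / size) == int(base / size)) { print; found = 1 }
        }
        END { if (bad) exit 2; exit !found }
    ' "$2"
}

# search_lists ADDRESS [DIR]: report every *.ipset / *.netset file under DIR
# that lists ADDRESS, with the matching entries. Exit 1 if none does.
search_lists() {
    hits=$(find "${2:-.}" -type f \( -name '*.ipset' -o -name '*.netset' \) |
        sort | while IFS= read -r list; do
            if entries=$(ip_in_list "$1" "$list"); then
                printf '%s: %s\n' "$list" "$(printf '%s' "$entries" | tr '\n' ' ')"
            fi
        done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Constructed sample lists (documentation address ranges), then one lookup.
demo() {
    dir=$(mktemp -d)
    printf '# constructed\n192.0.2.7\n198.51.100.23\n' > "$dir/a.ipset"
    printf '203.0.113.0/24 # constructed\n198.51.100.0/25\n' > "$dir/b.netset"
    (cd "$dir" && search_lists 198.51.100.23 .)
    rm -rf "$dir"
}
```

Sourcing the file and running `search_lists ADDRESS DIR` against a checkout of the lists prints one line per list that contains the address; the exit status follows grep's convention, so it can gate a notification filter.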

tbussmann commented 2 years ago

It would be very helpful if there were a way to search for an IP address on http://iplists.firehol.org/ that would show all the lists this address is currently included in. Often, when debugging connection issues, I have to download most of the lists and use a script like in https://github.com/firehol/blocklist-ipsets/issues/63#issuecomment-395284883 just to find out if the issue is caused by one of the blocklists or not.

WeszNL commented 3 days ago

@tbussmann I realize this is an older issue, but I created a tool for myself to debug and check if an IP is listed in any of the ipset blacklists aggregated by FireHOL. Originally made for personal use, I thought it might be useful to others as well.

https://blacklist.sernate.com/firehol/

tbussmann commented 3 days ago

@WeszNL: Thank you very much! This is a very useful service, thanks for sharing.