🛡️ Bad IPs

v3.5.0 - Distributed IP Blocking System

Real-time threat detection with centralized database

⚠️ ALPHA SOFTWARE - Currently in testing on live production servers. Use with appropriate caution and testing in your environment.

🚀 Quick Start

Install Bad IPs on Ubuntu/Debian with a single command:

```bash
bash <(curl -fsSL https://projects.thedude.vip/bad-ips/install.sh)
```

This fetches the script over HTTPS and executes it unreviewed with your privileges. If you would rather inspect it first, save it with curl -o, read it, and then run it with bash; the step-by-step section below lists what it does.

The installer will:

📦 Installation Steps

For those who prefer a step-by-step approach or want to understand what the installer does:

1. Add Repository and Install Package

```bash
# Add GPG key
curl -fsSL https://projects.thedude.vip/apt/silver-linings.gpg.key | \
  sudo gpg --dearmor -o /etc/apt/keyrings/silver-linings.gpg

# Add repository
echo "deb [signed-by=/etc/apt/keyrings/silver-linings.gpg] https://projects.thedude.vip/apt ./" | \
  sudo tee /etc/apt/sources.list.d/bad-ips.list

# Install
sudo apt update
sudo apt install bad-ips
```

The signed-by option scopes the key to this one source list, so it cannot be used to trust packages from any other repository on the host.

2. Configure Database Connection

Edit /usr/local/etc/badips.d/database.conf:

```ini
[global]
db_host = 10.10.0.116
db_port = 5432
db_name = bad_ips
db_user = bad_ips_admin
db_password = your_password_here
db_ssl_mode = disable
```

With db_ssl_mode = disable the password and every query travel in clear text between this host and the database server, so keep that setting for a trusted management network only (the same networks you list in never_block_cidrs below) and restrict this file to root with mode 0600, since it holds the shared database credential for every server in the pool.

3. Configure Network Filtering

Edit /usr/local/etc/badips.conf:

```ini
[global]
log_level = info
block_duration = 691200  # 8 days

# Trusted networks (never blocked)
never_block_cidrs = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8

# Permanent blocks (optional)
always_block_cidrs = 240.0.0.0/4,198.51.100.0/24
```

Add the network you administer from to never_block_cidrs before the service starts: a mistyped password from your own workstation would otherwise be treated like any other failed login and, because blocks are shared through the database, lock you out of every server for block_duration.

4. Set Up nftables

```bash
# The installer creates /etc/nftables.d/99-badips.nft automatically.
# It provides a dedicated 'inet badips' table with IPv4 and IPv6 support.

# View the Bad IPs nftables configuration:
sudo cat /etc/nftables.d/99-badips.nft

# The configuration includes:
#   - IPv4 sets: badipv4, never_block, always_block
#   - IPv6 sets: badipv6, never_block_v6, always_block_v6
#   - A prerouting hook at priority -150: that is after conntrack (-200) and
#     before DNAT (-100), so every inbound packet on any interface is checked,
#     whether it is destined for this host or forwarded through it.

# Verify the nftables configuration is loaded:
sudo nft list table inet badips
```

5. Start Service

```bash
sudo systemctl enable bad_ips
sudo systemctl start bad_ips
sudo systemctl status bad_ips
```

Note: The automated installer handles all these steps, including interactive prompts for database credentials and network configuration.

🗑️ Uninstalling Bad IPs

To completely remove Bad IPs and clean up all configuration:

```bash
sudo apt remove --purge bad-ips
```

This will:

Expected Warnings

You may see these warnings during removal - they are normal and expected:

```
dpkg: warning: while removing bad-ips, directory '/usr/local/share' not empty so not removed
dpkg: warning: while removing bad-ips, directory '/usr/local/lib' not empty so not removed
dpkg: warning: while removing bad-ips, directory '/usr/local/etc/badips.d' not empty so not removed
```

These warnings appear because:

Complete Cleanup: If you want to remove everything including custom configs:

```bash
sudo apt remove --purge bad-ips
sudo rm -rf /usr/local/etc/badips.d
sudo rm -rf /usr/local/etc/badips.conf
```

Remove Repository

To also remove the apt repository:

```bash
sudo rm /etc/apt/sources.list.d/bad-ips.list
sudo rm /etc/apt/keyrings/silver-linings.gpg
sudo apt update
```

✨ Features

🔍 Real-time Monitoring

Monitors systemd journal and log files for attack patterns

🚫 Automatic Blocking

Blocks IPs using nftables with configurable timeouts

🗄️ Centralized Database

PostgreSQL for threat sharing across all servers

⚡ Multi-threaded

Async architecture with queue-based pipeline

🎯 Configurable Detectors

SSH, mail, web, DNS - add your own patterns

🛡️ Trusted Networks

Never-block CIDR filtering for management networks

The NATO Effect

"An attack on one is an attack on all."

When any server blocks an IP, it's shared via database with all servers. An attacker brute-forcing SSH on your mail server gets instantly blocked everywhere.

⚙️ Configuration

Main Configuration

Edit /usr/local/etc/badips.conf:

```ini
[global]
log_level = debug
block_duration = 691200  # 8 days
never_block_cidrs = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
```

Database Configuration

Edit /usr/local/etc/badips.d/database.conf:

```ini
[global]
db_host = 10.10.0.116
db_port = 5432
db_name = bad_ips
db_user = bad_ips_admin
db_password = your_password
```

Detector Configuration

Example SSH detector (10-sshd.conf):

```ini
[detector:sshd]
units = ssh.service, sshd.service
pattern1 = Failed password for invalid user
pattern2 = Failed password for root
```
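To see how the pieces above fit together, here is an added walkthrough that is not Bad IPs' own code: it reads a detector section and the global never_block/always_block lists in the INI style shown on this page, runs the patterns over a handful of constructed sshd journal lines, and prints the nft commands that would add the surviving addresses to the badipv4/badipv6 sets. Treating each pattern<N> as a literal substring, the "from <addr> port" extraction, and the per-element timeout syntax (which requires the sets to carry flags timeout) are assumptions about the daemon, not facts from the page.

```python
"""Added illustration of the Bad IPs detector -> CIDR filter -> nftables flow.
Not the project's code; pattern semantics and nft syntax are assumptions."""
import configparser
import ipaddress
import re

# Constructed config in the INI style of badips.conf and 10-sshd.conf.
CONFIG_TEXT = """
[global]
block_duration = 691200  # 8 days
never_block_cidrs = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8
always_block_cidrs = 240.0.0.0/4,198.51.100.0/24

[detector:sshd]
units = ssh.service, sshd.service
pattern1 = Failed password for invalid user
pattern2 = Failed password for root
"""

# Constructed sshd journal lines; none were captured from a real host.
JOURNAL_LINES = [
    "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "sshd[1234]: Failed password for root from 2001:db8::1 port 40000 ssh2",
    "sshd[1234]: Failed password for invalid user test from 192.168.1.20 port 50001 ssh2",
    "sshd[1234]: Accepted publickey for deploy from 203.0.113.9 port 50002 ssh2",
    "sshd[1234]: Failed password for bob from 203.0.113.10 port 50003 ssh2",
]

# sshd reports the peer as "from <addr> port <n>" for both IPv4 and IPv6.
SOURCE_RE = re.compile(r"\bfrom (\S+) port \d+")


def load_config(text: str) -> configparser.ConfigParser:
    # inline_comment_prefixes lets "691200  # 8 days" parse as 691200
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp


def parse_cidrs(value: str) -> list:
    """Split a comma-separated CIDR list into ip_network objects."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def detector_patterns(cp: configparser.ConfigParser) -> dict:
    """Collect pattern1, pattern2, ... from every [detector:*] section."""
    out = {}
    for section in cp.sections():
        if section.startswith("detector:"):
            out[section.split(":", 1)[1]] = [
                v for k, v in cp[section].items() if re.fullmatch(r"pattern\d+", k)]
    return out


def extract_source(line: str):
    """Return the peer address from a matched line, or None if unparsable."""
    m = SOURCE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def classify(ip, never: list, always: list) -> str:
    """never_block wins over everything; an address inside always_block is
    already in the permanent set, so it needs no timed entry."""
    if any(ip in net for net in never):      # version mismatch is False
        return "never"
    if any(ip in net for net in always):
        return "always"
    return "block"


def nft_command(ip, timeout: int) -> str:
    """Timed element add; assumes badipv4/badipv6 are declared with flags timeout."""
    set_name = "badipv4" if ip.version == 4 else "badipv6"
    return f"nft add element inet badips {set_name} {{ {ip} timeout {timeout}s }}"


def run(cp: configparser.ConfigParser, lines: list) -> tuple:
    """Map each matched source address to its decision and build nft commands."""
    g = cp["global"]
    never = parse_cidrs(g.get("never_block_cidrs", ""))
    always = parse_cidrs(g.get("always_block_cidrs", ""))
    timeout = g.getint("block_duration")
    patterns = [p for pats in detector_patterns(cp).values() for p in pats]
    decisions = {}
    for line in lines:
        if not any(p in line for p in patterns):
            continue          # no detector pattern matched this line
        ip = extract_source(line)
        if ip is None:
            continue          # pattern matched but no usable source address
        decisions[str(ip)] = classify(ip, never, always)
    commands = [nft_command(ipaddress.ip_address(a), timeout)
                for a, d in decisions.items() if d == "block"]
    return decisions, commands


if __name__ == "__main__":
    decisions, commands = run(load_config(CONFIG_TEXT), JOURNAL_LINES)
    for addr, decision in decisions.items():
        print(f"{addr:>16}  {decision}")
    print("\n".join(commands))
```

Two things the run shows that the config alone does not: the 192.168.1.20 attempt is dropped by never_block_cidrs rather than blocked, and the last line (a wrong password for an existing, non-root account) matches neither pattern1 nor pattern2 as written on this page, so that detector never sees it. If you want such attempts counted, add a broader pattern such as "Failed password for" to the detector.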

→ Full Configuration Reference

📚 Documentation

Useful Commands

```bash
systemctl status bad_ips                 # service state
systemctl reload bad_ips                 # re-read configuration
journalctl -u bad_ips.service -f         # follow the daemon's log
sudo nft list set inet badips badipv4    # currently blocked IPv4 addresses
sudo nft list set inet badips badipv6    # currently blocked IPv6 addresses
sudo nft list table inet badips          # full table: sets, chain, rules
bad_ips --test-config                    # validate the configuration files
```

🤝 Support

⚠️ Security Notes: