Skip to content

๐Ÿงฑ Blocklist โ€บ Generate #778

๐Ÿงฑ Blocklist โ€บ Generate

๐Ÿงฑ Blocklist โ€บ Generate #778

# #
# @usage https://github.com/ConfigServer-Software/service-blocklists
# @type github workflow
# @updated 09.28.25
# @usage generates a list of ipsets which can then be used within host files, config server firewall, and various other apps
#
#
# @secrets secrets.SELF_TOKEN self github personal access token (fine-grained)
# secrets.SELF_TOKEN_CL self github personal access token (classic)
# secrets.NPM_TOKEN self npmjs access token
# secrets.PYPI_API_TOKEN self Pypi API token (production site) - https://pypi.org/
# secrets.PYPI_API_TEST_TOKEN self Pypi API token (test site) - https://test.pypi.org/
# secrets.SELF_DOCKERHUB_TOKEN self Dockerhub token
# secrets.CODECOV_TOKEN codecov upload token for nodejs projects
# secrets.API_GEOLITE2_KEY maxmind API token
# secrets.CF_ACCOUNT_ID cloudflare account id
# secrets.CF_ACCOUNT_TOKEN cloudflare account token
# secrets.ARTIFACTS_DOMAIN github artifacts domain name
# secrets.ARTIFACTS_PORT github artifacts port
# secrets.ARTIFACTS_GITHUB_SSH_PRIVATE_KEY github artifacts server ssh private key
# secrets.ORG_TOKEN org github personal access token (fine-grained)
# secrets.ORG_TOKEN_CL org github personal access token (classic)
# secrets.ORG_DOCKERHUB_TOKEN org dockerhub secret
# secrets.ORG_GITEA_TOKEN org gitea personal access token (classic) with package:write permission
# secrets.BOT_GPG_KEY_ASC bot gpg private key (armored) | BEGIN PGP PRIVATE KEY BLOCK
# secrets.BOT_GPG_KEY_B64 bot gpg private key (binary) converted to base64
# secrets.BOT_GPG_PASSPHRASE bot gpg private key passphrase
# secrets.DISCORD_WEBHOOK_CHAN_GITHUB_RELEASES discord webhook to report release notifications from github to discord
# secrets.DISCORD_WEBHOOK_CHAN_GITHUB_WORKFLOWS discord webhook to report workflow notifications from github to discord
# secrets.DISCORD_WEBHOOK_CHAN_GITHUB_UPDATES discord webhook to report activity notifications from github to discord
#
# @local these workflows can be tested locally through the use of `act`
# https://github.com/nektos/act
# Extract act to folder
# Add system env var with path to act.exe
# Run the commands:
# git pull https://github.com/username/repo
# act -W .github/workflows/blocklist-generate.yml -P ubuntu-latest=catthehacker/ubuntu:full-22.04
# act -W .github/workflows/blocklist-generate.yml -s TOKEN_CL=XXXXXXXXXX --pull=false
#
# ๐Ÿ“„ bl-master.sh generate master ipset | URLs: VARARG
# ๐Ÿ“„ bl-plain.sh generate ipset from online plain-text url / page | URLs: VARARG
# ๐Ÿ“„ bl-json.sh generate ipset from json formatted web url. requires url and jq query | URLs: SINGLE
# ๐Ÿ“„ bl-htmlip.sh generate ipset by fetching HTML in web url, pulls only ips with grep rule (cant be changed) | URLs: SINGLE
# ๐Ÿ“„ bl-html.sh generate ipset by fetching HTML in web url, does not run its own grep, must be specified in command | URLs: VARARG
# ๐Ÿ“„ bl-block.sh generate ipset by fetching locally specified file in /blocks/ repo folder
# ๐Ÿ“„ bl-format.sh generate ipset by from an existing list of IPs. does not generate ips itself. only validates a list provided
# ๐Ÿ“„ bl-spf.sh generate ipset by fetching _spf ips from domain
#
# local test requires the same structure as the github workflow
# ๐Ÿ“ .github
# ๐Ÿ“ blocks
# ๐Ÿ“ bruteforce
# ๐Ÿ“„ 01.ipset
# ๐Ÿ“ privacy
# ๐Ÿ“„ 01.ipset
# ๐Ÿ“ scripts
# ๐Ÿ“„ bl-master.sh
# ๐Ÿ“„ bl-plain.sh
# ๐Ÿ“„ bl-json.sh
# ๐Ÿ“„ bl-htmlip.sh
# ๐Ÿ“„ bl-html.sh
# ๐Ÿ“„ bl-block.sh
# ๐Ÿ“„ bl-format.sh
# ๐Ÿ“„ bl-spf.sh
# ๐Ÿ“ workflows
# ๐Ÿ“„ blocklist-generate.yml
# #
name: '๐Ÿงฑ Blocklist โ€บ Generate'
run-name: '๐Ÿงฑ Blocklist โ€บ Generate'
# #
# triggers
# #
on:
# #
# Trigger โ€บ Workflow Dispatch
# #
workflow_dispatch:
inputs:
RUN_MODE:
description: '๐Ÿงญ Run Mode'
required: true
default: core_only
type: choice
options:
- core_only
- daily_only
- weekly_only
- biweekly_only
# #
# Trigger โ€บ Cron Schedule
# #
schedule:
# Every 4th hour of the day (00:00, 04:00, 08:00, 12:00, 16:00, 20:00)
- cron: '0 */4 * * *'
# Once per day (01:15 AM)
- cron: '15 1 * * *'
# Every week (00:00 on Sunday)
- cron: '0 0 * * 0'
# Biweekly at midnight (every 14 days)
- cron: '0 0 */14 * *'
# #
# concurrency
# #
concurrency:
group: blocklist-generate-${{ github.ref }}
cancel-in-progress: false
# #
# environment variables
# #
env:
ASSIGN_USER: Aetherinox
BOT_NAME_1: BinaryServ
BOT_NAME_DEPENDABOT: dependabot[bot]
BOT_NAME_RENOVATE: renovate[bot]
GPG_KEY_BASE64: ${{ secrets.ADMINSERV_GPG_KEY_B64 }}
GPG_KEY_PASSPHRASE: ${{ secrets.ADMINSERV_GPG_PASSPHRASE }}
# #
# jobs
# #
jobs:
# #
# Job โ€บ Setup
# #
blocklist-setup:
name: >-
๐Ÿ“ฆ Setup
runs-on: ubuntu-latest
# runs-on: apollo-x64
timeout-minutes: 120
steps:
# #
# Job โ€บ Checkout
# #
- name: >-
โ˜‘๏ธ Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
# #
# Job โ€บ Job Information
# #
- name: >-
๐Ÿ”„ Load Job
uses: qoomon/actions--context@v5
id: 'context'
# #
# Job โ€บ Start
# #
- name: >-
โœ… Start
run: |
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo " Starting Job ${{ steps.context.outputs.job_name }}"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
YEAR="$(date +'%Y')"
echo "YEAR=${YEAR}" >> $GITHUB_ENV
NOW="$(date +'%m-%d-%Y %H:%M:%S')" # 02-25-2025 12:49:48
echo "NOW=${NOW}" >> $GITHUB_ENV
NOW_SHORT="$(date +'%m-%d-%Y')" # 02-25-2025
echo "NOW_SHORT=${NOW_SHORT}" >> $GITHUB_ENV
NOW_LONG="$(date +'%m-%d-%Y %H:%M')" # 02-25-2025 12:49
echo "NOW_LONG=${NOW_LONG}" >> $GITHUB_ENV
NOW_DOCKER="$(date +'%Y%m%d')" # 20250225
echo "NOW_DOCKER=${NOW_DOCKER}" >> $GITHUB_ENV
NOW_DOCKER_TS="$(date -u +'%FT%T.%3NZ')" # 2025-02-25T12:50:11.569Z
echo "NOW_DOCKER_TS=${NOW_DOCKER_TS}" >> $GITHUB_ENV
SHA1="$(git rev-parse HEAD)" # 71fad013cfce9116ec62779e4a7e627fe4c33627
echo "SHA1=${SHA1}" >> $GITHUB_ENV
SHA1_GH="$(echo ${GITHUB_SHA})" # 71fad013cfce9116ec62779e4a7e627fe4c33627
echo "SHA1_GH=${SHA1_GH}" >> $GITHUB_ENV
PKG_VER_1DIGIT="$(echo ${{ env.IMAGE_VERSION }} | cut -d '.' -f1-1)" # 15.52.35 > 15
echo "PKG_VER_1DIGIT=${PKG_VER_1DIGIT}" >> $GITHUB_ENV
PKG_VER_2DIGIT="$(echo ${{ env.IMAGE_VERSION }} | cut -d '.' -f1-2)" # 15.52.35 > 15.52
echo "PKG_VER_2DIGIT=${PKG_VER_2DIGIT}" >> $GITHUB_ENV
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
sudo apt -qq update
sudo apt -qq install tree
echo "โ€Ž"
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
echo " Runner .............. ${{ runner.name }}"
echo " Workflow ............ ${{ github.workflow }} (#${{ github.workflow_ref }})"
echo " Run Number .......... ${{ github.run_number }}"
echo " Ref ................. ${{ github.ref }}"
echo " Ref Name ............ ${{ github.ref_name }}"
echo " Event Name .......... ${{ github.event_name }}"
echo " Repo ................ ${{ github.repository }}"
echo " Repo Owner .......... ${{ github.repository_owner }}"
echo " Run ID .............. https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
echo " Triggered By ........ ${{ github.actor }}"
echo " SHA 1 (GITHUB_SHA) .. ${GITHUB_SHA}"
echo " SHA 2 (github.sha) .. ${{ github.sha }}"
echo " SHA 3 (env.SHA1) .... ${SHA1}"
echo " SHA 4 (env.SHA1_GH) . ${SHA1_GH}"
echo " Workspace ........... ${{ github.workspace }}"
echo " PWD ................. ${PWD}"
echo " Job Name ............ ${{ steps.context.outputs.job_name }}"
echo " Job ID .............. ${{ steps.context.outputs.job_id }}"
echo " Job URL ............. ${{ steps.context.outputs.job_url }}"
echo " Run ID .............. ${{ steps.context.outputs.run_id }}"
echo " Run Attempt ......... ${{ steps.context.outputs.run_attempt }}"
echo " Run Number .......... ${{ steps.context.outputs.run_number }}"
echo " Run URL ............. ${{ steps.context.outputs.run_url }}"
echo " Run Env ............. ${{ steps.context.outputs.environment }}"
echo " Run Env URL ......... ${{ steps.context.outputs.environment_url }}"
echo " Run Deployment ...... ${{ steps.context.outputs.deployment_id }}"
echo " Run Deployment URL .. ${{ steps.context.outputs.deployment_url }}"
echo " Run Deployment ...... ${{ steps.context.outputs.deployment_id }}"
echo " Run Runner Name ..... ${{ steps.context.outputs.runner_name }}"
echo " Run Runner ID ....... ${{ steps.context.outputs.runner_id }}"
echo " Year ................ ${YEAR}"
echo " Now ................. ${NOW}"
echo " Now (Short) ......... ${NOW_SHORT}"
echo " Now (Long) .......... ${NOW_LONG}"
echo " Now (Docker) ........ ${NOW_DOCKER}"
echo " Now (Docker TS) ..... ${NOW_DOCKER_TS}"
echo "โ€Ž"
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
tree -I node_modules -I .git -I ./
echo "โ€Ž"
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
# #
# Generate โ€บ Install Packages
# #
- name: "๐Ÿงฑ Install Packages"
run: |
sudo apt-get install -y ipcalc ed html2text whois uuid-runtime autoconf
# #
# Generate โ€บ Cache Packages
# #
- name: "๐Ÿงฑ Cache Packages"
uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: ipcalc ed html2text whois uuid-runtime
version: 1.0
# #
# Job โ€บ Blocklist โ€บ Master
# #
blocklist-generate:
name: >-
๐Ÿ“‹ Generate โ€บ Blocklist
runs-on: ubuntu-latest
# runs-on: apollo-x64
timeout-minutes: 120
needs: [ blocklist-setup ]
outputs:
artifact-name: ${{ steps.generate_artifact_zip.outputs.artifact-name }}
artifact-path: ${{ steps.generate_artifact_zip.outputs.artifact-path }}
steps:
# #
# Generate โ€บ Checkout
# #
- name: >-
โ˜‘๏ธ Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
# #
# Generate โ€บ Job Information
# #
- name: >-
๐Ÿ”„ Load Job
uses: qoomon/actions--context@v4
id: 'context'
# #
# Generate โ€บ Start
# #
- name: >-
โœ… Start
run: |
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo " Starting Job ${{ steps.context.outputs.job_name }}"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
YEAR="$(date +'%Y')"
echo "YEAR=${YEAR}" >> $GITHUB_ENV
NOW="$(date +'%m-%d-%Y %H:%M:%S')" # 02-25-2025 12:49:48
echo "NOW=${NOW}" >> $GITHUB_ENV
NOW_SHORT="$(date +'%m-%d-%Y')" # 02-25-2025
echo "NOW_SHORT=${NOW_SHORT}" >> $GITHUB_ENV
NOW_LONG="$(date +'%m-%d-%Y %H:%M')" # 02-25-2025 12:49
echo "NOW_LONG=${NOW_LONG}" >> $GITHUB_ENV
NOW_DOCKER="$(date +'%Y%m%d')" # 20250225
echo "NOW_DOCKER=${NOW_DOCKER}" >> $GITHUB_ENV
NOW_DOCKER_TS="$(date -u +'%FT%T.%3NZ')" # 2025-02-25T12:50:11.569Z
echo "NOW_DOCKER_TS=${NOW_DOCKER_TS}" >> $GITHUB_ENV
SHA1="$(git rev-parse HEAD)" # 71fad013cfce9116ec62779e4a7e627fe4c33627
echo "SHA1=${SHA1}" >> $GITHUB_ENV
SHA1_GH="$(echo ${GITHUB_SHA})" # 71fad013cfce9116ec62779e4a7e627fe4c33627
echo "SHA1_GH=${SHA1_GH}" >> $GITHUB_ENV
PKG_VER_1DIGIT="$(echo ${{ env.IMAGE_VERSION }} | cut -d '.' -f1-1)" # 15.52.35 > 15
echo "PKG_VER_1DIGIT=${PKG_VER_1DIGIT}" >> $GITHUB_ENV
PKG_VER_2DIGIT="$(echo ${{ env.IMAGE_VERSION }} | cut -d '.' -f1-2)" # 15.52.35 > 15.52
echo "PKG_VER_2DIGIT=${PKG_VER_2DIGIT}" >> $GITHUB_ENV
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
sudo apt -qq update
sudo apt -qq install tree
echo "โ€Ž"
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
echo " Runner .............. ${{ runner.name }}"
echo " Workflow ............ ${{ github.workflow }} (#${{ github.workflow_ref }})"
echo " Run Number .......... ${{ github.run_number }}"
echo " Ref ................. ${{ github.ref }}"
echo " Ref Name ............ ${{ github.ref_name }}"
echo " Event Name .......... ${{ github.event_name }}"
echo " Repo ................ ${{ github.repository }}"
echo " Repo Owner .......... ${{ github.repository_owner }}"
echo " Run ID .............. https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
echo " Triggered By ........ ${{ github.actor }}"
echo " SHA 1 (GITHUB_SHA) .. ${GITHUB_SHA}"
echo " SHA 2 (github.sha) .. ${{ github.sha }}"
echo " SHA 3 (env.SHA1) .... ${SHA1}"
echo " SHA 4 (env.SHA1_GH) . ${SHA1_GH}"
echo " Workspace ........... ${{ github.workspace }}"
echo " PWD ................. ${PWD}"
echo " Job Name ............ ${{ steps.context.outputs.job_name }}"
echo " Job ID .............. ${{ steps.context.outputs.job_id }}"
echo " Job URL ............. ${{ steps.context.outputs.job_url }}"
echo " Run ID .............. ${{ steps.context.outputs.run_id }}"
echo " Run Attempt ......... ${{ steps.context.outputs.run_attempt }}"
echo " Run Number .......... ${{ steps.context.outputs.run_number }}"
echo " Run URL ............. ${{ steps.context.outputs.run_url }}"
echo " Run Env ............. ${{ steps.context.outputs.environment }}"
echo " Run Env URL ......... ${{ steps.context.outputs.environment_url }}"
echo " Run Deployment ...... ${{ steps.context.outputs.deployment_id }}"
echo " Run Deployment URL .. ${{ steps.context.outputs.deployment_url }}"
echo " Run Deployment ...... ${{ steps.context.outputs.deployment_id }}"
echo " Run Runner Name ..... ${{ steps.context.outputs.runner_name }}"
echo " Run Runner ID ....... ${{ steps.context.outputs.runner_id }}"
echo " Year ................ ${YEAR}"
echo " Now ................. ${NOW}"
echo " Now (Short) ......... ${NOW_SHORT}"
echo " Now (Long) .......... ${NOW_LONG}"
echo " Now (Docker) ........ ${NOW_DOCKER}"
echo " Now (Docker TS) ..... ${NOW_DOCKER_TS}"
echo "โ€Ž"
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
tree -I node_modules -I .git -I ./
echo "โ€Ž"
echo "โ€Ž"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โ€Ž"
echo "โ€Ž"
# #
# Generate โ€บ Install Packages
# #
- name: "๐Ÿงฑ Install Packages"
run: |
sudo apt-get install -y ipcalc ed html2text whois uuid-runtime autoconf
# #
# Generate โ€บ Cache Packages
# #
- name: '๐Ÿงฑ Cache Packages'
uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: ipcalc ed html2text whois uuid-runtime
version: 1.0
# #
# Generate โ€บ Check Day by building date key
# #
- name: 'Build day key'
id: task_blocklist_generate_date_key
shell: bash
run: |
echo "day=$(date -u +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
# #
# Generate โ€บ Resolve Run Mode
# #
- name: 'Resolve run mode'
id: task_blocklist_generate_run_mode
run: |
run_core="false"
run_daily="false"
run_weekly="false"
run_biweekly="false"
force_daily="false"
if [ "${{ github.event_name }}" = "schedule" ]; then
if [ "${{ github.event.schedule }}" = "0 */4 * * *" ]; then
run_core="true"
elif [ "${{ github.event.schedule }}" = "15 1 * * *" ]; then
run_daily="true"
elif [ "${{ github.event.schedule }}" = "0 0 * * 0" ]; then
run_weekly="true"
elif [ "${{ github.event.schedule }}" = "0 0 */14 * *" ]; then
run_biweekly="true"
fi
elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
if [ "${{ inputs.RUN_MODE }}" = "core_only" ]; then
run_core="true"
elif [ "${{ inputs.RUN_MODE }}" = "daily_only" ]; then
run_daily="true"
force_daily="true"
elif [ "${{ inputs.RUN_MODE }}" = "weekly_only" ]; then
run_weekly="true"
elif [ "${{ inputs.RUN_MODE }}" = "biweekly_only" ]; then
run_biweekly="true"
fi
fi
echo "run_core=${run_core}" >> "$GITHUB_OUTPUT"
echo "run_daily=${run_daily}" >> "$GITHUB_OUTPUT"
echo "run_weekly=${run_weekly}" >> "$GITHUB_OUTPUT"
echo "run_biweekly=${run_biweekly}" >> "$GITHUB_OUTPUT"
echo "force_daily=${force_daily}" >> "$GITHUB_OUTPUT"
# #
# Generate โ€บ Configure
#
# this step installs packages we need to manage ipsets.
# - iprange
# this package allows us to convert ip ranges into a CIDR formatted ip
# 10.10.0.1-10.10.0.9 => 10.10.0.1
# 10.10.0.2/31
# 10.10.0.4/30
# 10.10.0.8/31
# https://github.com/firehol/iprange
# #
- name: 'โš™๏ธ Configure'
id: task_blocklist_generate_configure
run: |
git clone https://github.com/firehol/iprange.git ./.temp/iprange
cd .temp/iprange
./autogen.sh
./configure --disable-man
sudo make && make install
# #
# Release โ€บ Dockerhub โ€บ Install Dependencies
# #
- name: '๐Ÿ“ฆ Install Dependencies'
run:
sudo apt-get install -qq dos2unix
# #
# Release โ€บ Dockerhub โ€บ Execute dos2unix
# #
- name: '๐Ÿ” Apply dos2unix'
run: |
echo "โš ๏ธโš ๏ธโš ๏ธ Running DOS2UNIX โš ๏ธโš ๏ธโš ๏ธ"
find .github/scripts -type f -name "*.sh" -print0 | xargs -0 dos2unix --
echo "โœ…โœ…โœ… Completed DOS2UNIX โœ…โœ…โœ…"
# #
# Generate โ€บ Set Template Permissions
# #
- name: "โ˜‘๏ธ Set Permissions"
id: task_blocklist_generate_perms
run: |
echo "๐Ÿ”ง Setting executable permissions for scripts"
num_success=0
num_failure=0
for f in .github/scripts/*.sh; do
echo "Setting executable permission on ${f}"
chmod 755 "${f}"
if [ -x "${f}" ]; then
echo " โœ… ${f} is executable"
num_success=$((num_success + 1))
else
echo "::error file=${f},line=1,title=Permission Failed::Failed to set executable bit"
num_failure=$((num_failure + 1))
fi
echo ""
done
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo "โœ… ${num_success} successfully verified"
echo "โŒ ${num_failure} failed"
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
if [ "${num_failure}" -gt 0 ]; then
exit 1
fi
echo "๐ŸŽ‰ All script permissions verified"
# #
# Generate โ€บ Set Env Variables
# #
- name: "๐Ÿ“ฆ Set Env Variables"
id: task_commit_pre
run: |
useragent="${{ vars.BL_GENERAL_USERAGENT }}"
echo "USERAGENT=$(echo $useragent)" >> $GITHUB_ENV
# #
# Generate โ€บ Master
# #
- name: "๐Ÿงฑ Generate โ€บ Main"
id: task_blocklist_generate_master
if: steps.task_blocklist_generate_run_mode.outputs.run_core == 'true'
run: |
# #
# Main โ€บ Master
# #
./.github/scripts/bl-master.sh blocklists/master.ipset ${{ secrets.API_01_FILE_01 }} ${{ secrets.API_01_FILE_02 }} ${{ secrets.API_01_FILE_03 }} ${{ secrets.API_01_FILE_04 }} ${{ secrets.API_01_FILE_05 }} ${{ secrets.API_01_FILE_06 }} ${{ secrets.API_01_FILE_07 }} ${{ secrets.API_01_FILE_08 }} ${{ secrets.API_01_FILE_09 }}
# #
# Main โ€บ Highrisk
# #
HIGHRISK_URL=$( CFG_STDOUT=true ./.github/scripts/bl-htmlip.sh _highrisk_null.ipset "${{ vars.BL_MAIN_HIGHRISK_L1 }}" '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' )
HIGHRISK_LOCAL=$( CFG_STDOUT=true ./.github/scripts/bl-block.sh blocklists/highrisk.ipset highrisk )
HIGHRISK_LIST=$( echo -e "${HIGHRISK_URL}\n${HIGHRISK_LOCAL}" | sort -u )
echo "$HIGHRISK_LIST" | ./.github/scripts/bl-format.sh blocklists/highrisk.ipset
# #
# Main โ€บ TOR Exit Nodes
#
# @ref https://check.torproject.org/exit-addresses
# curl -sSL "${{ vars.BL_TOR_EXITNODES }}" \
# | grep '^ExitAddress' \
# | awk '{print $2}' \
# https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
# #
curl -sSL "${{ vars.BL_TOR_EXITNODES_BARE }}" \
| sort -u \
| .github/scripts/bl-format.sh blocklists/tor_exitnodes.ipset
# #
# Generate โ€บ Threats
# #
- name: "๐Ÿงฑ Generate โ€บ Threats"
id: task_blocklist_generate_threats
if: steps.task_blocklist_generate_run_mode.outputs.run_core == 'true'
env:
BL_THREATS_API_URL: ${{ secrets.BL_THREATS_API_URL }}
BL_THREATS_API_ID_NAME: ${{ secrets.BL_THREATS_API_ID_NAME }}
BL_THREATS_API_ID_VALUE: ${{ secrets.BL_THREATS_API_ID_VALUE }}
BL_THREATS_API_KEY_NAME: ${{ secrets.BL_THREATS_API_KEY_NAME }}
BL_THREATS_API_KEY_VALUE: ${{ secrets.BL_THREATS_API_KEY_VALUE }}
username: github
port: ${{ secrets.ARTIFACTS_PORT }}
domain: ${{ secrets.ARTIFACTS_DOMAIN }}
sshkey: ${{ secrets.ARTIFACTS_GITHUB_SSH_PRIVATE_KEY }}
run: |
# Setup SSH
mkdir -p ~/.ssh
echo "$sshkey" > "$HOME/.ssh/github_sftp_key"
chmod 600 "$HOME/.ssh/github_sftp_key"
# #
# Threats โ€บ Attackers โ€บ All
# #
# #
# Threats โ€บ Attackers โ€บ All (1d)
# #
ALL_LIST_API=$(
curl --location "${BL_THREATS_API_URL}/SSH" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host'
)
ALL_LIST_LOCAL=$(
ssh -p "$port" \
-i "$HOME/.ssh/github_sftp_key" \
-o StrictHostKeyChecking=no \
"$username@$domain" \
"cat /files/honeypots/ssh.json" \
| jq -r '.src_ip // empty'
)
ALL_LIST=$(
echo -e "${ALL_LIST_API}\n${ALL_LIST_LOCAL}" | sort -u
)
echo "$ALL_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/all_1d.ipset
# #
# Threats โ€บ Attackers โ€บ All (365d)
# #
ALL_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/all_365d.ipset 2>/dev/null || true
echo "$ALL_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$ALL_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/all_365d.ipset
# #
# Threats โ€บ Attackers โ€บ SSH
# #
# #
# Threats โ€บ Attackers โ€บ SSH (1d)
# #
SSH_LIST_API=$(
curl --location "${BL_THREATS_API_URL}/SSH" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host'
)
SSH_LIST_LOCAL=$(
ssh -p "$port" \
-i "$HOME/.ssh/github_sftp_key" \
-o StrictHostKeyChecking=no \
"$username@$domain" \
"cat /files/honeypots/ssh.json" \
| jq -r '.src_ip // empty'
)
SSH_LIST=$(
echo -e "${SSH_LIST_API}\n${SSH_LIST_LOCAL}" | sort -u
)
echo "$SSH_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/ssh_1d.ipset
# #
# Threats โ€บ Attackers โ€บ SSH (365d)
# #
SSH_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/ssh_365d.ipset 2>/dev/null || true
echo "$SSH_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$SSH_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/ssh_365d.ipset
# #
# Threats โ€บ Attackers โ€บ VNC
# #
# #
# Threats โ€บ Attackers โ€บ VNC (1d)
# #
VNC_LIST=$(
curl --location "${BL_THREATS_API_URL}/VNC" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host' \
| sort -u
)
echo "$VNC_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/vnc_1d.ipset
# #
# Threats โ€บ Attackers โ€บ VNC (365d)
# #
VNC_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/vnc_365d.ipset 2>/dev/null || true
echo "$VNC_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$VNC_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/vnc_365d.ipset
# #
# Threats โ€บ Attackers โ€บ SIP
# #
# #
# Threats โ€บ Attackers โ€บ SIP (1d)
# #
SIP_LIST=$(
curl --location "${BL_THREATS_API_URL}/SIP" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host' \
| sort -u
)
echo "$SIP_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/sip_1d.ipset
# #
# Threats โ€บ Attackers โ€บ SIP (365d)
# #
SIP_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/sip_365d.ipset 2>/dev/null || true
echo "$SIP_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$SIP_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/sip_365d.ipset
# #
# Threats โ€บ Attackers โ€บ Telnet
# #
# #
# Threats โ€บ Attackers โ€บ Telnet (1d)
# #
TELNET_LIST=$(
curl --location "${BL_THREATS_API_URL}/Telnet" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host' \
| sort -u
)
echo "$TELNET_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/telnet_1d.ipset
# #
# Threats โ€บ Attackers โ€บ Telnet (365d)
# #
TELNET_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/telnet_365d.ipset 2>/dev/null || true
echo "$TELNET_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$TELNET_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/telnet_365d.ipset
# #
# Threats โ€บ Attackers โ€บ FTP
# #
# #
# Threats โ€บ Attackers โ€บ FTP (1d)
# #
FTP_LIST=$(
curl --location "${BL_THREATS_API_URL}/FTP" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host' \
| sort -u
)
echo "$FTP_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/ftp_1d.ipset
# #
# Threats โ€บ Attackers โ€บ FTP (365d)
# #
FTP_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/ftp_365d.ipset 2>/dev/null || true
echo "$FTP_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$FTP_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/ftp_365d.ipset
# #
# Threats โ€บ Attackers โ€บ HTTP
# #
# #
# Threats โ€บ Attackers โ€บ HTTP (1d)
# #
HTTP_LIST=$(
curl --location "${BL_THREATS_API_URL}/HTTP" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host' \
| sort -u
)
echo "$HTTP_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/http_1d.ipset
# #
# Threats โ€บ Attackers โ€บ HTTP (365d)
# #
HTTP_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/http_365d.ipset 2>/dev/null || true
echo "$HTTP_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$HTTP_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/http_365d.ipset
# #
# Threats โ€บ Attackers โ€บ RDP
# #
# #
# Threats โ€บ Attackers โ€บ RDP (1d)
# #
RDP_LIST=$(
curl --location "${BL_THREATS_API_URL}/RDP" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host' \
| sort -u
)
echo "$RDP_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/rdp_1d.ipset
# #
# Threats โ€บ Attackers โ€บ RDP (365d)
# #
RDP_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/rdp_365d.ipset 2>/dev/null || true
echo "$RDP_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$RDP_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/rdp_365d.ipset
# #
# Threats โ€บ Attackers โ€บ SMTP
# #
# #
# Threats โ€บ Attackers โ€บ SMTP (1d)
# #
SMTP_LIST=$(
curl --location "${BL_THREATS_API_URL}/SMTP" \
--header "$BL_THREATS_API_ID_NAME: $BL_THREATS_API_ID_VALUE" \
--header "$BL_THREATS_API_KEY_NAME: $BL_THREATS_API_KEY_VALUE" \
| jq -r '.[].remote_host' \
| sort -u
)
echo "$SMTP_LIST" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/smtp_1d.ipset
# #
# Threats โ€บ Attackers โ€บ SMTP (365d)
# #
SMTP_LIST_LIFETIME=$(
{
grep -vE '^\s*(#|$)' blocklists/threats/smtp_365d.ipset 2>/dev/null || true
echo "$SMTP_LIST"
} | awk '!seen[$1]++ { print $1 }'
)
echo "$SMTP_LIST_LIFETIME" | CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true ./.github/scripts/bl-format.sh blocklists/threats/smtp_365d.ipset
# #
# Generate โ€บ 3rd Party
# #
- name: "๐Ÿงฑ Generate โ€บ 3rd Party"
id: task_blocklist_generate_3rdparty
if: steps.task_blocklist_generate_run_mode.outputs.run_core == 'true'
run: |
# #
# 3rd Party โ€บ Alienvault
# #
curl -sSL "${{ vars.BL_3PARTY_ALIENVAULT_REPUTATION }}" \
| cut -d'#' -f1 \
| grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
| .github/scripts/bl-format.sh blocklists/3rdparty/alienvault/bad_reputation.ipset
# #
# 3rd Party โ€บ BBcan177
# #
curl -sSL "${{ vars.BL_3PARTY_BBCAN177_MS1 }}" \
| CFG_INCLUDE_COMMENTS=true .github/scripts/bl-format.sh blocklists/3rdparty/bbcan177/ms1.ipset
curl -sSL "${{ vars.BL_3PARTY_BBCAN177_MS3 }}" \
| CFG_INCLUDE_COMMENTS=true .github/scripts/bl-format.sh blocklists/3rdparty/bbcan177/ms3.ipset
# #
# 3rd Party โ€บ Binary Defense
# #
curl -sSL "${{ vars.BL_3PARTY_BINARYDEFENSE_L1 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/binarydefense/blocklist.ipset
# #
# 3rd Party โ€บ Bitwire-IT
#
# @ref https://github.com/bitwire-it/ipblocklist
# #
curl -sSL "${{ vars.BL_3PARTY_BITWIRE_INBOUND }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/bitwire/inbound.ipset
curl -sSL "${{ vars.BL_3PARTY_BITWIRE_OUTBOUND }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/bitwire/outbound.ipset
# #
# 3rd Party โ€บ Blacklist Monster
#
# @ref https://blackhole.monster/
# #
curl -sSL "${{ vars.BL_3PARTY_BLACKLIST_MONSTER_TODAY }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/blackhole.monster/blacklist_today.ipset
curl -sSL "${{ vars.BL_3PARTY_BLACKLIST_MONSTER_15D }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/blackhole.monster/blacklist_15d.ipset
curl -sSL "${{ vars.BL_3PARTY_BLACKLIST_MONSTER_30D }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/blackhole.monster/blacklist_30d.ipset
curl -sSL "${{ vars.BL_3PARTY_BLACKLIST_MONSTER_ALL}}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/blackhole.monster/blacklist_all.ipset
# #
# 3rd Party โ€บ Blocklist.de
# #
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_ALL }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/all.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_SSH }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_ssh.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_MAIL }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_mail.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_APACHE }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_apache.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_IMAP }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_imap.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_FTP }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_ftp.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_SIP }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_sip.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_BOTS }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_bots.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_LONGTERM }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_longterm.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_IRC }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_ircbot.ipset
curl -sSL "${{ vars.BL_3PARTY_BLOCKLISTDE_BRUTEFORCE }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/blocklist.de/attacks_bruteforce.ipset
# #
# 3rd Party โ€บ Botvrij
# #
curl -sSL "${{ vars.BL_3PARTY_BOTVRIJ_L1 }}" \
| CFG_INCLUDE_COMMENTS=true .github/scripts/bl-format.sh blocklists/3rdparty/botvrij/threats_ioc.ipset
# #
# 3rd Party โ€บ BruteForceBlocker (Daniel Gerzo)
#
# @ref https://danger.rulez.sk/index.php/bruteforceblocker/faq/
# #
curl -sSL "${{ vars.BL_3PARTY_BRUTEFORCEBLOCKER_L1 }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/bruteforceblocker/blocklist.ipset
# #
# 3rd Party โ€บ CINS Army (Collective Intelligence Network Security)
#
# @ref https://cinsscore.com/list/ci-badguys.txt
# #
curl -sSL "${{ vars.BL_3PARTY_CINSSCORE_BADGUYS }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/cinsscore/badguys.ipset
# #
# 3rd Party โ€บ DShield
#
# @ref https://www.dshield.org/feeds_doc.html
# #
curl -sSL "${{ vars.BL_3PARTY_DSHIELD_BLOCK }}" \
| grep -v '^#' \
| awk '$4 >= 50 {print $1 "/" $3}' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/3rdparty/dshield/blocklist.ipset
# #
# 3rd Party โ€บ Emerging Threats
#
# @ref https://rules.emergingthreats.net/blockrules/compromised-ips.txt
# #
curl -sSL "${{ vars.BL_3PARTY_EMERGINGTHREATS_COMPROMISED }}" \
| grep -v '^#' \
| .github/scripts/bl-format.sh blocklists/3rdparty/emergingthreats/compromised.ipset
# #
# 3rd Party โ€บ Feodo Tracker โ€บ Botnet Command and Control (C2 or C&C)
#
# Dridex, Heodo (aka Emotet), TrickBot, QakBot (aka QuakBot / Qbot) and
# BazarLoader (aka BazarBackdoor) botnet command&control servers (C2s).
#
# blocklist_c2_recommended C&C IP addresses (avoid false positives)
# Only contains active botnet C&C servers or active in past hours.
# blocklist_c2_ioc_normal Indicators Of Compromise (IOCs) (Normal)
# Datasets contain additional info on tracked botnet C2s;
# also IP addresses acting as botnet C2 within last 30 days.
# blocklist_c2_ioc_aggressive Indicators Of Compromise (IOCs) (Aggressive)
# Comprehensive list of all botnet C2s Feodo Tracker has.
# IP addresses are re-used/recycled; false positive are much higher.
#
# @ref https://feodotracker.abuse.ch/blocklist/
# #
curl -sSL "${{ vars.BL_3PARTY_FEODOTRACKER_C2_RECOMMENDED }}" \
| grep -v '^#' \
| .github/scripts/bl-format.sh blocklists/3rdparty/feodotracker/blocklist_c2_recommended.ipset
curl -sSL "${{ vars.BL_3PARTY_FEODOTRACKER_C2_IOC_NORMAL }}" \
| grep -v '^#' \
| .github/scripts/bl-format.sh blocklists/3rdparty/feodotracker/blocklist_c2_iocs_normal.ipset
curl -sSL "${{ vars.BL_3PARTY_FEODOTRACKER_C2_IOC_AGGRESSIVE }}" \
| grep -v '^#' \
| .github/scripts/bl-format.sh blocklists/3rdparty/feodotracker/blocklist_c2_iocs_aggressive.ipset
# #
# 3rd Party โ€บ Firehol
# #
curl -sSL "https://iplists.firehol.org/files/firehol_abusers_1d.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/abusers_1d.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_abusers_30d.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/abusers_30d.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_anonymous.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/anonymous.ipset
curl -sSL "https://iplists.firehol.org/files/bitcoin_nodes.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/bitcoin_nodes.ipset
curl -sSL "https://iplists.firehol.org/files/bitcoin_nodes_1d.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/bitcoin_nodes_1d.ipset
curl -sSL "https://iplists.firehol.org/files/bitcoin_nodes_7d.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/bitcoin_nodes_7d.ipset
curl -sSL "https://iplists.firehol.org/files/bitcoin_nodes_30d.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/bitcoin_nodes_30d.ipset
curl -sSL "https://iplists.firehol.org/files/botscout.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/botscout.ipset
curl -sSL "https://iplists.firehol.org/files/botscout_1d.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/botscout_1d.ipset
curl -sSL "https://iplists.firehol.org/files/botscout_7d.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/botscout_7d.ipset
curl -sSL "https://iplists.firehol.org/files/botscout_30d.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/botscout_30d.ipset
curl -sSL "https://iplists.firehol.org/files/cybercrime.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/cybercrime.ipset
curl -sSL "https://iplists.firehol.org/files/dshield.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/dshield.ipset
curl -sSL "https://iplists.firehol.org/files/dshield_1d.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/dshield_1d.ipset
curl -sSL "https://iplists.firehol.org/files/dshield_7d.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/dshield_7d.ipset
curl -sSL "https://iplists.firehol.org/files/dshield_30d.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/dshield_30d.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_level1.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/level1.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_level2.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/level2.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_level3.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/level3.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_level4.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/level4.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_proxies.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/proxies.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_webclient.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/webclient.ipset
curl -sSL "https://iplists.firehol.org/files/firehol_webserver.netset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/webservert.ipset
curl -sSL "https://iplists.firehol.org/files/greensnow.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/greensnow.ipset
curl -sSL "https://iplists.firehol.org/files/sblam.ipset" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/firehol/sblam.ipset
# #
# 3rd Party โ€บ GreenSnow
# #
curl -sSL "${{ vars.BL_3PARTY_GREENSNOW }}" \
| .github/scripts/bl-format.sh blocklists/3rdparty/greensnow/blocklist.ipset
# #
# 3rd Party โ€บ Hagezi
# #
curl -sSL "${{ vars.BL_3PARTY_HAGEZI_L1 }}" \
| cut -d'#' -f1 \
| grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
| .github/scripts/bl-format.sh blocklists/3rdparty/hagezi/threat_intelligence.ipset
# #
# 3rd Party โ€บ IPSum
# #
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L1 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level1.ipset
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L2 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level2.ipset
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L3 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level3.ipset
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L4 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level4.ipset
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L5 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level5.ipset
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L6 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level6.ipset
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L7 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level7.ipset
curl -sSL "${{ vars.BL_3PARTY_IPSUM_L8 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/ipsum/level8.ipset
# #
# 3rd Party โ€บ LinuxTracker
# #
curl -sSL "${{ vars.BL_3PARTY_LINUXTRACKER_L1 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/linuxtracker/blocklist.ipset
# #
# 3rd Party โ€บ Mikrotik โ€บ Core
#
# Url https://github.com/multiduplikator/mikrotik_blocklist
# Entries ~20k
# Update Every 3 hours
# Sources Core threat feeds
# Tor Exit Nodes Tor exit node IPs https://github.com/SecOps-Institute/Tor-IP-Addresses
# Spamhaus DROP "Don't Route Or Peer" list https://www.spamhaus.org/drop/
# SSL Blacklist Botnet C&C servers https://sslbl.abuse.ch/
# Blocklist.de Fail2ban reported IPs https://lists.blocklist.de/
# Feodo Tracker Banking trojan C&C servers https://feodotracker.abuse.ch/
# FireHOL Level 1 Aggregated threat intelligence https://github.com/stamparm/ipsum
# #
curl -sSL "${{ vars.BL_3PARTY_MULTIDUPLIKATOR_CORE }}" \
| CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/multiduplikator/blocklist_core.ipset
# #
# 3rd Party โ€บ Mikrotik โ€บ Large
#
# Url https://github.com/multiduplikator/mikrotik_blocklist
# Entries ~25k
# Update Every 3 hours
# Sources Core + CINS Army
# Tor Exit Nodes Tor exit node IPs https://github.com/SecOps-Institute/Tor-IP-Addresses
# Spamhaus DROP "Don't Route Or Peer" list https://www.spamhaus.org/drop/
# SSL Blacklist Botnet C&C servers https://sslbl.abuse.ch/
# Blocklist.de Fail2ban reported IPs https://lists.blocklist.de/
# Feodo Tracker Banking trojan C&C servers https://feodotracker.abuse.ch/
# FireHOL Level 1 Aggregated threat intelligence https://github.com/stamparm/ipsum
# CINS Army Collective Intelligence Network Security https://cinsscore.com/
# #
curl -sSL "${{ vars.BL_3PARTY_MULTIDUPLIKATOR_LARGE }}" \
| CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/multiduplikator/blocklist_large.ipset
# #
# 3rd Party โ€บ Mikrotik โ€บ Extra Large
#
# Url https://github.com/multiduplikator/mikrotik_blocklist
# Entries ~68k
# Update Every 3 hours
# Sources Core + CINS Army + IPsum L1
# Tor Exit Nodes Tor exit node IPs https://github.com/SecOps-Institute/Tor-IP-Addresses
# Spamhaus DROP "Don't Route Or Peer" list https://www.spamhaus.org/drop/
# SSL Blacklist Botnet C&C servers https://sslbl.abuse.ch/
# Blocklist.de Fail2ban reported IPs https://lists.blocklist.de/
# Feodo Tracker Banking trojan C&C servers https://feodotracker.abuse.ch/
# FireHOL Level 1 Aggregated threat intelligence https://github.com/stamparm/ipsum
# CINS Army Collective Intelligence Network Security https://cinsscore.com/
# IPsum Level 1 Broader threat IPs (1+ hits) https://github.com/stamparm/ipsum
# #
curl -sSL "${{ vars.BL_3PARTY_MULTIDUPLIKATOR_EXLARGE }}" \
| CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/multiduplikator/blocklist_extralarge.ipset
# #
# 3rd Party โ€บ Myip.ms โ€บ Full Database
# #
tmp_zip="$(mktemp)"
curl -sSL "${{ vars.BL_3PARTY_MYIPMS_FULL }}" -o "${tmp_zip}"
zip_entry="$(unzip -Z1 "${tmp_zip}" | grep -m1 -E '(^|/)full_blacklist_database\.txt$')"
[ -z "${zip_entry}" ] && { echo "full_blacklist_database.txt not found in zip" >&2; rm -f "${tmp_zip}"; exit 1; }
unzip -p "${tmp_zip}" "${zip_entry}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/myip.ms/blocklist_full.ipset
rm -f "${tmp_zip}"
# #
# 3rd Party โ€บ Myip.ms โ€บ CSF / cPanel Specific
# #
curl -sSL "${{ vars.BL_3PARTY_MYIPMS_CSF }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/myip.ms/blocklist_configserver.ipset
# #
# 3rd Party โ€บ Myip.ms โ€บ General
# #
curl -sSL "${{ vars.BL_3PARTY_MYIPMS_GENERAL }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/myip.ms/blocklist_general.ipset
# #
# 3rd Party โ€บ Myip.ms โ€บ htaccess
# #
curl -sSL "${{ vars.BL_3PARTY_MYIPMS_HTACCESS }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/myip.ms/blocklist_htaccess.ipset
# #
# 3rd Party โ€บ Myip.ms โ€บ Web Crawlers
# #
curl -sSL "${{ vars.BL_3PARTY_MYIPMS_WEBCRAWLERS }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/myip.ms/blocklist_webcrawlers.ipset
# #
# 3rd Party โ€บ Rutgers
# #
curl -sSL "${{ vars.BL_3PARTY_RUTGERS_ATTACKERS }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/rutgers.edu/blocklist.ipset
# #
# 3rd Party โ€บ Sblam
# #
curl -sSL "${{ vars.BL_3PARTY_SBLAM_L1 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/sblam/blocklist.ipset
# #
# 3rd Party โ€บ Sekuripy โ€บ SSH auth log brute-force offenders
# #
curl -sSL "${{ vars.BL_3PARTY_SEKURIPY_SSH_L1 }}" \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/sekuripy/ssh-bruteforce-attackers.ipset
# #
# 3rd Party โ€บ Sentinel Turris
# #
curl -sSL "${{ vars.BL_3PARTY_SENTINEL_TURRIS_L1 }}" \
| cut -d',' -f1 \
| tail -n +2 \
| CFG_SKIP_BOGON_FILTER=true CFG_TRUSTED_INPUT=true .github/scripts/bl-format.sh blocklists/3rdparty/sentinel.turris/greylist.ipset
# #
# Generate โ€บ Privacy โ€บ A - G
# #
- name: '๐Ÿงฑ Generate โ€บ Privacy (A-G) (1/day)'
id: task_blocklist_generate_privacy_a_to_g
if: steps.task_blocklist_generate_run_mode.outputs.run_daily == 'true'
run: |
# #
# Privacy โ€บ General
# #
CFG_SKIP_CIDR_DEDUPE=true CFG_SKIP_BOGON_FILTER=true CFG_INCLUDE_COMMENTS=true ./.github/scripts/bl-block.sh blocklists/privacy/@general.ipset privacy/general
# #
# Privacy โ€บ Activision
# #
./.github/scripts/range-iprange.sh blocklists/privacy/activision.ipset "${{ vars.BL_ACTIVISION_URL }}"
# #
# Privacy โ€บ Ahrefs
# #
curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_AI_AHREFS_URL }} | jq -r '.ips[].ip_address | select( . != null )' | .github/scripts/bl-format.sh blocklists/privacy/ahrefs.ipset
# #
# Privacy โ€บ AI โ€บ ChatGPT
# #
curl -sSL ${{ vars.BL_AI_OPENAI_GPTBOT_URL }} ${{ vars.BL_AI_OPENAI_GPTCHAT_URL }} ${{ vars.BL_AI_OPENAI_SEARCHBOT_URL }} \
| jq -r '.prefixes[] | .ipv4Prefix // .ipv6Prefix' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/privacy/ai_openai_gpt_all.ipset
curl -sSL "${{ vars.BL_AI_OPENAI_GPTBOT_URL }}" \
| jq -r '.prefixes[] | .ipv4Prefix // .ipv6Prefix' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/privacy/ai_openai_gpt_bot.ipset
curl -sSL "${{ vars.BL_AI_OPENAI_GPTCHAT_URL }}" \
| jq -r '.prefixes[] | .ipv4Prefix // .ipv6Prefix' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/privacy/ai_openai_gpt_chat.ipset
curl -sSL "${{ vars.BL_AI_OPENAI_SEARCHBOT_URL }}" \
| jq -r '.prefixes[] | .ipv4Prefix // .ipv6Prefix' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/privacy/ai_openai_gpt_searchbot.ipset
# #
# Privacy โ€บ AI โ€บ Claude
# #
curl -sSL "${{ vars.BL_AI_CLAUDE_URL }}" \
| sed 's/<[^>]*>/\n/g' \
| sed -n '/Phased out IP addresses/,$!p' \
| grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}/[0-9]{1,3}' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/privacy/ai_claude_official.ipset
# #
# Privacy โ€บ Akamai (Cloud / CDN)
# #
AKAMAI_IPv4=$( curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_AKAMAI_CORE_URL }}/akamai_ipv4_CIDRs.txt \
| grep -vE '^(#|;|[[:space:]]*$)' )
AKAMAI_IPv6=$( curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_AKAMAI_CORE_URL }}/akamai_ipv6_CIDRs.txt \
| grep -vE '^(#|;|[[:space:]]*$)' )
AKAMAI_LIST=$( echo -e "${AKAMAI_IPv4}\n${AKAMAI_IPv6}" | sort -u )
echo "$AKAMAI_LIST" | .github/scripts/bl-format.sh blocklists/privacy/akamai.ipset
# #
# Privacy โ€บ Amazon AWS
# #
./.github/scripts/bl-json.sh blocklists/privacy/amazon_aws.ipset "${{ vars.BL_AMAZON_CORE_URL }}" '.prefixes[] | select(.service=="AMAZON") | .ip_prefix'
# #
# Privacy โ€บ Amazon EC2
# #
./.github/scripts/bl-json.sh blocklists/privacy/amazon_ec2.ipset "${{ vars.BL_AMAZON_CORE_URL }}" '.prefixes[] | select(.service=="EC2") | .ip_prefix'
# #
# Privacy โ€บ Anthropic
# #
./.github/scripts/bl-mip.sh blocklists/privacy/anthropic.ipset "${{ vars.BL_AI_ANTHROPIC_URL }}" privacy/anthropic
# #
# Privacy โ€บ Apple Bot
# #
curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_APPLE_INC_BOT_URL }} | jq -r '.prefixes | .[] |.ipv4Prefix//empty,.ipv6Prefix//empty' | .github/scripts/bl-format.sh blocklists/privacy/apple_bot.ipset
# #
# Privacy โ€บ Apple Proxy
# https://developer.apple.com/icloud/prepare-your-network-for-icloud-private-relay/
# #
curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_APPLE_INC_PROXY_URL }} \
| awk -F',' 'NR>1{print $1}' \
| CFG_TRUSTED_INPUT=true CFG_SKIP_BOGON_FILTER=true .github/scripts/bl-format.sh blocklists/privacy/apple_icloud.ipset
# #
# Privacy โ€บ Alibaba
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/alibaba.ipset "${{ vars.BL_CHINA_ALIBABA_ASN }}"
# #
# Privacy โ€บ Automattic / Tumblr / Wordpress.com
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/automattic.ipset "${{ vars.BL_AUTOMATTIC_WP_ASN }}"
# #
# Privacy โ€บ Baidu
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/baidu.ipset "${{ vars.BL_CHINA_BAIDU_ASN }}"
# #
# Privacy โ€บ Bing
# #
./.github/scripts/bl-json.sh blocklists/privacy/bing.ipset "${{ vars.BL_BING_URL }}" '.prefixes | .[] |.ipv4Prefix//empty,.ipv6Prefix//empty'
# #
# Privacy โ€บ Blizzard
# #
./.github/scripts/range-iprange.sh blocklists/privacy/blizzard.ipset "${{ vars.BL_BLIZZARD_URL }}"
# #
# Privacy โ€บ Bluehost
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/bluehost_eig.ipset "${{ vars.BL_BLUEHOST_EIG_ASN }}"
# #
# Privacy โ€บ Bunny CDN
# #
BUNNYCDN_IPv4=$( curl -sSL ${{ vars.BL_BUNNYCDN_URL }}/plain \
| grep -vE '^(#|;|[[:space:]]*$)' )
BUNNYCDN_IPv6=$( curl -sSL ${{ vars.BL_BUNNYCDN_URL }}/ipv6 \
| jq -r '.[] | select( . != null )' | grep -vE '^(#|;|[[:space:]]*$)' )
BUNNYCDN_LIST=$( echo -e "${BUNNYCDN_IPv4}\n${BUNNYCDN_IPv6}" | sort -u )
echo "$BUNNYCDN_LIST" | .github/scripts/bl-format.sh blocklists/privacy/bunnycdn.ipset
# #
# Privacy โ€บ ByteDance / Tiktok
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/bytedance.ipset "${{ vars.BL_TIKTOK_BYTEDANCE_ASN }}"
# Privacy โ€บ Censys, Inc.
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/censys_io.ipset "${{ vars.BL_CENSYS_IO_ASN }}"
# Privacy โ€บ China โ€บ China Broadcasting Network
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_broadcasting_network.ipset "${{ vars.BL_CHINA_BROADCASTING_NETWORK_ASN }}"
# Privacy โ€บ China โ€บ China Mobile
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_mobile.ipset "${{ vars.BL_CHINA_MOBILE_ASN }}"
# Privacy โ€บ China โ€บ ChinaNET
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_chinanet.ipset "${{ vars.BL_CHINA_CHINANET_ASN }}"
# Privacy โ€บ China โ€บ China / Shanghai Mobile Communications Co.,Ltd.
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_net_mobile.ipset "${{ vars.BL_CHINA_NETMOBILE_ASN }}"
# Privacy โ€บ China โ€บ China Networks Inter-Exchange
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_networks.ipset "${{ vars.BL_CHINA_NETWORKS_ASN }}"
# Privacy โ€บ China โ€บ Telecom
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_telecom.ipset "${{ vars.BL_CHINA_TELECOM_ASN }}"
# Privacy โ€บ China โ€บ Tencent Networks
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_tencent.ipset "${{ vars.BL_CHINA_TENCENT_NET_ASN }}"
# Privacy โ€บ China โ€บ Tietong
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_tietong.ipset "${{ vars.BL_CHINA_TIETONG_ASN }}"
# Privacy โ€บ China โ€บ Unicorn
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/china_unicorn.ipset "${{ vars.BL_CHINA_UNICORN_ASN }}"
# #
# Privacy โ€บ Cloudfront
# #
./.github/scripts/bl-json.sh blocklists/privacy/cloudfront.ipset "${{ vars.BL_AMAZON_CLOUDFRONT_URL }}" 'map(.[]) | sort | .[]'
# #
# Privacy โ€บ Cloudflare CDN
# #
CLOUDFLARE_IPv4=$( curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_CLOUDFLARE_URL }}/ips-v4 \
| grep -vE '^(#|;|[[:space:]]*$)' )
CLOUDFLARE_IPv6=$( curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_CLOUDFLARE_URL }}/ips-v6 \
| grep -vE '^(#|;|[[:space:]]*$)' )
CLOUDFLARE_LIST=$( echo -e "${CLOUDFLARE_IPv4}\n${CLOUDFLARE_IPv6}" | sort -u )
echo "$CLOUDFLARE_LIST" | .github/scripts/bl-format.sh blocklists/privacy/cloudflare.ipset
# #
# Privacy โ€บ COLOCROSSING / HostPapa
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/colocrossing_hostpapa.ipset "${{ vars.BL_COLOCROSSING_HOSTPAPA_ASN }}"
# #
# Privacy โ€บ Contabo Hosting
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/contabo_gmbh.ipset "${{ vars.BL_CONTABO_GMBH_ASN }}"
# #
# Privacy โ€บ Digital Ocean
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/digitalocean_asn.ipset "${{ vars.BL_DIGITAL_OCEAN_ASN }}"
# #
# Privacy โ€บ Digital Ocean
# #
curl -sSL -A "${{ env.USERAGENT }}" ${{ vars.BL_DIGITAL_OCEAN_URL }} \
| cut -d, -f1 \
| grep -vE '^(#|;|[[:space:]]*$)' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/privacy/digitalocean_source.ipset
# #
# Privacy โ€บ Dream Hosting
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/dreamhost.ipset "${{ vars.BL_DREAMHOST_ASN }}"
# #
# Privacy โ€บ DuckDuckGo
#
# Originally, we crawled DDG's Github docs page. However, it was shut down in 2025.
# curl -sSL -A "${{ env.USERAGENT }}" https://raw.githubusercontent.com/duckduckgo/duckduckgo-help-pages/master/_docs/results/duckduckbot.md | grep "^\- " | awk '{gsub("-",""); print}' | awk '{gsub(/ /,""); print}' | .github/scripts/bl-format.sh blocklists/privacy/duckduckgo.ipset
#
# Now we use their official json list
# https://duckduckgo.com/duckduckbot.json
# #
./.github/scripts/bl-json.sh blocklists/privacy/duckduckgo.ipset "${{ vars.BL_DUCKDUCKGO_URL }}" '.prefixes[] | select(.ipv4Prefix or .ipv6Prefix) | (.ipv4Prefix // .ipv6Prefix)'
# #
# Privacy โ€บ Electronic Arts & IGN
# #
./.github/scripts/range-iprange.sh blocklists/privacy/electronicarts_ign.ipset "${{ vars.BL_ELECTRONICARTS_URL }}"
# #
# Privacy โ€บ Facebook
# https://github.com/SecOps-Institute/FacebookIPLists/blob/master/facebook_asn_list.lst
# https://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/facebook.ipset "${{ vars.BL_FACEBOOK_ASN }}"
# #
# Privacy โ€บ Fastly
# #
./.github/scripts/bl-json.sh blocklists/privacy/fastly.ipset ${{ vars.BL_FASTLY_URL }} 'map(.[]) | .[]'
# #
# Privacy โ€บ Github
#
# https://api.github.com/meta
# #
GITHUB_URL="${{ vars.BL_GITHUB_URL }}"
./.github/scripts/bl-json.sh blocklists/privacy/github_all.ipset $GITHUB_URL '.. | strings | select(test("^[0-9a-fA-F:.]+/[0-9]+$"))'
./.github/scripts/bl-json.sh blocklists/privacy/github_hooks.ipset $GITHUB_URL '.hooks[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_web.ipset $GITHUB_URL '.web[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_api.ipset $GITHUB_URL '.api[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_git.ipset $GITHUB_URL '.git[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_packages.ipset $GITHUB_URL '.packages[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_pages.ipset $GITHUB_URL '.pages[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_importer.ipset $GITHUB_URL '.importer[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_actions.ipset $GITHUB_URL '.actions[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_actions_macos.ipset $GITHUB_URL '.actions_macos[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_codespaces.ipset $GITHUB_URL '.codespaces[]'
./.github/scripts/bl-json.sh blocklists/privacy/github_copilot.ipset $GITHUB_URL '.copilot[]'
# #
# Privacy โ€บ Google โ€บ Core
# #
./.github/scripts/bl-json.sh blocklists/privacy/google_core.ipset "${{ vars.BL_GOOGLE_BOTS_URL }}" '.prefixes[] | select(.ipv4Prefix or .ipv6Prefix) | (.ipv4Prefix // .ipv6Prefix)'
# #
# Privacy โ€บ Google โ€บ Bot
# #
./.github/scripts/bl-json.sh blocklists/privacy/google_bots.ipset "${{ vars.BL_GOOGLE_BOTS_URL }}" '.prefixes | .[] |.ipv4Prefix//empty,.ipv6Prefix//empty'
# #
# Privacy โ€บ Google โ€บ Cloud
# #
./.github/scripts/bl-json.sh blocklists/privacy/google_cloud.ipset "${{ vars.BL_GOOGLE_CLOUD_URL }}" '.prefixes[] | select(.ipv4Prefix or .ipv6Prefix) | (.ipv4Prefix // .ipv6Prefix)'
# #
# Generate โ€บ Privacy โ€บ H - N
# #
- name: '๐Ÿงฑ Generate โ€บ Privacy (H-N) (1/day)'
id: task_blocklist_generate_privacy_h_to_n
if: steps.task_blocklist_generate_run_mode.outputs.run_daily == 'true'
run: |
# #
# Privacy โ€บ Huawei
# #
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/huawei.ipset "${{ vars.BL_HUAWEI_ASN }}"
# #
# Privacy โ€บ Linode
# #
curl -sSL "${{ vars.BL_LINODE_URL }}" | awk -F',' '{print $1}' | sort -u | .github/scripts/bl-format.sh blocklists/privacy/linode.ipset
# #
# Privacy โ€บ Microsoft โ€บ 365
# #
MS_365_URL="${{ vars.BL_MICROSOFT_365_URL }}?clientrequestid=$(uuidgen)"
./.github/scripts/bl-json.sh blocklists/privacy/microsoft_365.ipset $MS_365_URL '.[] | .ips[]?'
# #
# Privacy โ€บ Microsoft โ€บ Azure
#
# - Public Cloud
# - US Government
# - Germany Cloud
# - China Cloud
#
# @ref https://azservicetags.azurewebsites.net/
# #
MS_AZURE_URL_PUBLIC=$( curl -sSL "${{ vars.BL_MICROSOFT_AZURE_PUBLIC_URL }}" | grep -o 'https://download.microsoft.com/download[^"]*ServiceTags_Public_[0-9]\+\.json' | head -n1 )
./.github/scripts/bl-json.sh blocklists/privacy/microsoft_azure_public.ipset $MS_AZURE_URL_PUBLIC '.values[].properties.addressPrefixes[]'
MS_AZURE_URL_USGOV=$( curl -sSL "${{ vars.BL_MICROSOFT_AZURE_USGOV_URL }}" | grep -o 'https://download.microsoft.com/download[^"]*ServiceTags_AzureGovernment_[0-9]\+\.json' | head -n1 )
./.github/scripts/bl-json.sh blocklists/privacy/microsoft_azure_usgov.ipset $MS_AZURE_URL_USGOV '.values[].properties.addressPrefixes[]'
MS_AZURE_URL_GERMANY=$( curl -sSL "${{ vars.BL_MICROSOFT_AZURE_GERMANY_URL }}" | grep -o 'https://download.microsoft.com/download[^"]*ServiceTags_AzureGermany_[0-9]\+\.json' | head -n1 )
./.github/scripts/bl-json.sh blocklists/privacy/microsoft_azure_usgov.ipset $MS_AZURE_URL_GERMANY '.values[].properties.addressPrefixes[]'
MS_AZURE_URL_CHINA=$( curl -sSL "${{ vars.BL_MICROSOFT_AZURE_CHINA_URL }}" | grep -o 'https://download.microsoft.com/download[^"]*ServiceTags_China_[0-9]\+\.json' | head -n1 )
./.github/scripts/bl-json.sh blocklists/privacy/microsoft_azure_china.ipset $MS_AZURE_URL_CHINA '.values[].properties.addressPrefixes[]'
# #
# Privacy โ€บ Nintendo
# #
./.github/scripts/range-iprange.sh blocklists/privacy/nintendo.ipset "${{ vars.BL_NINTENDO_URL }}"
# #
# Generate โ€บ Privacy โ€บ O - T
# #
- name: '๐Ÿงฑ Generate โ€บ Privacy (O-T) (1/day)'
id: task_blocklist_generate_privacy_o_to_t
if: steps.task_blocklist_generate_run_mode.outputs.run_daily == 'true'
run: |
# #
# Privacy โ€บ Oracle โ€บ OCI (EC2 / GCP)
# #
./.github/scripts/bl-json.sh blocklists/privacy/oracle_oci.ipset "${{ vars.BL_ORACLE_OCI_URL }}" '.regions[].cidrs[] | select(.tags[] == "OCI") | .cidr'
# #
# Privacy โ€บ Oracle โ€บ Oracle services network (OSN)
# #
./.github/scripts/bl-json.sh blocklists/privacy/oracle_osn.ipset "${{ vars.BL_ORACLE_OSN_URL }}" '.regions[].cidrs[] | select(.tags[] == "OSN") | .cidr'
# #
# Privacy โ€บ Oracle โ€บ Object Storage
# #
./.github/scripts/bl-json.sh blocklists/privacy/oracle_object_storage.ipset "${{ vars.BL_ORACLE_OBJ_URL }}" '.regions[].cidrs[] | select(.tags[] == "OBJECT_STORAGE") | .cidr'
# #
# Privacy โ€บ Oracle โ€บ All
# #
./.github/scripts/bl-json.sh blocklists/privacy/oracle_all.ipset "${{ vars.BL_ORACLE_ALL_URL }}" '.regions[].cidrs[] | .cidr'
# #
# Privacy โ€บ Pandora
# #
./.github/scripts/range-iprange.sh blocklists/privacy/pandora.ipset "${{ vars.BL_PANDORA_URL }}"
# #
# Privacy โ€บ Perplexity โ€บ All
#
# @ref https://docs.perplexity.ai/docs/resources/perplexity-crawlers
# #
curl -sSL https://www.perplexity.ai/perplexitybot.json https://www.perplexity.ai/perplexity-user.json \
| jq -r '.prefixes[] | select(.ipv4Prefix or .ipv6Prefix) | (.ipv4Prefix // .ipv6Prefix)' \
| sort -u \
| ./.github/scripts/bl-format.sh blocklists/privacy/perplexity_all.ipset
# #
# Privacy โ€บ Perplexity โ€บ Bot
# #
./.github/scripts/bl-json.sh blocklists/privacy/perplexity_bot.ipset "https://www.perplexity.ai/perplexitybot.json" '.prefixes[] | select(.ipv4Prefix or .ipv6Prefix) | (.ipv4Prefix // .ipv6Prefix)'
# #
# Privacy โ€บ Perplexity โ€บ User
# #
./.github/scripts/bl-json.sh blocklists/privacy/perplexity_user.ipset "https://www.perplexity.ai/perplexity-user.json" '.prefixes[] | select(.ipv4Prefix or .ipv6Prefix) | (.ipv4Prefix // .ipv6Prefix)'
# #
# Privacy โ€บ Pingdom
# #
PINGDOM_IPv4=$( curl -sSL "${{ vars.BL_PINGDOM_URL }}/ipv4" \
| grep -vE '^(#|;|[[:space:]]*$)')
PINGDOM_IPv6=$( curl -sSL "${{ vars.BL_PINGDOM_URL }}/ipv6" \
| grep -vE '^(#|;|[[:space:]]*$)')
PINGDOM_LIST=$( echo -e "${PINGDOM_IPv4}\n${PINGDOM_IPv6}" | sort -u )
echo "$PINGDOM_LIST" | .github/scripts/bl-format.sh blocklists/privacy/pingdom.ipset
# #
# Privacy โ€บ Pirate Bay
# #
./.github/scripts/range-iprange.sh blocklists/privacy/piratebay.ipset "${{ vars.BL_PIRATEBAY_URL }}"
# #
# Privacy โ€บ ProtonVPN
#
# Gathering these are tricky. Requires the authentication COOKIE / session_id to access API.
# User Id => secrets.BL_PROTON_VPN_USERID
# Cookie => secrets.BL_PROTON_VPN_AUTHCOOKIE
# Session id => secrets.BL_PROTON_VPN_SESSIONID
# #
curl -s \
-H 'x-pm-appversion: AndroidVPN_5.5.52' \
-H 'x-pm-apiversion: 3' \
-H 'x-pm-locale: en_US' \
-H 'x-pm-uid: ${{ secrets.BL_PROTON_VPN_USERID }}' \
-H 'cookie: ${{ secrets.BL_PROTON_VPN_AUTHCOOKIE }}; Session-Id=${{ secrets.BL_PROTON_VPN_SESSIONID }}; Tag=default; Theme=1; Domain=protonvpn.com; st=eyJ0IjoiZiIsImgiOiIwIn0' \
'${{ vars.BL_PROTON_VPN_URL }}' \
| jq -r '.LogicalServers[] | .Servers[]? | .EntryIP, .ExitIP, .ExitIPv6 | select(. != null)' \
| sort -u \
| .github/scripts/bl-format.sh blocklists/privacy/proton_vpn.ipset proton_vpn
# Privacy โ€บ Punkbuster
./.github/scripts/range-iprange.sh blocklists/privacy/punkbuster.ipset "${{ vars.BL_PUNKBUSTER_URL }}"
# Privacy โ€บ Riot Games
./.github/scripts/range-iprange.sh blocklists/privacy/riot_games.ipset "${{ vars.BL_RIOTGAMES_URL }}"
# Privacy โ€บ RSS API
curl -sSL -A "${{ env.USERAGENT }}" "${{ vars.BL_RSSAPI_URL }}" | .github/scripts/bl-format.sh blocklists/privacy/rssapi.ipset
# Privacy โ€บ Shadow Server
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/shadowserver.ipset "${{ vars.BL_SHADOWSERVER_FOUNDATION_ASN }}"
# Privacy โ€บ Sony โ€บ All
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/sony_all.ipset "${{ vars.BL_SONY_ALL_ASN }}"
# Privacy โ€บ Sony โ€บ Sony Network Communications Inc. (Japan/ISP/So-net)
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/sony_network_communications.ipset "${{ vars.BL_SONY_NETWORK_COMMUNICATIONS_ASN }}"
# Privacy โ€บ Sony โ€บ Sony Interactive Entertainment LLC (Playstation)
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/sony_playstation_network.ipset "${{ vars.BL_SONY_PLAYSTATION_NETWORK_ASN }}"
# Privacy โ€บ Sony โ€บ Sony Pictures Technologies Inc.
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/sony_pictures_technologies.ipset "${{ vars.BL_SONY_PICTURES_TECHNOLOGIES_ASN }}"
# Privacy โ€บ Sony โ€บ User Reported
./.github/scripts/range-iprange.sh blocklists/privacy/sony_userflagged.ipset "${{ vars.BL_SONY_USERFLAGGED_URL }}"
# Privacy โ€บ Steam
./.github/scripts/range-iprange.sh blocklists/privacy/steam.ipset "${{ vars.BL_STEAM_URL }}"
# Privacy โ€บ Stripe โ€บ API
curl -sSL -A "${{ env.USERAGENT }}" "${{ vars.BL_STRIPE_API_URL }}" | .github/scripts/bl-format.sh blocklists/privacy/stripe_api.ipset
# Privacy โ€บ Stripe โ€บ Armada Gator
curl -sSL -A "${{ env.USERAGENT }}" "${{ vars.BL_STRIPE_ARMADA_GATOR_URL }}" | .github/scripts/bl-format.sh blocklists/privacy/stripe_armada_gator.ipset
# Privacy โ€บ Stripe โ€บ Webhooks
curl -sSL -A "${{ env.USERAGENT }}" "${{ vars.BL_STRIPE_WEBHOOKS_URL }}" | .github/scripts/bl-format.sh blocklists/privacy/stripe_webhooks.ipset
# Privacy โ€บ Telegram
curl -sSL -A "${{ env.USERAGENT }}" "${{ vars.BL_TELEGRAM_URL }}" | .github/scripts/bl-format.sh blocklists/privacy/telegram.ipset
# Privacy โ€บ Tumblr
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/tumblr.ipset "${{ vars.BL_TUMBLR_ASN }}"
# Privacy โ€บ Twitter / X
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/privacy/twitter_x.ipset "${{ vars.BL_TWITTER_INC_X_ASN }}"
# #
# Generate โ€บ Privacy โ€บ U - Z
# #
- name: '๐Ÿงฑ Generate โ€บ Privacy (U-Z) (1/day)'
id: task_blocklist_generate_privacy_u_to_z
if: steps.task_blocklist_generate_run_mode.outputs.run_daily == 'true'
run: |
# Privacy โ€บ Ubisoft
./.github/scripts/range-iprange.sh blocklists/privacy/ubisoft.ipset "${{ vars.BL_UBISOFT_URL }}"
# Privacy โ€บ Uptime Robot
curl -sSL -A "${{ env.USERAGENT }}" "${{ vars.BL_UPTIMEROBOT_URL }}" | .github/scripts/bl-format.sh blocklists/privacy/uptimerobot.ipset
# Privacy โ€บ WebPageTest
curl -sSLk -A "${{ env.USERAGENT }}" "${{ secrets.PROXY_WEB_URL_HTTPS }}/json?url=https%3A%2F%2Fwebpagetest.org%2Faddresses.php%3Ff%3Djson" | jq -r '.data[].addresses[] | select( . != null )' | .github/scripts/bl-format.sh blocklists/privacy/webpagetest.ipset
# Privacy โ€บ Xfire
./.github/scripts/range-iprange.sh blocklists/privacy/xfire.ipset "${{ vars.BL_XFIRE_URL }}"
# #
# Generate โ€บ Spam
# #
- name: '๐Ÿงฑ Generate โ€บ Spam'
id: task_blocklist_generate_spam
if: steps.task_blocklist_generate_run_mode.outputs.run_core == 'true'
run: |
./.github/scripts/bl-plain.sh blocklists/spam/spamhaus.ipset ${{ vars.BL_SPAM_SPAMHAUS_URL }}
# #
# Generate โ€บ Spam โ€บ Forums
#
# only updated once per day (daily path)
# #
- name: '๐Ÿงฑ Generate โ€บ Spam โ€บ Forums (1/day)'
id: task_blocklist_spam_generate_forums
if: steps.task_blocklist_generate_run_mode.outputs.run_daily == 'true'
run: |
chmod +x ".github/scripts/bl-plain.sh"
./.github/scripts/bl-plain.sh blocklists/spam/forums.ipset ${{ vars.BL_SPAM_FORUMS_URL }}
# #
# Generate โ€บ Internet Service Provider
#
# @resources https://ftp.arin.net/info/asn.txt
# https://networksdb.io
# https://rapidapi.com
# https://ip.guide/
# https://2ip.io
# https://ip2location.com
# https://ipqualityscore.com
# https://ipinfo.io
# https://radb.net
# https://bgpview.io
# @info script on another server is responsible for ensuring this workflow list is kept up to date with the correct ASN.
# we use numerous resources to compare ASNs to see which ones are active and which ones have been migrated.
# #
- name: '๐Ÿงฑ Generate โ€บ ISP (1/day)'
id: task_blocklist_generate_isp
if: steps.task_blocklist_generate_run_mode.outputs.run_daily == 'true'
run: |
# ISP โ€บ AOL
./.github/scripts/bl-block.sh blocklists/isp/aol.ipset isp/aol.ipset
# ISP โ€บ ATT
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/att.ipset "${{ vars.BL_ATT_ASN }}"
# ISP โ€บ Cablevision | Later merged with Suddenlink
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/cablevision.ipset "${{ vars.BL_CABLEVISION_ASN }}"
# ISP โ€บ Charter & Spectrum (Previously Time Warner Cable)
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/charter_spectrum_timewarnercable.ipset "${{ vars.BL_CHARTER_SPECTRUM_TIMEWARNERCABLE_ASN }}"
# ISP โ€บ Comcast
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/comcast.ipset "${{ vars.BL_COMCAST_ASN }}"
# ISP โ€บ Cox Communications
# https://networksdb.io/ip-addresses-of/cox-communications-inc
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/cox_communications.ipset "${{ vars.BL_COX_COMMUNICATIONS_ASN }}"
# ISP โ€บ Embarq
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/embarq.ipset "${{ vars.BL_EMBARQ_ASN }}"
# ISP โ€บ Frontier Communications
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/frontier_communications.ipset "${{ vars.BL_FRONTIER_COMMUNICATIONS_ASN }}"
# ISP โ€บ Qwest / CenturyLink
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/qwest_centurylink.ipset "${{ vars.BL_QWEST_CENTURYLINK_ASN }}"
# ISP โ€บ Sprint
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/sprint.ipset "${{ vars.BL_SPRINT_ASN }}"
# ISP โ€บ Verizon
# https://networksdb.io/search/org/verizon
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/verizon.ipset "${{ vars.BL_VERIZON_ASN }}"
# ISP โ€บ SpaceX Starlink
CFG_TRUSTED_INPUT=true ./.github/scripts/bl-whois.sh blocklists/isp/spacex_starlink.ipset "${{ vars.BL_SPACEX_STARLINK_ASN }}"
# ISP โ€บ Suddenlink / Altice / Optiumum
./.github/scripts/bl-json.sh blocklists/isp/suddenlink_altice_optimum.ipset https://ip.guide/AS19108 '.routes | .v4//empty,.v6//empty | .[]'
# #
# Generate โ€บ Geographical โ€บ Geolite2 โ€บ Setup
#
# this step should only be ran once per day (at 1:15am UTC).
# The vars defined below are used for caching. The current day of the year + year are calculated, this allows
# the same cached files to be used in a 24 hour period. When the day of the year changes, a new set of geo files will
# be updated.
#
# CACHE VARS: year_week outputs the current week of the year, and year
# 51_2024
#
# year_day outputs the current day of the year, and year
# 308_2024
# #
- name: '๐Ÿงฑ Geographical โ€บ GeoLite2 (Setup)'
id: task_blocklist_geographical_generate_setup
if: steps.task_blocklist_generate_run_mode.outputs.run_daily == 'true'
run: |
should_run="true"
force_run="${{ steps.task_blocklist_generate_run_mode.outputs.force_daily }}"
echo "should_run=${should_run}" >> "$GITHUB_OUTPUT"
echo "force_run=${force_run}" >> "$GITHUB_OUTPUT"
echo "year_week=$(date +'%U_%Y')" >> $GITHUB_ENV
echo "year_day=$(date +'%j_%Y')" >> $GITHUB_ENV
# #
# Generate โ€บ Geographical โ€บ Geolite2 โ€บ Cache
#
# uses the same cache in a 24 hour period.
#
# @output cache-hit
# only run step if cache hit found
# if: steps.task_blocklist_geographical_generate_cache.outputs.cache-hit == 'true'
# #
- name: '๐Ÿงฑ Geographical โ€บ GeoLite2 (Cache)'
id: task_blocklist_geographical_generate_cache
uses: actions/cache@v5
if: steps.task_blocklist_geographical_generate_setup.outputs.should_run == 'true'
with:
path: .github/.daily/geolite2
key: daily-${{ runner.os }}-geolite2-${{ steps.task_blocklist_generate_date_key.outputs.day }}
# #
# Generate โ€บ Geographical โ€บ Geolite2 โ€บ Build
# #
- name: '๐Ÿงฑ Geographical โ€บ GeoLite2 (1/day)'
id: task_blocklist_generate_geolite2_country
if: steps.task_blocklist_geographical_generate_setup.outputs.should_run == 'true' && ( steps.task_blocklist_geographical_generate_setup.outputs.force_run == 'true' || steps.task_blocklist_geographical_generate_cache.outputs.cache-hit != 'true' )
run: |
chmod +x ".github/scripts/bl-geolite2.sh"
run_geolite2=".github/scripts/bl-geolite2.sh -l ${{ secrets.API_GEOLITE2_KEY }}"
eval "./$run_geolite2"
# #
# Generate โ€บ ASN
#
# ASN numbers are automatically managed & updated via a backend system. Store ASNs as github variable.
# #
- name: '๐Ÿงฑ Geographical โ€บ GeoLite2 โ€บ ASN (1/day)'
id: task_blocklist_generate_geolite2_asn
if: steps.task_blocklist_geographical_generate_setup.outputs.should_run == 'true' && ( steps.task_blocklist_geographical_generate_setup.outputs.force_run == 'true' || steps.task_blocklist_geographical_generate_cache.outputs.cache-hit != 'true' )
run: |
export MAXMIND_LICENSE_KEY="${{ secrets.API_GEOLITE2_KEY }}"
export BL_GEOLITE2_REUSE_TEMP=true
rm -rf .github/temp .github/.temp
./.github/scripts/bl-geolite2_asn.sh --folder A --file akamai_core --asn ${{ vars.BL_AKAMAI_CORE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder A --file akamai_linode --asn ${{ vars.BL_AKAMAI_LINODE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder A --file alibaba --asn ${{ vars.BL_CHINA_ALIBABA_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder A --file amazon_core --asn ${{ vars.BL_AMAZON_CORE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder A --file amazon_cloudfront --asn ${{ vars.BL_AMAZON_CLOUDFRONT_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder A --file apple_inc --asn ${{ vars.BL_APPLE_INC_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder A --file att --asn ${{ vars.BL_ATT_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder A --file automattic --asn ${{ vars.BL_AUTOMATTIC_WP_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder B --file baidu --asn ${{ vars.BL_CHINA_BAIDU_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder B --file bluehost_eig --asn ${{ vars.BL_BLUEHOST_EIG_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder B --file bunnycdn --asn ${{ vars.BL_BUNNYCDN_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file cablevision --asn ${{ vars.BL_CABLEVISION_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file censys_io --asn ${{ vars.BL_CENSYS_IO_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file charter_spectrum_timewarnercable --asn ${{ vars.BL_CHARTER_SPECTRUM_TIMEWARNERCABLE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_broadcasting_network --asn ${{ vars.BL_CHINA_BROADCASTING_NETWORK_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_mobile --asn ${{ vars.BL_CHINA_MOBILE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_chinanet --asn ${{ vars.BL_CHINA_CHINANET_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_net_mobile --asn ${{ vars.BL_CHINA_NETMOBILE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_networks --asn ${{ vars.BL_CHINA_NETWORKS_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_telecom --asn ${{ vars.BL_CHINA_TELECOM_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_tencent_net --asn ${{ vars.BL_CHINA_TENCENT_NET_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_tietong --asn ${{ vars.BL_CHINA_TIETONG_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file china_unicorn --asn ${{ vars.BL_CHINA_UNICORN_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file cloudflare --asn ${{ vars.BL_CLOUDFLARE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file colocrossing_hostpapa --asn ${{ vars.BL_COLOCROSSING_HOSTPAPA_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file comcast --asn ${{ vars.BL_COMCAST_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file contabo_gmbh --asn ${{ vars.BL_CONTABO_GMBH_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder C --file cox_communications --asn ${{ vars.BL_COX_COMMUNICATIONS_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder D --file digitalocean --asn ${{ vars.BL_DIGITAL_OCEAN_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder D --file dreamhost --asn ${{ vars.BL_DREAMHOST_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder E --file embarq --asn ${{ vars.BL_EMBARQ_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder F --file facebook --asn ${{ vars.BL_FACEBOOK_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder F --file fastly --asn ${{ vars.BL_FASTLY_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder F --file fdc_servers --asn ${{ vars.BL_FDC_SERVERS_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder F --file frontier_communications --asn ${{ vars.BL_FRONTIER_COMMUNICATIONS_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder G --file github_inc --asn ${{ vars.BL_GITHUB_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder G --file godaddy --asn ${{ vars.BL_GODADDY_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder G --file google --asn ${{ vars.BL_GOOGLE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder H --file haproxy_technologies_inc --asn ${{ vars.BL_HAPROXY_TECHNOLOGIES_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder H --file hetzner --asn ${{ vars.BL_HETZNER_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder H --file hostinger --asn ${{ vars.BL_HOSTINGER_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder I --file inmotion_hosting --asn ${{ vars.BL_INMOTION_HOSTING_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder I --file ionos_1and1 --asn ${{ vars.BL_IONOS_1AND1_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder I --file internet_measurement_com --asn ${{ vars.BL_INTERNET_MEASUREMENT_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder K --file korea_telecom --asn ${{ vars.BL_KOREA_TELECOM_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder L --file leaseweb_hosting --asn ${{ vars.BL_LEASEWEB_HOSTING_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder M --file microsoft_corp --asn ${{ vars.BL_MICROSOFT_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder N --file namecheap --asn ${{ vars.BL_NAMECHEAP_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder N --file nintendo --asn ${{ vars.BL_NINTENDO_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder O --file onyphe_io --asn ${{ vars.BL_ONYPHE_IO_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder O --file oracle --asn ${{ vars.BL_ORACLE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder O --file ovh_cloud --asn ${{ vars.BL_OVH_CLOUD_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder P --file palo_alto_networks --asn ${{ vars.BL_PALO_ALTO_NETWORKS_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder P --file psychz_networks --asn ${{ vars.BL_PSYCHZ_NETWORKS_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder Q --file quadra_net --asn ${{ vars.BL_QUADRA_NET_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder Q --file qwest_centurylink --asn ${{ vars.BL_QWEST_CENTURYLINK_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder R --file rackspace_hosting --asn ${{ vars.BL_RACKSPACE_HOSTING_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder R --file recyber_net --asn ${{ vars.BL_RECYBER_NET_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder R --file russia_crimeacom_south_llc --asn ${{ vars.BL_RUSSIA_CRIMEACOM_SOUTH_LLC_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder R --file russia_zummer_llc --asn ${{ vars.BL_RUSSIA_ZUMMER_LLC_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file scaleway_sas --asn ${{ vars.BL_SCALEWAY_SAS_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file servers_dot_com_inc --asn ${{ vars.BL_SERVERS_DOT_COM_INC_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file shadowserver_foundation --asn ${{ vars.BL_SHADOWSERVER_FOUNDATION_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file shodan_io --asn ${{ vars.BL_SHODAN_IO_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file sharktech --asn ${{ vars.BL_SHARKTECH_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file stackpath_blackhost --asn ${{ vars.BL_STACKPATH_BLACKHOST_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file spacex_starlink --asn ${{ vars.BL_SPACEX_STARLINK_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder S --file sprint --asn ${{ vars.BL_SPRINT_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder T --file tiktok_bytedance --asn ${{ vars.BL_TIKTOK_BYTEDANCE_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder T --file tumblr --asn ${{ vars.BL_TUMBLR_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder T --file twitter_x --asn ${{ vars.BL_TWITTER_INC_X_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder U --file upcloud_usa_inc --asn ${{ vars.BL_UPCLOUD_USA_INC_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder U --file usa_department_of_defense_dnic --asn ${{ vars.BL_USA_DOD_DNIC_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder U --file usa_internet_corp --asn ${{ vars.BL_USA_INTERNET_CORP_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder V --file verizon --asn ${{ vars.BL_VERIZON_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder V --file vietel --asn ${{ vars.BL_VIETNAM_VIETEL_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder V --file vultr --asn ${{ vars.BL_VULTR_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder Y --file yahoo --asn ${{ vars.BL_YAHOO_ASN }}
./.github/scripts/bl-geolite2_asn.sh --folder Y --file youtube --asn ${{ vars.BL_YOUTUBE_ASN }}
rm -rf blocklists/geolite/asn/ipv4 blocklists/geolite/asn/ipv6
rm -rf .github/temp .github/.temp
# #
# Generate โ€บ Transmission
# #
- name: '๐Ÿงฑ Generate โ€บ Transmission'
id: task_blocklist_generate_transmission
if: steps.task_blocklist_generate_run_mode.outputs.run_core == 'true'
run: |
./.github/scripts/bt-transmission.sh
# #
# Generate โ€บ Weekly
#
# Only updated once per week
# #
- name: '๐Ÿงฑ Generate โ€บ Weekly (7/days)'
id: task_blocklist_generate_weekly
if: steps.task_blocklist_generate_run_mode.outputs.run_weekly == 'true'
run: |
# #
# Weekly โ€บ BOGON
# #
CFG_SKIP_CIDR_DEDUPE=true ./.github/scripts/bogon.sh blocklists/bogon.ipset
# #
# Generate โ€บ Biweekly
#
# Only updated once every 2 weeks
# #
- name: '๐Ÿงฑ Generate โ€บ Bi-weekly (14/days)'
id: task_blocklist_generate_biweekly
if: steps.task_blocklist_generate_run_mode.outputs.run_biweekly == 'true'
run: |
# #
# Biweekly โ€บ IANA
# #
CFG_SKIP_BOGON_FILTER=true CFG_SKIP_CIDR_DEDUPE=true ./.github/scripts/range-iprange.sh blocklists/iana-reserved.ipset .github/blocks/iana/reserved.ipset
CFG_SKIP_BOGON_FILTER=true CFG_SKIP_CIDR_DEDUPE=true ./.github/scripts/range-iprange.sh blocklists/iana-private.ipset .github/blocks/iana/private.ipset
CFG_SKIP_BOGON_FILTER=true CFG_SKIP_CIDR_DEDUPE=true ./.github/scripts/range-iprange.sh blocklists/iana-multicast.ipset .github/blocks/iana/multicast.ipset
# #
# Delete Leftover Temps
# #
- name: '๐Ÿงฑ Generate โ€บ Cleanup Temps'
id: task_blocklist_generate_cleanup
if: steps.task_blocklist_generate_run_mode.outputs.run_core == 'true'
run: |
echo "๐Ÿงน Cleaning up leftover .tmp files..."
find ./blocklists -type f -name '*.tmp' -print -delete
echo "โœ… Cleanup complete."
# #
# Generate โ€บ Verbose โ€บ List Tree
# #
- name: '๐ŸŒฒ Debug โ€บ Verbose Tree Listing'
if: steps.task_blocklist_generate_run_mode.outputs.run_core == 'true'
run: |
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
echo " PWD ..................... ${PWD}"
echo " GITHUB.WORKSPACE ........ ${{ github.workspace }}"
echo -e
echo -e
tree -I node_modules -I .git -I ./
echo "โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•โ€•"
# #
# Generate โ€บ SFTP / SSH โ€บ Upload Artifact
# #
- name: 'SSH โ€บ Zip Artifacts'
id: generate_artifact_zip
run: |
REPO_NAME="${{ github.event.repository.name }}" # csf-firewall
BRANCH_NAME="${{ github.ref_name }}" # main
RUN_ID="${{ github.run_id }}" # 17373119899
ARTIFACT_NAME="artifact_${BRANCH_NAME}_${RUN_ID}.zip" # artifacts_main_xxxxxx.zip
ARTIFACT_PATH="${REPO_NAME}/${ARTIFACT_NAME}" # csf-firewall/artifacts_main_xxxxxx.zip
echo "REPO_NAME=$REPO_NAME" >> $GITHUB_ENV # csf-firewall
echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV # artifacts_main_xxxxxx.zip
echo "ARTIFACT_PATH=$ARTIFACT_PATH" >> $GITHUB_ENV # csf-firewall/artifacts_main_xxxxxx.zip
echo "artifact-name=$ARTIFACT_NAME" >> $GITHUB_OUTPUT # artifacts_main_xxxxxx.zip
echo "artifact-path=$ARTIFACT_PATH" >> $GITHUB_OUTPUT # csf-firewall/artifacts_main_xxxxxx.zip
zip -r "$ARTIFACT_NAME" ./* # delete original zip before push
# #
# Generate โ€บ SFTP / SSH โ€บ Upload Artifact
# #
- name: 'SSH โ€บ Upload Artifacts'
env:
username: github
port: ${{ secrets.ARTIFACTS_PORT }}
domain: ${{ secrets.ARTIFACTS_DOMAIN }}
sshkey: ${{ secrets.ARTIFACTS_GITHUB_SSH_PRIVATE_KEY }}
run: |
# #
# Make sure the .ssh folder exists
# #
mkdir -p ~/.ssh
echo "$sshkey" > "$HOME/.ssh/github_sftp_key"
chmod 600 "$HOME/.ssh/github_sftp_key"
# #
# Upload to repo-specific directory
# #
sftp -P "$port" \
-i "$HOME/.ssh/github_sftp_key" \
-o StrictHostKeyChecking=no \
"$username@$domain" <<EOF
mkdir $REPO_NAME
cd $REPO_NAME
put $ARTIFACT_NAME
bye
EOF
# Delete local artifact after upload
rm -f "$ARTIFACT_NAME"
# #
# Generate โ€บ Artifact โ€บ Upload
# #
- name: "๐ŸŽ Generate โ€บ Upload Artifact"
id: task_blocklist_generate_artifact_upload
uses: actions/upload-artifact@v4
with:
name: blocklist-latest
path: ./
retention-days: 1
# #
# Job โ€บ Commit
# #
blocklist-commit:
name: >-
๐Ÿ“‹ Commit
runs-on: ubuntu-latest
# runs-on: apollo-x64
timeout-minutes: 120
needs: [ blocklist-setup, blocklist-generate ]
steps:
# #
# Commit โ€บ Checkout
# #
- name: >-
โ˜‘๏ธ Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
# #
# Commit โ€บ Artifact โ€บ Setup SSH
# #
- name: '๐ŸŽ Commit โ€บ Setup SSH Artifact'
run: |
mkdir -p ~/.ssh
echo "${{ secrets.ARTIFACTS_GITHUB_SSH_PRIVATE_KEY }}" > "$HOME/.ssh/github_sftp_key"
chmod 600 "$HOME/.ssh/github_sftp_key"
# #
# Commit โ€บ Artifact โ€บ Download
# #
#- name: '๐ŸŽ Commit โ€บ Download Artifact'
# run: |
# ARTIFACT_PATH="${{ needs.blocklist-generate.outputs.artifact-path }}" # csf-firewall/artifacts_main_xxxxxx.zip
# ARTIFACT_NAME="$(basename "$ARTIFACT_PATH")" # artifacts_main_xxxxxx.zip
# REPO_NAME="$(dirname "$ARTIFACT_PATH")" # csf-firewall
# echo "Downloading $ARTIFACT_PATH"
# sftp -P ${{ secrets.ARTIFACTS_PORT }} \
# -i "$HOME/.ssh/github_sftp_key" \
# -o StrictHostKeyChecking=no \
# github@${{ secrets.ARTIFACTS_DOMAIN }} <<EOF
# cd $REPO_NAME
# get $ARTIFACT_NAME
# bye
# EOF
# unzip -o "$ARTIFACT_NAME" # unzip -o artifacts_main_xxxxxx.zip
# rm -f "$ARTIFACT_NAME" # rm -f artifacts_main_xxxxxx.zip
# #
# Commit โ€บ GPG โ€บ Import Key (No Passphrase)
#
# requires your GPG private key, converted to base64 binary .gpg (not armored .asc)
#
# this is utilized to generate signed hash digest
#
# find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha1sum | gpg --digest-algo sha256 --clearsign > sha1sum.txt.asc
# find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha256sum | gpg --digest-algo sha256 --clearsign > sha256
# #
- name: '๐Ÿชช Commit โ€บ GPG โ€บ Import Signing Key โ€บ W/o Passphrase'
if: env.GPG_KEY_BASE64 != '' && env.GPG_KEY_PASSPHRASE == ''
run: |
echo "$GPG_KEY_BASE64" | base64 -di | gpg --import
# #
# Commit โ€บ GPG โ€บ Import Key (With Passphrase)
#
# requires your GPG private key, converted to base64 binary .gpg (not armored .asc)
#
# this is utilized to generate signed hash digest
#
# find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha1sum | gpg --digest-algo sha256 --clearsign > sha1sum.txt.asc
# find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha256sum | gpg --digest-algo sha256 --clearsign > sha256
# #
- name: '๐Ÿชช Commit โ€บ GPG โ€บ Import Signing Key โ€บ w/ Passphrase'
if: env.GPG_KEY_BASE64 != '' && env.GPG_KEY_PASSPHRASE != ''
run: |
echo "$GPG_KEY_BASE64" | base64 -di > /tmp/signing-key.gpg
echo "$GPG_KEY_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --import /tmp/signing-key.gpg
(echo "$GPG_KEY_PASSPHRASE"; echo; echo) | gpg --command-fd 0 --pinentry-mode loopback --change-passphrase $(gpg --list-secret-keys --with-colons 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5 | tail -n 1)
# #
# Commit โ€บ Artifact โ€บ Download
# #
- name: "๐ŸŽ Commit โ€บ Download Artifact"
id: task_commit_artifact_download
uses: actions/download-artifact@v4
with:
name: blocklist-latest
path: ./
# #
# Commit โ€บ Precommit
# #
- name: "๐Ÿ“ฆ Commit โ€บ Pre-commit"
id: task_commit_pre
run: |
now=$(date -u '+%m/%d/%Y %H:%M')
commit_label="Sync" >> $GITHUB_ENV
commit_message="\`๏ธ๏ธ๐Ÿ”’ $commit_label ๐Ÿ”’\` \`$now UTC\`" >> $GITHUB_ENV
echo "COMMIT_MESSAGE=$(echo $commit_message)" >> $GITHUB_ENV
echo "NOW=$(echo $now)" >> $GITHUB_ENV
# #
# Commit โ€บ Update โ€บ README
# #
- name: "๐Ÿ“„ Commit โ€บ Update โ€บ README"
id: task_commit_update_readme
run: |
chmod +x ".github/scripts/update-readme.sh"
./.github/scripts/update-readme.sh README.md
# #
# Commit โ€บ Update โ€บ Manifest
# #
- name: "๐Ÿ“„ Commit โ€บ Update โ€บ Manifest"
id: task_commit_update_manifest
run: |
chmod +x ".github/scripts/update-manifest.sh"
./.github/scripts/update-manifest.sh manifest.json
# #
# Commit โ€บ GPG Key
#
# required in order to do signed commits
# #
- name: "๐Ÿ“ฆ Commit โ€บ GPG Key"
id: task_commit_gpg
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.ADMINSERV_GPG_KEY_ASC }}
passphrase: ${{ secrets.ADMINSERV_GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
# #
# Commit โ€บ Commit
# #
- name: "๐Ÿ“ฆ Commit โ€บ Execute"
id: task_commit_execute
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: ${{ env.COMMIT_MESSAGE }}
commit_author: "${{ steps.task_commit_gpg.outputs.name }} <${{ steps.task_commit_gpg.outputs.email }}>"
commit_user_name: ${{ steps.task_commit_gpg.outputs.name }}
commit_user_email: ${{ steps.task_commit_gpg.outputs.email }}
# #
# Commit โ€บ Clean up Artifacts
#
# Left-behind artifacts cleaned up after 5 days
# #
- name: '๐ŸŽ Commit โ€บ Cleanup Old Artifacts'
env:
username: github
port: ${{ secrets.ARTIFACTS_PORT }}
domain: ${{ secrets.ARTIFACTS_DOMAIN }}
sshkey: ${{ secrets.ARTIFACTS_GITHUB_SSH_PRIVATE_KEY }}
run: |
ssh -p "$port" \
-i "$HOME/.ssh/github_sftp_key" \
-o StrictHostKeyChecking=no \
"$username@$domain" \
"find /files/${{ github.event.repository.name }} -name 'artifacts_*.zip' -type f -mtime +2 -delete"