public-releases/ipset-blacklists-service

Professional systemd-integrated IP blacklist service with diff-based updates and boot recovery

Find a file

Marc Risse f22ec6d848 📝 Final README cleanup - remove remaining GitHub references		2025-09-07 01:11:22 +02:00
.forgejo/workflows	Fix JSON parsing in release API call	2025-09-06 22:38:06 +02:00
etc	Add complete ipset blacklist service v2.0.0	2025-08-24 13:42:17 +02:00
opnsense-port	📝 Final README cleanup - remove remaining GitHub references	2025-09-07 01:11:22 +02:00
systemd/system	Fix systemd timer configuration	2025-08-24 13:53:03 +02:00
usr	🔧 Fix VERSION file and alias naming v2.0.11	2025-08-27 17:45:12 +02:00
.gitignore	🧹 Ignore build directory	2025-08-24 18:24:52 +02:00
build-deb.sh	🔧 Fix GitHub Actions workflow and update to v2.0.17	2025-08-27 20:22:26 +02:00
CHANGELOG.md	📝 Final README cleanup - remove remaining GitHub references	2025-09-07 01:11:22 +02:00
install.sh	🔧 Fix GitHub Actions workflow and update to v2.0.17	2025-08-27 20:22:26 +02:00
LICENSE	Add complete ipset blacklist service v2.0.0	2025-08-24 13:42:17 +02:00
README.md	📝 Final README cleanup - remove remaining GitHub references	2025-09-07 01:11:22 +02:00
uninstall.sh	🔧 Fix GitHub Actions workflow and update to v2.0.17	2025-08-27 20:22:26 +02:00
VERSION	test	2025-09-07 00:03:36 +02:00

README.md

🛡️ ipset Blacklist Service

Professional systemd-integrated IP blacklist service with diff-based updates and boot recovery.

✨ Features

🔄 Diff-based updates - Only processes changes, not entire lists
🚀 Boot recovery - Automatically restores ipset after reboot
⏰ Systemd integration - Timer-based automatic updates every 4 hours
📊 Monitoring - Check_MK plugin included
🧹 Log rotation - Automatic log management
🔧 Easy management - Simple install/uninstall scripts
📦 DEB package - Professional package management

🎯 Quick Start

📦 Installation via DEB Package (Recommended)

# Download latest release:
wget https://git.risse-it.de/public-releases/ipset-blacklists-service/releases/latest/download/ipset-blacklists-service_2.0.7_all.deb

# Install package:
sudo dpkg -i ipset-blacklists-service_2.0.7_all.deb

# Start services:
sudo systemctl start ipset-blacklist-boot.service sudo systemctl start ipset-blacklist-update.timer

Manual Installation

# Clone repository:
git clone https://git.risse-it.de/public-releases/ipset-blacklists-service.git
cd ipset-blacklists-service

# Install service:
sudo ./install.sh

# Start services:
sudo systemctl start ipset-blacklist-boot.service
sudo systemctl start ipset-blacklist-update.timer

Usage

Check status: sudo /usr/local/bin/ipset-blacklist-status
Manual update: sudo /usr/local/bin/ipset-blacklist-service
Cleanup: sudo /usr/local/bin/ipset-blacklist-cleanup

📋 Requirements

Linux with ipset and iptables support
systemd
wget, awk, sed, sort, wc
Root privileges for installation

⚙️ Configuration

Edit /etc/ipset-blacklist/blacklist-sources.conf to customize blacklist sources.

Default sources:

🚫 Spamhaus DROP list
🤖 Firehol Blocklist.de Bots
💀 AbuseIPDB (optional, large list)

📊 Monitoring

Check_MK plugin automatically installed to /usr/lib/check_mk_agent/local/ipset_blacklist

Status codes:

✅ OK - Service running normally
⚠️ WARNING - Low entry count or missing iptables rule
❌ CRITICAL - ipset missing or no entries

🔧 Systemd Services

ipset-blacklist-boot.service - Boot recovery service
ipset-blacklist-update.service - Update service
ipset-blacklist-update.timer - Automatic updates every 4 hours

📝 Log Files

Service logs: /var/log/ipset-blacklist.log
Systemd logs: journalctl -u ipset-blacklist-*

🗂️ File Locations

Scripts: /usr/local/bin/ipset-blacklist-*
Configuration: /etc/ipset-blacklist/
Work directory: /var/lib/ipset-blacklist/
Systemd files: /etc/systemd/system/ipset-blacklist-*

💬 Support

Create an issue on Forgejo for bugs or feature requests
Check the troubleshooting section for common problems
Review logs in /var/log/ipset-blacklist.log

🙏 Acknowledgments

AbuseIPDB: For providing high-quality threat intelligence
Spamhaus: For reliable DROP and EDROP lists
Firehol: For community-maintained blacklists
CheckMK Community: For monitoring integration support
trick77/ipset-blacklist: For inspiration and foundational concepts

🤝 Contributing

Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Commit your changes (git commit -m 'Add amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request

🚨 Uninstallation

sudo ./uninstall.sh

📄 License

GPL-3.0 License - see LICENSE file for details.

🔗 Links

Repository: https://git.risse-it.de/public-releases/ipset-blacklists-service
Issues: https://git.risse-it.de/public-releases/ipset-blacklists-service/issues
Releases: https://git.risse-it.de/public-releases/ipset-blacklists-service/releases

🚀 Ready for production deployment!

For support and updates, visit: https://git.risse-it.de/public-releases/ipset-blacklists-service

🔥 OPNsense Port

NEW: Native OPNsense/FreeBSD port available!

📦 OPNsense Installation

Download OPNsense package and install: fetch https://git.risse-it.de/public-releases/ipset-blacklists-service/releases/latest/download/ipset-blacklists-opnsense.tar.gz tar -xzf ipset-blacklists-opnsense.tar.gz cd ipset-blacklists-opnsense-* ./scripts/install-opnsense.sh
Add firewall rule: Create Alias + Firewall Rule via Web GUI, see OPNsense README

🎯 OPNsense Features

✅ pfctl tables instead of ipset
✅ Native FreeBSD compatibility
✅ Cron-based automatic updates
✅ Same diff-logic as Linux version
✅ Easy installation and management

Documentation: OPNsense README

Mirror sync test So 7. Sep 00:03:24 CEST 2025

Migration completed So 7. Sep 00:33:42 CEST 2025